

      Hello All,

      I am trying to configure Windows Native authentication for OBIEE per the "Configuring authentication and SSO with Active Directory and Windows Native Authentication in Oracle Business Intelligence Enterprise Edition” Oracle Support Note ID 1274953.1

      Created the JAAS login module and named it krb5login.conf and modified the krb5.conf in the Linux server /etc folder. Modified the WebLogic startup script setDomainEnv.sh.

      Also I have web.xml and weblogic.xml to configure BI for SSO. The users trying to log in are members of BI Users.

      Enabled the SSO for Windows Native Authentication in Enterprise Manager Security tab.

      Configured the client machine for single sign-on as per the Tech Note.


      Error 401--Unauthorized
      From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
      10.4.2 401 Unauthorized

      The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.


      Troubleshooting the Error 401 - Unauthorized:

      1. The Weblogic Kerberos config file is incorrect so that although kinit verifies your machine can authenticate with the AD server, Weblogic cannot.
      Recheck the settings in krb5login.conf, and setDomainEnv.cmd (see section above entitled “Configure Weblogic Login Module”)

      kinit is authenticating to AD using Kerberos V5.

      2. Your client is not correctly configured - have you added the Weblogic server URL (e.g. http://bieesvr1.xyz2.com:9704/analytics/) to the Intranet zone and set the Automatic logon in Intranet zone setting? (see the section above entitled “Configure the client for single sign-on”)

      Have tried configuring Internet Explorer, Mozilla Firefox and Google Chrome for SSO but no success till now.

      3. You're not logged into the AD domain on the client - you need to login to Windows on the client machine as an account in your AD domain (e.g.

      I have logged in to the AD domain I just configured.

      4. Your user account is not a member of the group(s) you specified in the principal element(s) in weblogic.xml. N.B. these groups must exist in the AD domain (see section above entitled “Configure BI Analytics App to request SPNEGO Authentication”)

      I am part of the group that has been created for the SSO Role which is configured in the weblogic.xml as principal name.

      I am stuck and trying to analyze the biserver.out log file.

      Please let me know if anyone faced a similar issue whilst configuring Kerberos SSO for OBIEE 11g.
        • 1. Re: OBI

          This thread looks familiar :), anyway, from the tech note make sure the WLS principal created in your AD domain (refer to the bieesvr1 account in the tech note) has the following:
          •     Right-click on the user node, and select Properties.
          •     Click on the “Account” tab. Check the box: “Use DES encryption types for this account”. Ensure “Do not require Kerberos pre-authentication” is not checked (i.e. we DO require Kerberos pre-authentication)
          •     Click OK.
          •     Historically, it has been reported that setting the encryption type may corrupt the password. It is recommended at this point to reset the password of this user, by right clicking on the user, selecting “Reset Password” and re-entering the same password specified earlier.

          So once you have both these settings in place; also, are you currently running on OBIEE ?

          Let me know. Pls mark if it helps.

          • 2. Re: OBI
            Thanks VidyaS for your reply. I have already made changes in the account properties for my WLS principal. But I am still having the same error.

            In krb5Login.config I used

            But still the results are the same.

            And yes, I am running on

            Edited by: 959902 on Nov 9, 2012 6:36 AM
            • 3. Re: OBI
              Also, below are the logs for bi_server1.log and bi_server1.out:


              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825942> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825942> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=BISystemUser>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825942> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825943> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825943> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825943> <BEA-000000> <Signed WLS principal BISystemUser>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825943> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825943> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825944> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
                   Principal = class weblogic.security.principal.WLSUserImpl("BISystemUser")
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825944> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user BISystemUser, Identity=Subject: 1
                   Principal = class weblogic.security.principal.WLSUserImpl("BISystemUser")
              ####<Nov 9, 2012 9:37:05 AM EST> <Debug> <SecurityAtn> <server> <bi_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <00007RxkghwFs1Apn^K6yZ00044B000000> <1352471825944> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and BISystemUser was not previously locked out>


              <Nov 9, 2012 9:21:34 AM EST> <Warning> <Socket> <BEA-000450> <Socket 847 internal data record unavailable (probable closure due idle timeout), event received -32>

              <Nov 9, 2012 9:28:04 AM EST> <Warning> <Socket> <BEA-000450> <Socket 895 internal data record unavailable (probable closure due idle timeout), event received 0>

              <Nov 9, 2012 9:29:14 AM EST> <Warning> <Socket> <BEA-000450> <Socket 535 internal data record unavailable (probable closure due idle timeout), event received 0>

              Edited by: 959902 on Nov 9, 2012 6:56 AM
              • 4. Re: OBI

                Are you using the BISystemUser account both to configure the AD provider and to generate keytab files for the WebLogic instance?

                Let me know.

                • 5. Re: OBI
                  Yes, I am using BISystemUser for both AD authentication and to generate keytab files.
                  • 6. Re: OBI
                    I have asked Oracle about having only one user account for both the provider and the keytab; they have asked me to create separate accounts since each one has its own significance.

                    You should create another account in AD for your WLS instance.

                    That's the way it's recommended per Oracle.

                    Hope this helps. Pls mark helpful if it does.

                    • 7. Re: OBI
                      Thanks a lot for your reply. I will try reconnecting with new account.

                      Edited by: 959902 on Nov 9, 2012 6:55 AM
                      • 8. Re: OBI
                        I tried connecting with a different account to create the keytab. But unfortunately I am still having the same 401 error. Any pointers?
                        • 9. Re: OBI

                          I would first suggest checking whether the SPNEGO token is being passed by the Negotiate Identity Asserter. If you have an HTTP header tool you could find out whether the "WWW-Authenticate: Negotiate" header is present.

                          Then go to the biserver1 log file and check for any issue; also search for the client's active user name with which you are trying to log in to OBIEE Presentation Services.

                          Hope this helps.

                          • 10. Re: OBI
                            Thanks VidyaS for your reply. In bi_server1.out I am getting the "Client not found in Kerberos database" error. Also I couldn't find any active user name in the biserver1 log file. Then I suppose the SPNEGO token is not passed by the asserter. Any ideas how to troubleshoot it?

                            Edited by: 959902 on Nov 13, 2012 1:12 PM
                            • 11. Re: OBI

                              I would recommend first enabling the atn and atz debug properties in WebLogic on the biserver1 managed server. To do that:

                              1.     Login to WLS console
                              2.     Navigate to: WLS console --> expand 'Environment' --> click 'servers' --> click the server name on the middle pane, e.g., ‘BI_Server1'
                              3.     Click the 'Debug' tab on the top, expand 'weblogic' under 'Debug Scopes and Attributes'
                              4.     Expand 'security' -> expand 'atn' -> check the 'DebugSecurityAtn', and click 'enable' button

                              Check: http://idmrockstar.com/blog/2012/05/wna-kerberos-setup-with-oam-11g-lessons-learned/

                              Also: http://sammoffatt.com.au/jauthtools/Kerberos/Troubleshooting#Client_not_found_in_Kerberos_database

                              Client not found in Kerberos database

                              kinit(v5): Client not found in Kerberos database while getting initial credentials
                              krb5_get_init_creds_password() failed: Client not found in Kerberos database

                              Make sure that you're typing in the right name and the server has the right name (double check the account tab of the user, especially the realm)

                              Finally, check "WebLogic Server Support Pattern: Kerberos and SPNEGO Configuration Issues [ID 1332241.1]" on Oracle Support, which has a sample application which you can deploy on your Admin Server and troubleshoot.

                              Hope this helps. Keep me posted.

                              • 12. Re: OBI
                                Hello Vidya,

                                Thanks for your reply. I did the troubleshooting and applied changes where applicable. Now I am getting the krb error: Pre-authentication information was invalid

                                Below is the output of bi_server.out:


                                     sTime is Wed Nov 14 14:15:45 EST 2012 1352920545000
                                     suSec is 701032
                                     error code is 24
                                     error Message is Pre-authentication information was invalid
                                     realm is XYZ.COM
                                     sname is krbtgt/XYZ.COM
                                     eData provided.
                                     msgType is 30
                                Pre-Authentication Data:
                                     PA-DATA type = 11
                                     PA-ETYPE-INFO etype = 23
                                     PA-ETYPE-INFO salt =
                                Pre-Authentication Data:
                                     PA-DATA type = 19
                                     PA-ETYPE-INFO2 etype = 23
                                     PA-ETYPE-INFO2 salt = null

                                          [Krb5LoginModule] authentication failed

                                Pre-authentication information was invalid (24)
                                • 13. Re: OBI

                                  Good to know. What exactly was the issue? Was it with the AD account or the keytab file? Let me know.

                                  Regarding the "Pre-authentication information was invalid (24)" error, I have come across it, and the first thing to check here would be whether the AD account for the WLS instance was properly configured, which means this user should comply with the Kerberos protocol: the encryption type for this account must be DES, and the account must require Kerberos pre-authentication. This setting should be done on the Active Directory side.

                                  Also there is an excellent blog to troubleshoot these errors: http://weblogic-wonders.com/weblogic/2010/01/07/troubleshooting-kerberos-issues-with-weblogic-server/

                                  Refer to the section "Pre-authentication information was invalid (24)".


                                  Hope this helps. Pls mark if it does.


                                  Edited by: VidyaS on Nov 14, 2012 2:58 PM
                                  • 14. Re: OBI
                                    The previous error was because of the keytab file. I regenerated it and resolved that error.

                                    In the AD account for the WLS instance, we don't have "USE DES ENCRYPTION" checked; hence we are using

                                    default_tkt_enctypes = rc4-hmac
                                    default_tgs_enctypes = rc4-hmac

                                    in the krb5.config. But I am still getting the same error "Pre-authentication information was invalid".

                                    Any other ideas?
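Added example, not code from this thread or from Oracle: a small Python decoder for the Krb5LoginModule dump quoted in post 12 (and the "Client not found in Kerberos database" error from post 10), checked against the krb5.conf enctypes quoted in post 14. The sample dump and conf fragment are constructed from those posts; error names follow RFC 4120 and enctype numbers RFC 3961 / RFC 4757.

```python
import re
# Added example (not from the thread): decode the Krb5LoginModule debug dump and compare the
# KDC's offered enctype with krb5.conf. Error codes per RFC 4120, enctypes per RFC 3961/4757.
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 24: "KDC_ERR_PREAUTH_FAILED"}
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Constructed sample input shaped like the bi_server.out dump in post 12
SAMPLE_DUMP = """\
     error code is 24
     error Message is Pre-authentication information was invalid
     realm is XYZ.COM
     sname is krbtgt/XYZ.COM
Pre-Authentication Data:
     PA-ETYPE-INFO etype = 23
Pre-Authentication Data:
     PA-ETYPE-INFO2 etype = 23
     PA-ETYPE-INFO2 salt = null
"""
# Constructed krb5.conf fragment with the settings quoted in post 14
SAMPLE_KRB5_CONF = "[libdefaults]\n default_tkt_enctypes = rc4-hmac\n default_tgs_enctypes = rc4-hmac\n"

def parse_krb_error(dump: str) -> dict:
    """Pull the KRB-ERROR fields out of the debug output."""
    def field(name):
        m = re.search(rf"^\s*{name} is (.*)$", dump, re.M)
        return m.group(1).strip() if m else None
    code = int(field("error code"))
    etypes = sorted({int(e) for e in re.findall(r"PA-ETYPE-INFO2? etype = (\d+)", dump)})
    return {"code": code, "name": KRB_ERRORS.get(code, "UNKNOWN"), "message": field("error Message"),
            "realm": field("realm"), "sname": field("sname"), "kdc_etypes": etypes}

def client_enctypes(krb5_conf: str, key: str = "default_tkt_enctypes") -> list:
    """Enctype names configured in [libdefaults] for the given key (empty if absent)."""
    m = re.search(rf"^\s*{key}\s*=\s*(.+)$", krb5_conf, re.M)
    return m.group(1).split() if m else []

def diagnose(dump: str, krb5_conf: str) -> dict:
    """Combine both views and name the next check the replies in this thread point at."""
    err = parse_krb_error(dump)
    err["kdc_etype_names"] = [ETYPES.get(e, f"etype-{e}") for e in err["kdc_etypes"]]
    err["etype_overlap"] = sorted(set(client_enctypes(krb5_conf)) & set(err["kdc_etype_names"]))
    err["next_check"] = "look up the error name above"
    if err["code"] == 6:
        err["next_check"] = "principal name and realm on the account (post 11)"
    elif err["code"] == 24 and not err["etype_overlap"]:
        err["next_check"] = "krb5.conf enctypes exclude every enctype the KDC offers"
    elif err["code"] == 24:
        err["next_check"] = "enctype agreed; check keytab and AD account enctype/pre-auth settings (posts 13, 14)"
    return err
```

For the dump in post 12 the KDC offers only etype 23 (rc4-hmac), which the krb5.conf in post 14 also lists, so the enctypes agree and the remaining suspects are the keytab and the AD account settings the replies name.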