OBIEE 11G with Single Sign-On and Active Directory
Hi guys,
Release Version: Oracle Business Intelligence 11.1.1.5.0
Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
Our krb5login.conf:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="[email protected]"
keyTab=cgdkobi2.keytab
useKeyTab=true
storeKey=true
debug=true
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="[email protected]"
keyTab=cgdkobi2.keytab
useKeyTab=true
storeKey=true
debug=true
We generate the keytab file:
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
Password for [email protected]:XXXXXXX
Done!
Service key for [email protected] is saved in cgdkobi2.keytab
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
Key tab: cgdkobi2.keytab, 1 entry found.
[1] Service principal: [email protected]
KVNO: 1
Time stamp: Mar 15, 2013 10:34
C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
Current LogonId is 0:0x406163f5
Cached Tickets: (0)
We restart the services and log on to the analytics web, and SSO doesn't work, but there is no error. It runs successfully with an Active Directory user and password. It seems like SSO wasn't enabled, but I checked and it is enabled.
Any suggestion?
Thanks in advance
Follow the posts "OBI 11.1.1.6.SSO" and "You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO and do the troubleshooting mentioned there.
Also check your logs for error like the one below:
[2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
If you are getting this when you log in to OBIEE: "You are not currently signed in to Oracle BI Server"
then you need to apply this patch: 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
Let us know the updates. Hope this helps. Mark if it does!
Thanks,
SVS
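The log check suggested in the reply above, as an added example (not code from either poster or from Oracle): it groups OBIPS log lines into records and extracts the nQSError chain from each "Authentication Failure" record. The sample log is constructed from the excerpt above with placeholder ecid values and an invented first record; the only hint attached is the one this thread gives for 13039.

```python
import re

# ODL-style header: [timestamp] [component] [level] [msg-id] [module] rest-of-line
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\dT[^\]]+)\] \[(?P<component>[^\]]*)\] "
    r"\[(?P<level>[^\]]*)\] \[(?P<msgid>[^\]]*)\] \[(?P<module>[^\]]*)\] (?P<rest>.*)$"
)
NQS_ERROR = re.compile(r"\[nQSError: (\d+)\]")
TID = re.compile(r"\[tid: (\d+)\]")

# Only what the thread itself says about a code; other codes are reported bare.
HINTS = {
    13039: "impersonator does not exist in the BI Security Service; "
           "the reply above names patch 13553428 for 11.1.1.6.0",
}

# Constructed sample shaped like the excerpt in the reply; ecid values are placeholders.
SAMPLE_LOG = """\
[2012-03-09T16:42:30.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.httpserver.request] [ecid: PLACEHOLDER-1,0:1] [tid: 5930] Request received.
[2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: PLACEHOLDER-2,0:1:1] [tid: 5932] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
"""


def split_records(text):
    """Group continuation lines under the header line that precedes them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": [m.group("rest")]})
        elif records:
            records[-1]["body"].append(line)
    return records


def auth_failures(text):
    """Return one dict per 'Authentication Failure' record with its nQSError chain."""
    findings = []
    for rec in split_records(text):
        body = "\n".join(rec["body"])
        if "Authentication Failure" not in body:
            continue
        codes = [int(c) for c in NQS_ERROR.findall(body)]
        tid = TID.search(body)
        last = codes[-1] if codes else None
        findings.append({
            "time": rec["ts"],
            "module": rec["module"],
            "tid": tid.group(1) if tid else None,
            "codes": codes,
            "last_code": last,  # last error in the chain, the most specific message
            "hint": HINTS.get(last, ""),
        })
    return findings


if __name__ == "__main__":
    for f in auth_failures(SAMPLE_LOG):
        print(f["time"], f["module"], f["codes"], f["hint"])
```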
Similar Messages
-
Weblogic Single Sign On on Active Directory doesn't work
Hello!
Please help me to work out what my mistake is.
I configured Weblogic for SSO on Active Directory using the article described on support.oracle.com.
My krb5.ini file is
[libdefaults]
default_realm = DOMAIN.RU
default_tkt_enctypes=des-cbc-crc
default_tgs_enctypes=des-cbc-crc
udp_preference_limit = 1
[realms]
DOMAIN.RU= {
kdc=192.168.1.1
admin_server = DC.DOMAIN.RU
default_domain = DOMAIN.RU
[domain_realm]
.DOMAIN.RU= DOMAIN.RU
DOMAIN.RU= DOMAIN.RU
When I try to launch check by running kinit command I get following error
C:\Users\testuser>kinit -k -t "C:\Oracle\Middleware\user_projects\domains\base_d
main\test.keytab" HTTP/[email protected] -J-Dsun.security.krb5
debug=true
KinitOptions cache name is C:\Users\testuser\krb5cc_testuserPrincipal is HTTP/[email protected]
Kinit using keytab
Kinit keytab file name: C:\Oracle\Middleware\user_projects\domains\base_domin\test.keytab
KeyTabInputStream, readName(): DOMAIN.RU
KeyTabInputStream, readName(): HTTP
KeyTabInputStream, readName(): test01.domain.ru
KeyTab: load() entry length: 66; type: 1Added key: 1version: 5
Ordering keys wrt default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
default etypes for default_tkt_enctypes: 1.
0: EncryptionKey: keyType=1 kvno=5 keyValue (hex dump)=
0000: 79 02 0D 8A 19 29 67 E0
Kinit realm name is DOMAIN.RU
Creating KrbAsReq
KrbKdcReq local addresses for test01 are:test01/192.168.1.2
IPv4 address
test01/ga80:0:0:0:te2e:3de1:crew:a409%11
IPv6 address
default etypes for default_tkt_enctypes: 1.
KrbAsReq calling createMessage
KrbAsReq in createMessage
Kinit: sending as_req to realm DOMAIN.RUException: krb_error 0 Cannot get kdc for realm DOMAIN.RU No error
KrbException: Cannot get kdc for realm DOMAIN.RU
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:168)
at sun.security.krb5.KrbKdcReq.send(KrbKdcReq.java:147)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:298)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
Thank you!
Hi,
Refer this..
http://help.sap.com/saphelp_crm52sp01/helpdata/EN/89/6eb8deaf2f11d5993700508b6b8b11/frameset.htm
Regards
Nandha -
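An added example, not part of either post: a small linter for the krb5.ini conditions visible in this thread, namely a realm block with no closing brace (as the file appears above), a default realm without a kdc entry, and enctype lists that permit only single DES. The parser is a simplified stand-in and not the JDK's own; the sample is constructed to mirror the posted file.

```python
import re

# Single-DES enctypes, deprecated for Kerberos by RFC 6649.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed sample mirroring the krb5.ini as it appears in the post above.
POSTED = """\
[libdefaults]
default_realm = DOMAIN.RU
default_tkt_enctypes=des-cbc-crc
default_tgs_enctypes=des-cbc-crc
udp_preference_limit = 1
[realms]
DOMAIN.RU= {
kdc=192.168.1.1
admin_server = DC.DOMAIN.RU
default_domain = DOMAIN.RU
[domain_realm]
.DOMAIN.RU= DOMAIN.RU
DOMAIN.RU= DOMAIN.RU
"""

def parse_krb5_ini(text):
    """Simplified reader: plain keys map to strings, a 'NAME = {' block to {key: [values]}."""
    sections, problems = {}, []
    section = block = block_name = None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if block is not None:
                problems.append(f"line {n}: block '{block_name}' is missing its closing '}}'")
                block = None
            section = sections.setdefault(header.group(1), {})
        elif line == "}":
            if block is None:
                problems.append(f"line {n}: '}}' without an open block")
            block = None
        elif "=" not in line or section is None:
            problems.append(f"line {n}: cannot parse {line!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block, block_name = section.setdefault(key, {}), key
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    if block is not None:
        problems.append(f"end of file: block '{block_name}' is missing its closing '}}'")
    return sections, problems

def lint_krb5_ini(text):
    # Structural problems first, then the checks tied to this thread.
    sections, problems = parse_krb5_ini(text)
    lib = sections.get("libdefaults", {})
    realm = lib.get("default_realm")
    realm_cfg = sections.get("realms", {}).get(realm)
    if realm is None:
        problems.append("libdefaults: default_realm is not set")
    elif not isinstance(realm_cfg, dict) or not realm_cfg.get("kdc"):
        problems.append(f"realms: no kdc entry for default realm {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        etypes = lib.get(key, "").replace(",", " ").split()
        if etypes and set(etypes) <= WEAK_ETYPES:
            problems.append(f"libdefaults: {key} permits only single DES ({' '.join(etypes)})")
    return problems
```

Calling `lint_krb5_ini(POSTED)` returns the list of findings as strings; an empty list means none of these three conditions was found.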
Active Directory, single sign-on and SRM Users
We are in the process of installing SRM 7.0. using the Classic Scenario. I am seeking clarification around the creation of users in that system given the following:
- My Basis colleagues are in the process of implementing single sign-on using Active Directory for our SAP Portal, SAP Business Warehouse and SRM systems.
- Single sign-on will not at this point be used for our SAP ECC 6.0 system
My questions are:
1. If active directory is being used do we need to create actual users within the SRM system?
2. If actual users in the SRM system are not required, does this have any impact on the creation of the Organizational structure in SRM from the SAP ECC HR hierarchy?
Many Thanks
Hi Claire,
Single Sign-On works only if the user exists on every system.
For example:
If you connect through the portal to access ECC and SRM, your user ID must exist in ECC and SRM.
For Active Directory you can synchronize your user table to AD by using LDAP option.
The best way is to configure a CUA for ECC and SRM, use the UME of Portal on ECC and synchronize the CUA to Active Directory.
Finally use the SSO certificate between Portal ECC and SRM.
Regards,
Gilles SEBBAG
Sap Technical Consultant. -
Using multiple wireless networks with Single sign on?
The university that I currently work for has switched from one wireless SSID to 2 separate SSIDs that separate the student users from the faculty/staff users. At this time only the Faculty Staff can log into STAFF and students can only log into STUDENT...
I have a few laptop carts that were setup for student use and have single sign on configured for the STUDENT wireless connection. The laptops are on the university's domain so that students have access to the home drives.
We run into problems when Faculty try to use a laptop to teach a class. They are unable to log in because their credentials are not authorized for the STUDENT wireless network.
So... Is it possible to set up 2 wireless profiles (STUDENT and STAFF) with single sign on and give the user an option to choose from?
Hi,
Based on your description, I would like to suggest you use Group Policy to configure Wireless Network Settings:
Using Group Policy to Configure Wireless Network Settings
http://technet.microsoft.com/en-us/magazine/gg266419.aspx
Please follow the information from the link above to check the issue.
If it doesn’t work, I recommend you initiate a new thread in our Windows Server Forum for further assistance.
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/home?category=windowsserver
Hope it helps.
Regards,
Blair Deng
-
Changing of the standard port 1521 and afterward problems with Single Sign
System / Host Environment
Operating System: HP-UX 11i, Existing Oracle RDBMS Vers. 9.2 x, Listener on standard port 1521
9iAS System Architecture: 9iAS Infrastructure and Middle tier (AS Instance) on the same machine
Problem Environment:
-Before and during the installation of 9iAS infrastructure the Listener of the existing Oracle RDBMS was stopped
-The installation of 9iAS Infrastructure (db: IASDB) Version 9.0.2.0 works well
-Afterwards the port 1521 of IASDB changed to 1525. For a detailed description of the IASDB port change please refer to Doc. ID: 211 929.1 AFTER CHANGE 'IASDB' LISTENER PORT
-The installation of Patch Set 2 (Common Patch 2703110) follows (9iAS is now up to Release 9.0.2.2).
-The Installation of 9iAS Middle tier (AS Instance) Version 9.0.3 follows
Problem description:
-During the installation of 9iAS Middle tier problems with Single Sign On occur.
The reason for these problems seems to be a communication problem between the Single Sign On login sequence and the IASDB. After a reset of the port change (back to the standard port 1521) the installation of 9iAS Middle tier works well.
Through this incorrect and problematic behaviour we have some notes and questions:
-Well, at first the description of the port change in Doc. ID: 211 929.1 seems incomplete to us. Some configuration still carries the standard port 1521 and not the new value of the port, 1525.
-So we want to know all configuration files and parts where we have to change the port value manually?
-What will happen to the Single Sign On function with this manual port change? Will Single Sign On work correctly later on, or do we have to change much more?
Currently, changing the listener port is not supported. It must stay on 1521. I believe this is to be fixed in a later release (perhaps 9.0.4)
-
Sum Aggregation Error in Physical & BMM Layer in OBIEE 11g with Essbase 11
Hi everyone,
I'm using OBIEE 11g with Essbase 11 as the data source. I'm using Sample Basic database from the Essbase as my data source. If I'm using the hierarchy for the measures (so I don't flatten the measures), and when I changed the aggregation in both physical and BMM layer from Aggregate_External to Sum, I can't create a report at all from the Answers.
Does anyone encounter the same thing? Any ideas/solution about this? Please help.
Thanks a lot!
Hi Deepak,
When I picked the "Basic - measure" alone, I got this error.
Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 43119] Query Failed: [nQSError: 96002] Essbase Error: Unknown Member Basic - measure used in query (HY000)
SQL Issued: SELECT 0 s_0, "Sample Basic"."Basic"."Basic - measure" s_1 FROM "Sample Basic".
When I picked the "Gen1,Measures" alone from the measure dimension, I got this error:
Error Codes: OPR4ONWY:U9IM8TAC:OI2DL65P
State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred. [nQSError: 43113] Message returned from OBIS. [nQSError: 43119] Query Failed: [nQSError: 46008] Internal error: File server\Query\Optimizer\ServiceInterfaceMgr\SIMDB\Src\SQOIMDXGeneratorGeneric.cpp, line 2610. (HY000)
SQL Issued: SELECT 0 s_0, "Sample Basic"."Measures"."Gen1,Measures" s_1, SORTKEY("Sample Basic"."Measures"."Gen1,Measures") s_2 FROM "Sample Basic"
But when I queried the dimensions one by one (only single dimension each), no error was shown.
This only happens if I use Sum in the physical and BMM layer. If I use External_Aggregation, these errors do not happen. And if I flatten the measures, these errors also do not happen. -
Configuring JCo3 Connection Pool with single sign on on non SAP Java server
Hi Everyone,
i have configured a connection pool on JBoss as per JCo3 Documentation and is working great.
Now I need help to configure this connection pool with single sign on so that RFc on SAP ECC systems are executed using end users credential rather than using single user name password used to configure JCo connection pool.
On SAP Java stack I am sure its possible within Java WebDynpro and i assume using JCA resource adapter. But what if we don't want to use SAP Java App server.
Any help will be appreciated.
Thanks,
Divyakumar Jain
Eason, hello!
I have exactly the same problem. Did you find a solution to this problem? If so, please let me know! -
Starting single sign-on and directory service
i am trying to install oracle 9i infrastructure on my clean win2000 box with 2.4 GHz proc and 1GB RAM.
i am getting failure messages for the following:
infrastructure instance configuration assistant: failed
oracle 9i application server randomize password: failed
single sign on configuration assistant: failed
infrastructure mod-osso configuration assistant: failed
OPMN configuration assistant: failed
log file says:
Configuration failed for IAS
IAS Instance creation failed
Configuration failed for JAZN
JAZN configuration failed: unable to establish a directory context.
Configuration succeeded for IASProperty
Configuration failed for IAS
Configuration failed for JAZN
after which single sign-on and directory service don't start. which means no connectivity :(
can somebody please guide me about how to avoid this failure in installation or how to manually start these after installation.
it would be a great help
ashish
Hi,
we're having exactly the same problem.
Could you tell me what the problem is with the network ?
You say configure it properly but what do you mean ?
It's installed on a Windows 2000 Server machine, it's own DNS.
Thanks,
Yuri Arts -
Oracle Single Sign on and Oracle Internet Directory
Hello Gurus,
What is the relationship between Oracle Single Sign on and Oracle Internet Directory.
To my understanding, OID is required to install SSO.
If OID already exist, can we just install SSO and go on integrating it to existing OID.
Great Thanks,
vimal jain.
[email protected]
Hi Tim,
I've been working on this and could reproduce the issue with anonymous binds. A fix will be ready in 4.2.1.
So what I really need is the password used for login to pass to the is_member call.
The P101_PASSWORD item does not save state. However, you can access the value during submit processing of the login page, for example in the post authentication function of your authentication scheme. People sometimes put code in there to query the user's groups (e.g. with apex_ldap.member_of2) and save them in an application. This item value can then be used in the authorization schemes.
Regards,
Christian -
Single Sign-on and PORTAL30 DAD
What I've done:
1) Setup up PORTAL30 DAD with Single Sign-on
2) Created schema called JOHN with "hello world" procedure call TEST
3) Grant execute on TEST to PORTAL30
4) Goto http://<servername>/pls/portal30/john.test
5) Receive "Procedure Doesn't Exist" error
6) Change DAD from single sign-on to Basic authentication
7) Repeat Step 4 with no problems
-
Single sign on and TimeMachine?
I finally sorted out a typo with my AFP server that was interferring with single sign on for clients, only to find that it appears TimeMachine still requires a username and password to do network backups. Is this true, or am I missing something? I was hoping single sign on would solve my user password issues around expiry time, but now I'm starting to fear that's not the case.
May have to look for an easier to manage agent based solution of some sort. Any suggestions (that aren't Retrospect)?
bump?
-
Single Sign-On and Data Visibility Rights
Hello,
I was wondering whether anyone has any best practices for implementing single sign on and user identification with Xcelsius.
More specifically, I need to interrogate user role, and limit certain data visibility based on that role.
For example, a sales rep may only see certain data for their own territories, but the regional and national managers can see more.
With the emphasis in improving enterprise integration with the new version coming up, I'm also wondering if there are any improvements included for this aspect.
Thanks in advance.
Derick
Hi Derick,
I want to split our discussion into 2 parts:
1) Sign on
2) Viewing data based on the hierarchy
1) Before discussing the sign on, I want to know which connectivity you are using: Live Office or QaaWS?
2) We can make the second point possible in two ways. One is by providing restrictions at universe level
and the other one is through the use of flash variables.
Using flash variables:
The main idea of using flash variables is reading the User ID from BO authentication, and based on that we fetch the hierarchy level of that user. Then we use some Excel logic to hide the data from the low-level hierarchy (here we use Dynamic Visibility for components).
I hope this is what you are looking for....
If so, I have more points on how to achieve such a scenario.
Please provide your BO environment details, so that it will be easy to identify the best way to achieve it.
Regards,
AnjaniKumar C.A. -
Single Sign-On and session information
I have an Oracle Portal application with many Java Web Applications. I wish to
provide Single Sign-On to this applications. I know how to configure Single
Sign-On and how to get the user login in Java. I want to store session
information such as: User First and Last Name, User Social Security Number. I
want to get this information from the database after authentication, store it
in session and then access this information from all my applications.
Are you familiar with the sys_context function?
Hope this is useful help.
BR,
Marcos -
OBIEE 11G with MySql Issue Hierarchy is not working..
Hi,
I am using OBIEE 11G with a MySQL DB. I have successfully created the RPD. I created the hierarchy in the RPD. This is the scenario I have created.
I have only one date column, created_at. By using this column I created 3 more logical columns, which are Year, Month Name and Week, and created the hierarchy by taking these columns only.
When I am viewing the result by taking the hierarchy, it throws the syntax error "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version".
But when selecting the year column it successfully navigates to the month-level data, but when selecting the hierarchy directly it is unable to navigate from year to month.
Please provide me the solution for this as soon as possible; I have an urgent requirement on this.
Thanks,
Yogi.
Hi,
Thanks for your post..
My requirement is that we no need to create new columns we need to necessary columns in BMM layer only and we need to use them in Hierarchy.
Thanks,
Yogi. -
The option 'Display Credit Balance with negative sign" was not activated.
I've encountered a huge problem after loading the opening balance.
I forgot to tick the option 'Display Credit Balance with negative sign'.
It makes my client's Chart of Account uncommon, such as a credit balance in Cash Account, AR .....
However, I've search the sap note to solve it as follow:
Description of the bug::
When creating the company in the system the option 'Display Credit Balance with negative sign' was not activated.
Once transactions were created in the system the functionality can not be changed.
Limits of the query:
After running the update query, please restart SBO first and then run the restore 'GL account and bp balances';
otherwise, the cached value of SBO will not be updated and restore function may not take effect.
1. Meaning of restart SBO => restart SBO Service Manager right?
2. Please help me please to find "The restore G/L account and bp balances" form. Where is it?;
Thank you
Hi,
I would think that you are following the PEQ instructions for note 970813, correct?
If this is the case and you are using 2007 then you will find the restore in the top menu; Help -> Support Desk -> Restore. You will find the functions here. Please note that this should only be used on direct instruction from support or a note like in this case. A backup should also be taken before running restore.
Regards,
Jesper