External authentication using MSAD

How do you set up the user configuration?

What do you mean by server portion, the MSAD or the Shared Services?
You have to configure the MSAD for use with Shared Services; after that you can give the users from the MSAD rights for the applications registered in Shared Services. You can do this via the web interface:
http://Shared-Services-Server:58080/interop/framework/editCSSProvider
Here you can set the User-URL and Group-URL, which are the OUs from the MSAD.
If you've already done that, can you see the users from MSAD in your Shared Services?

Similar Messages

  • Shared Services External Authentication using LDAP in 9.3.1

    Hi,
    I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
    Questions:
    1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
    2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
    If not possible, can we manage the Groups of the User directory using shared services? How do the groups work with external authentication?
    Any feedback would be much appreciated.
    Thanks,
    Lian

    Hi,
    Yes you can use both Native and external authentication. When you add the external provider the native is left by default anyway.
    Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
    Gee

  • External authentication using Headervariable

    Hi SAP Experts
    We have configured External authentication for WEM using Headervariable. We are using BI Java 7.0
    External authentication is working fine using Headervariable Login module for URL http://<WEb Server hostname>/irj which redirect to http://<J2EE hostname>:<port #>/irj
    As you all know that we also use http://<J2EE hostname>:<port #> for Administration point of view where many options available like user management, SLD, Webdynpro, NetWeaver Administration etc. We have not configured this URL for External Authentication and also do not want to configure but when trying to access any administration option on this, portal prompts default logon page and after entering Portal UserID/Password we get message like "No Loginmodules configured for Header"
    I do not know why system display this message
    Please help me if anyone has experience to resolve this issue, as we want to use URL http://<J2EE hostname>:<port #>, which should prompts Portal Logon screen and after entering Portal userid/password we should access the administration screen without affecting our External Authentication configuration for URL http://<WEb Server host>/irj
    Thanks in Advance
    Thanks with Regards
    Deelip Kumar

    Hi Deelip,
    my earlier post referred to an additional authscheme that you may have created. If you have done so, please remove it. If you have checked this, there still is a predelivered authscheme called header, which references a login stack called header. This login stack template does not exist as a default.
    In this case, you may have assigned this authscheme (header) to some component, like an iview. How this works is explained in the docs here (http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/f91fba71ae48309e4267b4a36fa47b/frameset.htm) and here (http://help.sap.com/saphelp_erp2005vp/helpdata/en/54/a334ed5bbfd5488b8cdd67b2c594a9/frameset.htm) for example.
    If you have done so, this reference to the authscheme header may trigger the lookup of the login stack template called header, which does not exist and thus leads to the error.
    For detailed error analysis, I would recommend to search the security log and the portal logs for indications where the source of this error might be.
    Regards,
    Patrick

  • PHP external authentication

    Hi:
    Has anyone successfully implemented a php based external
    authentication using cocomo in an AIR application? I am having a
    hard time following the documentation provided with the cocomo SDK.
    This is what I have in place:
    An AIR application which lets users inside using a login and
    password which they registered for. The login/registration system
    is a PHP5/MySQL5 backend. I saw the examples section for External
    Authentication and couldn't what the hills was going on there.
    I know this may sound very "noob" but can anyone walk me
    through or provide a step-by-step tutorial. I am working on an
    awesome AIR application and will soon release it for free once I
    get this social media part integrated into it. Please help me out
    guys.
    Thank you very much in advance.
    Praneet

    Hi Nigel:
    Thank you very much for replying to my post. Ok, so this is
    what I understood from your post and what I am going to do:
    1.) send the username to the PHP script using HTTPService
    2.) my PHP script will contain the code attached to this post
    3.) in my MXML file this is what I have
    quote:
    <mx:Script>
    <![CDATA[
    private function init():void {
        //roomURL = Application.application.parameters["roomURL"];
        //authToken = Application.application.parameters["authToken"];
        //cSession.login();
        cocomoService.send();
    }
    private function cocomoResult():void {
        Alert.show(cocomoService.lastResult.authkey.toString());
        authToken = cocomoService.lastResult.authkey.toString();
        auth.authenticationKey = authToken;
        cSession.login();
    }
    ]]>
    </mx:Script>
    <mx:HTTPService id="cocomoService" url="http://localhost/mycocomo.php"
        result="cocomoResult()" method="POST">
        <mx:request xmlns="">
            <user>some user in my database</user>
            <role>100</role>
        </mx:request>
    </mx:HTTPService>
    <rtc:AdobeHSAuthenticator id="auth"/>
    <session:ConnectSessionContainer
        roomURL="http://connectnow.acrobat.com/myapp/myroom"
        id="cSession"
        authenticator="{auth}"
        autoLogin="false">
    4.) and nothing happens. Although the Alert popup shows me
    the reply I got back from my localhost which does seem like an
    authToken to me...I can paste the authtoken here if it is ok to..
    Thanks in advance.
    Praneet

  • External authentication validation failed

    Today I ran the validate.sh to make sure everything is correct.
    FAILED
    EXT: External Authentication
    Check MSAD external authentication provider configuration
    88 seconds
    Error: EPMCSS-00735: Failed to get users from user directory MSAD. Error executing query. Interrupted during LDAP operation. Verify MSAD user directory status and configuration.
    Recommended Action: Check that the external provider is accessible and configured correctly in Shared Services
    I got the above error message in the validation report. Everything else is green. But for the external authentication I am able to log in, search user, search group, provision the new user, add new user. What is the error in my configuration? What could be the possible reason for the error?
    System Detail: OS: LINUX, ORACLE EPM 11.1.2.1, MSAD Directory

    If you can view the external users in Shared Services and the functionality is working then I would not be too concerned about the validation message.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • External Authentication in EAS using MSAD

    We use MSAD for our external authentication and it works fine if the user logon names are set up a certain way in MSAD. However, some of them are set up differently and Essbase won't allow us to use external authentication for them. Is there a setting somewhere in Essbase that can be changed to allow more than one user logon name format coming from MSAD?

    Hi Krista,
    Unfortunately you cannot specify two formats to authenticate. If I understand correctly you want to identify a user in MSAD by more than one field; as far as I know, with Essbase external authentication the xml file cannot use more than one field.
    Your most probable solution to this would be to add the field you are using in your xml file to all users using Essbase in MSAD.
    Please use the following link if you need further information.
    http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm
    Here is the sample active directory format.
    <msad name="msadServer">
    <trusted>false</trusted>
    <url>ldap://host:portNo/DIT</url>
    <userDN>cn=UserName</userDN>
    <password>UserPassword</password>
    <user>
    <url>ou=people</url>
    </user>
    <group>
    <url>ou=Groups</url>
    </group>
    </msad>

  • Use of groups on External Authentication.

    Hi All, I'm trying to use Active Directory groups instead of users in order to authenticate users on ODI 11.1.1.6.
    Unfortunately ODI seems to be prepared to use MS AD users, but groups.
    Does anybody configure LDAP to authenticate users and got it working with groups?
    Thanks and regards!

    ODI 11g supports external authentication for users only.

  • WebVPN using External Authentication

    I have a VPN concentrator 3005 that is configured for WebVPN which works great if I login with a local user.
    I would like to authenticate my users through our LDAP. I created a SSLusers group that is setup for external authentication. The SSLusers group works fine when I use the Cisco VPN client to connect (I enter the group name/password in the text boxes, when it connects it asks for the username/password).
    In the logs it shows that it is checking for the user in the Internal server, I want to point it to my ACS box. I feel like there is a check box somewhere that I am missing that tells the concentrator 'if I can't find the user in my local database, check the external authentication server'.
    Any advice on how to get the external authentication working with the WebVPN would be most appreciated. Thanks in advance.

    Thanks Daniel for the suggestion. I tried to add the above, but still received the same error. Is there an additional checkbox that needs to be marked for the base group to search the radius server?
    Authentication rejected: Reason = User was not found
    handle = 686, server = Internal, user = bobeldde, domain =
    It appears to work ok if I login with 'bobeldde#ssl', where the ssl group is configured for Radius Authentication.

  • Essbase security Migration from native mode to external authentication

    Hi!!
    I want some guidance on setting up security, all the users are currently in Native user mode and Native groups.
    Now we want to migrate to external mode, current version of hyperion is 11.1.1.3, any steps to follow in
    this direction would be really helpful.
    What is the best way of migrating huge user base from native directory to setting up for external authentication,
    this is the first time move from native to external authentication, If anyone who has done this will be helpful.
    steps to setup , maxl based migration will be helpful or utility based.
    Thanks

    When you say native mode, do you mean that Essbase security is in native mode and you want to convert to Shared Services security mode, or do you mean you are using Shared Services security with native users and you want to use an external directory like MSAD?
    For your question ::
    Yes the first piece is correct, our security is in native mode.
    and we want to convert to shared services security mode,
    The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
    The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
    Your input will guide me in the direction.
    Thanks

  • Essbase analytic services 7.1.5 & external authentication

    Hi,
    first off, you have to excuse me for being a total newbie in the field of Essbase ;)
    We are currently trying to move our external authentication from Novell eDirectory via LDAP to Microsoft Active Directory. We use the LDAP authentication module with the following string in essbase.cfg "AuthenticationModule LDAP essldap.dll x".
    Reading the documentation for external authentication (x_auth.pdf) we came to the conclusion that we "needed" the Hub installed. Talking to Hyperion support told us that use of the Hub with our version was very unusual.
    Is it possible to configure the CSS authentication module to use a .xml file configured for our Microsoft AD and simply forget about the hub? If so, do the following lines look correct to you:
    essbase.cfg:
    "AuthenticationModule CSS file://localhost/D:/Program/ESSBASE/bin/css_config.xml"
    css_config.xml:
    <msad name="msad1">
    <trusted>false</trusted>
    <url>ldap://ADDC_server:389/ou=contoso, dc=COMPANY, DC=LOCAL</url>
    <userDN>cn=Administrator</userDN>
    <password>wordpass</password>
    <authType>simple</authType>
    <authProtocol>ssl</authProtocol>
    <identityAttribute>dn</identityAttribute>
    <user>
    <url>ou=Users</url>
    <loginAttribute>cn</loginAttribute>
    <fnAttribute>givenname</fnAttribute>
    <snAttribute>sn</snAttribute>
    <emailAttribute>mail</emailAttribute>
    <objectclass>
    <entry>person</entry>
    <entry>organizationalPerson</entry>
    <entry>user</entry>
    </objectclass>
    Trying to add or copy a user in the Essbase Administration Services enterprise view gives us the following error:
    "Error: 1051203 Single Sign On External Authentication is Disabled"
    That tells me that we need to configure SSO in the css_config.xml file, but i have not found any examples for Analyzer but only for OBIEE.
    Is there anybody at this forum that have achieved what we are striving for?
    Best Regards,
    Johannes

    Hi,
    Something must be wrong in your css.xml, I am not sure if you can get any further logging...
    here is an example of a css.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <spi>
    <provider>
    <msad name="msad1"> <trusted>false</trusted>
    <url>ldap://ldapserver:389/dc=CompanyName,dc=com</url>
    <userDN>CN=#######,OU=Security Accounts,OU=IT,DC=CompanyName,DC=com</userDN>
    <password>########</password>
    <authType>simple</authType>
    <identityAttribute>dn</identityAttribute>
    <user>
    <loginAttribute>sAMAccountName</loginAttribute>
    <fnAttribute>givenname</fnAttribute>
    <snAttribute>sn</snAttribute>
    <emailAttribute>mail</emailAttribute>
    <objectclass>
    </objectclass>
    </user>
    <group>
    <url>cn=LostAndFound</url>
    </group>
    </msad>
    </provider>
    </spi>
    <searchOrder>
    <el>msad1</el>
    </searchOrder>
    <token>
    <timeout>60</timeout>
    </token>
    <logger>
    <priority>ERROR</priority>
    </logger>
    </css>
    If you are still struggling you could try an ldap browser to see if you can connect with the details you are trying.
    Cheers
    John
    http://john-goodwin.blogspot.com/
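
Both css.xml files in the thread above use `<authType>simple</authType>` with an `ldap://` URL on port 389 and keep the bind password in the file. The following is an added example, not part of either post and not Oracle or Hyperion code: a Python check that reads a file in that layout and reports those points. The element names come from the posts; the sample values, the finding codes and the `authProtocol` heuristic are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample using the element names from the posts above.
# Host, DNs and password are placeholders, not values from a real system.
SAMPLE_CSS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<css>
  <spi><provider>
    <msad name="msad1">
      <trusted>false</trusted>
      <url>ldap://dc.example.test:389/dc=example,dc=test</url>
      <userDN>cn=Administrator</userDN>
      <password>placeholder-secret</password>
      <authType>simple</authType>
      <authProtocol>ssl</authProtocol>
      <user><url>ou=Users</url><loginAttribute>cn</loginAttribute></user>
    </msad>
  </provider></spi>
  <searchOrder><el>msad1</el><el>msad2</el></searchOrder>
</css>
"""


def _text(node, tag):
    """Stripped text of a direct child element, or '' when absent."""
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else ""


def audit_css_config(xml_text):
    """Return sorted (provider, code, detail) findings for <msad> providers."""
    root = ET.fromstring(xml_text)
    findings, names = [], set()
    for msad in root.iter("msad"):
        name = msad.get("name", "<unnamed>")
        names.add(name)
        scheme = urlsplit(_text(msad, "url")).scheme.lower()
        bind_dn = _text(msad, "userDN")
        # A simple bind carries the DN and password as-is, so over plain
        # ldap:// they are readable on the wire.
        if scheme == "ldap" and _text(msad, "authType").lower() == "simple":
            findings.append((name, "CLEARTEXT_BIND", "simple bind over ldap://"))
        # Heuristic (assumption about intent): ssl is declared but the URL
        # does not use the ldaps scheme.
        if _text(msad, "authProtocol").lower() == "ssl" and scheme != "ldaps":
            findings.append((name, "PROTOCOL_MISMATCH",
                             "authProtocol=ssl with %s:// URL" % scheme))
        # The bind password sits in the file, so file permissions matter.
        if _text(msad, "password"):
            findings.append((name, "PASSWORD_IN_FILE",
                             "restrict read access to this file"))
        # Directory lookups do not need the built-in administrator account.
        first_rdn = bind_dn.split(",")[0].split("=", 1)[-1].strip().lower()
        if first_rdn == "administrator":
            findings.append((name, "PRIVILEGED_BIND_DN",
                             "use a dedicated read-only account"))
    # Every <searchOrder> entry should name a provider defined in the file.
    for el in root.findall("searchOrder/el"):
        ref = (el.text or "").strip()
        if ref not in names:
            findings.append((ref, "UNKNOWN_SEARCH_ORDER_ENTRY",
                             "no provider with this name"))
    return sorted(findings)


if __name__ == "__main__":
    for provider, code, detail in audit_css_config(SAMPLE_CSS_XML):
        print("%-6s %-27s %s" % (provider, code, detail))
```
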

  • Export shared service active users (provision for Hyperion)only using MSAD.

    Hi..
    I'm using Hyperion 9.x and using Active Directory in Shared Services.
    I'm using the importexport utility to export the active users list with provisioning.
    Issue is:
    Hyperion external authentication has all users of Active Directory but I need to export only active users which are provisioned for Hyperion projects.
    I don't need the complete users list.
    Also I'm unable to export the provisioning of users in the exported file.
    Please can you help me in getting the correct export statement for the above.
    Thank you very much

    Thanks John !!
    I am using the following statement for 9.3.0 but not getting provisioning section in exported file.
    Only users/Groups/Roles are there in exported file.
    Please help me to overcome the problem .
    importexport.css=file:/C:/Hyperion/SharedServices/9.3/AppServer/InstalledApps/WebLogic/8.1/css.xml
    importexport.cmshost=HSS machine name
    importexport.cmsport=58080
    importexport.username=User name **User name i m using is Active Directory user with administrative rights in Hyperion**
    importexport.password=password
    importexport.enable.console.traces=true
    importexport.trace.events.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/trace.log
    importexport.errors.log.file=C:/Hyperion/common/utilities/CSSImportExportUtility/importexport/errors.log
    importexport.locale=en
    # export operations
    export.fileformat=csv
    export.file=C:/export.csv
    export.internal.identities=true
    export.MSAD.user.passwords=true
    export.provisioning.all=true
    export.delegated.lists=false
    export.user.filter=*@MSAD
    export.group.filter=*@MSAD
    export.role.filter=@MSAD
    export.producttype=*
    export.provisioning.apps=*
    Thank you very much
    Vivek Jaiswal
    Edited by: user11966901 on May 25, 2010 8:16 PM
    Edited by: user11966901 on May 25, 2010 8:19 PM
    Edited by: user11966901 on May 25, 2010 8:20 PM

  • Essbase External Authentication

    Anybody know where I can find more information about Essbase External Authentication? Particularly about LDAP Authentication? I read about it from dbag.pdf, but there is little resource. And I can't correctly set our "cognos LDAP Authentication" as new Essbase application Authentication. I don't know whether it is because the AUTHENTICATIONMODULE parameter I wrote is wrong. Our cognos LDAP setting is:
    Default Directory Server:
    Host: 192.168.2.120:389
    BaseDN: o=Cognos,c=CA
    Default Namespace: Use directory server default
    Your local cache is disabled.
    In essbase.cfg file I write:
    AuthenticationModule LDAP essldap.dll x o=Cognos,c=CA,@192.168.2.120:389
    Is it right? Any help is appreciated.

    Hi,
    Remember, order of the user repositories does matter when you have same username in both of them.
    You need to set MSAD repository in the first order here, I understand.
    Then you need to copy provisions from native directory to MSAD.
    Regards,
    Ahmet

  • Error while Configuring AD external authentication plug in

    Hi
    While configuring Active directory external authentication plug I am getting following error
    OID Active Directory Plug-in Configuration
    Please make sure Database and OID are up and running.
    Please enter Active Directory host name: clmad101.ad.company.com
    Do you want to use SSL to connect to Active Directory? (y/n) n
    Please enter Active Directory port number [389]: 389
    Please enter DB connect string:SQLPLUS sys/manager1 @infradb.ad.company-.com @md61nthiims1.ad.company.com:1521
    Please enter ODS password:
    Please enter confirmed ODS password:
    Please enter OID host name: md61nthiims1.ad.company.com
    Please enter OID port number [389]: 389
    Please enter orcladmin password:
    Please enter confirmed orcladmin password:
    Please enter the subscriber common user search base [orclcommonusersearchbase]:
    CN=Users,dc=ad,dc=company,dc=com
    Please enter the Plug-in Request Group DN:
    Please enter the exception entry property [(!(objectclass=orcladuser))]: (|(!obj
    ectclass=orcladuser))(cn=orcladmin))
    Do you want to setup the backup Active Directory for failover? (y/n) n
    Installing Plug-in Packages ...
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Usage: SQLPLUS [ [<option>] [<logon>] [<start>] ]
    where <option> ::= -H | -V | [ [-C <v>] [-L] [-M <o>] [-R <n>] [-S] ]
    <logon> ::= <username>[<password>][@<connect_identifier>] | / | /NOLOG
    <start> ::= @<URL>|<filename>[.<ext>] [<parameter> ...]
    "-H" displays the SQL*Plus version banner and usage syntax
    "-V" displays the SQL*Plus version banner
    "-C" sets SQL*Plus compatibility version <v>
    "-L" attempts log on just once
    "-M <o>" uses HTML markup options <o>
    "-R <n>" uses restricted mode <n>
    "-S" uses silent mode
    Registering Plug-ins ...
    adding new entry cn=adwhencompare,cn=plugin,cn=subconfigsubentry
    adding new entry cn=adwhenbind,cn=plugin,cn=subconfigsubentry
    Done.
    Is there anything wrong in the DB connect string??
    Thanks

    Did you check the debug information from the external auth plugin?
    This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
    here an excerpt:
    D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
    ...enable the plug-in debugging. To do this, enter:
    > sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.pls
    To check the plug-in debugging log, enter:
    > sqlplus system/manager
    SQL> select * from ods.plg_debug_log order by id;
    (To delete the plug-in debugging log:
    > sqlplus system/manager
    SQL> truncate table ods.plg_debug_log
    To disable the plug-in debugging:
    > sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.pls
    E) Dump the plug-in profile to make sure it is enabled and configured correctly:
    > ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"
    please take also a look into the DIPTESTER tool available in
    http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
    regards
    --Olaf

  • External Authentication on Windows

    Guys, this is driving me crazy.
    I had an external user configured on my Oracle 9.2.0.5 database on a Windows 2003 Server.
    It was working, I use it to make dump backups.
    Now, without any change on any oracle param or bounce it just stopped working.
    I have two instances, for one it's working, for the other it's not.
    Both instances are on the same server (so I'm using the same sqlnet.ora file with NTS authentication).
    Today I removed and recreated the user on both instances, but I keep getting the same problem.
    create user "OPS$DOMAIN\ORABACKUP" identified externally
    default tablespace users
    temporary tablespace temp
    The parameters are the same on both instances:
    os_authent_prefix string OPS$
    os_roles boolean FALSE
    remote_login_passwordfile string EXCLUSIVE
    remote_os_authent boolean FALSE
    remote_os_roles boolean FALSE
    Do you have any ideas of why this could happen??
    Is there another parameter related to external authentication that I don't know?
    Thanks!

    Was there ever an answer on this, having problems with setup using same versions

  • PHP external authentication issue

    Trying to login to AFCS connection using external authentication.
    PHP file generates a key correctly and everything seems to fine up until i get to using the key inside flex.
    at the login stage i get the following error in the console trace from the library login call
    As far as i can tell everything is right... how can i tell what is wrong with the authentication key?
    AFCS Beta Build # : 1.1
    requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmF jcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY 2Qx&mode=xml&x=0.2519759591668844
    #THROWING ERROR# bad authentication key

    There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion ?) and you are using a full URL instead of the room name.
    If you want more details send me a private message, but you should check the way you call the get authentication token method.
