Hyperion Hub external authentication issue

Similar Messages

• Essbase 6.5 External Authentication Issue!! Urgent Please!!

  Hi all,
  I am great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
  I am in a situation where I need to get my Essbase 6.5 external Authentication converted from LDAP to Active Directory services.
  I suppose there has been necessary changes done to the .cfg file for the same. However, I think I am getting an error
  "User [vikc]'c external authentication protocol [MSEX]'s password check module is not loaded".
  Please let me know if you have come across such an issue earlier and can anybody to able to help me with the same.
  Its kinda Urgent. so any replies for the same will be appreciated.
  Thanks and Regards,
  Vikram

  Vikram,
  Yes you will have to reconfigure the CSS.xml and cfg file for external auth.
  Here is the Sample CSS
  <spi>
            <provider>
                 <msad name="full360">
                      <trusted>false</trusted>
                      <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
                      <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
                      <password>full@360</password>
                      <authType>simple</authType>
                      <identityAttribute>dn</identityAttribute>
                      <maxSize>1000</maxSize>
                      <user>
                           <loginAttribute>sAMAccountName</loginAttribute>
                           <nameAttribute>dn</nameAttribute>
                      </user>
                      <group>
                           <nameAttribute>cn</nameAttribute>
                           <objectclass>
                                <entry>group?member</entry>
                           </objectclass>
                      </group>
                 </msad>
  Download this toll "http://www.ldapbrowser.com/download.htm"
  LDAP browser to get the perfact DN information.
  Let me know the status
  Ravikant

• PHP external authentication issue

  Trying to login to AFCS connection using external authentication.
  PHP file generates a key correctly and everything seems to fine up until i get to using the key inside flex.
  at the login stage i get the following error in the console trace from the library login call
  As far as i can tell everything is right... how can i tell what is wrong with the authentication key?
  AFCS Beta Build # : 1.1
  requestInfo https://connectnow.acrobat.com/{roomname}?exx=eDp7dXRmOF9lbmNvZGUoZGFyaXVzKX06OmRtOmFnZW50ZG06aHR0cHM6Ly9jb25uZWN0bm93LmF jcm9iYXQuY29tL2hpaW50ZXJmYWNlL2RtOjEwMDo4N2NmNWUwMjIzZTVhMmFkYzI2MmY4MDVlNWJmMWVlM2Y4OTJlY 2Qx&mode=xml&x=0.2519759591668844
  #THROWING ERROR# bad authentication key

  There are a few mistakes in the key. There is some PHP 'code' in it (wrong string expansion ?) and you are using a full URL instead of the room name.
  If you want more details send me a private message, but you should check the way you call the get authentication token method.

• OID External Authentication issue

  Hi..
  I have configured synchronization profile to import users from TDS to OID using DIP but it does not work as change log is not enabled on TDS side.
  Now i have configured External Authentication Plugin and i craeted same users in in TDS and also in OID but external authenctication does not work.
  Can you please point out if i missing some point or is synchronization profile is must for External Authentication.
  Find the product version details -
  OID 11.1.1.6
  Tivoli Directory Server 6.1
  Regards
  Santosh
  Edited by: user601746 on Jan 8, 2013 1:02 AM

  Got the solution.
  I used bootstrap loading to create users from TDS to OID then configure external authentication..works fine... :)

• External Authentication issue

  Hi All
  In Shared services I have 'Configured User directories' with the SQl server database. I could connect and get all the users from SQl server . I can see that there are items under User Directories 1.Native Directory 2.SQl server . The serach order is also set. I have restared the Shared services. Now how can i make the use of SQl server users ? .
  From Console I have done the "Externalize users " for Essbase server. I have refreshed the security from shared services.
  Now I should be able to login in console using the SQl server users .. isnt it ? How can I do that ? How can i use the SQl server users to login into EAS and essbase server? . I also provisioned the SQl server user in Shared services and given the Administrator priveleges to Analytic server.
  Please help me.

  Hi,
  1. As you see the newly added "user directory", It must be added properly. But,to re confirm your configuration of SQL server user directory. Do test it ( there is an option to "test" it ,when you go to 'use directory' within shared services.
  2. After you have added, you have told that you have restarted shared services. But ,when you configure a new user directory, I would recommend you to restart shared services along with the other application related services ( like essbase, planning).
  3. Now, if you want to use the users of newly configured User directory, search the user from the directory and assign the roles/preveleges . Then try to login into systems( shared services , planning or essbase ...etc).
  Revert for further clarity.
  Sandeep Reddy Enti
  HCC
  http://hyperionconsultancy.com/

• Hyperion Hub Required for External Authentication?

  Need to use external authentication for three products, Essbase 7.1.2, Analyzer and Reports. Do you have to use Hyperion Hub?

  Also, can you use mixed mode, some users using Essbase Native and some using Active Directory or a combination of Active Directory and NTML?

• AD External Authentication Plug-In verification issue

  We are working on a Proof of Concept instance to integrate MS AD with OID for the first time for E-Biz 11i.
  1) I completed the bulk load of all the existing users from AD to OID successfully
  2) completed enabling the syncrhonization profile
  3) Ran the txkrun.pl successfully
  4) However i wanted to check the External authentication plug-in and i get the below issue.
  How to debug ldapcompare ? Where is the logfile for ldapcompare ?
  ldapcompare -h OID_Host -p 389 -D "cn=orcladmin" -w ******* -b "cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us" -a userPassword -v abcdefgh
  The value abcedefgh is not contained in the attribute userPassword in DN cn=lastname\, firstname,ou=consultants,ou=users,ou=usaeast,dc=adadmin,dc=lps,dc=netsrv,dc=us.
  An ldapbind on the same AD server is successful, but ldapcompare is failing.

  I get invalid credentials. Though the network password is correct. I feel its somewhere i messed up the 3rd party plug-in configuration. Is there a method to get debug information for ldapcompare command ?
  From metalink NOTE : 277382.1
  "When using the above command, ldapcompare binds to OID using the OID admin user (typically "cn=orclAdmin") and password. Then it provides the AD username and requests that the value supplied as AD-USER-PASSWORD be compared to whatever is stored in AD username's userPassword attribute. Because OID does not store a value in its own user entries/userPassword attributes for AD-synchronized entries, this ldapcompare call will cause OID to invoke the plug-in and verify the userPassword value in AD instead.
  If the plug-in works, the ldapcompare should return a message saying that the given password is contained in the userpassword attribute, e.g.
  "

• Issue with configuring Hyperion HUB 7.1.2 with SQLSERVER 2005

  Hello Experts,
  One of my customer has an issue with configuring Hyperion HUB 7.1.2 with SQLSERVER 2005.
  "We are trying to configure the SQL server 2005 database with Hyperion hub and we are unable to get the cofiguration completed. We suspect the driver class (hyperion.jdbc.sqlserver.SQLServerDriver) used in the domain.xml (path \Hyperion\HyperionHub\7.2.1\deployments\Tomcat\4.1.30\) is not helping to connect with sql server 2005. We would appreciate if you can provide new driver class which we can included while deploying the app under the web server."
  Please suggest. Thanks in advance
  Regards,
  Sonu

  Hi
  Please redeploy only the Web Server under shared service. It has to be redeployed once EPMA and others are configured.
  Thanks
  Rupak
  Mantra to Win | WinMantras.com | http://hyperion.winmantras.com

• User authentication issues when auth by external radius server

  We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
  ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
  When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
  The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
  No site added as it's an internal IP address....

  We tend to use FF in a corporate environment to manage our networking devices (firewalls/switches/routers etc). Came across a bizarre problem under the following conditions:
  ZyXEL Network Switch (GS2200-24) uses external authentication (RADIUS) to allow management and accounting of who makes changes.
  When logging into the switch with FF, we get repeated prompts for user authentication. Eventually the user is logged in (and no it's not a typo!). Looking through the dev console in the beta, it seems to get a 401 unauthorised back from the switch once it tries to load another html file.
  The browser *should* be presenting the same credentials to each called page within the site, it doesn't seem to :-(
  No site added as it's an internal IP address....

• External authentication for Essbase 7.1.6.

  Hi all,
  We are trying to set up external authentication for Essbase 7.1.6. We have a customized version of Essbase which does not use DLL. we do not have a Hyperion Hub or any CSS set up. All we have is an authentication module from the vendor to be used instead of the DLL. As per the documents provided to us all we have to do is change the cfg file to include the AUTHENTICATIONMODULE setting. Does anyone has any experience with this? What all parameters do we need to pass to Active Directory for this to work? Please help.
  Thanks.
  Vish.

  You could create a maxl script that replaces the filters, when you call the maxl script you could pass in a variable such as YR08 and use that variable in the script.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Essbase analytic services 7.1.5 & external authentication

  Hi,
  first off, you have to excuse me for being a total newbie in the field of Essbase ;)
  We are currently trying to move our external authetication from Novell eDirectory via LDAP to Microsoft Active Directory. We use the LDAP authentication module with the following string in essbase.cfg "AuthenticationModule LDAP essldap.dll x".
  Reading the documentation for external authentication (x_auth.pdf) we came to the conclusion that we "needed" the Hub installed. Talking to Hyperion support told us that use of the Hub with our version was very unusual.
  Is it possible to configure the CSS authentication module to use a .xml file configured for our Microsoft AD and simply forget about the hub? If so, does the following lines look correct to you:
  essbase.cfg:
  "AuthenticationModule CSS file://localhost/D:/Program/ESSBASE/bin/css_config.xml"
  css_config.xml:
  <msad name="msad1">
  <trusted>false</trusted>
  <url>ldap://ADDC_server:389/ou=contoso, dc=COMPANY, DC=LOCAL</url>
  <userDN>cn=Administrator</userDN>
  <password>wordpass</password>
  <authType>simple</authType>
  <authProtocol>ssl</authProtocol>
  <identityAttribute>dn</identityAttribute>
  <user>
  <url>ou=Users</url>
  <loginAttribute>cn</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  <entry>person</entry>
  <entry>organizationalPerson</entry>
  <entry>user</entry>
  </objectclass>
  Trying to add or copy a user in the Essbase Administration Services enterprise view gives us the following error:
  "Error: 1051203 Single Sign On External Authentication is Disabled"
  That tells me that we need to configure SSO in the css_config.xml file, but i have not found any examples for Analyzer but only for OBIEE.
  Is there anybody at this forum that have achieved what we are striving for?
  Best Regards,
  Johannes

  Hi,
  Something must wrong in your css.xml, I am not sure if you can get any further logging...
  here is an example of a css.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <css xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <spi>
  <provider>
  <msad name="msad1"> <trusted>false</trusted>
  <url>ldap://ldapserver:389/dc=CompanyName,dc=com</url>
  <userDN>CN=#######,OU=Security Accounts,OU=IT,DC=CompanyName,DC=com</userDN>
  <password>########</password>
  <authType>simple</authType>
  <identityAttribute>dn</identityAttribute>
  <user>
  <loginAttribute>sAMAccountName</loginAttribute>
  <fnAttribute>givenname</fnAttribute>
  <snAttribute>sn</snAttribute>
  <emailAttribute>mail</emailAttribute>
  <objectclass>
  </objectclass>
  </user>
  <group>
  <url>cn=LostAndFound</url>
  </group>
  </msad>
  </provider>
  </spi>
  <searchOrder>
  <el>msad1</el>
  </searchOrder>
  <token>
  <timeout>60</timeout>
  </token>
  <logger>
  <priority>ERROR</priority>
  </logger>
  </css>
  If you are still struggling you could try an ldap browser to see if you can connect with the details you are trying.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• External Authentication won't correctly set USER name or Role

  I am using JAVA under Google App Engine for my backend and attempting to log a user into a room using external authentication. I can connect and get into the room just fine my issue is with the user infomation once I am logged in. The user has a null username and ID (possibly generated) and thier role is set to zero (or at least not high enough to publish). If the room is set to auto-Promote then I do have the ability to publish (this is what I would expect) but still I needed the user to have a role of owner (so they can create nodes).
  Here is a little of the java on the back end (I removed my shared secret):
  public String getRoomToken(String roomID, String userName, String userID, int userRole)      {
             try {               
                           Session session = am.getSession(roomID);
               return session.getAuthenticationToken(..., "Bob", "TestID", 100);               
                           //return session.getAuthenticationToken(..., userName, userID, userRole);          
                        } catch (Exception e) {
                 // TODO Auto-generated catch block
                                 e.printStackTrace();
                      return null;
  getAuthenticationToken is hardely changed from what is in the AFCS.java in the examples folder but here it is in any case
  /**      * get an external authentication token      */
  public String getAuthenticationToken(String accountSecret, String name, String id, int role) throws Exception
       if (role < UserRole.NONE || role > UserRole.OWNER)
           throw new Error("invalid-role");
          String token = "x:" + name + "::" + this.account
           + ":" + id + ":" + this.room + ":"+ Integer.toString(role);
          String signed = token + ":" + sign(accountSecret, token);
          // unencoded      
                 //String ext = "ext=" + signed;       
                 // encoded
         String ext = "exx=" + Utils.base64(signed);
         return ext;
  This should work. My Shared secret is removed above but I doubt that is the problem as my app does authenticate just fine it just throws an exception telling me I don't have the required permissions to publish when I try to do anything. while observing from the DevConsole I see a user in the room but they are marked as null. Note that non-external authentication works just fine. If I hardcode my login creds in AdobeHSAuthenticator I can get in just fine with no issue. Also if the room I get an authenticationToken for does not match the roomURL I connect to with ConnectSessionContainer I will fail to login correctly like I would expect. So I know my credentials are getting to the AFCS and being decrypted correctly (as I can only authenticate for the room I send in that credential token) but for some reason it simply won't set my role and username/userid correctly.  Any help would be great, this has caused me a great deal of grief for days now...
  Thanks guys...
  Ves

  Well this is wierd I was trying to set this up so that I could get the log output on that run and I ended up changing
  <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{Application.application.parameters['token'] as String}"/>
  to
  <rtc:AdobeHSAuthenticator id="auth" authenticationKey="{token}"/>
  and adding a preinitialize function of:
  protected function preInit():void
              templateID = Application.application.parameters['room'];
               token = Application.application.parameters['token'];
  oddly enough it now works like a charm now. It is still disconcerting that I was able to actually enter the room even though my token was somehow corrupted (that probably isn't intened behavior). If this shows up agian I will try and track down the particulars and send you guys an email as an FYI. thanks for the help....
  Ves

• External Authentication in EAS using MSAD

  <p>We use MSAD for our external authentication and it works fine ifthe user logon names are set up a certain way in MSAD. However,some of them are set up differently and Essbase won't allow us touse external authentication for them. Is there a setting somewherein Essbase that can be changed to allow more than one user logonname format coming from MSAD?</p>

  <p>Hi Krista,</p><p> </p><p>Unfortunately u cannot specify two formats to authenticate. If iunderstand correclty you want to identify a user in MSAD by morethan one feild, as far as i know essbase external authenticationthe xml file cannot use more than one feild.</p><p> </p><p>your most probable solution to this would be to add the feildyou are using in your xml file to all users using essbase inMSAD.</p><p> </p><p>Please use the following link if you need furtherinformation.</p><p> </p><p>http://dev.hyperion.com/techdocs/essbase/essbase_712/Docs/techref/techref.htm#config/security/configure/config.htm</p><p> </p><p>here is the sample active directory format.</p><p> </p><p><msad name="<b><a href="ldapserver.htm">msadServer</a></b>"> <trusted><b><ahref="trust.htm">false</a></b></trusted> <url><b><ahref="provurl.htm">ldap://host<img src="i/expressions/face-icon-small-tongue.gif" border="0">ortNo/DIT</a></b></url><userDN><b>cn=UserName</b></userDN><password><b>UserPassword</b></password> <user><url><b>ou=people</b></url></user> <group> <url><b>ou=Groups</b></url> </group></msad></p>

• External Authentication

  Hi,
  We need to be able to support external authentication to Oracle 8i. The system we develop is based on a J2EE architecture framework and is being deployed on the BEA Weblogic 8 under SUN Solaris. Currently we are using Oracle Type 4 thin driver. The database is already configured to support OPS$ accounts but we are having problems implementing it in Java. Any suggestions or recommendations? Does somebody have experience implementing it?
  Thanks in advance,
  Mike

  <p>Did you tried copying the dll file to the places where neededand add the path to the dll file in your system environmentvariables.</p><p> </p><p>I had these issues and i copied the dll file whereever the errormessage was looking for it and it worked absolutely fine.</p><p> </p><p>Hope this helps !</p>

• External Authentication with Server 2008 R2

  Has anyone had success configuring External Authentication on Windows Server 2008 R2? We are using Hyperion Enterprise 6.5.1.
  Thank you.

  Was there ever an answer on this, having problems with setup using same versions