Integrating Kerberos authentication with OBIEE

Similar Messages

• Integrated Windows Authentication with a WebSphere Cliente

  Hi all,
  I need to write a web service client that connects to a .NET Web Service that is configured to use Integrated Windows Authentication (NTLM).
  I'm using the IBM WebSphere Runtime environment for the client and using the web service client wizard in the RSD 6.0.1.
  When I try to call a method in the .NET web service, I get the error shown below. If I configure the .NET web service to permit Anonymous Access, my client works fine.
  Does anybody know if the WebSphere web services engine supports Integrated Windows Authentication? If so, how can I configure my cliente to pass my credentials? Do people use this type of authentication if the web service will be called by non Windows clientes or is it better to use Basic Authentication with HTTPS or digital certificates?
  I've read that Apache Axis can be configured to use integrated windows authentication (http://people.etango.com/~markm/archives/2005/11/21/using_apache_axis_with_integrated_windows_security.html) by using a different HTTP transport class (CommonsHTTPSender).
  Thanks in advance!
  Craig
  [14/06/06 10:06:56:805 GMT-03:00] 00000031 enterprise I WSWS3243I: Info: Mapping Exception to WebServicesFault.
  [14/06/06 10:06:56:821 GMT-03:00] 00000031 enterprise I TRAS0014I: The following exception was logged WebServicesFault
  faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.generalException
  faultString: java.lang.StringIndexOutOfBoundsException
  faultActor: null
  faultDetail:
  java.lang.StringIndexOutOfBoundsException
       at com.ibm.ws.webservices.engine.WebServicesFault.makeFault(WebServicesFault.java:179)
       at com.ibm.ws.webservices.engine.transport.http.HTTPSender.invoke(HTTPSender.java:490)
       at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:218)
       at com.ibm.ws.webservices.engine.PivotHandlerWrapper.invoke(PivotHandlerWrapper.java:218)
       at com.ibm.ws.webservices.engine.WebServicesEngine.invoke(WebServicesEngine.java:274)
       at com.ibm.ws.webservices.engine.client.Connection.invokeEngine

  Here's a project ( [http://spnego.sourceforge.net/protected_soap_service.html|http://spnego.sourceforge.net/protected_soap_service.html] ) that shows how to write a soap client that can connect to a soap web service with integrated windows authentication turned on.

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• Integrating Google Earth with OBIEE

  Hi
  Does anyone know how to integrate google earth with OBIEE ? I know how google maps work, but i am not looking for that.
  Any help would be awesome !!!
  Thanks

  we can integrate with LDAP with the help of below link
  http://oraclebizint.wordpress.com/2007/10/10/oracle-bi-ee-101332-using-ldapoid-authentication/
  Regards
  Venkata

• Integration of weblogic with obiee:: please help

  I/O error while reading domain directory
  Posted: May 11, 2011 9:58 PM Edit Reply
  I have created a server under admin server. Actually i was trying to integrate weblogic server with obiee.. as i am very new to weblogic i cudn't find the reason for the error.
  I have created a server under admin server. Actually i was trying to integrate weblogic server with obiee.. as i am very new to weblogic i cudn't find the reason for the error.
  while i am starting the server which i created i am getting this error
  error details i will give below.. Thanks for any help and i will highly appreciate it.
  Description: Starting OBIEE server ...
  Status: FAILED
  Begin Time: 5/12/11 10:14:36 AM IST
  End Time: 5/12/11 10:14:37 AM IST
  Exception: I/O error while reading domain directory
  While starting node manager iam getting this error
  SEVERE: Fatal error in node manager server
  java.net.BindException: Address already in use: JVM_Bind
  at java.net.PlainSocketImpl.socketBind(Native Method)
  at java.net.PlainSocketImpl.bind(PlainSocketImpl.java:383)
  at java.net.ServerSocket.bind(ServerSocket.java:328)
  at javax.net.ssl.impl.SSLServerSocketImpl.bind(Unknown Source)
  at java.net.ServerSocket.<init>(ServerSocket.java:194)
  at java.net.ServerSocket.<init>(ServerSocket.java:150)
  at javax.net.ssl.SSLServerSocket.<init>(SSLServerSocket.java:84)
  at javax.net.ssl.impl.SSLServerSocketImpl.<init>(Unknown Source)
  at javax.net.ssl.impl.SSLServerSocketFactoryImpl.createServerSocket(Unkn
  own Source)
  at weblogic.nodemanager.server.SSLListener.init(SSLListener.java:76)
  at weblogic.nodemanager.server.NMServer.start(NMServer.java:206)
  at weblogic.nodemanager.server.NMServer.main(NMServer.java:377)
  Thank you.

  Hi Lavnya,
  Please can you have a look at the URL's
  /people/jayakrishnan.nair/blog/2005/03/10/integration-of-sap46c-with-bea-weblogic-server
  Provides different options to connect:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/adc7c390-0201-0010-ebb2-c8687bbb7bfc
  regards
  Vijaya

• Kerberos authentication with Apache Kerberos Module

  Hi,
  Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
  However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
  I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
  GET: http://www.myhost.com/protected_page.html
  HOST: www.myhost.com
  AUTHENTICATE: negotiate XXXXX
  However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
  Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
  Thanks for any help or advice,
  Neil.

  Here are your options:
  1) Configure Krb5LoginModule programmatically.
  If the environment variable KRB5CC_NAME points to the ticket cache location,
  (which is updated each time), you can configure the Krb5LoginModule
  programmatically and set the "ticketCache" option to the value obtained
  from KRB5CC_NAME.
  Refer to following docs for details:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
  2) Use native Kerberos from the platform
  Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
  NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
  you will not be able to use this option.
  For details refer to following docs:
  http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
  Seema

• Kerberos Authentication with Duet

  Hi Experts,
  I'm trying to configure Kerberos authentication on WAS 6.40.
  I've used the SPNego wizard and it completed successfully, however, when testing the authentication on the duet server by going to http://duet.server:port/osp/TicketIssuer, the page just hangs. There's no error, but nothing happens either.
  I then used the Diagnostics Tool provided by SAP and found the following strange thing:
  ====================================================
  7.com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ClientTest
  2008/03/27 15:05:49 class com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ClientTest
  This test is supposed to act as a browser that tries to access application* on
  the J2EE engine that requires SPNego/Kerberos authentication. It expects as an
  input username and password of a Windows user. With these credentials using
  the Kerberos configuration of the J2EE engine the test acquires Kerberos token
  for this user that is wrapped afterwards into SPNego token. This SPNego token
  is then used for the HTTP requests to the J2EE engine. Before starting the
  requests the severities of the following trace locations on the J2EE engine
  are set to ALL: "com.sap.security.core.server.jaas", "System.out" and
  "System.err". After the requests are executed all trace messages generated in
  this time span and with the above mentioned trace locations are collected and
  added to the output of the test.
  - The test currently supports only User Admin application and Portal.
  This test is applicable only for SUN JDK.
  Unable to resolve host: dmin
  Please, enter J2EE host name ( not IP and not localhost ): 
  Please, enter Windows user for <<domain>>: 
  Please, enter password for <<user>>: 
  Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  [Krb5LoginModule] user entered username: <<user>>
  ====================================================
  The green underlined line is the problem and is highlighted in yellow in the diagtool's output. 
  The J2EE hostname is not "dmin"
  Could someone tell me where this value is stored so I can fix it?
  <removed_by_moderator>
  Thanks.
  Edited by: Julius Bussche on Mar 28, 2008 9:01 AM

  Hi Marcel,
  You are correct. We managed to resolve the problem a few days ago.
  The problem was on the AD side where the duet user did not have the correct SPN.
  Thanks.
  Kind regards,
  Viven

• Integrated windows authentication with Oracle access manager 10g

  Hi SSo guys,
  Our project requirement is as follows:
  We have two applications Ebiz 11.5.10.2 and OBIEE10g and we are supposed to integrate IWA for both the applications
  so as per the below note OAM integration with IWA only works for the applications using IIS.
  So can we protect both the applications in OAM 10g and point those applications to two html pages say http://IIS hostname/ebiz and http://IIS hostname/OBIEE and protect those two resorces in OAM suing IIS webserver?
  As per the note :
  Doc ID 1072204.1 specify
  Excerpt from this doc:
  #-begin-
  OAM accomplishes IWA by using an OAM Webgate on the IIS Web Server that uses a hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization. Behind the scenes, the IIS WebGate utilizes the UseIISBuiltinAuthentication parameter, by default, this value is false. IWA can only be achieved when this attribute is set to true on an IIS WebGate. This is not a valid parameter for any other OAM WebGate.
  #-end-

  It should be this way:
  Ebiz:
  1. Integrate OAM with OASSO
  2. Register OASSO and OID with Ebiz11.5.10.2
  3. Protect the resource in OAM
  4. Verify if authentication is successful for this resource.
  Obiee:
  1. Integrate OBIEE with OAM
  2. Verify if authentication is successful for this resource.
  IWA:
  1. Install IIS webser and webgate
  2. Create authentication scheme which protects / of IIS web server.
  Create a Form Authentication Scheme(this scheme should protect OBIEE and EBiz resource) which will have challenge redirect to IIS web server where IWA is configured and / is protected.
  Login Flow:
  1. User tries to access ebiz or obiee resource.
  2. Form Authentication Scheme will challenge redirect to IIS web server where IWA is configured.
  3. As IWA is configured. User will be automatically get ObSSOCookie.
  4. User gets redirected back to the requested resource.
  There is a My oracle support doc which talks in details about this setup.

• Issue in integrating Essbase cubes with OBIEE

  Hi
  I am trying to use Essbase cubes as datasource in OBIEE for generating reports,but the issue is in generating , No columns in fact table of cube in BMM layer.
  Outline of cube is
  Revel(cube)
  (Hierachies)
  Time Time <5> (Label Only)
  Item <54> (Label Only) (Two Pass)
  DepInst <20> (Label Only)
  SFA_Flag <2>
  Deduction_Flag <2>
  Rating_Category <6>
  PD_Band <9>
  Product <17>
  Entity <4>
  CR_Agency <5>
  I am confused how to generate reports without measures in fact table.
  Regards
  Sandeep

  Hi Sandeep,
  in that case it's as I thought:
  Or did you just not specify any measure hierarchy?You tried this...
  In BMM layer i made this dimension as fact and tried to create reports but not use....which isn't the way. First of all your cube seems to be built quite bizarre since it doesn't even provide a default measure hierarchy so I'd have your Essbase guys check that.
  As for the OBIEE side: the key is the physical layer. BMM's already too late. In the physical cube object, you must define one of the hierarchies as the measure hierarchy (since your cube doesn't seem to provide it; see above):
  [http://hekatonkheires.blogspot.com/2010/02/obieeessbase-how-to-handle-missing.html]
  Cheers,
  C.

• Problem with Integration Essbase cube with obiee

  Hi Everyone,
  I am in a OBIEE where i need to use Essbase cubes as source for generating OBIEE reports.I am able to import the cube successfuly into Physical layer and when i drag it into BMM layer its getting splitted up into Facts,dimensions and hierachies. No measure in fact table of cube in BMM layer. What i got to know was all the meaures what all needed for reporting are into one hierachy and when i get it into BMM layer its getting converted into Dimension. Here i tried to generate reports by making dimension as fact but no use.
  Please suggest me ,any other ways to get it.
  Regards
  Sandeep Artham

  Don't [double-post|http://forums.oracle.com/forums/thread.jspa?threadID=1019323&tstart=50] please!
  The answer's already there...[http://hekatonkheires.blogspot.com/2010/02/obieeessbase-how-to-handle-missing.html]
  Cheers,
  C.

• Integrating windows authentication with Sun ACCESS MANAGER

  Hi,
  I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
  I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
  How to do this.
  Thanks in advance
  Maruthi

  Hi!
  Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
  http://developers.sun.com/identity/reference/techart/sharepoint.html
  Christoph

• Integrating RADIUS authentication with JAAS ???

  Hi,
  I have username/password JAAS authentication in my application.
  Now I have to support RADIUS authentication on top of the existing username/password authenticaiton.
  I am in the process of defining a login module for RADIUS.
  Is there any opensource login module existing for RADIUS ??
  After defining the RADIUS login module where to configure the multiple authentication policies ??
  Thanks,
  Dyanesh.

  This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
  http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Safari on Windows - Kerberos Authentication

  Am facing issues with Kerberos authentication with Safari on windows. IE, Chrome and FF works. Compared the wireshark traces and found that kerberos request made by IE, chrome etc is for server name : HTTP/myappname, while the same for Safari is krbtgt/diffdomain. Safari request for krbtgt/diffdomain fails with unknown principal name error. Seems to be Safari not reusing the TGT and trying to get a new TGT and that too for a different domain. Any thoughts please?

  Hi.
  Read here  >  Apple apparently kills Windows PC support in Safari 6.0
  Use Chrome, IE or Firefox.

• Windowns dll file for Kerberos Authentication

  Hi,
  I am implementing Kerberos Authentication with Windows x64. The SAP Post installation guide metions that gx64krb5.dll file needs to copied under <Drive>:\%windir%\system32. It also metions that the file need to be downloaded from SAP Note 352295,.But "An SAP note with the number requested could not be found". Any other place from where I can download the file.
  Regards
  Deb

  Okay, I found my PDF copy of [Note 352295|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=352295], and it contains the links to download the files from sapnet for both 64 and 32 bit.
  Here is the link for the 64 bit:
  https://service.sap.com/~sapidb/012003146900000310652008E/win64sso.zip
  And just in case anyone reading this thread needs to get to the 32 bit:
  https://service.sap.com/~sapidb/012003146900000310642008E/win32sso.zip