LDAP/SSO with Crypt?

Is it possible to have the SSO authenticating via LDAP with passwords encrypted with crypt? (UNIX) If so, how do I do that?

Gaurav, a bit of clarification from my part :-D
Okay, I just thought that the bind it performs is done by the proxy user who then retrieves the user password in encrypted form. My question is if it is possible to have encrypted user passwords in the DIT
and how to tell the SSO/LDAP-thingy to pipe the result through crypt.
null

Similar Messages

SSO with Custom LDAP

This is the landscape :-
Web Application / Portal at Oracle Web Center Suite (WCS).
SAP BO 4.0
Authentication using Custom LDAP & SSO with Trusted Authentication.
Used OpenLDAP for authentication via RadiantOne VDS as the proxy.
Activities :
Authenticate the BO users with OpenLDAP via RadiantOne.
Synchronize the BO user group from OpenLDAP via RadiantOne.
Used openDocument.jsp to open WEBI reports.
Problems :
We configure the LDAP as Custom. Attributes mapping as default.
When BOE trying to connect the RadiantOne VDS & create user u201Cuser01u201D which already exists in the OpenLDAP server. It throws the exception :
"An internal error has occurred in the secLdap plugin.u201D
When trying to create user that does not exist in LDAP. It throws the exception :
u201CThe secLdap plugin failed to get the dn for the user notuser.u201D
Please advise us how to resolved this internal error if we want to SSO with custom LDAP !!
Thanks & regards,
Herries E

Hi,
Herrie, Roland is correct, OpenLDAP is not supported and you can run into problems if you want to escalate issues in the future. The customer must have that into account.
However, LDAP is pretty standard and usually you just need to make sure that the attribute mappings is correct.
Are users correctly created when you map an LDAP group?
Are you able to manually authenticate using LDAP? You can use the CMC page and select authentication LDAP
When you have confirmed that LDAP manual authentication is working, you can set up Trusted Authentication. Check first that the system is working just using QUERY_STRING:
https://service.sap.com/sap/support/notes/1593628
When trusted auth is confirmed to work, you can configure the parameters that Radiant users to pass the user: cookies, web session, etc.
Regards,
Julian

LDAP AD with SSO XI 31

Hi everybody
I´m trying to configure LDAP AD with Single Sign On but in BO documentation only can find that this is possible with SiteMinder.
Somebody plz can tell me how Configure LDAP SSO with SiteMinder? and if exists another way to do this without SiteMinder.
Thanks.
BO: XI 3.1
SO: Windows Server 2003
LDAP AD

siteminder is a 3rd party app and configuration should be sought through their company's docs.
If you have users that are authenticated with siteminder then we can auto log them into BO by either configuring the LDAP - siteminder plugin to the siteminder web agent. Requires 6x web agent running in 4x compatibility mode with a shared secret enabled.
We can also pass the usernames using trusted authentication. requires the user parameter that siteminder uses to store the username (usually sm-user).
If you plan to keep your CMS on windows then SSO is a piece of cake no and no 3rd party programs would be required. With the CMS on "nix" you will need to authenticate prior to accessing the BO system for any type of SSO. Honestly SSO is not the right description in both cases above it's trusted auth (passwords are never negotiated just usernames passed).
Regards,
Tim

Auto Logon with LDAP SSO

Hi All,
I am having EHP1 for NW 7.3 installed on windows 2008 R2 and I am trying to do SSO with ADS.
I am following the steps as below :
1. Created administrator user user1 and disabled "Use Kerberos DES encryption type for this Account" and checked "Password never expire option"
2. setspn -a HTTP/javahost.mydomain.com user1
3. Logged into javahost:port/nwa
4. Generated Keytab file in Domain server:
ktab -a [email protected] -k keytab
5. Imported the keytab into the JAVA system :
http://javahost:port/spnego
Kerberos Realm--> edit --> Keys--> Update Keys -> uploading keytab file --> browse --> selected file and IMPORT --> Save.
6. Activate the REALM.
7. Adjusted the authentication stack:
EvaluateTicketLoginModule     SUFFICIENT
SPNegoLoginModule              OPTIONAL
CreateTicketLoginModule       SUFFICIENT
BasicPasswordLoginModule     REQUIRED
CreateTicketLoginModule       REQUIRED
-->Save.
8. Did the settings in the browser.When tried to open the URL http://<server>:<port>/XMII/Menu.jsp
I am getting a windows authentication message as in the attached screen shot (Windows_auth)
After that I can see the Logon page
I am able to Login through LDAP User credentials.
But how to by pass Logon page to directly go to Menu page?.
Is there any other settings to be done at Server or net weaver level to Auto Authenticate?

Hi All,
I tried some workarounds which helped to skip Login page.
But I it still prompts Windows security and "Upload Protected Area" boxes to enter credentials as shown in pictures.
Please Help out to resolve this Issue.
Regards,
Vinothkumar G.

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

LDAP SSO to database in XI3.1

Hi All,
We are using XI3.1 and trying to find a solution for configuring LDAP single sign on to database and have not been able to find any material on that matter.
Is it possible to configure LDAP SSO to database (Oracle 11) natively? Or is there a third party tool like siteminder that can make that configuration work? Please let me know.
Thanks,
V

It should work natively.
In the CMC > Authentication > LDAP there is an option for propogate credentials at logon time. This option will cause LDAP users to have their username/pw cached in their user account (in fields called DBuser/DBpass). Then you must configure your reports to use these fields. If using reports based of universes you need to set the universe connection to use DB credentials, if crystal then it's a bit more complicated and you may need to log a case to get the instructions.
If using SSO on the front end with siteminder or trusted auth then the LDAP propogate option will not work (it requires users to key in their user/pw).
Regards,
Tim

BO XI 3.1 SP3 SSO with CMC and Webi Rich Client

Hello,
Is it possible in BO XI 3.1 SP3 to use SSO with CMC and Webi Rich Client ?
It works fine with InfoView, Designer and Desktop Intelligence.
Regards

Hi,
What kind of SSO authentication are you trying to set up? (AD, LDAP,...)
I think it's AD regarding your command line.
But be aware that in SSO, you don't need to configure the command line to run the client.
Have a look at the following guide.
[Configuring Manual Kerberos Authentication and-or SSO in Distributed Environments with XI 3.1 SP3.pdf|https://bosap-support.wdf.sap.corp/sap/support/sapnotes/public/services/attachment.htm?iv_key=002007204200000183782010&iv_version=0005&alt=2BCE4CB10DF674B172F4F3F7B32A284F49333135358877720E883731B332AF34CACD2AB52C0A2C8DCACA09084EF4CB494E4E0F2ECE8E2F89772908C9CE70CD2DF77675F7F2D1750C09514BCECFCFCE4C8DCF4BCC4DB5F575F4F4F3F57771F571F6F70B01B25D83D4120B0A722092A599504EB16D715E3E00&iv_guid=DF838310BFAAE8F1B486001A64C54696]
Regarding accessing CMC with SSO, it's not recomended at all as if you break this access, than you can't connect anymore to the CMC and modify settings.
Regards,
Philippe
Edited by: Philippe Tavares on Feb 15, 2011 4:11 PM

Weblogic SSO with AD - My Try - What's wrong?

Dear All
I'm trying to setup Weblogic to Authenticate using AD and have SSO with a Windows workstation(joined to the domain).
I just setup an Active Directory(Win2K3), a Windows XP(SP2) and a Linux System(CentOS5) with Weblogic 10.3.
I'm wondering what is wrong with my configuration. I can only logon on Adminstration Console using weblogics local users, and even with entering username(those which created on AD) and password AD Authentication does not work.
Anyone has simliar experiance or any clue?
Appreciated
TIA
Cheers
Here is the setup:
The domain is: example.com and machines are: dc.example.com (AD), winclient.example.com (Windows XP joined to the example.com domain) and weblogic.example.com (CentOS with Weblogic 10.3 installed)
The hosts file on all three machines are filled with their FQDN, Machine Name and corresponding IP addresses. They all have ping working successfully between each two of them. Firewalls are checked to be off.
These are the steps I came through based on documentation I could found on the net:
h1. 0. Configuring Your Network Domain to Use Kerberos
In Linux Machine(Weblogic Server) edit Kerberos configuration file for appropriate values:
*/etc/krb5.conf*
\[logging\]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
\[libdefaults\]
default_realm = EXAMPLE.COM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des_cbc_crc
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime =28800
forwardable = yes
\[realms\]
EXAMPLE.COM = {
kdc = 192.168.1.193:88
admin_server = dc
default_domain = EXAMPLE.COM
\[domain_realm\]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
\[kdc\]
profile = /var/kerberos/krb5kdc/kdc.conf
\[appdefaults\]
autologin = true
forward = true
forwardable = true
encrypt = true
pkinit = {
allow_pkinit = false
h1. 1. Create two users on AD: "New->User" with "User must change password at next logon" option cleared (not tidked)
weblogic (for weblogic service) (with password = "password1")
weblogicusr (the user which should access Weblogic Administration Console) ("password2")
* Note that group membership of these two users are left default.(Domain Users)
h1. 2. For "weblogic" & "weblogicusr" user set these Account Optiones:
- Use DES encryption types for this account (ticked)
- Do not require Kerberos preauthentication (cleared)
* then reset the password again for "weblogic" (with password = "password1") and "weblogicusr" (with "password2").
h1. 3. Create Service Principal Names for Weblogic Server and User on Win2K3 machine:
- >setspn -a host/weblogic.example.com weblogic
- >setspn -a HTTP/weblogic.example.com weblogic
here is the result
C:\Documents and Settings\Administrator.DC>setspn -L weblogic
Registered ServicePrincipalNames for CN=weblogic,CN=Users,DC=example,DC=com:
HTTP/weblogic
host/weblogic
HTTP/weblogic.example.com
host/weblogic.example.com
and
- >setspn -a HTTP/weblogic.example.com weblogicusr
and the result
C:\Documents and Settings\Administrator.DC>setspn -L weblogicusr
Registered ServicePrincipalNames for CN=Weblogic User,CN=Users,DC=example,DC=com:
HTTP/weblogicsrv.example.com
HTTP/weblogicsrv
h1. 4. Create the keytab file for Weblogic Server:
On AD machine issue:
(ktpass from MS Windows Support Tools)
>ktpass -princ host/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.host.keytab
>ktpass -princ HTTP/[email protected] -pass password1 -mapuser weblogic -out c:\temp\weblogic.HTTP.keytab
(ktab from JRE 6)
>ktab -k c:\temp\weblogic.keytab -a [email protected]
Password for [email protected]:*password1*
Done!
Service key for [email protected] is saved in c:\temp\weblogic.keytab
** Note I could not kinit successfully merely with weblogic.host.keytab and/or weblogic.HTTP.keytab, I got this error +"Key table entry not found while getting initial credentials"+ how ever the keytab I created using ktab("weblogic.keytab") works fine in this case, so I decided to merge whole three of them into a keytab.
>\[root@weblogic keytabs\]# kinit -k -t weblogic.host.keytab [email protected]
>kinit(v5): Key table entry not found while getting initial credentials
h1. 5. Port and Merge keytabs
Then I ported these three files to the Linux Machine(weblogic.example.com): weblogic.host.keytab, weblogic.HTTP.keytab and weblogic.keytab
and merged into one keytab:
ktutil: "rkt weblogic.host.keytab"
ktutil: "rkt weblogic.HTTP.keytab"
ktutil: "rkt weblogic.keytab"
ktutil: "wkt weblogic-keytab"
ktutil: "q"
* then put the result keytab "weblogic-keytab" somewhere in Weblogic Path:
>/root/bea/user_projects/domains/base_domain/kerberos
h2. 5.1 Test the keytab and kerberos configuration
>\[root@weblogic keytabs\]# kinit -k -t weblogic-keytab [email protected]
>\[root@weblogic keytabs\]# klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: [email protected]
>
>Valid starting Expires Service principal
>09/04/09 16:16:42 09/05/09 00:16:42 krbtgt/[email protected]
>
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
h1. 6. Creating a JAAS Login File
Create krb5Login.conf and put it in here: "/root/bea/user_projects/domains/base_domain/kerberos/"
krb5Login.conf
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal=*"[email protected]"* useKeyTab=true
keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal=*"[email protected]"* useKeyTab=true
keyTab=*/root/bea/user_projects/domains/base_domain/kerberos/weblogic-keytab* storeKey=true;
h1. 7. Modify startup options
add these option to "/root/bea/user_projects/domains/base_domain/bin/startWebLogic.sh"
h2. 7.1 Kerberos
-Djava.security.krb5.realm=EXAMPLE.COM
-Djava.security.krb5.kdc=dc.example.com
-zjava.security.auth.login.config=$PATHTOKRB/krb5Login.conf
-Djavax.security.auth.useSubjectCredsOnly=false
-Dweblogic.security.enableNegotiate=true h2. 7.2 Debug
-DDebugSecurityAdjudicator=true
-Dweblogic.debug.DebugSecurityAtn=true
-Dsun.security.krb5.debug=true
-Dweblogic.StdoutDebugEnabled=true";
-Dweblogic.log.StdoutSeverity=Debugh1. 8. Configuring the Identity Assertion Provider
In Weblogic Administration I created a Security Realm called "example.com" with everything default and made it default. Then restarted the Weblogic Server.
Again in Administation Console did this to example.com Security Realm:
h2. 8.1 -> Prividers: Add 3 Providers
Negotiate     WebLogic Negotiate Identity Assertion provider     1.0
     DIA     WebLogic Identity Assertion provider     1.0
     AD     Provider that performs LDAP authentication     1.0 (Active Directory provider)
     Default     WebLogic Authentication Provider     1.0
h2. 8.2 -> Change the default parameters
h3. 8.2.1 Negotiate     WebLogic Negotiate Identity Assertion provider
-> Base64 Decoding Required: false (No Change, but shouldn't it be true and how to change?)
-> Form Based Negotiation Enabled: Removed the tick
h3. 8.2.2 DIA     WebLogic Identity Assertion provider (no changes)
(no changes)
h3. 8.2.3 AD     Provider that performs LDAP authentication (Active Directory provider)
-> Control Flag: *SUFFICIENT*
-> User Name Attribute: *sAMAccountName*
-> Principal: *HTTP/[email protected]*
-> Host: *192.168.1.193*
-> User Base DN: *CN=Users,DC=example,dc=com*
-> Propagate Cause For Login Exception: *ticked*
-> Group Base DN: *CN=Users,DC=example,dc=com*
-> Credential: *password1*
* others left with their default values.
h1. 9. Configuring an Internet Explorer Browser
On Windows XP machine (winclient.example.com):
h2. 9.1 Configure Local Intranet Domains
- In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Sites:
> "Include all sites that bypass the proxy server" *ticked*
> "Include all local (intranet) sites not listed in other zones" *ticked*
- then in -> Advanced Dialog Box added this:
> weblogic.example.com
h2. 9.2 Configure Intranet Authentication
- In Internet Explorer, Tools > Internet Options -> the Security tab -> Local intranet -> Custome Level:
> In the Security Settings dialog box -> the User Authentication section.
> "Automatic logon only in Intranet zone" *ticked*
h2. 9.3 The Proxy Settings
No proxies are enabled
h2. 9.4 Enable Integrated Windows Authentication
- In Internet Explorer, Tools > Internet Options -> Advanced tab -> Security section:
> "Enable Integrated Windows Authentication" *ticked* by default
Edited by: Mehdi Sarmadi on Sep 4, 2009 5:51 AM

I found something in Logfile:
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <LDAP Atn Login username: weblogicusr>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <new LDAP connection to host 192.168.1.193 port 389 use local conne
ction is false>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:
""}>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <connection failed netscape.ldap.LDAPException: error result (49);
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece^@>
<Sep 4, 2009 6:17:39 PM IRDT> <Debug> <SecurityAtn> <BEA-000000> <[Security:090294]could not get connection>
According to this post: Re: WL10.3 and SSO and Active Directory
a correct ldap connection should look like this:
<LDAP Atn Login username: Administrator>
<userExists? user:Administrator>
<new LDAP connection to host 10.10.0.254 port 389 use local connection is false>
<created new LDAP connection LDAPConnection { ldapVersion:2 bindDN:""}>
<connection succeeded>
*<getConnection return conn:LDAPConnection {ldaps://10.10.0.254:389 ldapVersion:3 bindDN:"HTTP/[email protected]"}>
<getDNForUser search("CN=Users,DC=DOMAIN,dc=local", "(&(&(cn=Administrator)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>xist>*
Moreover, I turned AD's debug logging and this is what happens when I try to login with a AD user: Why "Anonymous Logon"?!
Event Type:     Information
Event Source:     NTDS LDAP
Event Category:     LDAP Interface
Event ID:     1535
Date:          9/4/2009
Time:          6:47:07 PM
User:          NT AUTHORITY\*ANONYMOUS LOGON*
Computer:     DC
Description:
Internal event: The LDAP server returned an error.
Additional Data
Error value:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Any help would be greatly appreciated

LDAP authentication with MD5 passwords

Hi,
in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
I know it is to be done with {crypt} storage scheme.
This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
Thanks in advance,
Kristof

Thanks you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with : Base 64 encoded md5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==Thanks again for any help..

Oracle Forms 11g SSO with OID and IAM

What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
We want the OID to store and authenticate Users for username and password logins to the database, then
ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
in Enterprise Manager.
Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
for registration and Password reset?
Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
different and IAM can help or is required for this type of SSO to work.
Any help?
Edited by: Kirch on Apr 30, 2013 7:39 AM

Hi,
According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0 where only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution as we have ran into configuration problems in the past with using Oracle SSO 10.1.4.x.
Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
Thanks,
Scott
http://pitss.com/us

OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

Hi Everyone!
I have configured a OAM(webgate)+OID+OBIEE+OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It is working very well.
The OAM authenticates from OID(default user identity store).
The *"User Search Base"* is same ( *"cn=Users,dc=mydomain,dc=com"* ) in identity store and in OBIEE's OID authentication provider too.
The SSO is enabled in OBIEE and the providers are:
OID (Provider that performs LDAP authentication     1.0) SUFFICIENT
OAM Provider (Oracle Access Manager Identity Asserter     1.0) REQUIRED
DefaultAuthenticator     (WebLogic Authentication Provider     1.0) SUFFICIENT
DefaultIdentityAsserter
IF the *"User Name Attribute"* is *"cn"* in OAM's user identity store and the OBIEE's OID provider's *"user name attribute"* is *"cn"* (default) too, everything is working fine.
But I have to use *"orclSAMAccountName"* instead of *"cn"* (OAM and OID provider). And in this case I have the problem.
In the OBIEE's OID provider are:
All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
User Name Attribute: orclSAMAccountName
I made a test user:
cn=test
sn=test_sn
orclsamaccountname=test_sama
uid=test_uid
krbprincipalname=test_krb
I can authenticate with test_sama in OAM, but OBIEE say: *"You are not logged in here: Oracle BI Server."*
The bi log shows that:
+Default (self-tuning)'> <BISystemUser> <> <00093dFuR^HFW7PMye7i6G00052S000Tt7> <1345642607333> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
+oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
Why does search OBIEE the *"cn"* and why does not use the *"orclsamaccountname"* ?
Any idea???
Regards, Jani

Hello Jani,
This is a known issue in OBIEE 11.1.1.6.0 , Please refer to : OBIEE 11.1.1.6 Agent failed with Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
We have configured OBIEE 11.1.1.6 on Linux and using Single Sign On (SSO) with Windows Native Authentication (WNA).
Configured AD Authenticator, selected sAMAccountName instead of CN for User Attribute. Enabled SSO in EM. When trying to access OBIEE Presentation services we have encountered the error below.
"You are not logged in here: Oracle BI Server."
When checking the biserver1 log file found : [Security:090300]Identity Assertion Failed: User OracleSystemUser does not exist
After applying the patch 13553428 on top of OBIEE 11.1.1.6.0 we have successfully logged into OBIEE Presentation services.
This works fine with OBIEE 11.1.1.5.0 and 11.1.1.6.1
Fixed in OBIEE 11.1.1.6.1. Apply Patch 13742915.
If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
Let me know if this solves the Asserter issue.
Pls mark if helpful or answered.
Thanks,
-SVS

Softwares Needed to Acheive SSO with Webcenter Suite 11.1.1.2

Hi All
I have Installed Web center suite 11.1.1.2 on my Machine. Can anybody suggests, what are the softwares that i need to install inorder to achieve
Oracle SSO with E-Business Suite and OBIEE.
Regards
Nagaraju Manchala
Edited by: user11965597 on Sep 15, 2011 3:58 AM

Oracle Identity Management (OIM) is a collection of related products that provides identity and access management (IAM) services. These products includes
Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Virtual Directory (OVD), Oracle Internet Directory (OID) etc. The purpose of all these products is to provide LDAP directory services and/or security services and/or SSO service. For detail of all related products of OIM, pls see following link:-
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
OIM and IAM is always create confusion when you go to their download page. You need to download Identity Management (11.1.1.2.0) from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html. OIM will give you following products when you install it:-
- OID
- OVD
- Oracle Identity Federation
- Oracle Directory Integration Platform
Also see installation guide:http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/overview.htm#sthref6
For new features of PS3, pls see http://www.oracle.com/technetwork/middleware/webcenter/overview/wcps3-highlights-284637.html
In PS4, Oracle removed few bugs.

AM SDK SSO with AM server running in Realm mode throws exception

Hi All,
we have a web application which does SSO with AM server using AM SDK APIs. Following is the code snippet.
SSOTokenManager ssoMgr = SSOTokenManager.getInstance();
SSOToken token = ssoMgr.createSSOToken(request);
boolean tokenValid = ssoMgr .isValidToken(token);
AMUser amuser = null;
if (!tokenValid) {
MStoreConnection amsc= new AMStoreConnection(token);
amuser = amsc.getUser(token.getPrincipal().getName());
String uid = amuser.getStringAttribute("uid");
This code works perfectly fine with AM running in Legacy mode. But throws following exception with AM running in Realm mode.
com.iplanet.am.sdk.AMException: Unable to get attributes from data store.
at com.iplanet.am.sdk.ldap.DirectoryServicesImpl.getAttributes(DirectoryServicesImpl.java:791)
at
com.iplanet.am.sdk.ldap.CachedDirectoryServicesImpl.getAttributes(CachedDirectoryServicesImpl.java:823)
at
com.iplanet.am.sdk.ldap.CachedDirectoryServicesImpl.getAttributes(CachedDirectoryServicesImpl.java:625)
at
com.iplanet.am.sdk.AMObjectImpl.getStringAttribute(AMObjectImpl.java:669)
at
com.sun.comms.client.security.sso.impl.AMSSOProvider.SingleSignOn(AMSSOProvider.java:73)
at
com.sun.comms.client.web.sso.SSOFilter.doFilter(SSOFilter.java:154)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:75)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:181)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:177)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
at
com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
We have created a realm with sunDS datastore where all our application users data is stored. Same LDAP is used as authentication module (AM auth module) in realm.
--Balamurugan.

Hi All,
we have a web application which does SSO with AM server using AM SDK APIs. Following is the code snippet.
SSOTokenManager ssoMgr = SSOTokenManager.getInstance();
SSOToken token = ssoMgr.createSSOToken(request);
boolean tokenValid = ssoMgr .isValidToken(token);
AMUser amuser = null;
if (!tokenValid) {
MStoreConnection amsc= new AMStoreConnection(token);
amuser = amsc.getUser(token.getPrincipal().getName());
String uid = amuser.getStringAttribute("uid");
This code works perfectly fine with AM running in Legacy mode. But throws following exception with AM running in Realm mode.
com.iplanet.am.sdk.AMException: Unable to get attributes from data store.
at com.iplanet.am.sdk.ldap.DirectoryServicesImpl.getAttributes(DirectoryServicesImpl.java:791)
at
com.iplanet.am.sdk.ldap.CachedDirectoryServicesImpl.getAttributes(CachedDirectoryServicesImpl.java:823)
at
com.iplanet.am.sdk.ldap.CachedDirectoryServicesImpl.getAttributes(CachedDirectoryServicesImpl.java:625)
at
com.iplanet.am.sdk.AMObjectImpl.getStringAttribute(AMObjectImpl.java:669)
at
com.sun.comms.client.security.sso.impl.AMSSOProvider.SingleSignOn(AMSSOProvider.java:73)
at
com.sun.comms.client.web.sso.SSOFilter.doFilter(SSOFilter.java:154)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:230)
at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:75)
at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:181)
at java.security.AccessController.doPrivileged(Native Method)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:177)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:288)
at
org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:271)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:202)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:94)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:206)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:150)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:632)
at
org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:577)
at
org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:571)
at
org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:1080)
at
org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:272)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.invokeAdapter(DefaultProcessorTask.java:637)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.doProcess(DefaultProcessorTask.java:568)
at
com.sun.enterprise.web.connector.grizzly.DefaultProcessorTask.process(DefaultProcessorTask.java:813)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.executeProcessorTask(DefaultReadTask.java:341)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:263)
at
com.sun.enterprise.web.connector.grizzly.DefaultReadTask.doTask(DefaultReadTask.java:214)
at
com.sun.enterprise.web.connector.grizzly.TaskBase.run(TaskBase.java:265)
at
com.sun.enterprise.web.connector.grizzly.ssl.SSLWorkerThread.run(SSLWorkerThread.java:106)
We have created a realm with sunDS datastore where all our application users data is stored. Same LDAP is used as authentication module (AM auth module) in realm.
--Balamurugan.

Help - SPENGO - Microsoft SSO with WLS 9.2

Friends,
I am trying to integrate Microsoft SSO with WLS with SPENGO. I followed the steps given in http://edocs.bea.com/wls/docs92/secmanage/sso.html and even in 8.x documentation where I had to create a LDAP authenticator etc.
However, instead of SPENGO token, I get the NTLM token. It looks like when Kerberos fails, WLS tries to invoke NTLM. But I am not sure where I am doing wrong. It would be great if someone could look at the following logs and suggest some workaround.
<<WLS Kernel>> <> <> <1183957002830> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
<<WLS Kernel>> <> <> <1183957002830> <000000> <CERT auth type found for webapp>
<<WLS Kernel>> <> <> <1183957002830> <000000> <All request headers:>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Language : en-us>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: UA-CPU : x86>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Encoding : gzip, deflate>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Host : 10.31.252.182:7001>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Connection : Keep-Alive>
<<WLS Kernel>> <> <> <1183957002862> <000000> <Negotiate filter: new session, no negotiation has started>
<<WLS Kernel>> <> <> <1183957002862> <000000> <PrincipalAuthenticator.getChallengeToken will use common security service>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <Unauthorized, sending WWW-Authenticate: Negotiate>
<<WLS Kernel>> <> <> <1183957003268> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
<<WLS Kernel>> <> <> <1183957003268> <000000> <CERT auth type found for webapp>
<<WLS Kernel>> <> <> <1183957003268> <000000> <All request headers:>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Language : en-us>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: UA-CPU : x86>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Encoding : gzip, deflate>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Host : 10.31.252.182:7001>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Connection : Keep-Alive>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Cookie : JSESSIONID=0nRcGRQKvcpzV8wQPVX584Pxwly4GrpTdQGGGYGGb4Z62Rs1GLVv!542382297>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Authorization : Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
<<WLS Kernel>> <> <> <1183957003268> <000000> < processing header: Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
<<WLS Kernel>> <> <> <1183957003283> <000000> <SPNEGONegotiateToken.discriminate: not Application Constructed Object, not SPNEGO NegTokenInit token>
<<WLS Kernel>> <> <> <1183957003283> <000000> <Token not supported by Negotiate Filter, ignoring: NTLM>

Another question.
When you configure Spnego and sso, do you also need to configure an active directory authenticator ??
I think I have the SSO part working - it does kerberos authentication and gets the username, howerver after taht it fails because it tries to do an LDAP authentication with that username.
<LDAP Atn Login username: kerbuser01>
<[Security:090300]Identity Assertion Failed: User kerbuser01 does not exist
Any pointers ?

10g - how to configure sso with iis-

hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?

hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
any setup on IIS are wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
     saw.odbc.connection.open
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

LDAP/SSO with Crypt?

Similar Messages

Maybe you are looking for