Migrating Security from Native to External Authentication mode Servers

Similar Messages

• Moving from Native to External Authentication - Hyperion Shared Services

  Hello Experts/John.
  We are planning to move from native directory authentication to external (MSAD) authentication mechanism.
  For that we have planned as below...
  1) We will configure MSAD with our present Shared services.
  2) Export the users using import-export utility from native directory.
        Replace the user's name in csv file with their respective AD user name. This will get modified along with the group/roles.
        Re-load the modified csv file so that new users will come into effect.
  3) Change the authentication preferences.
  4) Remove the passwords from the native directory, so that all authentication happens thru AD and basis roles that are stored
  in shared services users will able to see respective application with their desired priv.
  As I said this the approach we are thinking. Kindly suggest us whether we are on right path or this will cause any problem in production..
  We are on using EPM 11.1.1.3 on Win 2003 platform.
  Seeking your guidance.
  Thanks

  Forget to mention that we are currently working on EPM 11.1.1.3 version on win 2003 environment...

• How to migrate security from 1 bobj instance to another

  Hi ,
  I have a requirement
  how to migrate security from 1 bobj instance to another
  Please help me for the same .
  Regards,
  Abhishek

  Are you using Win AD groups or Enterprise groups to apply security?
  What is the BO version of source and Destination?

• Unable to connect to environment after migrating Security from BPC 7.5 to BPC 10.1

  Hi Experts,
  We are working on BPC 7.5 to BPC 10.1 NW migration and after migrating the environment, we are unable to connect to environment.
  While trying to access, we are getting the following error:
  After taking a backup of the necessary environment in BPC 7.5 NW we are carrying out the 2 steps in the BPC 10.1 NW box:
  Step 1 : Tcode UJBR - Restore the environment in BPC 10.1
  Results: This is working fine.
  Step 2: Program UJT_MIGRATE_75_TO_101 - Running the migration utility in BPC 10.1 to make the objects compatible with BPC.
  2.1 Execute without Security Mapping
  Results:
  This is working fine. We are able to connect to the Environment and access the dimensions and models.
  2.2 Execute with only Security Mapping
  Results:
  After this step, we are not able to access the environments and are getting the Logon error.
  cannot get model "" in environment "xxxxxx" from Admin module
  The logon attempt failed; contact your administrator.
  If you have any options to resolve this error, it would be great.
  Else, we will have to re-build the entire security design manually.
  Regards,
  Sushant Pradhan

  Hi Andy,
  Thanks for your response. Yes, my id has SAP_ALL authorization.
  Still unable to access the environment after migrating security.
  To make things less complicated, we went back to BPC 7.5 NW - deleted all unwanted user ids, we kept only 3 user ids. Then, we took backup of application set and restored it in BPC 10.1.
  We created a mapping file of those 3 user ids in BPC 10.1 as NW user ids and executed the Migration utility. Again we have same error.
  Regards,
  Sushant Pradhan.

• Error migrating Security from Shared Services.

  Hi,
  I was using Hyperion Planning 9.3.1's in Import/ Export utility in D:\Hyperion\common\utilities\CSSImportExportUtility\cssimportexport\importexport\CSSExport.bat. I'm trying to export Security from Shared Services into xml format. I get the following error message:
  Malformed \uxxxx encoding
  Anyone with similar experiences? Hyperion's impexp.pdf makes the steps so complicated!!

  Answering my own question:
  Since I am in Windows, I was using backslashes in my paths when I updated file:
  importexport.properties
  The error went away after I changed the backslashes to forward slashes in all paths.

• Migrating security from 11.1.1.3 to 11.1.2.2 and EIS Export issue in 11.1.2.2

  Hello All,
  We are currently using Hyperion 11.1.1.3 on Windows Server 2003 Ent. Edn. 32 bit.
  Now we are planning to upgrade to 11.1.2.2 but we are doing a fresh install because we are upgrading OS also to 2008R2 Server 64 bit.
  1. For Testing purpose we have installed and configured successfully on Windows Server 2008 R2 64bit.
  For Security migration: I just exported security in 11.1.1.3 and imported to 11.1.2.2, migration status showing as "Failed"
  But usres are migrated to 11.1.2.2.
  Can you please let me know how to perfrom security migration from 11.1.1.3 to 11.1.2.2
  Error
  Error in migrating artifact, "/Native Directory/Users".
  EPMCSS-02614: Failed to get user by identity native://nvid=911?USER. User not found. Verify Native user directory configuration.
  Error in migrating artifact, "/Native Directory/Users".
  EPMCSS-02614: Failed to get user by identity native://nvid=aa9322e19afe6bf1:-4bf27cb6:12ff20cff91:3cfa?USER. User not found. Verify Native user directory configuration.
  Error in migrating artifact, "/Native Directory/Users".
  EPMIE-00020: Failed to update user brobinson during import. Invalid identity for user. Please ensure that the user is available in the system with the identity specified in the import file.
  2. Another known issue with EIS Import/Export option with 2008R2 64bit Server.
  Can you please let me know is there any workaround for this?
  Thanks,
  Prathap

  Have a read of the following support doc - "Migrating Native Users and Groups Via Lifecycle Management (LCM) Fails (Doc ID 1379619.1)"
  For EIS you can install on 32bit OS and then you should be able to export/import, then you can point the 64bit to the relational db, alternatively it may be possible to point to the existing db as I doubt anything much has changed with the EIS database structure between those versions.
  Cheers
  John
  http://john-goodwin.blogspot.com/

• Migrate security from production to test platform

  Is there a method by which security that exists on production platform, can be migrated back to the test platform (groups, users & passwords, and application filters)?Thanks

  HiThere is a security utility available on this website, that allows for importing and exporting all security etc.This is the simplest way to complete.Hope this helps.Andy Kingwww.analitica.biz

• Essbase security Migration from native mode to external authentication

  Hi!!
  I want some guidance on setting up security, all the users are currently in Native user mode and Native groups.
  Now we want to migrate to external mode, current version of hyperion is 11.1.1.3, any steps to follow in
  this direction would be really helpful.
  What is the best way of migrating huge user base from native directory to setting up for external authentication,
  this is the first time move from native to external authentication, If anyone who has done this will be helpful.
  steps to setup , maxl based migration will be helpful or utility based.
  Thanks

  When you say native mode do you mean that that essbase security is in native mode and you want to convert to shared services security mode,or do you mean you are using shared services securtiy with native users and you want to use an external directory like MSAD.
  For your question ::
  Yes the first piece is correct, our security is in native mode.
  and we want to convert to shared services security mode,
  The request involves moving from essbase native mode to Shared services native user mode (moving all the existing users, groups and existing provisioning)
  The next stage is moving from Shared services native user mode to external directory. (moving all the existing users, groups and existing provisioning)
  Your input will guide me in the direction.
  Thanks

• Data Level Security from rpd to Weblogic Server

  Hi,
  Req: To implement data level security through weblogic or external authenticator OID
  Current implementation: Created a grop in rpd UserG and configured permission settings with respect to subject area and assigned this group to users.
  such that, When User1 log in he will see his data and when User2 log in repective data
  New implementaion: We have to achive this data level security through weblogic or external authenticator OID
  How to acheive this?
  Thanks in advance!
  Satheeshkumar

  You can choose where to get the groups from either database or any provider and map them to Application roles in EM, but you would have to set up your data restrictions thru Application roles in RPD on your Facts and Dims based on your requirement.
  Now if your looking for bringing External groups using BISQLGroupProvider then refer to:
  How-to: OID Authentication with Groups Stored in an External Database Table - OBIEE 11g ~ Ask John OBIEE - Oracle Busine…
  For database groups with users mapped in it those tables then you can refer to:
  Jonathan's Tech Journey: OBIEE 11g Security part 1
  Hope this helps.
  SVS

• Shared Services External Authentication using LDAP in 9.3.1

  Hi,
  I have installed Hyperion Shared Services with native directory. And now planning to setup external authentication using LDAP. I need some guidance to understanding how the external authentication works.
  Questions:
  1. Is it possible to setup Shared Services to use both Native and LDAP user directory? What I mean is some users will be able to login using Native directory, and some others will need to login using User Directory (external authentication).
  2. For User Directory (say we use LDAP), when the user is added into Shared Services, can they be assigned with Groups created in Native directory? We want to explore to use just the external authentication and define all of the groups within shared services.
  If not possible, can we manage the Groups of the User directory using shared services? How is the groups work with external authentication?
  Any feedback would be much appreciated.
  Thanks,
  Lian

  Hi,
  Yes you can use both Native and external authentication. When you add the external provider the native is left by defaut anyway.
  Yes you can add your external users to native groups. You can also provision the groups in the AD if you wish.
  Gee

• Migrating SSRS custom security from 2008 R2 to SQL Server 2012

  Hi,
  We have built custom security in SSRS 2008 R2 and now we are migrating it to SSRS 2012. We are facing an issue, it always throws Security exception below and when we are changing
  web.config file to below line we are getting "500 Internal server error". Tried everything, no luck... can someone please assist here whether we need to rewrite entire custom security code and then migrate it to SSRS 2012 custom
  security. Any help here much appreciated
  <authentication mode="Forms">
        <forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="60" path="/"></forms>
      </authentication>   
      <identity impersonate="false" />
  Regards,
  Harish 

  Hi yashmitl,
  In your case, please running the following command to check the current URL reservations on http.sys.
  netsh http show urlacl
  Then, please delete the URL reservation by executing the following command try to resolve the issue.
  netsh http delete urlacl <url>
  There is a similar issue, you can refer to it.
  http://social.technet.microsoft.com/Forums/en-US/d5204dd3-e26d-4592-8ef0-a94005fc46a5/the-url-has-already-been-reserved?forum=sqlreportingservices
  Hope this helps.
  Regards,
  Alisa Tang
  Alisa Tang
  TechNet Community Support

• Oracle Security - External Authentication

  The requirement is to enable the user to allow access to DB by making the user enter the user name and password only once while accessing the Cognos reports. (Cognos is a BI tool). So the user will enter the username and password at the time he accesses the Cognos application, after this there should not be any logons to access DB.
  Cognos stores the user name and password in a LDAP store (in NDS residing on Windows 2000 Advanced Server). So, the question is, can Oracle leverage on the user information stored in the LDAP for Cognos? The external authentication provided by Oracle suggests that if the user info store can be in LDAP provided it is in OID.
  Please let me know if this can be achieved and if so, where can I get details about the same.

  According to the 8.1.7 documentation:
  "Enterprise user security provides single sign-on to Oracle8i using interoperable X.509 v3 certificates over Secure Sockets Layer (SSL) v3, and supports the following LDAP-compliant directory services:
  Oracle Internet Directory Release 2.0.5 or later
  Microsoft Active Directory "
  So it sounds like they do not support Novell's LDAP implementation.
  Here's a page on managing Enterprise Users http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/network.817/a85430/asomeus.htm
  Here's a page on managing OS Authentication -http://technet.oracle.com/doc/windows/server.815/a68694/output/ch10.htm
  I just finished writing a chapter on OS Authentication in my Oracle security book. I would stay away from OS Authentication unless you have a small number of users. I have not yet researched Enterprise Users, but the concensus seems to be that they provide a much more robust solution.

• HT201250 i bought a new mac, and i want to migrate data from my old pc external drive to my mac how is this done

  Just Recently bought a new Mac, because my old PC crashed again, ( finished w/ microsoft) but now i would like to migrate data from my external drive i used on my PC to my new Mac. i loaded the Migration assitant from utilities but didnt see how to migrate the data from this external drive. which is a SEgate drive. any ideas.

  Just in case you are not aware of this, you can probably use your external drive, which you presumably now no longer need for your PC, as the backup drive using the Mac's Time Machine. If you still have any Windows specific files that you want to keep, it is really easy to partition the drive so that you can keep Windows files and Mac files in different partitions.

• There is an inconsistency between the authentication mode of target web application and the source web application after migrating to claims

  I've had my farm upgraded from SP2010 to SP2013 for over 6 months now and all is well, however, I was refreshing my staging environment from production and I noticed that one of the databases still shows these errors when I run test-spcontentdatabase:
  Category             : Configuration
  Error             : False
  UpgradeBlocking : False
  Message           : The [SharePoint Web App] web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against
  a windows classic authentication mode.
  Remedy              : There is an inconsistency between the authentication mode of target web application and the source web application. Ensure that the authentication mode setting in upgraded web application is the
  same as what you had in previous SharePoint 2010 web application. Refer to the link "http://go.microsoft.com/fwlink/?LinkId=236865" for more information.
  This doesn't make sense considering I converted the production web application to claims during the upgrade and then verified all sites were working with claims logins. I also verified that existing AD user identities were converted to claims by checking out
  the database tables. Yet test-spcontentdatabase still thinks there is a mismatch here.
  My farm is SP1 and no further CUs. The point of this particular refresh is so I can update to the November CUs in my test farm. Anyone else see this? Seems like it's a bug/safe to ignore because my stuff is working.
  Thanks,
  Aaron

  See:
  http://thesharepointfarm.com/2014/11/test-spcontentdatabase-classic-to-claims-conversion/
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Invoking 'active directory external authentication plug-in'  from login.jsp

  Hi
  I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
  Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
  Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
  For this requirement, we have 'active directory external authentication plug-in' installed on server.
  What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
  kindly let me know

  Hi
  I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
  Then i serach using the user name in ldap directory.
  NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
  as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.