MSAD configuration
Hi all, sorry if this is the wrong forum for this question. I am trying to configure a MSAD server with shared services.
I can do it easily with our Hyperion QA server, but in the PROD environment the configuration doesn't go ahead after the user config.
In the group config it just searches for about five minutes, then nothing happens.
If I add the config info from the QA server CSSConfig.xml file to the PROD one and reimport it, is there possibilty that it will work?
There is one more MSAD server already configured to the PROD and MSAD users are configured through native groups.
I want to know that if I import the CSSConfig.xml will the provisioning of the exisiting MSAD server users be affected?
Is reimporting the file same as adding the existing server again? Thanks a lot.
Hi John,
It means there is no need of admin user.
Suppose, if we creates one user id to query the AD, and after some time we change the password of the user id; we need to change the password in Shared Services also?
Thanks in Advance
Similar Messages
-
MSAD Configuration with Shared Services
Hi,
I have just sucessfully configured MSAD to the HFM SS but 1 concern is that anyone with the domain suer login is able to login to shared service although limited function are available. Is there anyway to control other users except my users to login?
I do not want to use Native to create user as it will means another set of password to rememberr for the users, would prefer they use their normal domain accoutn to login.
ThanksIn addition to other comments, users can only make changes in Shared Services if they have Shared services roles assigned. Also, we use MSAD with both local and AD groups, and as long as you know the effective rights, it works out fine either way. The Shared services roles are listed below (Security Administrator's Guide pp 135-136):
Administrator: Provides control over all products that integrate with Shared Services. It enables more
control over security than any other Hyperion product roles and should therefore be
assigned sparingly. Administrators can perform all administrative tasks in User
Management Console and can provision themselves.
This role grants broad access to all applications registered with Shared Services. The
Administrator role is, by default, assigned to the admin Native Directory user, which is
the only user available after you deploy Shared Services.
Directory Manager: Creates and manages users and groups within Native Directory.
Do not assign to Directory Managers the Provisioning Manager role because combining
these roles allows Directory Managers to provision themselves.
The recommended practice is to grant one user the Directory Manager role and another
user the Provisioning Manager role.
LCM Manager: Runs the Artifact Life-Cycle Management utility to promote artifacts or data across product environments and operating systems
Project Manager: Creates and manages projects within Shared Services
Create Integrations: Creates Shared Services data integrations (the process of moving data between
applications) using a wizard.
For Oracle's Enterprise Performance Management Architect, creates and executes data
synchronizations.
Run Integrations: Views and runs Shared Services data integrations.
For Performance Management Architect, executes data synchronizations.
Dimension Editor ( includes Dimension Viewer and Interactive Editor):
Creates and manages import profiles for dimension creation. Also, creates and manages
dimensions manually within the Performance Management Architect user interface or the
Classic Application Administration option.
Required to access Classic Application Administration options for Financial Management
and Planning using Web navigation.
Dimension Viewer can read or view dimensions. This role automatically maps to the
Dimension Reader access on dimensions.
Interactive Editor can modify members within a dimension, and grants dimension writer
access to all dimensions. Does not allow users to delete dimensions.
Note: Dimension Viewer and Interactive Editor roles are reserved for future use.
Application Creator (includes Analytic Services Application Creator, Financial Management Application Creator, Planning Application Creator, External Application Creator): Creates and deploys Performance Management Architect applications. Users with this
role can create applications, but can change only the dimensions to which they have
access permissions.
Required, in addition to the Dimension Editor role, for Financial Management and
Planning users to be able to navigate to their product’s Classic Application Administration
options.
When a user with Application Creator role deploys an application from Performance
Management Architect, that user automatically becomes the application administrator
and provisioning manager for that application.
The Application Creator can create all applications.
The Analytic Services Application Creator can create Generic applications.
The Financial Management Application Creator can create Consolidation applications
and Performance Management Architect Generic applications. To create applications,
the user must also be a member of the Application Creators group specified in Financial
Management Configuration Utility.
The Planning Application Creator can create Planning applications and Performance
Management Architect Generic applications.
The External Application Creator can create external views and export application views
but cannot export the library.
Note: External Application Creator role is reserved for future use. -
Shared Services hangs after MSAD configuration (9.2.0.2)
Hi all,
I am trying to configure MSAD with shared services. I successfully add the MSAD domain and then add it to the search order, being number 2 after native. I then restart HSS. When I go to open HSS or the framework login the whole thing just hangs. HSS does always start correctly. For testing purposes I am restoring the CSS file each time. I have tried 3 different user accounts so I doubt it is a permissions issue.
I have also tried configuring the MSAD domain, restart HSS, then adding it to the search order and restarting HSS. It made no difference.
Has anyone seen this before? The same domain has been added to a different instance of HSS on another server (DR) so I can't understand why it is hanging.
Many thanks in advance,
NathanAfter extensive testing with Oracle Hyperion the root cause was runnong HSS as a service following the configuration with MSAD. The config framework page displayed 9.2.0.2 as the version when it was actually 9.2.0.3 as confirmed by the HSS console. Apparently this problem can happen in 9.2.0.3.
Just thought I'd let you know the solution.
Nathan -
Shared Services MSAD Configuration
Hi
Can you please assist, the following error occurs on the Log when configuring MSAD user configuration
2010-08-25 15:47:45,742 ERROR [http-28080-Processor12] com.hyperion.css.web.config.util.extauth.CSSProperties.getSecurityAgent(Unknown Source) -- Error occured while loading the configuration file
2010-08-25 15:47:45,758 ERROR [http-28080-Processor12] com.hyperion.css.web.config.util.extauth.CSSProperties.getSsoMode(Unknown Source) -- Error occured while loading the configuration file
2010-08-25 15:47:45,758 ERROR [http-28080-Processor12] com.hyperion.css.web.config.util.extauth.CSSProperties.getSsoValue(Unknown Source) -- Error occured while loading the configuration file
Please adviseI have the exact same error :(
-
MSAD configuration with shared services issue?
Hi
i recently configured MSAD with shared services.but the problem is the hfm users are not in the same group in msad.so i am not getting all hfm users.so i configured 2 more msad groups.
now the problem is while configuring we have to give user name & password of any user in that group.here the password will change for every 45 days.and it is pratically not possible to have others password for the administrator to change for every 45 days in shared services.
is there any other solution for this problem.
HYperion 11.1.1.2
regards
bharat.tvCan you not set up an one service account that exists in all the groups and doesn't have its password expiring?
Cheers
John
http://john-goodwin.blogspot.com/ -
MSAD and EPM 11.1.2.1
Hi,
I have a question.
If there is MSAD configured with 11.1.2.1 is it somehow possible for user to change his MSAD password via EPM Workspace?
Best regards,
GregHi,
Once MSAD is configured, all the credentials are handled from MSAD server and maintained by MSAD Administrator only, the user dont have the permission to change the password...
Even the Hyperion - Power Administrator dont have the permission to touch and alter the MSAD user groups.
Thanks -
Hello All-
I have a Essbase application and i have MSAD configured with shared services. Now i want to have users be able to use their MSAD username & passowrd and at the same time i want to assign users the filter access for the indvidual
application. I have always done it in the planning application but i now want implement the same on just Essbase application. Now my question is where should i create my group in EAS or directly in shared service? My guess is that i
should create group in shared service assign as Essbase server access and then refresh the security via AAS and i should see the groups in AAS. Once i see the groups there how can i assign the filter security for the application . IS this
something that i need to do directly in AAS? Please advise!
Thanks!Hi,
Create the group in shared services, give the group the essbase role of "server access" and access to each essbase application.
Go into EAS, refresh security from shared services for all users.
Create filters in EAS for the essbase applications.
In shared services, expand application groups, essbase, right click the essbase application "assign access control", pick the user/group, assign the filter.
Cheers
John
http://john-goodwin.blogspot.com/ -
AD authentication against Shared Services failing randomly
We're seeing random failures in AD authentication against Shared Services both via the Excel Addin and via Maxl scripts.
SQL server (v 10.50.2500), Shared Services and OHS (v 11.1.2.2.303), and Essbase server (v11.1.2.2.104) are installed on the same physical box (16 cores, 192GB RAM) in a single-server configuration. It happens every few days at no fixed time and is resolved either by itself in a few hours, or by stopping and starting EPM services (Hyperion Foundation Services - Managed Server, OPMN service for Essbase, and OPMN service for OHS are stopped by running <Middleware_Home>\user_projects\epmsystem1\bin\stop.bat, and started by running start.bat).
While the AD authentication is down, nobody is able to connect (via the Excel Add-in or Maxl scripts) using their AD accounts and get the following error - "Analytical Services user [AD_user1] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]". Native authentication works at all times (even when AD authentication fails).
Although it seems to apply to an older version and to Planning/Workspace, we did look into "Error "EPMCSS-00301: Failed To Authenticate User. Invalid credentials" Intermittently When MSAD User Logs Into Workspace. (Doc ID 1389871.1)". But even after making the suggested changes, the problem persists. Any ideas what might be causing AD authentication to fail randomly like this? Below are some relevant portions of the logs -
From ESSBASE_ODL.log -
[2014-01-10T04:41:06.693-05:00] [ESSBASE0] [ERROR:32] [AGENT-1440] [] [ecid: 1388972435616,0] [tid: 6312] Essbase user [hyperion_admin] Authentication Fails against the Shared Services Server with Error [EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.]
[2014-01-10T04:41:06.693-05:00] [ESSBASE0] [WARNING:1] [AGENT-1003] [] [ecid: 1388972435616,0] [tid: 6312] Error 1051440 processing request [Login] - disconnecting
From SharedServices_Security_Client.log -
[2014-01-10T04:39:00.490-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required. [2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url. ad.weil.com:389. Verify MSAD user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
[2014-01-10T04:39:42.547-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 150] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration.
[2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:40:24.605-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.662-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-10T04:41:06.693-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
[2014-01-10T04:41:06.693-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 149] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
From console~Essbase1~EssbaseAgent~AGENT~1.log -
[Fri Jan 10 04:40:22 2014EPMCSS-00301: Failed to authenticate user. Invalid credentials. Enter valid credentials.
at com.hyperion.css.facade.impl.CSSAbstractAuthenticator.authenticateUser(CSSAbstractAuthenticator.java:658)
at com.hyperion.css.facade.impl.CSSAPIAuthenticationImpl.authenticate(CSSAPIAuthenticationImpl.java:69)
at com.hyperion.css.facade.impl.CSSAPIImpl.authenticate(CSSAPIImpl.java:102)
at com.hyperion.css.facade.impl.CSSAPIImpl.login(CSSAPIImpl.java:794)
at com.hyperion.css.facade.CSSAPIFacade.login(CSSAPIFacade.java:776) ]
Local/ESSBASE0///9180/Info(1042059)Server times are in sync. In fact, we see no such issues on the 9.3.1 environments (which are in the same server farm as the 11.1.2.2 environments).
We're using the same MSAD configuration we have in the 9.3.1 environments as follows -
Directory Server: Microsoft
Name: AD Host Name: ad.mycompany.com
Port: 389
SSL Enabled: unchecked
Base DN: DC=ad,DC=mycompany,DC=com
ID Attribute: objectguid (greyed)
Maximum Size: 200
Trusted: checked
Anonymous Bind: unchecked
User DN: ad\hyperion_admin
Append Base DN: unchecked
User RDN: blank
Login Attribute: cn
First name Attribute: givenName
Last name Attribute: sn
Email Attribute: mail
Object Class: person,organizationalPerson,user
Support Groups: checked
Group RDN: OU=groups
Name Attribute: CN
object class: group?member
I also tried disabling AD groups (Support Groups = unchecked), but I still see a random AD authentication failure. Below are logs based on automated retrievals using an AD account at 14:37, 17:37, 20:37 and 21:40 today. The first 2 worked fine, the 3rd failed, the fourth worked fine again. From SharedServices_Security_Client.log -
[2014-01-11T14:37:00.574-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 42] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 44] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 45] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T14:37:00.917-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T14:37:01.151-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 43] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
[2014-01-11T17:37:00.752-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 46] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 48] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 49] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T17:37:01.174-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T17:37:01.361-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 47] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required.
[2014-01-11T20:37:00.634-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:37:42.707-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-07047] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to get connection from connection pool for user directory AD. Error executing query. adweilcom:389. Verify user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-09102] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to initialize group cache for MSAD user directory AD. Error connecting to url . ad.weil.com:389. Verify MSAD user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [ERROR] [EPMCSS-00107] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.CSSManager] [SRC_METHOD: pingConfiguredProviders] Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.
[2014-01-11T20:38:24.748-05:00] [EPMCSS] [WARNING] [EPMCSS-10029] [oracle.EPMCSS.CSS] [tid: 51] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: run] Exception while building asynchronous group cache for user directory. EPMCSS-00107: Failed to refresh group cache. Some of configured user directories not initialized [AD]. Verify user directory configuration.. Verify Shared Services security user directory configuration..
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.util.jndi.pool.JNDIConnectionPool] [SRC_METHOD: getBorrowObject] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.JNDIHelper] [SRC_METHOD: getURLContext] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [WARNING] [EPMCSS-10033] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Skipping user directory {0} failed to communicate with server. {1}. No action required.
[2014-01-11T20:39:06.806-05:00] [EPMCSS] [ERROR] [EPMCSS-00301] [oracle.EPMCSS.CSS] [tid: 50] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.facade.impl.CSSAbstractAuthenticator] [SRC_METHOD: authenticateUser] Failed to authenticate user. Invalid credentials. Enter valid credentials.
[2014-01-11T21:40:41.799-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20330] [oracle.EPMCSS.CSS] [tid: 52] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheManager] [SRC_METHOD: getCache] Cache refresh started asynchronously. This is a status messages. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory Native Directory. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20005] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Asynchronously started user directory cache building for user directory AD. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20008] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.spi.impl.msad.MSADProvider] [SRC_METHOD: createCache] Group support is disabled for MSAD user directory AD returning empty cache map. Status message. No action required.
[2014-01-11T21:40:41.986-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 54] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory AD and size of group cache is 0. Status message. No action required.
[2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20007] [oracle.EPMCSS.CSS] [tid: 55] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.ProviderCacheThread] [SRC_METHOD: run] Group cache completed for user directory Native Directory and size of group cache is 19. Status message. No action required.
[2014-01-11T21:40:42.002-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20331] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Cache building is done for the providers, now started unifying the cache. This is a status messages. No action required.
[2014-01-11T21:40:42.080-05:00] [EPMCSS] [NOTIFICATION:16] [EPMCSS-20332] [oracle.EPMCSS.CSS] [tid: 53] [ecid: disabled,0] [SRC_CLASS: com.hyperion.css.cache.CacheThread] [SRC_METHOD: buildCache] Unify cache done and cache object set to the cache manager. This is a status messages. No action required. -
Hyperion Shared Services issue
Hi All,
We use Hyperion Planning 9.3.0.1. The servers were restarted yesterday and the services were started manually in the correct sequence. But I am having issues with MSAD users not been able to logon.
When I looked at the Shared Services I tried searching for user/groups in the MSAD directory but it says communication error. I understand that it could be a change in the MSAD configuration that might have broken the link, however when I look at the log file I find the following entries:
2009-04-27 14:25:28,141 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/workspace: Refer log in debug mode for details
2009-04-27 14:25:49,032 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:10080/eas: Refer log in debug mode for details
2009-04-27 14:25:53,188 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/HyperionPlanning/: Refer log in debug mode for details
2009-04-27 14:25:57,344 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/workspace: Refer log in debug mode for details
2009-04-27 14:26:19,109 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:10080/eas: Refer log in debug mode for details
2009-04-27 14:26:23,594 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/HyperionPlanning/: Refer log in debug mode for details
2009-04-27 14:26:28,313 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/workspace: Refer log in debug mode for details
2009-04-27 14:26:49,203 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:10080/eas: Refer log in debug mode for details
2009-04-27 14:26:53,453 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/HyperionPlanning/: Refer log in debug mode for details
2009-04-27 14:26:57,937 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/workspace: Refer log in debug mode for details
2009-04-27 14:27:10,687 [Timer-0] ERROR com.hyperion.cas.web.util.memory.CASUsedMemoryTracker.run(CASUsedMemoryTracker.java:27) - Memory in use[12880 kb] = Total memory available[793837 kb] - Free memory available[780957 kb]
2009-04-27 14:27:18,937 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:10080/eas: Refer log in debug mode for details
2009-04-27 14:27:22,984 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/HyperionPlanning/: Refer log in debug mode for details
2009-04-27 14:27:27,140 [Timer-1] ERROR com.hyperion.cas.server.task.CASInActiveContextPingerTask.run(CASInActiveContextPingerTask.java:52) - IOException occured while pinging app with registered context path: http://servername:19000/workspace: Refer log in debug mode for details
Recently there was an exercise done to change the Java heap size settings. I am wondering if it is related to that.
Thanks in advance,
Amol
Edited by: AmolDatt on Apr 27, 2009 7:05 PMHi,
Those error messages usually happen when Shared Services has just started up and before the other services have started, it sends out a ping to see if it gets a response from the other application servers, the pings will fail until the other services have started, once they have started them messages should disappear.
I would check that if any changes have happened to your MSAD or the account that shared services uses.
Cheers
John
http://john-goodwin.blogspot.com/ -
Shared Services Users Disappear from Groups
We have Native Groups in Shared Services that we added users from our MSAD directory to. Yesterday we found that the groups no longer have these users in them and IT did say they did some moves in the directory over the weekend. But I'm wondering if that would really cause SS to drop all the users from the groups like this.
Basically, no one is able to log in although we are testing adding users back to the groups and think that's working.
I just don't want to have to re-create our groups anytime our MSAD is updated.
I'd appreciate any help in understanding this better,
PaulOur MSAD administrators moved some OU's around one day and it caused a lot of problems for us since our Shared Services MSAD configuration setting for "User DN" had all the OU's hard coded or what have you. I had to change them to the same that the AD folks had changed them to, then restart everything.
So on the native side I can see how if they moved OU's around that could throw off what you had done. There's a utility which I've been too scared to use (probably harmless but I can't afford any mishaps) which tells Shared Services to search for MSAD changes and to force them through Shared Services, which is probably a nice thing to do once in a while especially when MSAD OU's are moved around. SS does not automatically poll for that type of change but you should be able to automate this.
There's an updatenativedir utility that you can read up on which might help. Don't forget to do backups first of all the security-related databases & files, etc. first.
Perhaps someone reading this is comfortable running UPDATENATIVEDIR and can help provide better guidance, if that's the issue here.
Karen -
Authentification from tow LDAP in webcenter spaces
My customer need to open authentification in webcenter spaces for all his employees and for his partners which are saved on tow different LDAP directory.
How can i do to allow authentification from this tow LDAP directory?
Regards.
CMNIn Weblogic Console,
Go to Security Realm - myrealm - Providers, select New
Type your new Realm name, for example MSAD,select type ActivityDirectoryAuthentication and OK.
In myrealm providers you'll see your new provider, click in reoder and put the new provider at first position. Do not restart server yet.
Select your new provider, in Commom tab select Control Flag as SUFFICIENT.
Go to Provider Specifc Tab, this is the configurantion tab, put your MSAD configuration.
The principal field is the user that bind in your MSAD to search your MSAD users.
User Base DN, is base that contains users.
User From Name Filter: (&(sAMAccoauntName=%u)(objectclass=user))
User Name Attribute: sAMAccountName.
Apply all configurations, go to myrealm providers, select DefaultAuthentication and change Control Flag to SUFFICIENT.
Restart you Admin and all your managed servers.
Hope that help you. -
Change in the shared services settings
Hi,
Recently the host name changed and I had to reconfigure the MSAD configuration. I restarted the Shared services and then restarted planning. I subsequently ran the userprovision.cmd to synchronise the users with Planning.
But the users still can't seem to be able to logon using their ids.
Do I need to restart all the services again?
Regards,
AmolHi,
Did you run the provisionusers.cmd or updateusers.cmd
It will be the updateusers.cmd that should update the users in planning to be in line with shared services.
Cheers
John
http://john-goodwin.blogspot.com/ -
Restaring Essbase OK without restarting other services
I'm on Hyperion Planning S 9.3.1 and I need to stop and start my essbase service and wondered if that can be done without restarting all the other related services. I have the restart order list for when I restart the Workspace/Rpts/WA/Planning/HSS services but am wondering where Essbase fits in this list.
Thanks for both replies! Things had gotten frozen up earlier today and I was hoping a quick essbase restart would have cleared it up. Before I got to that pretty much had to restart all my services to get things going again.
Over the last couple months, when our network gets over utilized it seems to be freezing up our environment. Weird thing is we have five MSAD sources (about 500 users). We have users from TN to MI to AK using our central servers.
When our network gets over utilized between two locations in MI (our HQ and a plant across the state) I go into HSS and pull properties for users and it nearly hangs or is real slow. Then this seems to ultimately effect my logging into EAS, the Excel Add-In and eventually the Workspace with an ID from either of those sites.
I can click the 'test' in HSS for each of those MSAD configurations and get successful test's but it's slow. Our TN connectivity and performance doesn't seem to be bothered during these events either which is weird. But since I'm hosed with two sets of our user base I have to restart which effects everyone.
I'm not sure where to dig into this further to identify the root cause of how this is happening or how HSS to Essbase. We've been on 9.3.1 for almost 2 years now and periodically have had to restart services but it's becoming more common and our IT had basically said our network is always going to be over utilized at time (which I understand) but I don't want to have to restart everything every time that happens. Any tips or areas/setting I might look at to make the environment more resistent to network instability? -
Shared Services: Multi-domain MSAD based configuration issue
Hello to All,
Can someone tell me how to configure MSAD to use two domains X and Y under one user directory D.
My actual configuration is based on the domain X and provides some MSAD users groups in D user directory.
But I need to provisionne another user that belong to another AD in a foreign domain Y.
A trusted relationship (approbation relationship) have been created between the two domains X and Y.
Is this kind of multi-domain configuration allowed in Shared Services?
If yes, how can I configure this?
OS: Solaris
Hyperion Shared Services 9.3.1
Thanks in advance for your helpThere are a couple of ways:
1) Add a new provider in Shared Services
2) Modify your current provider to go to a higher level in your domain which will likely require different parameters on your existing Active Directory provider
Option 2 is preferable if you see this will cascade and other domains will be needed and they are all under a global company domain.
Regards,
John A. Booth
http://www.metavero.com -
ALBPM Directory Service: Hybrid Configuration - MSAD Problems
I've successfully configured the Directory Service of an ALBPM (Enterprise Standalone) v6.0.4 #94069 installation to use a MS Active Directory (MSAD) service for ALBPM organization infomation. I can view participant, group and organizational unit information using the Process Administrator. However, I've noted:
<ul><li>The MSAD is swamped with (successful) authentication requests from the ALBPM directory service and
and I have had to stop the ALBPM 6.0 server to prevent disruption to our MSAD service.
</li>
<li>
Repeated warning messages in the ALBPM log about MSAD Contacts, listed in MSAD Groups, that cannot be found as ALBPM Participants. These messages do not appear for MSAD Users who are correctly shown as ALBPM Participants.
</li>
<li>
Repeated warning messages in the ALBPM log about MSAD Groups that cannot be found as ALBPM Groups where the MSAD Group definiton is such that the MSAD sAMAccountName value for the group is different to the MSAD name or cn value.
</li>
</ul>
Is anyone else using MSAD in their ALBPM directory service configuration? Have you seen similar issues? I've tried reporting this via Oracle Support, however, my impression is that others users do not have such problems using MSAD with ALBPM or Oracle BPM.
Thanks,
RobHi Rob,
Have a read of this http://download.oracle.com/docs/cd/E13154_01/bpm/docs65/admin_guide/index.html if you are using groups.
I'm using Novell eDirectory instead of AD but am also seeing a large number of requests from BPM. However, I've not had time yet to investigate to what these relate.
Thanks,
Mike,
Maybe you are looking for
-
Hi, My client needs mannual number range for booking all documents. Now I want to reset a vendor payment clearing document(i.e. vendor amt is net of w.holding taxes) as system does not allow to reset net of tax based cleared document. Pls. help. Rega
-
Hi Experts, Could you help me solve the issue. I feel inheritance is not working properly for me. I have checked the inheritance check box in doc splitting activation. When I post a FB50 document with 2 line items, one line item having profit center
-
Mdb : missing modules on Solaris 10 ??
I'm trying to debug a core using mdb. All of the web pages I look at show commands like "::ps" and "::pgrep". These would be great, but I don't see any of these when I enter "::dcmds" nor "::dmods -l". It looks like the "modules" are in /usr/lib/mdb/
-
Purchase requisition valuation price
Hi Gurus System prompts me to enter the valuation price in purchasing screen in the sales order when I select the item category TAS/TAB. I maintained the valuation price using MR21 but still does not pick it. Info record too exists. Is something thin
-
Hi All, I try to call a program in AS400. Is this possible with PI. I made a research and found that through JDBC (with jt400) we can connect. BUT can we call a program which is written in RPG or COBOL? Is this possible? Thanks.