OBIEE SSO with authorization

Hi Gurus,
1)I have instance configured the SSO with windows Active Directory and OBIEE.
2)I also have another instance ( without SSO configured) with external table authentication( user name and password verification) and authorization( groups , which populate the session variables for data filtering) .
Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory
and external table groups.
The reason being , my groups are custom groups in external table, i do not want to maintain users in repository.
can you please give me pointers if the scenario is possible . Thanks in Advance
Thanks and Regards
Satya

Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory and external table groups.I don't what your issue is? Just do SSO with AD and then load the groups in the GROUP init block via SQL. What is your actual issue?
In order to filter the data in reports you need to have the same group structure in Web Cat i guess ( correct me if i am wrong).Yes, although you don't need to use the same group names. Inm fact I prefer to have completely separate groups names, some for RPD security some for Web Catalog security. As long as the the groups exist in the proper location (RPD or Web Catalog) and they get assigned in the GROUP init block then OBIEE will be happy, they don't need to exist in both places.
2) Will not SSO populate the Remote_User variable rather than the USER variable by default.No, you have to tell OBIEE where to put the REMOTE_USER value. You can simply do SELECT ':USER' FROM DUAL or if you have your users defined in a table you can also authenticate that the user exists in this table SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER' which adds another layer of authentication to your SSO solution.

Similar Messages

OBIEE SSO with BI Publisher integration

Hey everyone,
I did some searching and I found several threads in regards to bhe BI Publisher and OBIEE integration but so far nothing completely solved my problem.
Here's my situation.
Linux OS
Apache web server
OAS
OBIEE 10.1.3.3.2
We've got SSO implemented and it is going against active directory. In order to get that setup, we had to create the impersonator user, had it to the crendential store, setup the instance config correctly ,etc. Also, we had to install MOD_NTLM because Apache does not natively support NTLM like IIS does. Once we did that, the signle sign on works wonderfully and I'm logged directly into OBIEE Dashboards as my OS authenticated user.
As my OS user (which does not have an account in the RPD, only has an account in AD), I try to open BI Publisher from OBIEE going to More Products-> BI Publisher. I get the "Reporting Login: Login failed:" message. When I use the URL NQUser and NQPassword parameters to login as Administrator, I am able to log in just fine.
In BI Publisher, the security model is set to BI_SERVER and all the OBIEE Administrator passwords are updated and current. I've also tested the DSN connection string and created the super user. I've created the six XMLP_* roles as groups in the RPD and added both the Administrator user and the Impersonator user to the XMLP_ADMIN group. I'm starting to run out of ideas at this point. Am I missing a step here to get standard users to access BI Publisher?
I'd appreciate any help on this.
Thanks!
-Joe

What Group is the default user group for your OBIEE users? Log into Answers with your user account, then check value of Session variable GROUP.
You need to give the User group(s) permissions in BI Publisher. They will need permissions to Shared folders and OBIEE data source.

OBIEE SSO with On Demand

Hello,
Has anyone attempted to integrate Oracle CRM On Demand with OBIEE before? I know CRM On Demand has a built in Analytics function, but we are looking at analyzing a large volume of sales data, and it would not be feasible (or possible?) to load that data into CRM On Demand. I want to embed OBIEE reports/dashboards within CRM On Demand using web applets.
1) Is there a way to create action links between OBIEE and CRM on Demand?
2) What about SSO between the two systems? I can easily pass the username to OBIEE via the URL if I'm using a web applet, but what about the password? I know I can bypass the password by using the DB username/password instead of :USER and :PASSWORD in the connection pool, but since this will be exposed to the internet, that's not such a good idea.
Thanks for any insights you can provide!
Joe

You can write some embeded code in OBIEE to authenticate using SSO and get the required OBIEE database credentials to do operations in OBIEE DB -- Venky CRMIT

OBIEE SSO with AD@WIN03 Server: Can not login answers at all.

Hi All
No Answer found here, No problemos i will sort this out.
I am trying to configure SSO on following environment. But I am failing to log on answers using weblogic user.
Without ADAutho I am able to login but as soon as i setup the ADAuth with following information its failing.
OS: Windows 2003 Server
OBI: 11.1.1.7
Windows login: Administrator/Admin123 ( I have also created weblogic Windows user)
OBIEE Login: weblogic/Admin123
Hostname: test.dev.local
Host:
localhost
Port:
389
Principal:
CN=Administrator,CN=Users,DC=dev,DC=local
Credential:
password
Confirm Credential:
password
User Base DN:
CN=Users,DC=dev,DC=local
All Users Filter:
(&(cn=*)(objectclass=user))
User From Name Filter:
(&(cn=%u)(objectclass=user))
User Search Scope:
subtree
User Name Attribute:cn
User Object Class:
user
Use Retrieved User Name as Principal
unchecked
Group Base DN:
CN=Builtin,DC=dev,DC=local
All Groups Filter:
(&(Administrators=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
Group From Name Filter:
(&(Administrators=%g)(objectclass=group))
Group Search Scope:
subtree
Group Membership Searching:
unlimited
oracle.bi.system -> system.user = weblogic/Admin123
I have added Administrator and weblogic users under
weblogic Domain -> bifoundaton_domain -> Security -> Applicaton Role -> BISystem -> weblogic/Administrator
weblogic Domain -> bifoundaton_domain -> Security -> Security Provider Configuration -> Identity Store Provider
       user.login.attr = weblogic
       username.attr = weblogic
       virtualize = false
Please help where i am making mistake?
log:
46.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [85004] MDX Member Name Cache subsystem recovered entries: 0, size: 0 bytes.
49.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
49.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [13026] Error in getting roles from BI Security Service: 'An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.'
49.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [46172] Database security store is not available, do not re-associate to this provider type.
49.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] nqsserver: Clustered Oracle BI Server started. Version: 11.1.1.7.0.
50.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: 144c] [43071] A connection with Cluster Controller test.dev.local:9706 was established.
17.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-0000000000000074] [tid: 1148] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
17.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-0000000000000074] [tid: 1148] [nQSError: 43126] Authentication failed: invalid user/password.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: ce4] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: ce4] [nQSError: 43126] Authentication failed: invalid user/password.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 28c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 28c] [nQSError: 43126] Authentication failed: invalid user/password.
59.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 103c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
59.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 103c] [nQSError: 43126] Authentication failed: invalid user/password.
44.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 11d0] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
44.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 11d0] [nQSError: 43126] Authentication failed: invalid user/password.
15.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-000000000000025a] [tid: 17e4] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
15.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-000000000000025a] [tid: 17e4] [nQSError: 43126] Authentication failed: invalid user/password.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 1658] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 1658] [nQSError: 43126] Authentication failed: invalid user/password.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 108c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 108c] [nQSError: 43126] Authentication failed: invalid user/password.
Thanks

Thats cool
just in case let me know [email protected]

OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

Hi Everyone!
I have configured a OAM(webgate)+OID+OBIEE+OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It is working very well.
The OAM authenticates from OID(default user identity store).
The *"User Search Base"* is same ( *"cn=Users,dc=mydomain,dc=com"* ) in identity store and in OBIEE's OID authentication provider too.
The SSO is enabled in OBIEE and the providers are:
OID (Provider that performs LDAP authentication     1.0) SUFFICIENT
OAM Provider (Oracle Access Manager Identity Asserter     1.0) REQUIRED
DefaultAuthenticator     (WebLogic Authentication Provider     1.0) SUFFICIENT
DefaultIdentityAsserter
IF the *"User Name Attribute"* is *"cn"* in OAM's user identity store and the OBIEE's OID provider's *"user name attribute"* is *"cn"* (default) too, everything is working fine.
But I have to use *"orclSAMAccountName"* instead of *"cn"* (OAM and OID provider). And in this case I have the problem.
In the OBIEE's OID provider are:
All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
User Name Attribute: orclSAMAccountName
I made a test user:
cn=test
sn=test_sn
orclsamaccountname=test_sama
uid=test_uid
krbprincipalname=test_krb
I can authenticate with test_sama in OAM, but OBIEE say: *"You are not logged in here: Oracle BI Server."*
The bi log shows that:
+Default (self-tuning)'> <BISystemUser> <> <00093dFuR^HFW7PMye7i6G00052S000Tt7> <1345642607333> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
+oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
Why does search OBIEE the *"cn"* and why does not use the *"orclsamaccountname"* ?
Any idea???
Regards, Jani

Hello Jani,
This is a known issue in OBIEE 11.1.1.6.0 , Please refer to : OBIEE 11.1.1.6 Agent failed with Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
We have configured OBIEE 11.1.1.6 on Linux and using Single Sign On (SSO) with Windows Native Authentication (WNA).
Configured AD Authenticator, selected sAMAccountName instead of CN for User Attribute. Enabled SSO in EM. When trying to access OBIEE Presentation services we have encountered the error below.
"You are not logged in here: Oracle BI Server."
When checking the biserver1 log file found : [Security:090300]Identity Assertion Failed: User OracleSystemUser does not exist
After applying the patch 13553428 on top of OBIEE 11.1.1.6.0 we have successfully logged into OBIEE Presentation services.
This works fine with OBIEE 11.1.1.5.0 and 11.1.1.6.1
Fixed in OBIEE 11.1.1.6.1. Apply Patch 13742915.
If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
Let me know if this solves the Asserter issue.
Pls mark if helpful or answered.
Thanks,
-SVS

SAP BO WebI Report on top of BI Bex Query with Authorization Variable

Hi,
We are trying to restrict row level data using BI 7.0 analysis authorization concept. We have an authorization variable in the Bex query and is working perfect in Bex Analyzer as well as in RSRT.
Now we are trying to achieve the same thing in BO webI. We created an Universe using Authentication Mode SSO. We are on BOXI 3.1 and implemented SSO. When we try to run the query in WebI we get the error
"A database error occured. The database error text is: Error in MDDataSetBW.GetCellData..(WS 10901)"
Just for testing purpose, when we use query filter in WebI and use Values from List, it is showing only the authorized value it supposed to show and runs well with that value selected. But we have to achieve this without the query filter in WebI.
So are we missing some thing here or any patch issue? Please share if you have done this type of reports in BO.
Thanks in advance for your help.
Moorthy.

Yes I did run MDXTEST and it gives error as 'you do not have sufficient authorization'. The reason it is giving, I guess and we are debugging that to confirm, is first it looks for 0BI_ALL and throws error which is not the case in Bex. See the following trace in RSRT trace.
InfoObject Properties Defined
Reading of Directly Assigned Authorizations
Direct Assignment Does Not Include Universal Authorization 0BI_ALL
Reading the Indirect Assignments with Authorization Object S_RS_AUTH
Does user have OBI_ALL?
No, the User Does Not Have Universal Authorizion 0BI_ALL
Negative Entry in SU53 Result of Failed Check for 0BI_ALL
Indirect assignments found; no universal authorization
Reduction of Authorization Dimensions on Characteristics in InfoProvider
Reduction Successful
Thanks!
Moorthy

What about the security we support when the BIA is not SSO with EBS

For the following security mode, if all of them need the SSO with EBS?
Operating Unit-Based Security for Oracle EBS
Inventory Org-Based Security for Oracle EBS
Ledger-Based Security for Oracle EBS
Business Group Org-Based Security for Oracle EBS
HR Org-Based Security for Oracle EBS
Human Resource Personnel Data Analyst Security for Oracle EBS
Employee-Based Security for Oracle EBS

well you could do the security in OBIEE as well, but why shouldn't you use SSO?

OBIEE 11g with Oracle EBS R12 implementation,Need to know Default Roles

Hi All,
Can anyone please let me know regarding any documentation or link where i can find all default OBIEE Group names and the relation of each Groups with Oracle EBS R12 roles and responsibility categorized by the Modules.
We need the Roles information for the following modules:
1. Supply Chain & Order Management
2. Procurement & spend
3. Finance
Thanks in advance. Please help.
Regards
Sudipta

Please see these docs.
Integrating Oracle Business Intelligence Applications with Oracle E-Business Suite [ID 555254.1]
What documentation do I need to review when installing and configuring a OBI Apps 7.9.6.x environment with EBS? [ID 1221764.1]
Master Note for OBIEE Integration issues with EBS, Siebel, SSO, Portal Server [ID 1248939.1]
Oracle SSO E-Business Suite Applications Integration with Oracle Business Intelligence [ID 553423.1]
Oracle EBS integration with OBIEE [ID 733137.1]
Document for implementing security OBIEE Apps with EBS and Siebel CRM as sources [ID 756851.1]
What Application must be chosen for Responsibility within EBS when integrating with OBIEE [ID 1246464.1]
Also, search Steven Chan's Blog and you should get couple of hits -- http://blogs.oracle.com/stevenChan/
Thanks,
Hussein

Oracle Forms 11g SSO with OID and IAM

What versions of OID and Access Manager are required to get an Oracle Forms and Reports 11.1.1.2 application
on Weblogic 10.3.2 configured for Oracle SSO using OID authentication?
We want the OID to store and authenticate Users for username and password logins to the database, then
ultimately by user Certificate authentication in OID. I have OID 11.1.1.2 installed and SSO enabled for Forms
in Enterprise Manager.
Is Access Manager required for Forms SSO with OID authentication to work or just to allow user interaction
for registration and Password reset?
Things mention OAM 10.4.3 and others talk about IAM 11g for Forms 11.1.1.2 SSO to work with OID.
We did this back in Oracle Forms and OID 10g with JSP and LDAP to setup users but I understand 11g is
different and IAM can help or is required for this type of SSO to work.
Any help?
Edited by: Kirch on Apr 30, 2013 7:39 AM

Hi,
According to Oracle's certification matrix found at http://www.oracle.com/technetwork/middleware/downloads/fmw-11gr1certmatrix.xls, Oracle Forms 11.1.1.2 is not supported to use any Oracle Access Manager (OAM) version. OAM is a component of IAM. It is only supported with Oracle SSO 10.1.4.x. The best solution would be to upgrade the Forms and Reports environment to either 11gR2 (11.1.2.1) or to the latest 11gR1 patchset 11.1.1.7. Both versions are compatible with OAM 11.1.1.7.0 and OID 11.1.1.7.0 where only Forms 11gR2 (11.1.2.1) is compatible with OAM 11.1.2.0 and OID 11.1.1.7.0. That would be the best solution as we have ran into configuration problems in the past with using Oracle SSO 10.1.4.x.
Since OID 11.1.1.2.0 is already installed, you should be able to patch it up to 11.1.1.7.0.
For user authentication in OID, it is required to have OAM or Oracle SSO as both products use WebGate or mod_osso agents for authentication and authorization. For purposes of allowing end users to register accounts and password reset, you will either need to also install another IAM component called Oracle Identity Manager (OIM) or create a customized SSO login page that can be coded to perform these actions. I believe there are some examples available on the Internet.
Thanks,
Scott
http://pitss.com/us

Softwares Needed to Acheive SSO with Webcenter Suite 11.1.1.2

Hi All
I have Installed Web center suite 11.1.1.2 on my Machine. Can anybody suggests, what are the softwares that i need to install inorder to achieve
Oracle SSO with E-Business Suite and OBIEE.
Regards
Nagaraju Manchala
Edited by: user11965597 on Sep 15, 2011 3:58 AM

Oracle Identity Management (OIM) is a collection of related products that provides identity and access management (IAM) services. These products includes
Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Virtual Directory (OVD), Oracle Internet Directory (OID) etc. The purpose of all these products is to provide LDAP directory services and/or security services and/or SSO service. For detail of all related products of OIM, pls see following link:-
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
OIM and IAM is always create confusion when you go to their download page. You need to download Identity Management (11.1.1.2.0) from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html. OIM will give you following products when you install it:-
- OID
- OVD
- Oracle Identity Federation
- Oracle Directory Integration Platform
Also see installation guide:http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/overview.htm#sthref6
For new features of PS3, pls see http://www.oracle.com/technetwork/middleware/webcenter/overview/wcps3-highlights-284637.html
In PS4, Oracle removed few bugs.

Help - SPENGO - Microsoft SSO with WLS 9.2

Friends,
I am trying to integrate Microsoft SSO with WLS with SPENGO. I followed the steps given in http://edocs.bea.com/wls/docs92/secmanage/sso.html and even in 8.x documentation where I had to create a LDAP authenticator etc.
However, instead of SPENGO token, I get the NTLM token. It looks like when Kerberos fails, WLS tries to invoke NTLM. But I am not sure where I am doing wrong. It would be great if someone could look at the following logs and suggest some workaround.
<<WLS Kernel>> <> <> <1183957002830> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
<<WLS Kernel>> <> <> <1183957002830> <000000> <CERT auth type found for webapp>
<<WLS Kernel>> <> <> <1183957002830> <000000> <All request headers:>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Language : en-us>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: UA-CPU : x86>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Accept-Encoding : gzip, deflate>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Host : 10.31.252.182:7001>
<<WLS Kernel>> <> <> <1183957002830> <000000> < Header: Connection : Keep-Alive>
<<WLS Kernel>> <> <> <1183957002862> <000000> <Negotiate filter: new session, no negotiation has started>
<<WLS Kernel>> <> <> <1183957002862> <000000> <PrincipalAuthenticator.getChallengeToken will use common security service>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.service.ChallengeIdentityAssertionTokenServiceImpl.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <com.bea.common.security.internal.legacy.service.ChallengeIdentityAssertionProviderImpl$ChallengeIdentityAsserterV2Adapter.getChallengeToken(WWW-Authenticate.Negotiate)>
<<WLS Kernel>> <> <> <1183957002862> <000000> <Unauthorized, sending WWW-Authenticate: Negotiate>
<<WLS Kernel>> <> <> <1183957003268> <000000> <NegotiateIdentityAsserterServletAuthenticationFilter.doFilter() called>
<<WLS Kernel>> <> <> <1183957003268> <000000> <CERT auth type found for webapp>
<<WLS Kernel>> <> <> <1183957003268> <000000> <All request headers:>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept : image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Language : en-us>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: UA-CPU : x86>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Accept-Encoding : gzip, deflate>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: User-Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Host : 10.31.252.182:7001>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Connection : Keep-Alive>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Cookie : JSESSIONID=0nRcGRQKvcpzV8wQPVX584Pxwly4GrpTdQGGGYGGb4Z62Rs1GLVv!542382297>
<<WLS Kernel>> <> <> <1183957003268> <000000> < Header: Authorization : Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
<<WLS Kernel>> <> <> <1183957003268> <000000> < processing header: Negotiate TlRMTVNTUAABAAAAB7IIogoACgAvAAAABwAHACgAAAAFAs4OAAAAD0RFU0tUT1BGRURFUkFUSU9O>
<<WLS Kernel>> <> <> <1183957003283> <000000> <SPNEGONegotiateToken.discriminate: not Application Constructed Object, not SPNEGO NegTokenInit token>
<<WLS Kernel>> <> <> <1183957003283> <000000> <Token not supported by Negotiate Filter, ignoring: NTLM>

Another question.
When you configure Spnego and sso, do you also need to configure an active directory authenticator ??
I think I have the SSO part working - it does kerberos authentication and gets the username, howerver after taht it fails because it tries to do an LDAP authentication with that username.
<LDAP Atn Login username: kerbuser01>
<[Security:090300]Identity Assertion Failed: User kerbuser01 does not exist
Any pointers ?

SSO with ASA and CITRIX

Hi,
don't know whether this is the right forum, but i will try to ask my question in hope that somebody can give me an answer:
I installed an ASA Security Appliance with WebVPN feature to connect to an internal Citrix Server farm. All authentication and authorization information are handled by a SecureACS, which is connected to ADS. All works fine. But now i want to Single-Sign-On to the citrix farm, means that the authentication information has to pass to citrix without entering the information twice...
Is there anybody out there who got this working?? SSO with basic authentication to an Apache webserver works just fine...
Which authentication informations are required for the Citrix Web Interface??
Thanx in advance!
Bernd

My custpomer is using pure http between the citrix server and the citrix client, they want to access through the vpn concentrator using the webvpn feature, after checking the citrix metaframe option on the vpn concentrator, when they try to access the client hangs on and the error that we get is ssl should be installed on the citrix server, as we use ssl between the client and vpn concentrator, my question is could citrix be accessed via pure http between the citrix server and the client in this case how to fix this error, or are we obliged to use ssl even between the citrix server and the client.

10g - how to configure sso with iis-

hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?

hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
any setup on IIS are wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
     saw.odbc.connection.open
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

SSO with KRB/ADS on Enterprise Portal 7

Dear All
while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
i have attched the trace file extract for your advice..
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module                                                               Flag        Initialize Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
     at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
     ... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
     at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
     ... 23 more

Hi,
please check if the options defined in the KRB5LoginModule are correct.
First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
This error often occurs if you provided a wrong value for option prinicpal
Cheers

OBIEE SSO with authorization

Similar Messages

Maybe you are looking for