OBIEE SSO with On Demand

Hello,
Has anyone attempted to integrate Oracle CRM On Demand with OBIEE before? I know CRM On Demand has a built in Analytics function, but we are looking at analyzing a large volume of sales data, and it would not be feasible (or possible?) to load that data into CRM On Demand. I want to embed OBIEE reports/dashboards within CRM On Demand using web applets.
1) Is there a way to create action links between OBIEE and CRM on Demand?
2) What about SSO between the two systems? I can easily pass the username to OBIEE via the URL if I'm using a web applet, but what about the password? I know I can bypass the password by using the DB username/password instead of :USER and :PASSWORD in the connection pool, but since this will be exposed to the internet, that's not such a good idea.
Thanks for any insights you can provide!
Joe

You can write some embeded code in OBIEE to authenticate using SSO and get the required OBIEE database credentials to do operations in OBIEE DB -- Venky CRMIT

Similar Messages

OBIEE SSO with authorization

Hi Gurus,
1)I have instance configured the SSO with windows Active Directory and OBIEE.
2)I also have another instance ( without SSO configured) with external table authentication( user name and password verification) and authorization( groups , which populate the session variables for data filtering) .
Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory
and external table groups.
The reason being , my groups are custom groups in external table, i do not want to maintain users in repository.
can you please give me pointers if the scenario is possible . Thanks in Advance
Thanks and Regards
Satya

Now my question is , i want a combination of Scenario 1 and Scenario 2. I want to have OBIEE SSO with Active directory and external table groups.I don't what your issue is? Just do SSO with AD and then load the groups in the GROUP init block via SQL. What is your actual issue?
In order to filter the data in reports you need to have the same group structure in Web Cat i guess ( correct me if i am wrong).Yes, although you don't need to use the same group names. Inm fact I prefer to have completely separate groups names, some for RPD security some for Web Catalog security. As long as the the groups exist in the proper location (RPD or Web Catalog) and they get assigned in the GROUP init block then OBIEE will be happy, they don't need to exist in both places.
2) Will not SSO populate the Remote_User variable rather than the USER variable by default.No, you have to tell OBIEE where to put the REMOTE_USER value. You can simply do SELECT ':USER' FROM DUAL or if you have your users defined in a table you can also authenticate that the user exists in this table SELECT ':USER' FROM USER_TABLE WHERE USER_ID = ':USER' which adds another layer of authentication to your SSO solution.

OBIEE SSO with BI Publisher integration

Hey everyone,
I did some searching and I found several threads in regards to bhe BI Publisher and OBIEE integration but so far nothing completely solved my problem.
Here's my situation.
Linux OS
Apache web server
OAS
OBIEE 10.1.3.3.2
We've got SSO implemented and it is going against active directory. In order to get that setup, we had to create the impersonator user, had it to the crendential store, setup the instance config correctly ,etc. Also, we had to install MOD_NTLM because Apache does not natively support NTLM like IIS does. Once we did that, the signle sign on works wonderfully and I'm logged directly into OBIEE Dashboards as my OS authenticated user.
As my OS user (which does not have an account in the RPD, only has an account in AD), I try to open BI Publisher from OBIEE going to More Products-> BI Publisher. I get the "Reporting Login: Login failed:" message. When I use the URL NQUser and NQPassword parameters to login as Administrator, I am able to log in just fine.
In BI Publisher, the security model is set to BI_SERVER and all the OBIEE Administrator passwords are updated and current. I've also tested the DSN connection string and created the super user. I've created the six XMLP_* roles as groups in the RPD and added both the Administrator user and the Impersonator user to the XMLP_ADMIN group. I'm starting to run out of ideas at this point. Am I missing a step here to get standard users to access BI Publisher?
I'd appreciate any help on this.
Thanks!
-Joe

What Group is the default user group for your OBIEE users? Log into Answers with your user account, then check value of Session variable GROUP.
You need to give the User group(s) permissions in BI Publisher. They will need permissions to Shared folders and OBIEE data source.

OBIEE SSO with AD@WIN03 Server: Can not login answers at all.

Hi All
No Answer found here, No problemos i will sort this out.
I am trying to configure SSO on following environment. But I am failing to log on answers using weblogic user.
Without ADAutho I am able to login but as soon as i setup the ADAuth with following information its failing.
OS: Windows 2003 Server
OBI: 11.1.1.7
Windows login: Administrator/Admin123 ( I have also created weblogic Windows user)
OBIEE Login: weblogic/Admin123
Hostname: test.dev.local
Host:
localhost
Port:
389
Principal:
CN=Administrator,CN=Users,DC=dev,DC=local
Credential:
password
Confirm Credential:
password
User Base DN:
CN=Users,DC=dev,DC=local
All Users Filter:
(&(cn=*)(objectclass=user))
User From Name Filter:
(&(cn=%u)(objectclass=user))
User Search Scope:
subtree
User Name Attribute:cn
User Object Class:
user
Use Retrieved User Name as Principal
unchecked
Group Base DN:
CN=Builtin,DC=dev,DC=local
All Groups Filter:
(&(Administrators=*)(|(objectclass=groupofUniqueNames)(objectclass=orcldynamicgroup)))
Group From Name Filter:
(&(Administrators=%g)(objectclass=group))
Group Search Scope:
subtree
Group Membership Searching:
unlimited
oracle.bi.system -> system.user = weblogic/Admin123
I have added Administrator and weblogic users under
weblogic Domain -> bifoundaton_domain -> Security -> Applicaton Role -> BISystem -> weblogic/Administrator
weblogic Domain -> bifoundaton_domain -> Security -> Security Provider Configuration -> Identity Store Provider
       user.login.attr = weblogic
       username.attr = weblogic
       virtualize = false
Please help where i am making mistake?
log:
46.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [85004] MDX Member Name Cache subsystem recovered entries: 0, size: 0 bytes.
49.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
49.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [13026] Error in getting roles from BI Security Service: 'An error message was received from the BI Security Service: oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.'
49.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] [46172] Database security store is not available, do not re-associate to this provider type.
49.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: fb0] nqsserver: Clustered Oracle BI Server started. Version: 11.1.1.7.0.
50.000+00:00] [NOTIFICATION:1] [] [] [ecid: 00iFv3bqAEyFg4WFLzbQ8A0000tW000000] [tid: 144c] [43071] A connection with Cluster Controller test.dev.local:9706 was established.
17.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-0000000000000074] [tid: 1148] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
17.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-0000000000000074] [tid: 1148] [nQSError: 43126] Authentication failed: invalid user/password.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: ce4] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: ce4] [nQSError: 43126] Authentication failed: invalid user/password.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 28c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 28c] [nQSError: 43126] Authentication failed: invalid user/password.
59.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 103c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
59.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 103c] [nQSError: 43126] Authentication failed: invalid user/password.
44.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 11d0] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
44.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 11d0] [nQSError: 43126] Authentication failed: invalid user/password.
15.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-000000000000025a] [tid: 17e4] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
15.000+00:00] [ERROR:1] [] [] [ecid: 73e4b32acf5b3b94:57149bf0:13fc5437f64:-8000-000000000000025a] [tid: 17e4] [nQSError: 43126] Authentication failed: invalid user/password.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 1658] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
29.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 1658] [nQSError: 43126] Authentication failed: invalid user/password.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 108c] oracle.bi.security.service.SecurityServiceException: SecurityService::validateSystemUserProfile [OBI-SEC-00101] System user validation failed - the system user profile could not be found in the identity store.
14.000+00:00] [ERROR:1] [] [] [ecid: 00iFv3bnU^dFg4WFLzbQ8A0000r8000000] [tid: 108c] [nQSError: 43126] Authentication failed: invalid user/password.
Thanks

Thats cool
just in case let me know [email protected]

OBIEE 11.1.1.6 SSO with OAM 11.1.1.5: OID 11.1.1.6 attribute problem

Hi Everyone!
I have configured a OAM(webgate)+OID+OBIEE+OHS system.
The OBIEE is protected via OHS(weblogic module) and webgate. It is working very well.
The OAM authenticates from OID(default user identity store).
The *"User Search Base"* is same ( *"cn=Users,dc=mydomain,dc=com"* ) in identity store and in OBIEE's OID authentication provider too.
The SSO is enabled in OBIEE and the providers are:
OID (Provider that performs LDAP authentication     1.0) SUFFICIENT
OAM Provider (Oracle Access Manager Identity Asserter     1.0) REQUIRED
DefaultAuthenticator     (WebLogic Authentication Provider     1.0) SUFFICIENT
DefaultIdentityAsserter
IF the *"User Name Attribute"* is *"cn"* in OAM's user identity store and the OBIEE's OID provider's *"user name attribute"* is *"cn"* (default) too, everything is working fine.
But I have to use *"orclSAMAccountName"* instead of *"cn"* (OAM and OID provider). And in this case I have the problem.
In the OBIEE's OID provider are:
All Users Filter: (&(orclSAMAccountName=*)(objectclass=person))
User From Name Filter: (&(orclSAMAccountName=%u)(objectclass=person))
User Name Attribute: orclSAMAccountName
I made a test user:
cn=test
sn=test_sn
orclsamaccountname=test_sama
uid=test_uid
krbprincipalname=test_krb
I can authenticate with test_sama in OAM, but OBIEE say: *"You are not logged in here: Oracle BI Server."*
The bi log shows that:
+Default (self-tuning)'> <BISystemUser> <> <00093dFuR^HFW7PMye7i6G00052S000Tt7> <1345642607333> <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
+oracle.security.jps.internal.api.jaas.AssertionException: javax.security.auth.login.FailedLoginException: [Security:090304]Authentication Failed: User test javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User test does not exist+
Why does search OBIEE the *"cn"* and why does not use the *"orclsamaccountname"* ?
Any idea???
Regards, Jani

Hello Jani,
This is a known issue in OBIEE 11.1.1.6.0 , Please refer to : OBIEE 11.1.1.6 Agent failed with Error Codes: IHVF6OM7:OPR4ONWY:U9IM8TAC [nQSError: 13039] The impersonator does not exist in the BI Security Service [ID 1446877.1]
We have configured OBIEE 11.1.1.6 on Linux and using Single Sign On (SSO) with Windows Native Authentication (WNA).
Configured AD Authenticator, selected sAMAccountName instead of CN for User Attribute. Enabled SSO in EM. When trying to access OBIEE Presentation services we have encountered the error below.
"You are not logged in here: Oracle BI Server."
When checking the biserver1 log file found : [Security:090300]Identity Assertion Failed: User OracleSystemUser does not exist
After applying the patch 13553428 on top of OBIEE 11.1.1.6.0 we have successfully logged into OBIEE Presentation services.
This works fine with OBIEE 11.1.1.5.0 and 11.1.1.6.1
Fixed in OBIEE 11.1.1.6.1. Apply Patch 13742915.
If you want to stay in OBIEE 11.1.1.6.0. Apply Patch 13553428.
Let me know if this solves the Asserter issue.
Pls mark if helpful or answered.
Thanks,
-SVS

What about the security we support when the BIA is not SSO with EBS

For the following security mode, if all of them need the SSO with EBS?
Operating Unit-Based Security for Oracle EBS
Inventory Org-Based Security for Oracle EBS
Ledger-Based Security for Oracle EBS
Business Group Org-Based Security for Oracle EBS
HR Org-Based Security for Oracle EBS
Human Resource Personnel Data Analyst Security for Oracle EBS
Employee-Based Security for Oracle EBS

well you could do the security in OBIEE as well, but why shouldn't you use SSO?

OBIEE 11g with Oracle EBS R12 implementation,Need to know Default Roles

Hi All,
Can anyone please let me know regarding any documentation or link where i can find all default OBIEE Group names and the relation of each Groups with Oracle EBS R12 roles and responsibility categorized by the Modules.
We need the Roles information for the following modules:
1. Supply Chain & Order Management
2. Procurement & spend
3. Finance
Thanks in advance. Please help.
Regards
Sudipta

Please see these docs.
Integrating Oracle Business Intelligence Applications with Oracle E-Business Suite [ID 555254.1]
What documentation do I need to review when installing and configuring a OBI Apps 7.9.6.x environment with EBS? [ID 1221764.1]
Master Note for OBIEE Integration issues with EBS, Siebel, SSO, Portal Server [ID 1248939.1]
Oracle SSO E-Business Suite Applications Integration with Oracle Business Intelligence [ID 553423.1]
Oracle EBS integration with OBIEE [ID 733137.1]
Document for implementing security OBIEE Apps with EBS and Siebel CRM as sources [ID 756851.1]
What Application must be chosen for Responsibility within EBS when integrating with OBIEE [ID 1246464.1]
Also, search Steven Chan's Blog and you should get couple of hits -- http://blogs.oracle.com/stevenChan/
Thanks,
Hussein

Softwares Needed to Acheive SSO with Webcenter Suite 11.1.1.2

Hi All
I have Installed Web center suite 11.1.1.2 on my Machine. Can anybody suggests, what are the softwares that i need to install inorder to achieve
Oracle SSO with E-Business Suite and OBIEE.
Regards
Nagaraju Manchala
Edited by: user11965597 on Sep 15, 2011 3:58 AM

Oracle Identity Management (OIM) is a collection of related products that provides identity and access management (IAM) services. These products includes
Oracle Access Manager (OAM), Oracle Identity Manager (OIM), Oracle Virtual Directory (OVD), Oracle Internet Directory (OID) etc. The purpose of all these products is to provide LDAP directory services and/or security services and/or SSO service. For detail of all related products of OIM, pls see following link:-
http://www.oracle.com/technetwork/middleware/id-mgmt/overview/index.html
OIM and IAM is always create confusion when you go to their download page. You need to download Identity Management (11.1.1.2.0) from http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html. OIM will give you following products when you install it:-
- OID
- OVD
- Oracle Identity Federation
- Oracle Directory Integration Platform
Also see installation guide:http://download.oracle.com/docs/cd/E12839_01/install.1111/e12002/overview.htm#sthref6
For new features of PS3, pls see http://www.oracle.com/technetwork/middleware/webcenter/overview/wcps3-highlights-284637.html
In PS4, Oracle removed few bugs.

10g - how to configure sso with iis-

hi, experts, I have followed Oracle® Business Intelligence Enterprise Edition Deployment Guide to configure SSO with IIS.
but I always meet this message.
Not Logged In
You are not currently logged in to the Oracle BI Server.
If you have already logged in, your connection might have timed out, or a communications or server error may have occurred
what steps are missing?
how to check?

hi, experts,
I checked C:\OracleBIData\web\log\sawlog0.log on the obi server (windows server 2003 standard).
at Thu Feb 17 14:48:46 2011 , I logined OBI on another machine (not via the browser on the obi server).
however, the log shows the login user is the administrator of the obiserver (obiserver\administrator ).
any setup on IIS are wrong? thank you very much!
=========================================================================================
Running job 'MinutelyMonitor' took 7422 milliseconds, 12.3% of job's frequency (60 seconds).
Type: Error
Severity: 40
Time: Thu Feb 17 14:48:46 2011
File: project/webodbcaccess/odbcconnectionimpl.cpp Line: 371
Properties: ConnId-1,1;ThreadID-1796
Location:
     saw.odbc.connection.open
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43001] Authentication failed for obiserver\administrator in repository Star: invalid user/password. (08004)
Type: Error
Severity: 42
Time: Thu Feb 17 14:48:46 2011
File: project/webconnect/connection.cpp Line: 276
Properties: ThreadID-1796
Location:
     saw.connectionPool.getConnection
     saw.subsystem.security.checkAuthenticationImpl
     saw.threadPool
     saw.threads
Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
---------------------------------------

SSO with Logon Ticket to non-SAP Unix based application

Hi all,
Anyone has implemented SSO with Logon Ticket to a Unix box ?
We need to achieve Single Sign On between our EP5.0 SP5 Portal and a third-party web application with a front-end on a Unix AIX machine with Apache.
We achieved SSO with non-SAP applications with Logon Tickets, but one was to an IIS system in another domain (we therefore used the standard Web Filter for IIS and declared it in usermanagement for cross-domain support) and another one running on Windows platform (we used the C libraries provided in the "Logon Ticket Toolkit": NT or Linux only).
From what we understand and found on the web sites, we cannot reuse any standard web filter (none for Unix, am I correct ???) and want to implement custom code using SAP libraries, if possible using Java
-> Are there any Java libraries that are available to both:
. verify the logon ticket with the deployed Portal public key
. decrypt/extract the authenticated username from this ticket ??
I've seen a mention of Java libraries, and Unix, in a SAP EP 6.0 document but I'm not sure where to find them...
Is the SAP Logon Ticket issued the same way in EP 5.0 and EP 6.0 ?
I managed to find something called SAPSSOEXT, for AIX, which contains some partial library and a sample, but it is dated 2000 !! Anyone has more information about this ?
Any hint is very much appreciated.
Thanks a lot
Olivier

Check these links for reference regarding AIX and Apache using X.509 certificates:
http://publib16.boulder.ibm.com/pseries/en_US/aixbman/security/cas_pki.htm
And just using cookies -
http://forums.devshed.com/archive/t-105611 (perl based)
You can also use mod_ssl built into your Apache to facilitate both certificate based authentication as well as encryption.
The mod_ssl route is most secure (because of the encryption), the IBM link is comprehensive but requires extra infrastructure (LDAP).
Nick
Nick

SSO with KRB/ADS on Enterprise Portal 7

Dear All
while i am trying to configure SSO with KRB/ADS on Enterprise Portal 7 i am getting this on the trace file..completed the configuration through SpNego and when i try to log in its promting for user name password..
i have attched the trace file extract for your advice..
Regards
Buddhike
#1.5 #001CC45E6DA0008000000004000054FC00044F76844D9013#1213270351029#com.sap.engine.services.security.authentication.logincontext#
sap.com/com.sap.security.core.admin
#com.sap.engine.services.security.authentication.logincontext#Guest#0####3e642d50387311ddc2a0001cc45e6da0#Thread[Thread-110,5,SAPEngine_Application_Thread[impl:3]_Group]#
#0#0#Error#1#/System/Security/Authentication#Plain###
LOGIN.FAILED User:N/A Authentication Stack:com.sun.security.jgss.accept
*Login Module                                                               Flag        Initialize Login      Commit     Abort      Details*1. com.sun.security.auth.module.Krb5LoginModule                            OPTIONAL    ok          exception             false      null#
#1.5 #001CC45E6DA0006E00000029000054FC00044F76844D95C5#1213270351029#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.loginmodule.spnego.SPNegoLoginModule#Guest#0####3e669e50387311dda053001cc45e6da0#SAPEngine_Application_Thread[impl:3]_2##0#0#Error##Java###Acquiring credentials for realm KEELLS.INT failed
[EXCEPTION]
#1#GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
     at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
     at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
     at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
     at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
     at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.acquireCredentialsInCurrentThread(ConfigurationHelper.java:236)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper.access$000(ConfigurationHelper.java:29)
     at com.sap.security.core.server.jaas.spnego.util.ConfigurationHelper$RunnableHelper.run(ConfigurationHelper.java:337)
Caused by: com.sap.engine.services.security.exceptions.BaseLoginException: Access Denied.     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:297)
     at com.sap.engine.system.SystemLoginModule.login(SystemLoginModule.java:90)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:324)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
     at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
     at java.security.AccessController.doPrivileged(Native Method)
     at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
     ... 9 more
Caused by: com.sap.engine.services.security.exceptions.BaseSecurityException: Internal server error. An error log with ID [001CC45E6DA0008000000001000054FC00044F76844D8A3F] is created. For more information contact your system administrator.
     at com.sap.engine.services.security.login.ModulesProcessAction.run(ModulesProcessAction.java:156)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.services.security.login.FastLoginContext.login(FastLoginContext.java:181)
     ... 23 more

Hi,
please check if the options defined in the KRB5LoginModule are correct.
First of all check for the option prinicpal. Did you provide this option and also provided the correct value?
This error often occurs if you provided a wrong value for option prinicpal
Cheers

SSO with ITS & Webenabling WEBGui

Hello,
We have configured SSO with R/3 system. It works fine.
The requirement is, we have to webenable R/3 system thru SAP GUI For Windows and SAP GUI For HTML.
We are able to do both on developement environment where both R/3 and portal has got the same host names.
But in the qa environment, we are able to webenable R/3 with SAP GUI For Windows and the SSO also works fine. But when we try to using SAP GUI For Html, it asks for the username and pwd again. Here the portal and R/3 has different host names.
Otherwise the settings in dev and test are exactly the same. Has anybody got a clue why is it not working?
Regards,
Rukmani

Hi all,
it is always good to start with a good checklist. Here is probably the best one: https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/documents/a1-8-4/sso checklist.html
My suggestion is: do not skip even simple steps, sometimes problem appears there
Regards,
Pavol

SSO with EP 6.0 and R/3 as backened not working

Hi ,
I am implementing ESS in EP 6.0 and r/3 4.7c as backend. SSO is working with UIPWD. but when I try with LogonTickets it does not work.
I tried with ordinary SAP transaction SSO with logon tickets works. But through ITS if I call a ESS transaction service It asks me for login user and password.
What are the setting to be done in ITS for SSO towork. I have set the parameter
msapcomusesso2cookie = 1 in the global.svrc file.
I do not know what is wrong. Please help.
Regards,
Ramesh

Hi,
I am using a standalone ITS for a R/3 4.7 system.
How should I maintain a FQDN for ITS?
You are right,
now it is not of the format hostname.domain.com:port format. It is of the format hostname:port.
But where should I change this format. The host name of the system where the ITS is setup is <hostname> only.
can you please tell me as to where should I maintain the FQDN as the specific format you suggested.
Regards,
Ramesh

SSO with SAP logon tickets to non-SAP web app

I am trying to implement SSO to an oracle portal based web application using SAP logon tickets, but can't seem to find a way for it to work. I thought maybe it would be a web server filter, but am unsure if this would work for oracle portal. Anyone tried similar?
Cindy

Hi Cindy,
If it is EP6 SP2 probably you can checkout the following document.
http://service.sap.com/ep60
Go to Documentation Help>How-To-Guides>Current How To Guides section.
checkout the following how to guide.
Perform Cross Domain SSO with SAP Logon tickets zip file.
If you want the zip file please send an e-mail to
[email protected]
Regards
-Venkat Malempati

SSO with XI 3.1

I have BO XI 3.1 SP3 installed on a Windows 2008 4 bit server. I enabled SSO with Tomcat, it is working but not all the times.
I configured SSO, when users go to Infoview it dosen't prompt them for user credentials but this is not happening all the time. I would say 50% it doesn't, 50% it does prompt, it is not consistent. Any one has seen this problem.
Thanks.

What documentatin are you using, also what are the desktop OS's? SSO occurs on the client workstation and when intermittent issues occur usually it's the client however their are some best practices that are in the current documentation. KB 1483762 should be used if possible.
Regards,
Tim

OBIEE SSO with On Demand

Similar Messages

Maybe you are looking for