OBIEE 12c Can't authenticate with AD in Answers but can in weblogic console

[Brian Simms]

We can't get AD to work with OBIEE answers in our new 12c environment. It does work when we try to login to weblogic console or EM. The error message we are getting is:

[nQSError: 13057] Error From BI Security Service: oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid..

[Naga Shankar]

Hi

Did you add virtualize = true in the EM security configuration ? are you able to add the AD users to the application roles ?

[Adrian Ward]

Brian

We had the same problem with 12.2.1 but upgraded to the latest and it was solved

Adrian

On Tuesday, 18 October 2016, Brian Simms <sim...@miamioh.edu> wrote:

We can't get AD to work with OBIEE answers in our new 12c environment.  It does work when we try to login to weblogic console or EM.  The error message we are getting is:

[nQSError: 13057] Error From BI Security Service: oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid..

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to
obiee-enterpri...@googlegroups.com
To unsubscribe from this group, send email to
obiee-enterprise-met...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-met...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ASL]

We don't add AD users to application roles; however we associate AD groups to application roles so access is controlled through our AD groups application.

[Brian Simms]

Hi thanks for replying.  Yes, we did add virtualize = true.  We are able to add ad groups to the application roles.

On Wednesday, October 19, 2016 at 4:01:55 AM UTC-4, Naga Shankar wrote:

[Naga Shankar]

Ok , could you check all the deployments if they are active , like WSM-PM and also any errors in the managed server when the services startup?

[Brian Simms]

Thanks for the reply Adrian.  We are on 12.2.1.1.  I see there is a 12.2.1.2 out there.  Hmm, surprised we wouldn't have gone with the newest one but maybe it was just released.

-Brian

On Wednesday, October 19, 2016 at 9:31:49 AM UTC-4, Adrian Ward wrote:

Brian

We had the same problem with 12.2.1 but upgraded to the latest and it was solved

Adrian

On Tuesday, 18 October 2016, Brian Simms <sim...@miamioh.edu> wrote:

We can't get AD to work with OBIEE answers in our new 12c environment.  It does work when we try to login to weblogic console or EM.  The error message we are getting is:

[nQSError: 13057] Error From BI Security Service: oracle.webservices.provider.ProviderException: javax.xml.ws.WebServiceException: [OBI-SEC-00111] FailedAuthentication: BI Security access is denied - web service credentials are invalid..

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsub...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-methodology+unsub...@googlegroups.com.

[Naga Shankar]

Hi 

Could you please check if the AD provider is in the top of the providers list and the control flag is "sufficient"?

[Brian Simms]

It looks like all the deployments are up and active.

We do have an error in one of the log files:

"The LDAP authentication provider named "xyz" failed to make a connection to LDAO server at ldaps://xxx.xxx.xxx:636, the error cause is: General SSLEngine problem." 

Any thoughts?

Thanks again.

-Brian

[Brian Simms]

Yes, great ideas, thanks again for replying.

Indeed the AD provider is at the top of the list and the control flag is set to 'sufficient'.

-Brian

[Stewart Bryson]

When you installed 12c, what did you choose during the bar import portion? Did you choose Sample App Lite for example? Or an empty bar file? Or a prebuilt jar from the 11g environment?

This matters because it determines the default set of application roles created in the new 12c environment.

Stewart

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to

obiee-enterpri...@googlegroups.com

To unsubscribe from this group, send email to

obiee-enterprise-met...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-met...@googlegroups.com.

[Brian Simms]

Hi Stewart,

Thanks for the reply.  Hope the world is treating you well.

We believe we did choose the sample app lite during the install.

-Brian

On Wednesday, October 26, 2016 at 10:20:44 AM UTC-4, Stewart Bryson wrote:

When you installed 12c, what did you choose during the bar import portion? Did you choose Sample App Lite for example? Or an empty bar file? Or a prebuilt jar from the 11g environment?

This matters because it determines the default set of application roles created in the new 12c environment.

Stewart

On Oct 26, 2016, at 9:02 AM, Brian Simms <sim...@miamioh.edu> wrote:

Yes, great ideas, thanks again for replying.

Indeed the AD provider is at the top of the list and the control flag is set to 'sufficient'.

-Brian

On Tuesday, October 25, 2016 at 6:39:48 PM UTC-4, Naga Shankar wrote:

Hi 

Could you please check if the AD provider is in the top of the providers list and the control flag is "sufficient"?

On Thursday, October 20, 2016 at 1:32:28 AM UTC+5:30, Brian Simms wrote:

Hi thanks for replying.  Yes, we did add virtualize = true.  We are able to add ad groups to the application roles.

On Wednesday, October 19, 2016 at 4:01:55 AM UTC-4, Naga Shankar wrote:

Hi

Did you add virtualize = true in the EM security configuration ? are you able to add the AD users to the application roles ?

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to
obiee-enterpri...@googlegroups.com
To unsubscribe from this group, send email to

obiee-enterprise-methodology+unsub...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-methodology+unsub...@googlegroups.com.

[Stewart Bryson]

Have you had to customize app roles in any way up until now to turn on basic functionality?

obiee-enterprise-met...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--- 
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-met...@googlegroups.com.

[Simms, Brian]

I'm not aware of any customizations that we have ever had to make to the application roles.  I think we did add one for BI Publisher purposed but I think that was standard practice.

-Brian

obiee-enterprise-methodology+unsubs...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--- 
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-methodology+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

-- 
-- 
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to
obiee-enterprise-methodology+unsub...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

--- 
You received this message because you are subscribed to the Google Groups "OBIEE Enterprise Methodology Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to obiee-enterprise-methodology+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to

obiee-enterprise-methodology@googlegroups.com

To unsubscribe from this group, send email to
obiee-enterprise-methodology+unsub...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---

You received this message because you are subscribed to a topic in the Google Groups "OBIEE Enterprise Methodology Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/obiee-enterprise-methodology/ADdAUh2qOjQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to obiee-enterprise-methodology+unsub...@googlegroups.com.

[Ganesh Nagarajan]

Check if you have the “All BI Users” added in the Home >Summary of Security Realms >myrealm >Realm Roles >Edit Global Role

[Ganesh Nagarajan]

On Thursday, March 16, 2017 at 5:09:34 AM UTC-5, Ganesh Nagarajan wrote:
> Check if you have the “All BI Users” added in the Home >Summary of Security Realms >myrealm >Realm Roles >Edit Global Role

For some reason the whole content wasn't copied here. Here is the detail for my above statement.

Lets, say my MSAD LDAP server (infra.ldap.org) and every employee is part of this Directory Server(DS). We have several groups for the OBIEE project(Like analyst, developer, Datawarehouse admin and so on) created for members. ALL BI Users is a tree of all the group and this group defines who can access OBIEE and it's components. So technically we create a group ALL BI USERS and add all of the other OBIEE groups to it. Then all we did was added all these groups in AD and then map the application roles in OEM.

For your reference, I am listing out the conditions I set in the WLS for AD provider

This is my User filter
CN=All BI Users,OU=Oracle BI,OU=Business Intelligence,OU=xyzIT,OU=Organizational Units,DC=infra,DC=ldap,DC=org

User Base DN: CN=users,DC=infra,DC=ldap,DC=org

User From Name Filter: (&(cn=%u)(objectclass=user))

Group Base DN: OU=Oracle BI,OU=Business Intelligence,OU=xyzIT,OU=Organizational Units,DC=infra,DC=ldap,DC=org
Group From Name Filter: (&(cn=%g)(objectclass=group))

Group Search Scope: subtree
Group Membership Searching: unlimited
Max Group Membership Search level: 0
Use Token Groups For Group Membership Lookup: check
Static Group Name Attribute: cn
Static Group Object Class: group
Static Member DN Attribute: member
Static Group DNs from Member DN Filter: (&(member=%M)(objectclass=group))

[Simms, Brian]

Hi Ganesh,

Thanks for the reply.  

We actually figured out our problem after trying many different things.

The key was changing the 'Key Store' on the BI Server to:

Custom Identity and Java Standard Trust

We did not think to try this option at first because we were trying to use SSL for Active Directory, not for the OBIEE application.  But this was without question the change that made things start working.

Thanks for all the feedback!

-Brian

[Ganesh Nagarajan]

Oh that's great. I am using a demo cert here and I have seen this issue when ./ssl.sh internalssl false and setting it to true. So by default WLS keep it to Custom Identity and Java Standard Trust.

Good Luck !!

obiee-enterprise-methodology+unsubs...@googlegroups.com

For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en

All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/).  Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to a topic in the Google Groups "OBIEE Enterprise Methodology Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/obiee-enterprise-methodology/ADdAUh2qOjQ/unsubscribe.

To unsubscribe from this group and all its topics, send an email to obiee-enterprise-methodology+unsubs...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
--
You received this message because you are subscribed to the Google
Groups "OBIEE Enterprise Methodology Group" group.
To post to this group, send email to
obiee-enterprise-methodology@googlegroups.com
To unsubscribe from this group, send email to
obiee-enterprise-methodology+unsub...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/obiee-enterprise-methodology?hl=en
 
All content to the OBIEE EMG lies under the Creative Commons Attribution 3.0 Unported License (http://creativecommons.org/licenses/by/3.0/). Any content sourced must be attributed back to the OBIEE EMG with a link to the Google Group (http://groups.google.com/group/obiee-enterprise-methodology).

---
You received this message because you are subscribed to a topic in the Google Groups "OBIEE Enterprise Methodology Group" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/obiee-enterprise-methodology/ADdAUh2qOjQ/unsubscribe.
To unsubscribe from this group and all its topics, send an email to obiee-enterprise-methodology+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Regards,
Ganesh Nagarajan