OBI 11.1.1.6.SSO
962905Nov 8 2012 — edited Nov 30 2012Hello All,
I am trying to configure Windows Native authentication for OBIEE 11.1.1.6 per the "Configuring authentication and SSO with Active Directory and Windows Native Authentication in Oracle Business Intelligence Enterprise Edition” Oracle Support Note ID 1274953.1
Created the JAAS login module and named it krb5login.conf and modified the krb5.conf in Linux Server /etc folder.Modified the Weblogic Start up script setDomainEnv.sh
Also I have web.xml and weblogic.xml to configure BI for SSO. The user trying to login are members of BI Users.
Enabled the SSO for Windows Native Authentication in Enterprise Manager Security tab.
Configured the Client Machine for Single Sign on as per the TechNote note.
=====================================================================================================
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
=====================================================================================================
Troubleshooting the Error 401 - Unauthorized :
1. The Weblogic Kerberos config file is incorrect so that although kinit verifies your machine can authenticate with the AD server, Weblogic cannot.
Recheck the settings in krb5login.conf, and setDomainEnv.cmd (see section above entitled “Configure Weblogic Login Module”)
knit is Authenticating to AD using Kerberos V5.
2. Your client is not correctly configured - have you added the Weblogic server URL (e.g. http://: bieesvr1.xyz2.com:9704/analytics/) to the Intranet
zone and set the Automatic logon in Intranet zone setting? (see the section above entitled “Configure the client for single sign-on”)
Have tried configuring Internet Explorer , Mozilla firefox and Google Chorme for SSO but not success till now.
3. You're not logged into the AD domain on the client - you need to login to Windows on the client machine as an account in your AD domain (e.g.
XYZCORP\jsmith)
I have logged in to the AD domain I just configured.
4. Your user account is not a member of the group(s) you specified in the principal element(s) in weblogic.xml. N.B. these groups must exist in the AD
domain (see section above entitled “Configure BI Analytics App to request SPNEGO Authentication”)
I am part of the group that has been created for the SSO Role which is configured in the weblogic.xml as principal name.
I am stuck and trying to analyze the biserver.out log file
Please let me know if anyone faced similar issue whilst configuring kerberos SSO for OBIEE 11g.