OBIEE 11g Integration With Active Directory

Having just installed 11g in a Windows 2008 I thought I would share the experience.

It was actually fairly simple, but there were a couple of gotchas.

Thankfully Oracle produced a white paper on this in December last year, which I will show extracts of below:

  

Introduction

The paper examines how to configure Oracle Business Intelligence Enterprise Edition (Oracle BI EE) 11.1.1.3.0 to use Windows Server Active Directory (AD) as an LDAP Authentication source and how to use Windows Native Authentication (WNA) in an SSO environment.

The aim is to describe the configuration and setup required so that users may log on to their Windows PCs and access Oracle BI EE via a standard web browser with no further authentication required on their part – Windows Native Authentication and Oracle Weblogic will be doing the hard work to authenticate users to Oracle BI EE using their standard network logins without further troubling authorised users of the system.

There are several steps to be performed in Active Directory itself, in the Weblogic Server hosting Oracle BI EE, in the Oracle BI EE web app and finally on the client machine(s) from which you wish users to access Oracle BI EE using Windows Native Authentication SSO.

The steps in the document have been tested with Oracle BI EE version 11.1.1.3.0 and Active Directory 2008 (Windows Server 2008).

Stage 1: Using Active Directory as a User store

Before we can think about having clients authenticate using Single Sign On from machines in the AD domain, first we must configure Oracle BI EE to recognise the AD domain as a valid user store to authenticate Oracle BI EE users against. This is a standalone operation in its own right – once we have completed this section, XYZ Corp users will be able to log in to Oracle BI EE using the same credentials as they use to log in to the Windows domain.

NB this also requires Group information to be stored in Active Directory – i.e. once authenticated in this way, the system will expect users to be organised in AD groups. So users must be assigned to groups in Active Directory, rather than assigning Group/Role information in INIT blocks, as was the case in Oracle BI EE 10g. AD groups can then be assigned to Application Roles in Enterprise Manager to provide access to functions of the system.

What you need to know

To complete this stage, we need the following pieces of information:

Active Directory Server name/port: we need the name of the AD server and the port on which it’s listening for LDAP requests (defaults to 389). So in our example scenario this is addc.xyzcorp.com:389

Base DN: the base LDAP path from which all searches start for users and groups. In our example scenario, this is: CN=Users,DC=xyzcorp,DC=com 

for the Users Base DN and

CN=Builtin,DC=xyzcorp,DC=com

for the Groups Base DN.

GUID attribute: attribute in LDAP used to represent the GUID of users and groups (defaults to objectguid for Active Directory)

DN/Password for LDAP Principal: the LDAP DN for the user we will connect to Active Directory as when retrieving information about LDAP users. In our example scenario, this is: CN=jsmith,CN=Users,DC=xyzcorp,DC=com

We’ll also need the password for the user, obviously. NB the user need not be an administrative account, but it does need to have sufficient privileges to be able to make arbitrary queries on the LDAP tree.

Configuring Active Directory Authenticator in Weblogic

Log on to the Weblogic Admin console at http://bieesvr1.xyz2.com:7001/console

On the left hand side of the screen is a Domain Structure menu. Select “Security Realms” then on the main page, click on the link for the domain security realm (default “myrealm”), then the Providers tab in the main screen, followed by the Authentication subtab.

Click the “Lock and Edit” button in the top left of the WLS Admin console so we can create a new authentication provider, then click the New button at the bottom of the table of current Authentication Providers in the main screen.

 

 

  

In the Create New Authenticator screen, type in a suitable name (ADAuthenticator in the example below) and select the type as ActiveDirectoryAuthenticator, then click OK.

You’ll now be taken back to table of authentication providers, with your new provider at the bottom and the DefaultAuthenticator at the top. Click on the link to DefaultAuthenticator to edit its properties.

 

 

In the Common Authentication Provider Settings screen, change the Control Flag drop-down from REQUIRED to SUFFICIENT and click on the Save button. For further information on the implications of these settings, consult the Weblogic Server documentation on “Configuring Authentication Providers” at http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/atn.htm#i1204568 which contains a detailed explanation of these settings 

Go back to the table of authentication providers and click on the link to your new provider (ADAuthenticator in the example) to edit its properties. 

In the Common Authentication Provider Settings screen, change the Control Flag drop-down from OPTIONAL to SUFFICIENT and click on the Save button

  

Next select the Provider Specific tab to bring up the options which apply specifically to connecting to an Active Directory LDAP authentication store. This is where we need specific information about the AD store we’re trying to connect to.

Host Name of the AD server addc.xyzcorp.com  
Port Port the AD server is listening for LDAP requests on 389
Principal the LDAP DN for the user we will connect to Active Directory as when retrieving information about LDAP users CN=jsmith,CN=Users,DC=xyzcorp,DC=com
Credential/Confirm credential password of the principal specified in the stage above welcome1
User Base DN LDAP query used to find users in AD CN=Users,DC=xyzcorp,DC=com
User Name Attribute Attribute used to specify user name in AD – defaults to cn. Do not change unless you know your AD is configured to use a different attribute for user name. If you do change it, see the section on Changing user/group name attributes below cn
User Object class   user
Group base DN  LDAP query to find groups in AD – NB only groups defined under this path will be visible to Weblogic CN=Builtin,DC=xyzcorp,DC=com
GUID attribute The attribute used to define object GUIDs in AD objectguid

Reordering Providers

Return to the main Authentication Provider screen (Security Realms->myrealm->Providers->Authentication). Click the Reorder button, then select the tickbox next to your ActiveDirectoryAuthenticator (ADAuthenticator in our example), then use the shuttle control to put the ActiveDirectoryAuthenticator at the top of the list.

Changing User/Group Name Attributes

If your AD server uses a different attribute for User Name you will need to change the User Name attribute from the default “cn”. If you do change this attribute, you will also need to change the settings for AllUsersFilter and UserFromNameFilter as shown in the table below (using the example of the user name being stored in an attribute called AnOtherUserAttribute)

Attribute Name Default Setting Required New Setting
UserNameAttribute cn AnOtherUserAttribute
AllUsersFilter (&(cn=*)(objectclass=person)) (&(AnOtherUserAttribute =*)(objectclass=person))
UserFromNameFilter (&(cn=%u)(objectclass=person)) (&(AnOtherUserAttribute =%u)(objectclass=person))

For UserName Attribute only, you also need to add two properties to the Identity Store configuration (user.login.attr and and username.attr) to tell it about the attribute you’re expecting to get user name from (it defaults to using “uid” if none is specified). These settings are reached via the Security Provider Configuration screen, which is accessed via Enterprise Manager. Select Weblogic Domain -> bifoundation_domain->(right click) Security -> Security Provider Configuration.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This brings up the main Security Provider Configuration screen, find the Identity Store Provider section in the middle of the screen and select the “Configure…” button to bring up the Identity Store Configuration screen. Click on the green + icon to add the new properties to the Identity Store and as stated above, two new properties need to be added, user.login.attr and username.attr, both set to the value of the alternate user name attribute.

 

 

On install, Oracle BI EE creates an internal account in the Weblogic LDAP store, BISystemUser, which is used for service-to-service authentication. The credentials of this account are stored in the Credential Store under the system.user key. Before you proceed any further you need to point this system.user key to a set of credentials available in Active Directory.

You can if you wish use the credentials of an existing user, however we would recommend creating a user account explicitly for this purpose – this is not an ordinary user account but rather a set of credentials used to authenticate services within the system to each other.

Whether you decided to use an existing account or create a new one, the process for changing the system.user is the same.

 
In Enterprise Manager, select Weblogic Domain -> bifoundation_domain->(right click) Security -> Credentials, this brings up the Credential Store configuration screen. Select the oracle.bi.system map, expand it and select the system.user key. Reset the username and password to your chosen account credentials – the example below shows resetting to a new bisystemuser 

account created in Active Directory to replace the BISystemUser account in the default WLS LDAP referenced by the Default Authenticator.

Next you need to ensure your new system user account is part of the BISystem Application Role.

In Enterprise Manager, select Weblogic Domain -> bifoundation_domain->(right click) Security ->Application Roles. This brings up the Application Roles configuration screen.
In the drop-down box labelled “Application Stripe to Search”, select “obi” and press the green “play” button next to the Role Name text box.

This will bring up a list of application roles, one of which should be BISystem account created in Active Directory to replace the BISystemUser account in the default WLS LDAP referenced by the Default Authenticator.

Next you need to ensure your new system user account is part of the BISystem Application Role In Enterprise Manager, select Weblogic Domain -> bifoundation_domain->(right click) Security Application Roles. This brings up the Application Roles configuration screen

In the drop-down box labelled “Application Stripe to Search”, select “obi” and press the green “play” button next to the Role Name text box. This will bring up a list of application roles, one of which should be BISystem

Select BISystem, and click the “Edit” button to edit the application role.

 

 

 

 

 

 

 

 

In the Edit Application Role screen, scroll down to the Users section and click on the button marked “Add User”.

An Add User dialog will appear. Either type your system user username into the User Name box or for a full list of users, leave it blank.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Again, click the green “Play” button next to the text box and a list of users will appear in the “Available Users” selection box.

Select the name of your system user account and use the shuttle control to move it into the list of Selected Users. Click OK to dismiss the Add User dialog.

Back in the main Edit Application Role Screen, click the OK button in the top right of the screen to apply the changes to the BI System Application Role.

The final stage of configuring the new system user is to ensure they are part of the Weblogic Global Admin role.

Log into Weblogic Admin console

Select Security Realms from the left-hand menu, click on the link to your security realm in the main screen (e.g. myrealm), then select Roles and Policies from the tabs along the top 

In the list of roles, click on the plus sign to expand Global Roles, then Roles, then click on the link marked View Role Conditions for the Admin Role.

Ensure the conditions specified will match your user, either directly, or by virtue of a group they belong to (e.g. condition may be User = bisystemuser or Group=Administrators

If you have made any changes, click the Save button. Changes should be applied immediately

If you have made any changes, click the Save button. Changes should be applied immediately

Once you have changed the system user credentials in this way, you will need to restart the BI Server and BI Presentation Server before  these changes will take effect. The easiest way to do this is via Enterprise Manager – select Business Intelligence and Restart All Components.

Mapping Active Directory Groups to Application Roles

Access to functions within Oracle BI is controlled via Application Roles. For a detailed discussion of the purpose and function of the Application Roles, please see the product documentation, for now it will suffice to say that in order for your Active Directory domain users to be able to use the system, they (or rather the groups they are in) need to be mapped to Application Roles.

The process for doing this is as for assigning the system user to the BISystemRole, described above, with the exception that we map groups to the role, not just an individual user.

Testing your changes

Once you’ve restarted Weblogic, check that you can still log into the Weblogic Administrative Console as the Weblogic admin user you specified during install.

Next check you can log in to Oracle BI using the credentials of one of the Active Directory users.

 

Source:

Oracle White Paper:  Dec 2010.  Configuring authentication and SSO with Active Directory and Windows Native Authentication in Oracle Business Intelligence Enterprise Edition. 

References

[1] Oracle® Fusion Middleware Security Guide for Oracle Business Intelligence Enterprise Edition 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/toc.htm

[2] Configuring Single Sign-On with Microsoft Clients

http://download.oracle.com/docs/cd/E12839_01/web.1111/e13707/sso.htm

[3] Java GSS-API Troubleshooting Guide

http://download.oracle.com/javase/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html

[4] Microsoft support note on enabling DES encryption on Windows 2008 and Windows 7

http://support.microsoft.com/kb/977321

[5] Microsoft TechNet setspn overview

http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

[6] Securing Oracle Weblogic Server

http://download.oracle.com/docs/cd/E14571_01/web.1111/e13707/toc.htm

4 thoughts on “OBIEE 11g Integration With Active Directory

  1. Pingback: OBIEE 11g Integration With Active Directory – Part 2 | The Majendi OBIEE Experience

  2. Adrian

    Hi,

    Thanks for the helpful article. I would like to inquire if you manage to setup more than one active AD at a time.

    So let’s say user A is AD1 and user B is in AD2 and we connect both ADs to Weblogic. Is there anyway so both users can login?

    Thanks.

  3. Ed

    Hi, good tutorial. What about configuring two Active Directory Authenticators. I have both working (ie, I can see the users in ‘users & Groups’) however I can only log into BI with which ever is highest in the list.

    Any Ideas?

Leave a Reply