OBIEE / AD integration – [OBI-SEC-00022] Identity found … but could not be authenticated

August 15th, 2012

A quick blog post to record for future Googlers a problem I encountered today. I was configuring OBIEE 11.1.1.6 to use Microsoft Active Directory (MSAD) as an Authentication Provider, following the instructions in Mark’s blog post.

After completing the setup, I could see my AD users in WebLogic Console under Users and Groups, but logins to analytics with an AD user failed. In the bi_server1-diagnostic.log was the entry:

[OBI-SEC-00022] Identity found jbloggs but could not be authenticated

The problem was that my Principal user (let’s call it ADBusInt) was outside of the AD region which I’d identified with Base User DN. This meant that OBIEE could find the user’s AD account (jbloggs) successfully (in the specified Base User DN), but not the ADBusInt account which is required to complete authentication. 

The solution was to broaden Base User DN to include the area of the AD which hosted my Principal user too. 
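
A pre-flight check for the scoping problem described above, as an added example that is not part of the original post: it tests whether the Principal's DN and a user's DN both sit under the configured Base User DN, and reports the narrowest base that contains both. The DNs are constructed sample values (the post does not give the real ones) and the function names are hypothetical.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas (RFC 4514 allows an escaped comma in a value)."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts

def rdns(dn):
    """Normalised (attribute, value) pairs; AD compares DNs case-insensitively."""
    return [tuple(s.strip().lower() for s in p.partition("=")[::2])
            for p in split_rdns(dn)]

def is_under(dn, base):
    """True if dn is the base itself or lies anywhere in the subtree below it."""
    d, b = rdns(dn), rdns(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b

def common_base(dns):
    """Narrowest DN that contains every DN in dns ('' if they share nothing)."""
    norm = [rdns(dn)[::-1] for dn in dns]   # compare from the root (rightmost RDN)
    n = 0
    while all(len(r) > n for r in norm) and len({r[n] for r in norm}) == 1:
        n += 1
    raw = split_rdns(dns[0])
    return ",".join(raw[len(raw) - n:])

def check(base_user_dn, principal_dn, user_dn):
    return {"user_in_scope": is_under(user_dn, base_user_dn),
            "principal_in_scope": is_under(principal_dn, base_user_dn),
            "narrowest_base": common_base([user_dn, principal_dn])}

# Constructed sample values, not taken from the post.
BASE_USER_DN = "OU=Staff,DC=example,DC=com"
PRINCIPAL_DN = "CN=ADBusInt,OU=Service Accounts,DC=example,DC=com"
USER_DN = "CN=jbloggs,OU=Staff,DC=example,DC=com"

if __name__ == "__main__":
    print(check(BASE_USER_DN, PRINCIPAL_DN, USER_DN))
```

With these sample values the user is in scope and the Principal is not, which is the situation that produced the OBI-SEC-00022 entry above.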


Comments

  1. Kevin McGinley Says:

    One thing I’ve found with this, though, is that in a company with a very large AD (like the one I work for *cough*), you really need to keep the scope tight, otherwise logins take a while. I’m not sure where the proper balance for this lies, since I’m not an AD admin, but I think it makes sense to say that you’ll want to plan this out carefully, versus just plug into AD at a broad level and go.

  2. Divya Says:

    Hi,
    I would like to know how HDFS can be connected to OBI directly, without using the RDBMS concept? Do we have any method/options to carry out the same?
