OBIEE / AD integration - [OBI-SEC-00022] Identity found ... but could not be authenticated

A quick blog post to record for future Googlers a problem I encountered today. I was configuring OBIEE to use Microsoft Active Directory (MSAD) as an Authentication Provider, following the instruction's in Mark's blog post.

After completing the setup, I could see my AD users in Web Logic Console under Users and Groups but logins to analytics with an AD user failed. In the bi_server1-diagnostic.log was the entry

[OBI-SEC-00022] Identity found jbloggs but could not be authenticated

The problem was that my Principal user (let's call it ADBusInt) was outside of the AD region which I'd identified with Base User DN. This meant that OBIEE could find the user's AD account (jbloggs) successfully (in the specified Base User DN), but not the ADBusInt account which is required to complete authentication. 

The solution was to broaden Base User DN to include the area of the AD which hosted my Principal user too.