Thursday, May 16, 2013

How to get SSO working with WNA

Having problems getting Single Sign On working with Kerberos and Windows Native Authentication? This is the note that explains how it should be done:

OBIEE 11g: Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1274953.1]
https://support.oracle.com/epmos/faces/DocContentDisplay?id=1274953.1

Debug, debug, debug....

This blog entry may also help you find the cause of the different error messages you get when trying to get kinit, keytab files, etc. to work - it's not specific to OBIEE, but it was really useful to me:

http://idmrockstar.com/blog/2012/05/wna-kerberos-setup-with-oam-11g-lessons-learned/


This is a good source of troubleshooting assistance:

OBIEE 11g: How To Check each Configuration Step when Configuring Authentication and SSO with Active Directory and Windows Native Authentication [ID 1390127.1]
https://support.oracle.com/epmos/faces/ui/km/DocumentDisplay.jspx?id=1390127.1


If it doesn't work, it is most probably a configuration error. Trust me. Review your installation.

To add to the complexity, in some cases you might have a load balancer between the user and the OBIEE server. The browser asks for a service ticket for the host name it sees in the URL, i.e. the load balancer's name, so the keytab on each server must also hold a key for that SPN. This blog post shows how to use ktutil to merge several keytab files into one:

http://oraclelabspace.blogspot.dk/2012/01/configurining-sso-using-kerberosspnego.html
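To see what the ktutil merge actually produces, and to check the result without a KDC at hand, here is an added example (not code from this post or from the linked article) that parses the MIT keytab format, merges two keytabs the way rkt/wkt does, and reports which HTTP/<host> SPNs are still missing. The host names, realm, timestamps and key bytes are made up; the kvno column is worth comparing with the AD account, since a keytab left over from before a password reset is a classic cause of failure.

```python
"""Parse, merge and check MIT-format keytab files (header 0x05 0x02).

Added example, not code from the original post or the linked article. It shows
at the byte level what ktutil's "rkt a.keytab; rkt b.keytab; wkt merged.keytab"
does, then checks that the merged file holds an HTTP/<host> key for every name
a browser might request a ticket for: the load balancer name and each node.
Host names, realm, timestamps and key bytes are constructed for the example.
"""
import struct
import time
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # "HTTP/bi.example.com@EXAMPLE.COM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int   # when the key was written (Unix time)
    kvno: int        # key version; must match the AD account's current kvno
    enctype: int     # 23 = rc4-hmac, 17/18 = aes128/aes256-cts-hmac-sha1-96
    key: bytes


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix, used for realm, components and keys."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialise entries in the v2 layout; kvno is written as a byte and as 32 bits."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return the live entries of a keytab; a negative slot length marks a deleted entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []

    def take(fmt):
        nonlocal pos
        values = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return values

    def counted() -> bytes:
        nonlocal pos
        (n,) = take(">H")
        pos += n
        return data[pos - n:pos]

    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size < 0:                     # deleted slot: skip abs(size) bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = take(">IIB")
        (enctype,) = take(">H")
        key = counted()
        kvno = vno8
        if end - pos >= 4:               # optional 32-bit kvno wins when non-zero
            (kvno32,) = take(">I")
            kvno = kvno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key))
    return entries


def merge_keytabs(*blobs: bytes) -> bytes:
    """What ktutil does with rkt/wkt: concatenate the entries of several keytabs."""
    return build_keytab([e for blob in blobs for e in parse_keytab(blob)])


def missing_spns(data: bytes, hosts, realm: str):
    """HTTP/<host>@REALM principals from `hosts` that have no key in the keytab."""
    present = {e.principal for e in parse_keytab(data)}
    return [spn for spn in (f"HTTP/{h}@{realm}" for h in hosts) if spn not in present]


# Constructed sample data: one keytab for a node and one for the load balancer name.
REALM = "EXAMPLE.COM"
NODE1 = build_keytab([KeytabEntry(f"HTTP/bi-node1.example.com@{REALM}", 1, 1368700000, 3, 23, bytes(16))])
LB = build_keytab([KeytabEntry(f"HTTP/bi.example.com@{REALM}", 1, 1368700000, 5, 23, bytes(range(16)))])
MERGED = merge_keytabs(NODE1, LB)

if __name__ == "__main__":
    for e in parse_keytab(MERGED):       # same columns as "klist -kte merged.keytab"
        when = time.strftime("%Y-%m-%d", time.gmtime(e.timestamp))
        print(f"{e.kvno:>4} {when} {e.principal} (enctype {e.enctype})")
    print("missing:", missing_spns(MERGED, ["bi.example.com", "bi-node1.example.com", "bi-node2.example.com"], REALM))
```

Point parse_keytab at the bytes of a real keytab and compare its output with klist -kte; if the load balancer SPN is in the missing list, or its kvno is lower than what AD reports for the service account, that is where to look before touching anything in WebLogic.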

Here are some tips that I have found helpful - some are mine, some are borrowed from others. This list is a work in progress, as you always learn something new...

- If you feel confident that you are in complete control of WebLogic, and have taken shortcuts or done things differently from the Oracle technote because "you know it works", try again. To make sure all your components are configured correctly, follow the technote step by step, and do not deviate from it until SSO works. Once it works, start doing things your way. When in trouble it is good to have confirmation that the documented setup does work, and if you still have issues, Oracle Support will understand your problem more easily and quickly.

- Building the war file and ear file. I had issues with this first time around, as I am no java expert, and did not know the jar utility too well. These are the commands that work for me on a Linux installation (run each from inside the directory whose contents should go into that archive):
jar -cvfm analytics.war META-INF/MANIFEST.MF * > out.txt 2>&1
jar -cvfm analytics.ear META-INF/MANIFEST.MF * > out.txt 2>&1
Basically what we are doing is telling jar to take all the files in the folder and add them to analytics.war/analytics.ear and to use the manifest file in the META-INF folder (and not to generate a new one). The -v flag lists every entry as it is added, and sending both standard output and standard error to the text file (the 2>&1 part) means any errors end up in out.txt where you can check for them; with only > out.txt the error messages would go to the terminal instead.

- Check that krb5Login.conf is completely correct and has no hidden characters. A byte-order mark, Windows line endings or a non-breaking space pasted from a web page are enough to break it, and none of them show up in a normal editor; cat -A or a hex dump will reveal them.
- Get an LDAP browser. JXplorer and Softerra LDAP Browser are quite good.
- Test your Group & User filters in the LDAP browser to make sure they work as expected.

Edit 2013-Aug-02

There is a new web application that you can deploy on your AdminServer to check that settings like the MSAD SPN, configuration files, host names, etc. are correct. It is called SPNEGOcheck and can be downloaded from MOS, see note [1390127.1]. It's a bit crude, but it gives basic information on your different settings.

https://support.oracle.com/epmos/faces/DocContentDisplay?id=1390127.1

This goes hand-in-hand with the "old" BI Security Diagnostics Helper, which is explained in the documentation. It is a web application you deploy on the server; it checks different settings, like Oracle Web Services Manager and BISystemUser, and lets you test whether the AD authentication is set up properly.

http://docs.oracle.com/cd/E23943_01/bi.1111/e10543/troubleshoot.htm#BIESC6203


Happy SSO'ing!