| This post originally appeared on the Rittman Mead blog. |
A quick blog post to record for future Googlers a problem I encountered today. I was configuring OBIEE 11.1.1.6 to use Microsoft Active Directory (MSAD) as an Authentication Provider, following the instruction’s in Mark’s blog post.
After completing the setup, I could see my AD users in Web Logic Console under Users and Groups but logins to analytics with an AD user failed. In the bi_server1-diagnostic.log was the entry
[OBI-SEC-00022] Identity found jbloggs but could not be authenticatedThe problem was that my Principal*user (let’s call it *ADBusInt) was outside of the AD region which I’d identified with Base User DN. This meant that OBIEE could find the user’s AD account (jbloggs) successfully (in the specified Base User DN), but not the ADBusInt account which is required to complete authentication.
The solution was to broaden *Base User DN*to include the area of the AD which hosted my *Principal*user too.
| This post originally appeared on the Rittman Mead blog. |