Focal Point Banner


As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only. Moving forward, myibi is our community platform to learn, share, and collaborate. We have the same Focal Point forum categories in myibi, so you can continue to have all new conversations there. If you need access to myibi, contact us at myibi@ibi.com and provide your corporate email address, company, and name.


Connect to myibi
Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] AD Authentication

Read-Only Read-Only Topic
Go
Search
Notify
Tools
[SOLVED] AD Authentication
 Login/Join
 
Member
posted
I am setting up Managed Reporting to use AD for its authentication. After I setup Managed Reporting for External Authentication, how do I assign users to specific domains? Or how do I even setup which users have/don't have access?

This message has been edited. Last edited by: Kerry,


WebFOCUS 7.6
Windows, all output
 
Posts: 7 | Registered: November 12, 2010Report This Post
Expert
posted Hide Post
Melody,

If you have not done so already, you will have to set up the Authorisation Tree within AD.

This is covered quite comprehensively in DN4500790.0810 with quite a reasonable diagram of the AD Schema that you will require.

Once you have this in place then you will be able to assign groups to domains and also users to groups, privileges and roles.

This process is fairly straight forward when you have the document to hand and, if I remember correctly, there are sample VB scripts to help you build your schema.

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
 
Posts: 5694 | Location: United Kingdom | Registered: April 08, 2004Report This Post
Platinum Member
posted Hide Post
Melody,
If all you want is to authenticate users against Active Directory you do not need to setup the authorization data within AD.

Within the WebFOCUS Admin console go to:
Configuration -> MR Security Settings -> General

And confirm that your authentication is set to AD, and your authorization is set to INTERNAL, or a database.

Assuming this is the case, you can log into the Managed Reporting Admin Console just like you did before you authenticated against AD. This is how you will assign roles, groups, etc to the user. The only difference is that when "creating" a user you must use the same userid as their AD userid for them to be able to logon, and you will notice you can no longer set a password (since their AD password will be checked).

With this setup the user's password and authentication information will be within AD, but their "authorization" data (What they can do within WebFOCUS) will be stored elsewhere.

If a user does not have any authorization entries they will not be able to logon, even if they use valid authentication credentials.

With all that said, if you want to use AD credentials to logon to Managed Reporting, I would recommend you instead have Managed Reporting authenticate to the WebFOCUS Reporting Server (WFRS), and have the Reporting Server authenticate to LDAP against AD, or OPSYS against AD.

This allows a Managed Reporting logon to provide credentials both for MR and the Reporting Server so that when a report is run the user is not prompted for credentials.

If all of this seems confusing, I'd recommend the following article:
http://techsupport.information...curity_overview.html

It gives a brief and high level model of the security architecture in WebFOCUS 71x, 76x and 77x.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007Report This Post
Expert
posted Hide Post
quote:
If all you want is to authenticate users against Active Directory you do not need to setup the authorization data within AD.

True, I assumed (possibly mistakenly) that Melody anted both against AD. Apologies if I got that wrong.

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
 
Posts: 5694 | Location: United Kingdom | Registered: April 08, 2004Report This Post
Member
posted Hide Post
Thank you dlogan that was what I was looking for.

Although after changing my Authorization to AD I can not log in to 'Managed Reporting Admin Console', does that mean one of my AD settings is not setup properly?


WebFOCUS 7.6
Windows, all output
 
Posts: 7 | Registered: November 12, 2010Report This Post
Platinum Member
posted Hide Post
Melody,
What I described would be done if your authorization is set to "INTERNAL" or to a database (e.g. SQL).

If you want to do AD authorization as well, you will have to follow all the directions that TonyA referenced. It is an involved process, and not one I recommend unless it is really required.

Before you make the switch to AD authentication you will need to create an admin userid in Managed Reporting Administration that matches
an Active Directory id. This way when you make the switch, you have at least one id to log in as to create the rest of the user's.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007Report This Post
Member
posted Hide Post
quote:
Before you make the switch to AD authentication you will need to create an admin userid in Managed Reporting Administration that matches
an Active Directory id. This way when you make the switch, you have at least one id to log in as to create the rest of the user's.


I did this but when I try to login I get a error message 'Invalid user credentials'. I know my credentials are valid so I think there is something wrong with the way I setup AD Directory Configuration. Is there an error log I can look at?


WebFOCUS 7.6
Windows, all output
 
Posts: 7 | Registered: November 12, 2010Report This Post
Platinum Member
posted Hide Post
Melody,
Yes, within the WebFOCUS Admin console under "Diagnostics" there is a trace "MR Realm". If you enable that trace it will give you more information as to why it is failing.

The following document will walk you through troubleshooting AD authentication.

http://techsupport.information...bf_dia_realm_7x.html

You can of course also open up a case with Techsupport and they will be able to assist.

If you do open a case, give them a copy of MR Realm & WFServelet traces of a failed logon and a copy of your /ibi/webfocusxx/config/mrrealm.cfg.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007Report This Post
Silver Member
posted Hide Post
Melody,

You cant find anyinformation on the trace file as it is related to the AD.

Can you let us know what are the parameters you used to connect to AD. By looking at these parameters i can figure out where is the problem?

Thanks,
Amarnath


WebFOCUS 7.6.7
Unix
Excel/Html
 
Posts: 46 | Registered: January 27, 2009Report This Post
Platinum Member
posted Hide Post
AMARNATH_EL,
If anything is going to be posted on a public forum, the MR Realm trace has everything that is needed and passwords are filtered out.

Posting the connection information from a mrrealm.cfg in a public forum would not be wise. I'm not even sure that posting a MR Realm trace on this forum would be wise since it contains domain controller, userid's and other information as well.

A much better option is to open a case, or maybe post the error from the MR Realm trace.

The troubleshooting dock I gave Melody, should walk her through most of this, however.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007Report This Post
  Powered by Social Strata  

Read-Only Read-Only Topic

Focal Point    Focal Point Forums  Hop To Forum Categories  WebFOCUS/FOCUS Forum on Focal Point     [SOLVED] AD Authentication

Copyright © 1996-2020 Information Builders