Focal Point
[SOLVED] AD Authentication

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/1807003595

December 13, 2010, 07:14 PM
Melody
[SOLVED] AD Authentication
I am setting up Managed Reporting to use AD for its authentication. After I set up Managed Reporting for External Authentication, how do I assign users to specific domains? Or how do I even set up which users have/don't have access?



WebFOCUS 7.6
Windows, all output
December 14, 2010, 03:31 AM
Tony A
Melody,

If you have not done so already, you will have to set up the Authorisation Tree within AD.

This is covered quite comprehensively in DN4500790.0810 with quite a reasonable diagram of the AD Schema that you will require.

Once you have this in place then you will be able to assign groups to domains and also users to groups, privileges and roles.

This process is fairly straightforward when you have the document to hand and, if I remember correctly, there are sample VB scripts to help you build your schema.

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
December 14, 2010, 09:23 AM
dlogan
Melody,
If all you want is to authenticate users against Active Directory you do not need to set up the authorization data within AD.

Within the WebFOCUS Admin console go to:
Configuration -> MR Security Settings -> General

And confirm that your authentication is set to AD, and your authorization is set to INTERNAL, or a database.

Assuming this is the case, you can log into the Managed Reporting Admin Console just like you did before you authenticated against AD. This is how you will assign roles, groups, etc. to the user. The only difference is that when "creating" a user you must use the same userid as their AD userid for them to be able to log on, and you will notice you can no longer set a password (since their AD password will be checked).

With this setup the user's password and authentication information will be within AD, but their "authorization" data (What they can do within WebFOCUS) will be stored elsewhere.

If a user does not have any authorization entries they will not be able to log on, even if they use valid authentication credentials.

With all that said, if you want to use AD credentials to log on to Managed Reporting, I would recommend you instead have Managed Reporting authenticate to the WebFOCUS Reporting Server (WFRS), and have the Reporting Server authenticate to LDAP against AD, or OPSYS against AD.

This allows a Managed Reporting logon to provide credentials both for MR and the Reporting Server so that when a report is run the user is not prompted for credentials.

If all of this seems confusing, I'd recommend the following article:
http://techsupport.information...curity_overview.html

It gives a brief and high level model of the security architecture in WebFOCUS 71x, 76x and 77x.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


December 14, 2010, 09:29 AM
Tony A
quote:
If all you want is to authenticate users against Active Directory you do not need to set up the authorization data within AD.

True, I assumed (possibly mistakenly) that Melody wanted both against AD. Apologies if I got that wrong.

T



In FOCUS
since 1986
WebFOCUS Server 8.2.01M, thru 8.2.07 on Windows Svr 2008 R2  
WebFOCUS App Studio 8.2.06 standalone on Windows 10 
December 14, 2010, 01:05 PM
Melody
Thank you dlogan that was what I was looking for.

Although after changing my Authorization to AD I cannot log in to 'Managed Reporting Admin Console', does that mean one of my AD settings is not set up properly?


WebFOCUS 7.6
Windows, all output
December 14, 2010, 01:13 PM
dlogan
Melody,
What I described would be done if your authorization is set to "INTERNAL" or to a database (e.g. SQL).

If you want to do AD authorization as well, you will have to follow all the directions that TonyA referenced. It is an involved process, and not one I recommend unless it is really required.

Before you make the switch to AD authentication you will need to create an admin userid in Managed Reporting Administration that matches an Active Directory id. This way when you make the switch, you have at least one id to log in as to create the rest of the users.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


December 14, 2010, 06:00 PM
Melody
quote:
Before you make the switch to AD authentication you will need to create an admin userid in Managed Reporting Administration that matches an Active Directory id. This way when you make the switch, you have at least one id to log in as to create the rest of the users.


I did this but when I try to login I get an error message 'Invalid user credentials'. I know my credentials are valid so I think there is something wrong with the way I set up AD Directory Configuration. Is there an error log I can look at?


WebFOCUS 7.6
Windows, all output
December 15, 2010, 08:54 AM
dlogan
Melody,
Yes, within the WebFOCUS Admin console under "Diagnostics" there is a trace "MR Realm". If you enable that trace it will give you more information as to why it is failing.

The following document will walk you through troubleshooting AD authentication.

http://techsupport.information...bf_dia_realm_7x.html

You can of course also open up a case with Techsupport and they will be able to assist.

If you do open a case, give them a copy of MR Realm & WFServlet traces of a failed logon and a copy of your /ibi/webfocusxx/config/mrrealm.cfg.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


December 15, 2010, 11:41 AM
AMARNATH_EL
Melody,

You can't find any information on the trace file as it is related to the AD.

Can you let us know what parameters you used to connect to AD? By looking at these parameters I can figure out where the problem is.

Thanks,
Amarnath


WebFOCUS 7.6.7
Unix
Excel/Html
December 15, 2010, 12:01 PM
dlogan
AMARNATH_EL,
If anything is going to be posted on a public forum, the MR Realm trace has everything that is needed and passwords are filtered out.

Posting the connection information from a mrrealm.cfg in a public forum would not be wise. I'm not even sure that posting a MR Realm trace on this forum would be wise since it contains domain controller, userids and other information as well.

A much better option is to open a case, or maybe post the error from the MR Realm trace.

The troubleshooting doc I gave Melody should walk her through most of this, however.


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP
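
On the point above about trace and mrrealm.cfg contents exposing domain controllers and userids, here is an added example (not part of the thread and not WebFOCUS code): a Python sketch that replaces such identifiers with stable tokens before an excerpt is shared, so the same host or user stays correlatable across lines. The sample lines are constructed and do not reproduce the real MR Realm trace format; the `userid` and `password` key names are assumptions.

```python
import re

# Identifier kinds the post warns about: directory DNs, user principals,
# DOMAIN\user accounts, IP addresses and host names (domain controllers).
PATTERNS = [
    ("DN",   re.compile(r"\b(?:(?:CN|OU|DC)=[^,\n]+,\s*)+(?:CN|OU|DC)=[^,\s]+", re.I)),
    ("UPN",  re.compile(r"[\w.\-]+@[\w\-]+(?:\.[\w\-]+)+")),
    ("ACCT", re.compile(r"\b[A-Za-z][\w\-]*\\[\w.\-]+")),
    ("IP",   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b(?:[A-Za-z0-9\-]+\.)+[A-Za-z]{2,}\b")),
]
# Key names below are assumptions, not taken from a real mrrealm.cfg or trace.
SECRET = re.compile(r"(?i)\b(\w*(?:password|passwd|secret)\w*\s*[=:]\s*)\S+")
USERKEY = re.compile(r"(?i)\b(user(?:id|name)?\s*[=:]\s*)(?!<)(\S+)")

def redact(text, mapping=None):
    """Return text with identifiers replaced by stable tokens.

    Pass the same mapping dict to several calls to keep tokens consistent
    across files (for example a trace and a config excerpt)."""
    mapping = {} if mapping is None else mapping

    def token(kind, value):
        key = (kind, value.lower())  # AD names are case-insensitive
        if key not in mapping:
            n = sum(1 for k in mapping if k[0] == kind) + 1
            mapping[key] = "<%s-%d>" % (kind, n)
        return mapping[key]

    # Secrets are dropped outright, never tokenised.
    text = SECRET.sub(lambda m: m.group(1) + "<REMOVED>", text)
    for kind, rx in PATTERNS:
        text = rx.sub(lambda m, k=kind: token(k, m.group(0)), text)
    # Bare userids are only recognisable through their key name.
    return USERKEY.sub(lambda m: m.group(1) + token("USER", m.group(2)), text)

# Constructed sample, not real product output.
SAMPLE = """\
[constructed] connecting to ldap://dc01.corp.example.com:389
[constructed] bind user CN=svc webfocus,OU=Service Accounts,DC=corp,DC=example,DC=com
[constructed] lookup userid=melody on dc01.corp.example.com
[constructed] bind password=Winter2010! rejected for CORP\\melody
[constructed] retry userid=melody
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

The patterns deliberately over-match (file names with dots are tokenised as hosts), which is the safe direction for something that will be posted publicly; review the output by eye before sharing it.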