As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at community@tibco.com for further assistance. Reference the community FAQ to learn more about the community.
I'm trying to get the SingleSignOn for the Dashboard running, but my REMOTE_USER variable is not beeing populated. I read the manual and other guides several times, but something is going wrong on my configuration.
I'm using a Windows Server 2003 with WebFOCUS 7.6.4 with Tomcat and no IIS installied.
1 I configured the custom settings in the MR Administration Console like: IBIMR_domain(pass) MR_FULL_FEXNAME(pass) MR_ITEM_HANDLE(pass) MR_CHANGE_PASS(protect) IBIMR_user (pass) WORP_USER(pass) REMOTE_USER(pass)
2 I configured the MR security settings for authentification like: User Web Server REMOTE_USER variable + Include Windows domain
3 Tomcat server.xml file < !-- Define an AJP 1.3 Connector on port 8009 --> Connector port="8009" enableLookups="false" request.tomcatAuthentication="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3"
When I try to open the dashboard I get an error message like the following:
Error Number 19104 Description invalid User-ID or Password. ibi.webfoc.wfmre.mrutil.WFMRError: invalid User-ID or Password
(I searched for this Error Number, but i only found another Description to that error, that does not match with mine.)
But this becomes understandable, when i trace the MR Realm Driver while dashboard login:
**********************************D:/ibi/WebFOCUS76/logs\00103_mrrealm_090217_094421.trace ---------------------------------------------------------------- Logging started on [2009-02-17 09:44:21 CET] WF Gen: 168 Date: Thursday, November 15, 2007 5:15:36 AM CET MR Realm Driver Revision: 2.3.0 (7.6) ---------------------------------------------------------------- [2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] authenticateUser: Trusted Mode Authentication for user 'null' [2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] findReposUserByID: User 'null' Not Found [2009-02-17 09:44:21 CET] {INFO} [WFMRX_MRSecurityDriver] >authenticateUser: User null failed to authenticate
The HTTP Request Info in the diagnosticts tell me the following:
@JG I checked this browser settings, although the security and administration manual tells, that the browser should be configured to "Automatic logon only in Intranet zone".
@dhagen What configuration do I have to set to get the REMOTE_USER populated without IIS?
----- WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server
Maybe I did not understand the single sign on authentification process correctly, but I think it is becoming a bit clearer now.
The Web Server populates the REMOTE_USER variable and Tomcat is able to read that variable and pass it to the MRE. I don't use IIS as Web Server, so Tomcat receives an empty REMOTE_USER variable. Is that correct so far?
If I don't use a Web Server that sets the REMOTE_USER variable, is it possible to get the SingleSignOn working with Tomcat? Or do I need to install a Web Server and there is no way around it?
----- WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server
To get the Remote_User without IIS you would have to configure Tomcat to use Active Directory as an authentication point. This would not be trusted, and therefore, your users would be then prompted for credentials.
To get true SSO with Tomcat standalone, read TM4647 (Configuring Single Sign-on to the WebFOCUS Reporting Server Using Kerberos). It can be a bit of a ride to configure, but it should allow you to do what you are looking for.
"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
Sorry I should have asked the obvious question first.
If it's Tomcat standalone then you need to configure and deploy a servlet like jcifs, this is open source and quite easy to do.
However depending on your security implementations you may need to go to a servlet such as Jespa this is foc for a max 25 users but $400 for unlimited users. (pea nuts).
The browser settings you have are fine if the webserver is on the intranet, however if you have external users they must use the Internet logon.
As I see the easiest way to get the SSO working is to use the IIS. Alternatively we can implement JCIFS for ntlm authentification for tomcat standalone or use the kerberos protocol.
I think we will install the WebFOCUS with IIS in the future and try the solution with the JCIFS also.
Thank you for your help.
----- WebFOCUS 7.6.4 on Windows Server 2003 with Oracle DB / MS SQL Server