Wednesday, April 9, 2014

MSAD Settings in Hyperion and their Significance

While configuring Active Directory (MSAD in this instance), there are quite a few parameters that we overlook. One such time, while migrating from 11.1.1.3 to 11.1.2.2, I used the exact same settings that my prior environment had. Once everything was configured, while testing, I ran into this issue: users from across the globe got “Invalid login credentials” while logging into Essbase, Workspace or Planning. Each time, after restarting the entire suite, it would start working again for a while and would loop back to the same state after some time.
The logs indicated only numerous references to the Invalid credentials message.
Some good tools that serve as a starting point for investigating the root cause are LDAPBrowser and Wireshark, which can help in understanding why this kept happening.

Also, the Oracle Hyperion Shared Services User and Role Security Guide contains a good write-up on the concepts of Active Directory most relevant to Hyperion Foundation, specifically the section that talks about the DNS lookup:

You can configure Active Directory so Shared Services can perform a static host name lookup or a DNS lookup to identify Active Directory. Static host name lookup does not support Active Directory failover.
Using the DNS lookup ensures high availability of Active Directory in scenarios in which Active Directory is configured on multiple domain controllers to ensure high availability. When configured to perform a DNS lookup, Shared Services queries the DNS server to identify registered domain controllers and connects to the domain controller with the greatest weight. If the domain controller to which Shared Services is connected fails, Shared Services dynamically switches to the next available domain controller with the greatest weight.



In my case, the failover Active Directory serving from a different geographic location could not identify the credentials for some reason. So, to restrict the "lookup" to the working Active Directory site, we had to populate the information for AD Site. The next challenge was to find out the AD Site information, for which running this command is extremely helpful:

nltest [/server:<servername>] /dsgetsite

The result of this command needs to be applied in the AD Site field. Once this setting was applied, the error message stopped appearing. 
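
To see why the AD Site field changes which domain controllers can be reached, the following added example (not from this post or from Oracle) compares the domain-wide DC locator SRV records with the site-scoped ones and orders each set by greatest weight, as the guide excerpt describes. The domain `corp.example`, the sites `NYC` and `LON`, the host names and the record data are all constructed; the function names are hypothetical.

```python
import re

# Constructed sample SRV records (zone-file style); domain, sites and hosts are made up.
SAMPLE_SRV = """\
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc-nyc1.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 150 389 dc-nyc2.corp.example.
_ldap._tcp.dc._msdcs.corp.example. 600 IN SRV 0 200 389 dc-lon1.corp.example.
_ldap._tcp.NYC._sites.dc._msdcs.corp.example. 600 IN SRV 0 100 389 dc-nyc1.corp.example.
_ldap._tcp.NYC._sites.dc._msdcs.corp.example. 600 IN SRV 0 150 389 dc-nyc2.corp.example.
_ldap._tcp.LON._sites.dc._msdcs.corp.example. 600 IN SRV 0 200 389 dc-lon1.corp.example.
"""

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)

def parse_srv(text):
    """Parse zone-file style SRV lines into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            records.append({
                "name": m["name"].rstrip(".").lower(),
                "weight": int(m["weight"]),
                "port": int(m["port"]),
                "target": m["target"].rstrip(".").lower(),
            })
    return records

def locator_name(domain, site=None):
    """AD DC locator SRV name: domain-wide, or scoped to one AD site."""
    scope = f"{site}._sites." if site else ""
    return f"_ldap._tcp.{scope}dc._msdcs.{domain}".lower()

def failover_order(records, domain, site=None):
    """Candidate DCs, greatest weight first (the ordering the guide excerpt describes)."""
    hits = [r for r in records if r["name"] == locator_name(domain, site)]
    return [r["target"] for r in sorted(hits, key=lambda r: -r["weight"])]

def out_of_site(records, domain, site):
    """DCs a domain-wide lookup can return that the site-scoped lookup excludes."""
    in_site = set(failover_order(records, domain, site))
    return [h for h in failover_order(records, domain) if h not in in_site]

if __name__ == "__main__":
    recs = parse_srv(SAMPLE_SRV)
    print("domain-wide:", failover_order(recs, "corp.example"))
    print("site NYC   :", failover_order(recs, "corp.example", "NYC"))
    print("outside NYC:", out_of_site(recs, "corp.example", "NYC"))
```

Any host listed as outside the site is a domain controller that a lookup without the AD Site value can still select, which matches the intermittent behaviour described above.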
