I’m not sure if I fully understand how aliases work so please bear with me…
We are using Windows AD on NTLM using SSO for Infoview (no options for Kerberos, in case that is your first recommendation…) and I’m trying to set up some very limited access for delegated admin, so that they can assign users to groups in the CMC, to control specific folder access.
When a member of the delegated admin group tries to log into the CMC using AD authentication I get:
Account Information Not Recognized: The AD plugin does not support Java in NTLM mode. Please use Kerberos. (FWM 02100)
So as a workaround I thought if I could automatically create an Enterprise account for members of the delegated admin group, they could log in using Enterprise authentication.
What I had hoped would be possible is that the Enterprise account/alias created uses the AD credentials, but it looks as if you need to specify a new password for the Enterprise account.
This is bad on 2 levels. First, it means the user has to remember a second specific CMC password (we’ve just got onto AD SSO, so this feels like a big step backwards), and second, it means that someone has to administrate setting up the Enterprise account in the CMC.
I’d hoped it would be possible to have the user added via AD, and the Enterprise alias created automatically.
Can anyone help? (or indeed enlighten me further about aliases!)
As you already discovered, enterprise aliases require a new password or no password at all (you probably don’t want the latter). You could write some code to create enterprise aliases, but there is no way to retrieve passwords from AD so your users would be forced to use 2 passwords. martensnl’s suggestion to use Kerberos is the only way I know to get SSO working with the Java platform.
If I understand you correctly:
You want to use AD as your primary, and Enterprise as an alias. You want an Enterprise alias automatically created when an AD refresh occurs adding new users.
Otherwise it is a manual process or a script using the SDK that creates the new alias for all users and sets them with a default password that the user would be prompted to change on the first logon.
I too have looked for a similar feature since CE8.5.
Problems I ran into that prompt the necessity for multiple aliases (or at least Enterprise): If you are using AD, NT, LDAP or SAP, you are mapping groups from elsewhere that you may or may not control. I have had problems with AD, LDAP and BW sources where security is maintained by someone else. If the user(s) are removed accidentally and you refresh the CMS (authentication) then the users are removed from the system. Anything they are an owner of becomes orphaned, any recurring schedules are removed, and all favorites/inboxes are gone also. This is a huge problem when you get an executive wanting to know where the saved reports that were sent to his inbox or favorites are once he is restored.
If the users belong to more than one group (AD, NT, LDAP, SAP) this isn’t as much of a problem if they were only removed from one group. But I have seen users get accidentally deleted from the entire network.
Creating an Enterprise alias is good practice as it is locally controlled and can be your backup, should network or security admins have a glitch somewhere. This way all objects remain intact until the issue can be resolved.
Back to the issue at hand. I too have requested this function be added, so that by default all users get an Enterprise alias. I have always been told that I can do it myself with the EntSDK. But it remains a manual process.
They will only add it to the system should enough customers request the feature.
But be forewarned. It could take years to get this into the system, and it may only last one version or even one SP before they remove it because they don’t see enough use of the feature. They have retired many features over the years because only 5% or less use a feature, but fail to realize that the 5% are supremely heavy users of that feature.
Be prepared, they are getting ready to do it again with XI 4.0. We will probably lose more functions in EPM, as they shift to Xcelsius services, and more tie-ins to SAP BW.
They should really implement a feature to automatically add an Enterprise alias as soon as an AD/LDAP/NT user gets created. Better would be - keep this Enterprise alias disabled, until the BO Admin enables it.
Can anyone share the information about where to send suggestions for new features?
I have written some different java applications to do this, but not “automatic”. It needs to be run periodically to create the Enterprise users. It’s a fairly simple program to write as well. I doubt this would become an actual feature of BOE.
I couldn’t give the actual code I have because it’s for other clients and it has other things in it, but I can probably pull out the parts needed and post that. It may be a few days.
If the program basics are provided I am sure the rest of us can figure out how to adapt it to our environments.
Another suggestion: The AD authentication now in 3.1 has two program objects, one for AD Graph and one for AD Graph and Alias. By making them objects that can be scheduled, you can have your AD refresh automatically. If we could do the same with a program object for the creation of Enterprise aliases that are disabled and set up with default passwords that require users to change them upon logon, then theoretically you can set up the AD graph and alias update to post an event trigger. We set the Ent Alias program object schedule to run upon receipt of the event trigger.
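The periodic SDK program the thread describes (scan the CMS, give every AD-mapped user a disabled Enterprise alias, leave it to the BO Admin to enable), as an added example. This is not code from any poster in this thread and not a BusinessObjects product feature; it assumes the BusinessObjects Enterprise XI 3.1 Java SDK jars on the classpath and an Enterprise administrator account for the CMS logon (AD credentials cannot be used here, for the reason in the original error). `IUserAliases.addNew(name, disabled)` and `IUser.setPasswordToChangeAtNextLogon(boolean)` are quoted from memory of the SDK Javadoc and are marked ASSUMED in the code; check them against your installed version. One refinement over the "default password" approach: each new alias gets a random, unrecorded password, so there is no shared default that every delegated admin knows, and the admin sets a one-time password in the CMC at the moment they enable the alias.

```java
// Added example, not from the thread: one-shot job to create disabled Enterprise aliases
// for every user that currently has only a Windows AD (secWinAD) alias.
// Assumes the BOE XI 3.1 Java SDK. Calls marked ASSUMED are from memory of the Javadoc.
import com.crystaldecisions.sdk.exception.SDKException;
import com.crystaldecisions.sdk.framework.CrystalEnterprise;
import com.crystaldecisions.sdk.framework.IEnterpriseSession;
import com.crystaldecisions.sdk.occa.infostore.IInfoObjects;
import com.crystaldecisions.sdk.occa.infostore.IInfoStore;
import com.crystaldecisions.sdk.plugin.desktop.user.IUser;
import com.crystaldecisions.sdk.plugin.desktop.user.IUserAlias;

import java.security.SecureRandom;
import java.util.Iterator;

public class EnterpriseAliasSync {

    private static final SecureRandom RNG = new SecureRandom();
    // Ambiguous glyphs (0/O, 1/l/I) left out so a one-time password can be read aloud if ever needed.
    private static final String ALPHABET =
            "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@";

    public static void main(String[] args) throws SDKException {
        if (args.length != 3) {
            System.err.println("usage: EnterpriseAliasSync <cms:port> <adminUser> <adminPassword>");
            System.exit(2);
        }
        // Log on with an Enterprise administrator account; the program itself never uses AD.
        IEnterpriseSession session = CrystalEnterprise.getSessionMgr()
                .logon(args[1], args[2], args[0], "secEnterprise");
        try {
            IInfoStore infoStore = (IInfoStore) session.getService("InfoStore");
            int created = syncAliases(infoStore);
            System.out.println("Enterprise aliases created (disabled): " + created);
        } finally {
            session.logoff();
        }
    }

    /** Adds a disabled secEnterprise alias to each user that has a secWinAD alias and no Enterprise alias yet. */
    static int syncAliases(IInfoStore infoStore) throws SDKException {
        IInfoObjects users = infoStore.query(
                "SELECT SI_ID, SI_NAME, SI_ALIASES FROM CI_SYSTEMOBJECTS WHERE SI_KIND='User'");
        int created = 0;
        for (Iterator<?> it = users.iterator(); it.hasNext(); ) {
            IUser user = (IUser) it.next();
            if (hasAlias(user, "secWinAD:") && !hasAlias(user, "secEnterprise:")) {
                // Alias names carry the authentication prefix; reuse the CMS user name (SI_NAME).
                String aliasName = "secEnterprise:" + user.getTitle();
                // ASSUMED signature: addNew(String name, boolean isDisabled). Created disabled,
                // so nobody can use it until the BO Admin explicitly enables it in the CMC.
                user.getAliases().addNew(aliasName, true);
                // Random password that is deliberately not stored or printed anywhere:
                // no shared default exists, and the admin sets a one-time password when enabling.
                user.setNewPassword(randomPassword(20));
                // ASSUMED method name; forces a change on the first Enterprise logon.
                user.setPasswordToChangeAtNextLogon(true);
                created++;
            }
        }
        infoStore.commit(users);   // one commit for the whole batch
        return created;
    }

    /** True if the user already has an alias whose name starts with the given auth prefix. */
    static boolean hasAlias(IUser user, String prefix) throws SDKException {
        for (Iterator<?> it = user.getAliases().iterator(); it.hasNext(); ) {
            IUserAlias alias = (IUserAlias) it.next();
            if (alias.getName().startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** Cryptographically random password of the requested length drawn from ALPHABET. */
    static String randomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RNG.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }
}
```

Run it from a scheduled task, or wrap it as a program object as the post above suggests so the event from the AD Graph and Alias update can trigger it. Because the aliases are created disabled with an unknown password, an accidental run against the wrong CMS creates nothing that can be logged into, which is the failure mode worth designing for when the job runs unattended.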