EM13c: AD User Login Fails with Authentication Error - Minimum Role <ROLE> Needed for Auto Provisioning Not Found in Subject
(Doc ID 3003266.1)
Last updated on FEBRUARY 22, 2024
Applies to:
Enterprise Manager Base Platform - Version 13.5.0.0.0 and later
Information in this document applies to any platform.
Symptoms
EM 13.5
- AD user login to the EM Console fails with an authentication error.
- With debug logging enabled, the OMS log reports the error below:
<OMS_INST>/em/EMGC_OMS{n}/sysman/log/emoms_pbs.trc
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService _performLogin.1200 - Set of princs associated with this opss subject [<USER>, authenticated-role, anonymous-role]
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService isAutoProvisioningEnabled.1675 - Minimum roles configured for auto provisisoning: [<ROLE>]
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService isAutoProvisioningEnabled.1682 - Set of princs associated with this subject [<USER>]
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO auth.EMLoginService isAutoProvisioningEnabled.1697 - Minimum role <ROLE> needed for auto provisioning not found in Subject Subject:
Principal: <USER>
Private Credential: <USER>
- The following properties have been set on the OMS side:
oracle.sysman.core.security.auth.autoprovisioning_minimum_role=<ROLE>
oracle.sysman.core.security.auth.enable_cred_providers=null
oracle.sysman.core.security.auth.enable_username_mapping=null
oracle.sysman.core.security.auth.is_external_authentication_enabled=true
oracle.sysman.core.security.auth.ldapuserattributes_emuserattributes_mappings=null
oracle.sysman.emSDK.sec.DirectoryAuthenticationType=LDAP
- The minimum role, set to <ROLE>, is available in the WebLogic Admin Console Group page.
Log in to the WLS console and navigate to Security Realms -> my realm -> Users and Groups -> Groups.
- The issue is seen only when a new AD user attempts to log in.
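A triage script for the trace lines quoted above, added here as an example and not part of the Oracle document: it correlates the EMLoginService messages per execute thread and reports each login rejected by the auto-provisioning role check, together with the principals the subject carried at that point. The user `jdoe` and role `EM_ADMINS` are constructed stand-ins for <USER> and <ROLE>, and the function names are hypothetical.

```python
import re

# Constructed sample in the emoms_pbs.trc layout quoted above; "jdoe" and
# "EM_ADMINS" are made-up stand-ins for <USER> and <ROLE>.
T = "2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] "
SAMPLE = [
    T + "DEBUG auth.EMLoginService _performLogin.1200 - Set of princs associated with this opss subject [jdoe, authenticated-role, anonymous-role]",
    T + "DEBUG auth.EMLoginService isAutoProvisioningEnabled.1675 - Minimum roles configured for auto provisisoning: [EM_ADMINS]",
    T + "DEBUG auth.EMLoginService isAutoProvisioningEnabled.1682 - Set of princs associated with this subject [jdoe]",
    T + "INFO auth.EMLoginService isAutoProvisioningEnabled.1697 - Minimum role EM_ADMINS needed for auto provisioning not found in Subject Subject:",
    "Principal: jdoe",
    "Private Credential: jdoe",
]

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \[\[\w+\] ExecuteThread: '(?P<tid>\d+)'.*?\] "
                  r"(?P<level>[A-Z]+) auth\.EMLoginService \S+ - (?P<msg>.*)$")
ROLES = re.compile(r"Minimum roles configured for auto provisi\w+: \[(.*)\]")  # tolerates the log's own spelling
PRINCS = re.compile(r"Set of princs associated with this subject \[(.*)\]")
FAIL = re.compile(r"Minimum role (\S+) needed for auto provisioning not found in Subject")

def split_list(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def find_failures(lines):
    """Return one record per login rejected by the auto-provisioning role check."""
    state, failures, pending = {}, [], None
    for line in lines:
        m = LINE.match(line)
        if not m:
            # Continuation line of the Subject dump; the credential line is never read.
            if pending is not None and line.startswith("Principal:"):
                pending["user"] = line.split(":", 1)[1].strip()
            continue
        pending = None
        ctx = state.setdefault(m["tid"], {"roles": [], "princs": []})
        if (r := ROLES.search(m["msg"])):
            ctx["roles"] = split_list(r[1])
        elif (p := PRINCS.search(m["msg"])):
            ctx["princs"] = split_list(p[1])
        elif (f := FAIL.search(m["msg"])):
            pending = {"time": m["ts"], "thread": m["tid"], "user": None, "missing_role": f[1],
                       "configured_roles": ctx["roles"], "subject_principals": ctx["princs"]}
            failures.append(pending)
            state.pop(m["tid"], None)  # this login attempt is finished
    return failures

if __name__ == "__main__":
    for rec in find_failures(SAMPLE):
        print(rec)
```

Each record shows the role that was required next to the principals the subject held when the check ran, which is the comparison the INFO line summarizes.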
Cause