EM13c: AD User Login Fails with Authentication Error - Minimum Role <ROLE> Needed for Auto Provisioning Not Found in Subject (Doc ID 3003266.1)

Last updated on FEBRUARY 22, 2024

Applies to:

Enterprise Manager Base Platform - Version 13.5.0.0.0 and later
Information in this document applies to any platform.

Symptoms

EM 13.5

- AD user login to the EM Console fails with an authentication error.
- OMS logs in debug mode report the error below:

<OMS_INST>/em/EMGC_OMS{n}/sysman/log/emoms_pbs.trc
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService _performLogin.1200 - Set of princs associated with this opss subject [<USER>, authenticated-role, anonymous-role]

2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService isAutoProvisioningEnabled.1675 - Minimum roles configured for auto provisisoning: [<ROLE>]
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] DEBUG auth.EMLoginService isAutoProvisioningEnabled.1682 - Set of princs associated with this subject [<USER>]
2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '25' for queue: 'weblogic.kernel.Default (self-tuning)'] INFO auth.EMLoginService isAutoProvisioningEnabled.1697 - Minimum role <ROLE> needed for auto provisioning not found in Subject Subject:
Principal: <USER>
Private Credential: <USER>

- The following properties have been set on the OMS side:

  oracle.sysman.core.security.auth.autoprovisioning=true
  oracle.sysman.core.security.auth.autoprovisioning_minimum_role=<ROLE>
  oracle.sysman.core.security.auth.enable_cred_providers=null
  oracle.sysman.core.security.auth.enable_username_mapping=null
  oracle.sysman.core.security.auth.is_external_authentication_enabled=true
  oracle.sysman.core.security.auth.ldapuserattributes_emuserattributes_mappings=null
  oracle.sysman.emSDK.sec.DirectoryAuthenticationType=LDAP

- The minimum role set as <ROLE> is available on the WebLogic Admin Console Groups page.
   Log in to the WLS console and navigate to Security Realms -> my realm -> Users and Groups -> Groups.
- The issue is seen only on a new AD user's login attempt.
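
An added example, not part of the Oracle note: Python that scans emoms_pbs.trc lines in the format shown above, correlates them per ExecuteThread, and reports each failed auto-provisioning check together with the configured minimum roles and the principals logged for the subject. The function names, the user jdoe and the role EM_ADMINS are assumptions made for the illustration.

```python
import re

# Line shape copied from the emoms_pbs.trc excerpt in this note.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \[.*?ExecuteThread: '(?P<thread>\d+)'"
                  r".*?\] (?P<level>[A-Z]+) +\S+ \S+ - (?P<msg>.*)$")
MIN_ROLES = re.compile(r"Minimum roles configured for auto \w+: \[(.*?)\]")
PRINCS = re.compile(r"Set of princs associated with this (opss )?subject \[(.*?)\]")
FAILED = re.compile(r"Minimum role (.+?) needed for auto provisioning not found in Subject")

def _items(text):
    return [x.strip() for x in text.split(",") if x.strip()]

def find_autoprovision_failures(lines):
    """Return one finding per failed auto-provisioning check, correlated by thread."""
    state, findings = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # continuation lines ("Principal: ...") have no timestamp
        st = state.setdefault(m["thread"], {"min": [], "opss": [], "subject": []})
        msg = m["msg"]
        if (r := MIN_ROLES.search(msg)):
            st["min"] = _items(r[1])
        elif (p := PRINCS.search(msg)):
            st["opss" if p[1] else "subject"] = _items(p[2])
        elif (f := FAILED.search(msg)):
            seen = set(st["opss"]) | set(st["subject"])
            findings.append({"time": m["ts"], "thread": m["thread"], "role": f[1],
                             "configured": st["min"], "principals": sorted(seen),
                             "role_in_principals": f[1] in seen})
            del state[m["thread"]]  # start clean for the next login on this thread
    return findings

# Constructed sample: user "jdoe" and role "EM_ADMINS" are placeholders, not from the note.
_P = "2024-01-26 14:30:27,687 [[ACTIVE] ExecuteThread: '%s' for queue: 'weblogic.kernel.Default (self-tuning)'] "
SAMPLE = [
    _P % 25 + "DEBUG auth.EMLoginService _performLogin.1200 - Set of princs associated with this opss subject [jdoe, authenticated-role, anonymous-role]",
    _P % 31 + "DEBUG auth.EMLoginService isAutoProvisioningEnabled.1675 - Minimum roles configured for auto provisisoning: [EM_ADMINS]",
    _P % 25 + "DEBUG auth.EMLoginService isAutoProvisioningEnabled.1675 - Minimum roles configured for auto provisisoning: [EM_ADMINS]",
    _P % 25 + "DEBUG auth.EMLoginService isAutoProvisioningEnabled.1682 - Set of princs associated with this subject [jdoe]",
    _P % 25 + "INFO auth.EMLoginService isAutoProvisioningEnabled.1697 - Minimum role EM_ADMINS needed for auto provisioning not found in Subject Subject:",
    "Principal: jdoe",
]

if __name__ == "__main__":
    for finding in find_autoprovision_failures(SAMPLE):
        print(finding)
```

A finding with role_in_principals set to False means none of the principals EM logged for that login matched the configured minimum role.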

Cause
