
SBL-DAT-00712: Unable to retrieve credential string from user '%1' in Active Directory.

Applies to:

Product Release: V7 (Enterprise)
Version: 7.7.2 [18325]
Database: Oracle 9.2.0.4
Application Server OS: Microsoft Windows 2000 Advanced Server SP 4
Database Server OS: HP 9000 Series HP-UX

This document was previously published as Siebel SR 38-2208858391.

Symptoms

SBL-DAT-00712

Dear,



In all our Object Manager log files, the following error message is reported:
"SBL-DAT-00712: Unable to retrieve credential string from user xxxx in Active Directory."
We have checked the Siebel Support Website, but did not find any information on this error. Could you please inform us what this error message means?
We have successfully implemented ADSI authentication and no problems were reported. We are using two different ADSI profiles, so one OM connects to a different Domain Controller than another OM.

Please send your feedback to RDILISSE@NCSBE.JNJ.COM.

Solution

Message 1

For the benefit of others:

The customer noticed the following error in all object manager log files:

"SBL-DAT-00712: Unable to retrieve credential string from user xxxx in Active Directory."

The customer has successfully implemented ADSI authentication and no problems were reported. He wanted to know what this error message means.

Resolution:

As documented in Siebel Bookshelf version 7.7 > Security Guide for Siebel eBusiness Applications > Security Adapter Authentication > Security Adapter Deployment Options > Configuring the Shared Database Account:

"For ADSI, if the shared database account is specified, then database credentials are retrieved
from a user if they are available to be extracted. If database credentials are not available from
the user, they are instead retrieved from the shared database account."

According to this statement the error SBL-DAT-00712 is benign and can be ignored.

The security adapter first retrieves the attribute ipPhone (CredentialsAttributeType) from the user. If this is not available, the error will be reported in the object manager log file. Hence the security adapter retrieves the database credentials from the shared database account. That explains why the customer is connecting to the Siebel application without any problem.

Thanks and Regards,
Siebel Technical Support


Applies to:

Product Release: V7 (Enterprise)
Version: 7.8.2 [19213] Life Sci
Database: Oracle 9.2.0.6
Application Server OS: Microsoft Windows 2000 Server SP 4
Database Server OS: HP 9000 Series HP-UX

This document was previously published as Siebel SR 38-3099895901.

Symptoms

SBL-DAT-00712, SBL-SEC-10005

I recently started testing a change to the AllowAnonUsers parameter in the SWE section of the epharma.cfg file. By setting the parameter to false, it did prevent anonymous access. I then noticed the behavior described in SR 38-1021293097 where the application does not bring up the message about an invalid userid/password.

The recommendation in that SR is to comment out the following command as a workaround:

        string StartCommand = SWECmd=GotoView&SWEView=Home+Page+View+(eSales)

I went to try and configure this, but it does not appear to be part of the epharma_enu section of the eapps_sia.cfg file. I didn't figure adding it there and commenting it out would help the situation. It is also not in the default section at the top of the eapps.cfg file. Is this configurable for the ePharma Object Manager? If so, how?

Solution

Message 1

For the benefit of other readers,


Customer was using Siebel ADSI Security Adapter authentication version 7.8.2 and had changed parameter AllowAnonUsers to FALSE in the [swe] section of the epharma.cfg file. After this change, a login attempt was made, and the login page reloaded with no error messages. The ePharma Object Manager log file had the error messages below:

“SBL-DAT-00712: Unable to retrieve credential string from user <user DN> information in Active Directory.”

“SBL-SEC-10005: Your password has expired. Please change your password.”

Error message SBL-DAT-00712 is acceptable. Service Request 38-2208858391 on SupportWeb has further information regarding this error message.

Error message SBL-SEC-10005 is usually associated with an ADSI account with an expired password. Based on this information, an internal environment with Siebel version 7.8.2, Siebel ADSI Security Adapter authentication, and an ADSI account with an expired password has been configured. Parameter AllowAnonUsers was set to FALSE in the application cfg file. The behavior the customer reported has been reproduced using this internal environment.
When logging in using an ADSI account with an expired password, the ADSI Security Adapter identifies that the password is expired and redirects the Siebel Web Client to load the “Change Password View”. As this view is loaded using Anonymous browsing, no error message is displayed and the login page is reloaded.


[Continue]

Message 2

[Continued]

Change Request 12-198EWWW has been logged to address this behavior and provide an error message when using expired passwords and AllowAnonUsers parameter set to FALSE.


Thank you,


Siebel Technical Support
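
A log triage example for the two SRs above, added here and not Siebel code: it suppresses SBL-DAT-00712 only when a shared database account is configured (the fallback the Bookshelf quote describes) and keeps SBL-SEC-10005 as a finding. The sample lines are constructed in the ObjMgrLog layout quoted on this page; the function name, its parameters and the rule that a 10005 belongs to the nearest preceding 00712 user are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the ObjMgrLog layout quoted on this page;
# the source-file field and the user DNs are placeholders, not real output.
SAMPLE_LOG = """\
ObjMgrLog\tError\t1\t0\t2006-05-09 10:05:26\t(example.cpp (1)) SBL-DAT-00712: Unable to retrieve credential string from user CN=alice,OU=Sales,DC=example,DC=com in Active Directory.
ObjMgrLog\tError\t1\t0\t2006-05-09 10:05:27\t(example.cpp (1)) SBL-DAT-00712: Unable to retrieve credential string from user CN=bob,OU=Sales,DC=example,DC=com information in Active Directory.
ObjMgrLog\tError\t1\t0\t2006-05-09 10:05:27\t(example.cpp (1)) SBL-SEC-10005: Your password has expired. Please change your password.
ObjMgrLog\tError\t1\t0\t2006-05-09 10:06:02\t(example.cpp (1)) SBL-SCR-00141: constructed script error
"""

LINE_RE = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+.*?(SBL-[A-Z]{3}-\d{5}):\s*(.*)")
# Both wordings seen on this page: "user X in ..." and "user X information in ..."
USER_RE = re.compile(r"from user (.+?)(?: information)? in Active Directory")

def triage(log_text, shared_db_account_configured, allow_anon_users):
    """Return (findings, suppressed) for one Object Manager log."""
    findings, suppressed, last_user = [], Counter(), None
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts, code, msg = m.groups()
        if code == "SBL-DAT-00712":
            u = USER_RE.search(msg)
            last_user = u.group(1) if u else None
            if shared_db_account_configured:
                suppressed[code] += 1  # adapter falls back to the shared account
            else:
                findings.append((ts, code, last_user,
                                 "no shared DB account to fall back to"))
        elif code == "SBL-SEC-10005":
            note = "expired password"
            if not allow_anon_users:
                note += "; login page reloads with no message shown to the user"
            # Assumption: the nearest preceding 00712 names the same login attempt.
            findings.append((ts, code, last_user, note))
        else:
            findings.append((ts, code, None, "unclassified"))
    return findings, suppressed
```
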

Applies to:

Product Release: V7 (Enterprise)
Version: 7.7.2.6 [18372]
Database: Microsoft SQL Server 2000 SP4
Application Server OS: Microsoft Windows 2003 Server SP1
Database Server OS: Microsoft Windows 2003 Server SP1

This document was previously published as Siebel SR 38-3306211901.

Symptoms

SBL-UIF-00230, SBL-UIF-00271, SBL-UIF-00335, SBL-DAT-00329, SBL-DAT-00712, SBL-SEC-10018

Hello,

Our application is set up to use Web Single Sign On for external authentication.
The users are already defined in the Active Directory Server.

We use SSL Accelerator hardware, so the browser submits HTTPS requests, but the Siebel Web Server still uses HTTP protocol.

We use an ISAPI Filter, which takes care of the session token.
Then, it passes authentication information to IIS in Basic Mode.

When the user enters the login username with domain context (<domain>\<username>), everything is fine.
But, if he enters only the login username without the domain name (<username>), it seems Siebel does not recognize the username.

We do not want to provide the domain name to our users.
We did test without the filter and without SSL, but we still get the same results.

Please advise.

Thanks!

Solution

Message 1

For the benefit of other readers:

Users must enter their username prefixed by the domain name whenever customer uses Windows Basic Authentication on the IIS virtual directory, while authenticating against the Microsoft Active Directory Server.

We have checked customer’s eapps.cfg file from %SIEBEL_ROOT%\SWEApp\bin folder, and found the following parameter:

    [swe]
    IntegratedDomainAuth = True

Parameter IntegratedDomainAuth should be set to TRUE only when setting up Windows Integrated Authentication.
Since this customer is implementing Basic Authentication, we have asked them to set IntegratedDomainAuth = FALSE under the [swe] section.
After setting IntegratedDomainAuth to False and restarting the Web Server, everything is working fine.

For further information on this parameter, please refer to Bookshelf Version 7.7, Rev. A (May 2005) > Security Guide for Siebel eBusiness Applications > Appendix B – Configuration Parameters Related to Authentication > Section Parameters in the eapps.cfg File:

“...
IntegratedDomainAuth. To support Windows Integrated Authentication for Web SSO, set this parameter to TRUE. This setting causes SWSE to strip out the domain name from HTTP headers, which allows the application to integrate with Windows Integrated Authentication.
...”

Thank you,

Applies to:

Product Release: V7 (Professional)
Version: 7.7.2.2 [18356]
Database: Oracle 9i
Application Server OS: Microsoft Windows 2000 Server SP 4
Database Server OS: Microsoft Windows 2000 Server SP 4

This document was previously published as Siebel SR 38-3008152701.

Symptoms

SBL-UIF-00401, SBL-SCR-00141, SBL-DAT-00215, SBL-DAT-00712, SBL-SVR-01051, SBL-SCM-00022, SBL-SMI-00033, SBL-NET-01023, SBL-BPR-00125, SBL-BPR-00151

Hi,

We are having problems using drag drop functionality on SWE. When you try to save the attached document systems gives the error "Session Warning: The server you are trying to access is either busy or experiencing difficulties. Please close the Web browser, open a new browser window, and try logging in again." and logs out the user. We have tried the same functionality with dedicated client and it works ok. We also tried the functionality with DB authentication on SWE and had the same error. We are currently using ADSI authentication for production.

The best I have found from SWE logs is as follows.

ProcessPluginRequest    ProcessPluginRequestError    1    0    2006-04-18 17:15:22     5116: [SWSE] RPC coming in without a user session

ProcessPluginRequest    ProcessPluginRequestError    1    0    2006-04-18 17:15:22     5116: [SWSE] Failed to obtain a session ID. NOT OK

ProcessPluginRequest    ProcessPluginRequestError    1    0    2006-04-18 17:15:22     5116: [SWSE] Set Error Response (Session: Error: 00065535 Message: NOT OK)

Your help is appreciated.

Solution

Message 1

For the benefit of other readers,
Customer reported that drag drop attachment functionality on SWE (Web Client) is not working. Further, the following error message was reported while saving the drag & drop attachments from the windows explorer.

"Session Warning: The server you are trying to access is either busy or experiencing difficulties. Please close the Web browser, open a new browser window, and try logging in again." and finally logs out the user.

Comments:
Initial investigation steps included the following checks and confirmation from the customer:-
-    This behavior was happening on all attachment screens.
-    Drag & drop attachments from the windows explorer onto the “Siebel Application > Attachments Screen” works fine on a Siebel dedicated client. However, the same functionality is not working for the SWE _Web Client, for all the USERS.
-    Even tried attaching a small size file, this did not work either (just to eliminate the size and type of document they were attaching).

Next, we noticed a few error messages like
**********************************
ObjMgrLog    Error    1    0    2006-05-09 10:05:26    (init.cpp (232)) SBL-SCR-00141: Siebel eScript runtimefout in procedure 'GetFieldValue' van BusComp [DHB Financial Accounts]:

Error: SiebelError: Deze bewerking is niet toegestaan wanneer geen records worden weergegeven. Voer eerst een query uit die minstens één record retourneert of voeg een nieuwe record toe.(SBL-DAT-00215)

<CONT'D> Resolution 1 of 2........

Message 2

<CONT'D> Resolution 2 of 2........

ObjMgrLog    Error    1    0    2006-05-09 10:05:26    (init.cpp (232)) SBL-SCR-00141: Siebel eScript runtimefout in procedure 'GetFieldValue' van BusComp [DHB Financial Accounts]:*****
********************************
So just to eliminate the possibility of eScript related issue, customer conducted testing by setting "EnableScripting" parameter false and later also setting Application Object parameter "Application Scripting Enabled" to false. However, still the behavior was the same.

Finally, customer confirmed that the root cause of this reported issue was to do with the underscore "_" character which was used for naming their Servers. Basically, the server network name of their production server was "SIEBEL_PROD". That problem occurs because of that underscore "_" character. So when they used the IP address of the actual server instead of the server name (with underscore ‘_’) everything started working as expected.

Additional reference to similar issues which are posted on Support web:
"Service Request #: 38-2936429161 - problem to upload attachment bigger than 1 MG"
Document Enhancement Request 12-IYK4BR has been logged to make sure that this is documented in Siebel Bookshelf.

"Alert 1067: Siebel Server Failures Due to Hyphen Character in Machine Hostname and in the Siebel Server Name"


Thank You,

Siebel Technical Support
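
A pre-deployment check for the root cause above, added here as an example and not part of the original SR: it inspects the host part of the URLs users will browse to and reports underscores, hyphens and other RFC 1123 naming violations, while accepting IP literals (the customer's workaround). The function name and the sample hosts in the comments are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; max 63.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def check_host(url_or_host):
    """Return a list of naming problems for the host part of a URL or bare name."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    if not host:
        return ["no host found"]
    try:
        ipaddress.ip_address(host)
        return []  # IP literal: the workaround the customer used
    except ValueError:
        pass
    problems = []
    if "_" in host:
        problems.append("underscore: root cause of the session loss in this SR")
    if "-" in host:
        problems.append("hyphen: see Alert 1067 cited on this page")
    if len(host) > 253:
        problems.append("name longer than 253 characters")
    for label in host.rstrip(".").split("."):
        # Underscore labels are already reported above; report other violations.
        if "_" not in label and not LABEL_RE.match(label):
            problems.append(f"label {label!r} is not a valid RFC 1123 label")
    return problems

# Constructed inputs:
#   check_host("http://SIEBEL_PROD/callcenter_enu/")  reports the underscore
#   check_host("http://192.0.2.10/callcenter_enu/")   reports nothing
```
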

