Authentication And Scheduling Problems
We have had strange issues in BusinessObjects Enterprise XI R2 and 3.0 where;
- Log in with AD Authentication stops working. A timeout occurs after a while. Users without AD aliases can log on without any problems.
- When scheduling reports the report job gets stuck in status Pending.
These two issues started at the same time but we interpreted them as separate issues. That was a wrong assumption.
After a lot of investigation and testing we isolated the problem to the BOE DB repository. The problem was due to changes in the availability of one of the AD groups that was registered under AD Authentication in CMC/Authentication. The same problem would occur if a NT group would be removed or made unavailable.
The solution for this problem was to remove the group that caused the system to hang. After that, it all worked again.
We have had these issues a number of times now in different systems and it's mind-boggling how the functionality in the system can be designed in this way. This function is a core part of the system and should not have this behavior!
Why does the scheduling stop working if there are verification problems against a domain? Well, when the CMS starts a scheduled job it checks to see if the user has the rights to run the report. At that point the system does a verification against the group and if that group are unavailable the session is hung until timed out.
Does anyone else had similar issues?
2 comments:
I saw a similar AD anomalous behaviour on a customer site.
They had created an account with two aliases, one using AD and the other enterprise authentication. The user could choose which method they wanted to use.
One day there was a problem with their AD server, it was unavailable.
The users were unable to login using their ENTERPRISE alias!
Only solution was to delete the AD alias.
Ross
I have seen this problem before. The most common cause is the deletion of an AD group. One way to help insulate the BOE system is to use Enterprise groups to assign permissions to folders and then place the AD groups in the Enterprise Groups. In that way if the AD group is deleted the permissions are still in place and all that is required is a re-linking of the two groups, the Enterprise group and the new AD group. The old AD group will need to be removed from the Authentication area in the AD or NT tab. The old group will appear as a GUID like number.
Keep a pure Enterprise account handy with Admin level of access to fix the problem. You most likely will not be able to Access the CMC with an AD / NT account.
If possible schedule all reports using an Enterprise account. If a report scheduler leaves the company and scheduled reports with their AD account, the schedules may fail when the AD / NT account is deleted AND the Update button in the corresponding Authentication tab is pushed.
Jeffrey Hill
Post a Comment