[ QUOTE ]
Just imagine our users. They didn't have to log in to JDE for years. They have a Windows password they have to change every month. They didn't need to log in to JDE. Now we are upgrading from 8.10 (terrible release) to the new 8.12 tools release 8.98 with all new features. Also imagine they must switch over from fat client to web......??. If this feature isn't working it just gives a negative flow....
User will say "it is possible for years and now it doesn't work". How do I have to explain this? Implementing big changes in infrastructure is also not the way to go. All our effort goes in the project, making it technically and functionally work.
[/ QUOTE ]
Yes, this is why I recommended Kerberos. As some have pointed out, Kerberos is an authentication system while LDAP is an access protocol. They can work together. The folks who responded to your Metalink request aren't necessarily aware of all of the options. You don't need a portal, collaborative or otherwise. UnifiedLogon is no longer an option with the "web" client. Making "big changes in the infrastructure" is pretty much required if you want the same functionality. It is what it is. I can't make any apologies for Oracle, and I don't have any reason to defend them, either. The UnifiedLogon service just isn't applicable any more with the "web only" releases. Change happens.
Kerberos solves this problem (users don't have to enter more than one password), but it is NOT as easy to set up as UnifiedLogon. You don't have to configure "base LDAP" with JDE to make it work. It is all done at the "web" client layer, not the EnterpriseOne technical foundation.
You may accept some solution in between after evaluating the Kerberos option. First you would need to evaluate it. Gregg recommended you hire a consultant, which wouldn't be a bad idea. A good bet if you do hire a consultant would be to work with someone who knows both OAS (with SSO) and JDE EnterpriseOne. You can go it alone, but once again, not as easy as UnifiedLogon. I don't automatically assume that everyone is technically challenged and that solutions are just too hard for them to figure out. Until you say otherwise, I'll assume you are technically adept and can handle it.
The brief rundown on what you can do to get a UnifiedLogon "like" configuration up and running for the "web" client is as follows:
Install OAS - Infrastructure home option. I recommend 10.1.2.0.2 at this point for JDE. This is Oracle Identity Management and includes a prebuilt Oracle database - no Oracle database installation knowledge is required to get it up and running. There are other options for the database (all Oracle options), but the included database is the easy method.
The Infrastructure home will provide Oracle Internet Directory (OID) and Oracle Single Sign-On. OID and SSO can be installed together at the same time, which is recommended for a first time install, or separately. This can either be in separate homes on the same server, or on separate servers. For instance, OID/SSO together in the same home, or OID on server1 - while SSO is installed on server2. It is also possible to have server3 hosting the db...won't get into that now. Doesn't sound like this is what you want (infrastructure sprawl) but I post this stuff for everyone, not just one.
Once you have the infrastructure up and running, you can then pull the Windows Active Directory accounts into the OID. There are some decent "howto" documents/whitepapers out on the Internet - I've written one for a JDE journal and they are in the process of publishing it in pieces.
The act of pulling the AD accounts into OID is the issue some others have been railing on about - how it shouldn't be necessary, etc., but the fact is it is necessary for Oracle Single Sign-On. I've posted before that perhaps in the future it won't be. (For an Oracle employee's perspective on the SSO/OID requirement among other thoughts:
http://blogs.oracle.com/mwilcox/2007/12/clarifying_questions_on_kerber.html)
Either way, it is not like installing a new ERP system in complexity, but it will take some level of attention/maintenance, more so than UnifiedLogon. It is the nature of the beast. A big ERP upgrade project should take risks like these into account. I am disappointed how so many technical consultants leave out the "little" things like user authentication when they lay out the overall project plan for the technical upgrade.
Once you have the accounts pulled in, you can turn on the AD external authentication plug-in for OID. This will authenticate users in OID against AD using their Windows password. This isn't required for Kerberos, but good to have in case Kerberos fails for whatever reason.
Once you have this configured, you can connect JDE "web" client to Oracle Single Sign-On. Once that has been verified as working, you can configure Kerberos on the Oracle SSO server. This can work if you are running OAS on any supported platform, it doesn't have to be running on Windows to work with the Windows implementation of Kerberos.
Once you have Kerberos working with SSO, users who are able to authenticate with Windows should no longer be required to enter their username/password for access to JDE. Again, no portal is required for this, and it is supported.
The detractors either haven't done it themselves, have and hated it, are worried you will struggle and blame JDEList or them personally, or just want to be or enjoy being detractors.
I am sorry you are going through phases of understanding, confusion, understanding, joy, discomfort, etc. This isn't an easy topic to discuss, due to the Oracle-centric nature of the recommended solutions. I'm also not a full-time professional journalist, and no one is here to edit my posts on JDEList. Again, sorry.