If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Single Signon based on Microsoft Kerberos (AD)

Started by Tsunami, 23 Sep 2011 12:04:22 PM

Previous topic - Next topic

Tsunami

I've think I've configured everything based on the KB article but it's not automatically authenticating.

I've verified the settings and prerequisites.  Everything seems to be setup right.  Only thing I question is that in IIS, I went to the specific website and set the directory security.  Should I have done it a higher level?

When I select AD as my namespace, Cognos pulls in my domain/username but I still have to enter my password.  What am I missing to get this far but not have Cognos pull in my password?   I didn't think an advanced property was required for kerebos...or does it?  Do I need to restart the service?

SomeClown

Is IIS configured to require Kerberos?  In my experience, IIS usually isn't using Kerberos but NTLM.  I've had success in getting single signon to work when I used NTLM (singleSignonOption  IdentityMapping  for the parm)

Tsunami

#2
I thought that it uses Kerberos by default?  How do I check this setting?

Update:  I got it to work by using the singleSignonOption

smiley

Without that setting, it uses as full kerberos handshake, that has a lot of requirements to meet, includign making changes to your AD.
The singlesignonoption utilises the remote_user variable, which is a bit less safer as it can be spoofed, but still does the job of a single signon very well.
Normally no problem inside a regular network.