EP 10.1.1 FP2 - authentication source inactive on cognos connection

Started by topedgemonk, 02 Feb 2013 11:25:41 AM


topedgemonk

Hi,
I'm doing an upgrade from EP10.1 to EP10.1.1 FP2. It's a full uninstall and install of new software and uses a clean content store & planning store (separate) on Oracle 10g.
Started up services successfully, but the namespace on cognos connection doesn't seem to be active; it's displayed in inactive mode if you go and check under security in Admin > configuration or cognos connection. I'm unable to authenticate against it and 'Log on' to the portal. We use Cognos Series 7 namespace for authentication.

If I right click on the namespace in cognos configuration and do a 'Test' it does not show any errors.

Attempts at resolving this include
- disabling SSL
- recreating virtual directories in IIS
- restarting the LDAP (Sun One Dir Server) and Cognos access manager
- directing authentication to a cognos series 7 namespace of same version on another server (so problem doesn't seem to be with the authentication provider)
- using web extensions of cgi and isapi.

I wanted to check if anyone has any thoughts on how this can be resolved (or maybe I probably missed something)?

ykud

Hi topedgemonk,

Are there any errors logged in logs/cogserver.log file?

topedgemonk

I see this error in PEL

SELECT definition FROM planningstoreschema.P_PAD WHERE padid = 'PAD'~~~~ORA-00942: table or view does not exist

not sure if related?

Also do not see any pointers to any problem in cogserver.log

ykud

EP error states that there's no tables in Planning store / or that oracle account you use to connect cannot see them. Double check that there are tables in planningstoreschema (P_PAD is one good example) and cognos user can see them.

Shouldn't be related to namespace visibility though.

Double check string you use to connect to Series 7 namespace (c=,o= string)

topedgemonk

I can see P_PAD when I check manually.

The string seems correct. I have another environment running same version of EP which points to this access manager and that works fine.

Did a full uninstall and reinstall, this time without installing FP2 but hit the same roadblock. Strange

ericlfg

Generally if the namespace is showing up grey and not underlined in cognos administration > security, it's because Allow anonymous access has not been disabled.  When this setting is set to disallow anonymous access, you'll be forced to authenticate against the default external namespace as configured in cognos config before gaining access to the portal.  When it's set to allow anonymous access, you'll be able to get into the portal, but until you log on, you won't have access to the namespace.

This setting is located in cognos configuration > Security > Authentication > Cognos.  The default value for this is set to true and usually you would disable it once you've configured your security in cognos connection.  Even with allow anonymous access enabled, you should still be able to click log on within cognos connection and gain access to the namespace.  You would find the log on link in the top right hand corner of cognos connection.

Hope this helps.

topedgemonk

Tried enabling and disabling anonymous access.

If anonymous access is enabled, I can get into the portal. If I click on 'Log On' on the top right corner, I am thrown a page which prompts me for credentials.
We have 'Integrated Windows Authentication' enabled in IIS. So if things are working properly, then it wouldn't usually ask me for a password. Even if I enter the credentials, it does not allow me in.

If I disable anonymous access, it gives me the prompt page for credentials and does not let me in.

ericlfg

Hey,

So you may have a few things that need to be addressed, and there are quite a few approaches.  Personally, since SSO is a 'nice to have' feature, rather than a necessity, I would disable it until you can get into the namespace without issues.  This removes a layer of complexity, but I'll include an item below regarding SSO.

1. Confirm your series7 configuration is EXACTLY the same between this environment and your other environment which uses the same namespace.
2. Depending on namespace config in access manager, try using a basic signon (administrator account as an example), or if you were using basic, try the OS signon with and without domain specification. IE: domain\user
3. In IE, for SSO to work, you need to make sure you have the gateway address added to the local intranet zone, as well as in IE > Tools > Internet Options > Advanced > Enable Integrated Windows Authentication is checked.

There are a lot of items that you may need to check outside of this brief post, but if you're still struggling and if you have a support contract with IBM, you may want to log a ticket with them.

topedgemonk

Confirmed the series 7 settings are exactly the same.

Disabling SSL and Integrated Windows Authentication, I tried accessing the portal after setting my ID to 'Basic Sign On' on the Series 7 access manager. I was able to log in.

The 'enable integrated windows authentication is checked' in IE.

So now I need to find why it works with basic sign on, but refuses to work with SSL and Integrated Windows authentication enabled.  Any suggestions are much appreciated.

We do have an open PMR with IBM, but we haven't really made much progress on it.

SomeClown

Been a long time, and not sure it applies here, but there are two places to set cookie path, one in S7 and one in C10.  These need to be the same value (I usually use /).   Cannot remember where they get set though.

topedgemonk

Thanks for the suggestion.

In C10 it's in cognos configuration > Actions > Edit Global configuration

In S7 it's in configuration manager > services > access manager > webauthentication > Cookie settings.

'Secure flag enabled' is set to 'False' on both

'Path' & 'domain' are both blank in C10 and S7. so I guess both are same or would you recommend an explicit path for cookies?

SomeClown

Personally, I go with an explicit cookie path as I don't trust that the products would handle a space/null correctly.  That's just me though.

Existing servers?  If not, look for proxies/external firewalls.  Might want to look at Windows firewall settings too - make sure ports are open.

topedgemonk

This one got resolved now.

Turned out to be a permissions problem to enable the account used in IIS to read files from the install directory. Gave NTFS permissions to ServerName\Users group at the ../c10 directory level.

Thank you all for your suggestions!

nedcpa

I am seeing the same problem. Not clear about your statement: "Gave NTFS permissions to ServerName\Users group at the ../c10 directory level."? Are you referring to the Gateway server\Cognos Admin user group? Could you please add a little more description/steps about how you resolved the issue? Thanks

ericlfg

If I'm following what topedgemonk indicated was the resolution, he gave file system permissions (most hard drives are NTFS partitions these days (previously Fat32 with much older operating systems)) to the 'users' local group for the ../c10 directory.

It is worth mentioning that the Users group should have had access to this directory, and I've only ever seen problems with removing the group or restricting the permissions this group has.

General Steps: (assuming windows server 2008 r2)
1. Go into Windows explorer and navigate into your install directory for cognos (usual path is C:\program files (x86)\ibm\cognos\c10) *x86 is for a 64 bit OS only
2. Right click on the c10 folder and select properties.
3. Click on the Security Tab and in the Group or User names selection box confirm if the Users (<machine_name>\Users) is present in the list.

At this point you have a couple of options:
If the User group already exists:
1. Click on the Users group from the top select and confirm it has Read & Execute, List folder contents, and Read in the lower pane.
2. If it does not, then click the Edit.
3. Give it the 3 permissions by checking in the Allow columns.

If the User group doesn't exist:
1. Click the Edit button.
2. Click the Add button.
3. Click the Location button and select the top item (should be the server name) and click OK.
4. In the Enter the object names to be selected type Users and hit enter or click OK.
5. You should now have the Users group added, click on it and give it Read & Execute, List folder contents, and Read permissions and click OK, and then click Close.
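
The check ericlfg walks through in the GUI, as an added PowerShell example that is not part of the original posts: it reports whether the local Users group has Read & Execute on the c10 directory and, only when the hypothetical `-Fix` switch is given, grants it with `icacls`. The default path is the usual one quoted above; the parameter names are this example's own.

```powershell
# Added example (not from the thread): audit the Users ACL on the Cognos install directory.
param(
    # Usual install path quoted in the post; adjust for your server.
    [string]$InstallDir = 'C:\Program Files (x86)\ibm\cognos\c10',
    # Hypothetical switch for this example: grant the missing permission instead of only reporting.
    [switch]$Fix
)

# S-1-5-32-545 is the well-known SID of the local Users group (<machine_name>\Users in the GUI).
$usersSid    = 'S-1-5-32-545'
$needed      = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

# Explicit and inherited rules, with identities returned as SIDs so the match is name-independent.
$acl   = Get-Acl -Path $InstallDir
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        -not ([int]$_.PropagationFlags -band $inheritOnly)   # skip rules that apply only to children
    }

# An Allow rule must cover every Read & Execute bit; a Deny rule on any of them blocks access.
$allow = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights -band $needed) -eq $needed)
}
$deny = $rules | Where-Object {
    $_.AccessControlType -eq 'Deny' -and ([int]$_.FileSystemRights -band $needed)
}

if ($deny) {
    Write-Warning "A Deny rule for Users on '$InstallDir' overrides any Allow; review it first."
} elseif ($allow) {
    Write-Output "OK: Users has Read & Execute on '$InstallDir'."
} elseif ($Fix) {
    # (OI)(CI)RX = Read & Execute, List folder contents and Read, inherited by files and subfolders.
    icacls $InstallDir /grant "*${usersSid}:(OI)(CI)RX"
} else {
    Write-Output "MISSING: Users lacks Read & Execute on '$InstallDir'. Re-run with -Fix to grant it."
}
```

Run it from an elevated prompt when using `-Fix`, since changing the ACL of a directory under Program Files requires administrator rights.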