Authentication issue - user already logged in, or switching between users?

[jeffowentn]

So, we just started experiencing authentication issues that I've never seen before.

We are on Cognos 8.4.1 FP4 (BI) and FP2 (EP), running on assorted Windows servers and a SQL backend.

A user can login and sometimes see more capabilities than she should have (administration and BI functionality when she has only been assigned Planning Contributor Web rights). 

I login as myself, and then log off.  Then, I log on as a test account, and log off.  When I log back on as myself, I initially see my content, but then when clicking on the Administration screen it reverts back to the test account and shows nothing because the test account does not have admin rights.

I'm not sure if this is related or not, but I also have a user having problems logging into the Contributor add-in for Excel, but she can get into the web, just fine.  The error message states "the URL does not reference a valid Planning web site.  Please check the URL and try again."

We use Access Manager / Sun One LDAP for our authentication.

What else do you need to know to provide some suggestions?

Your help is greatly appreciated.

[SomeClown]

Set sticky session/sticky bit on your F5 load balancer for the Cognos website

[jeffowentn]

That should have already been set, but let me confirm...thank you.

[jeffowentn]

This was the response from our networking guy:


Your VIP is currently set to source IP persistence. Could it be a misconfigured client that are getting sent to the proxy? If so, the F5 would see them as all coming from the same ip. We may need to switch to a different persistence profile. We can try the insert cookies method. Just let me know.

Thanks,
-J


I'm not sure how to respond.  Any thoughts?

[SomeClown]

I'm pretty light on the firewall stuff, but the misconfigured client doesn't sound right - I would think the dup IP would show up on net logs (it's all browser based traffic) and you would have had issues earlier with the old one.  Could be if you have other stuff in the network, the IPs aren't coming across like they think they are.  You can try cookie persistence but I don't think I've run across anyone using that before.

Thinking about it more, I don't think cookie does it - your symptoms are more like old sessions not expiring, not that it's someone else's request.  Any of the issues coming from a Citrix box or terminal server?

Do you get same behavior if you bypass the F5 and go directly to one of the web servers?