If you are unable to create a new account, please email support@bspsoftware.com

 

URGENT!Cognos 10.2.2 Authentication issue after domain migration of server

Started by White light, 10 Jan 2021 07:19:00 AM

Previous topic - Next topic

White light

Hi All,

We recently changed the domain(migration of server from domain1 to domain2) of the Cognos server. In cognos configuration, i changed the domain name where ever there was old domain name.
After saving and restarting the services, I am unable to login into the namespace. I get the error message "The provided credentials are invalid. Please type your credentials for authentication." even when valid credentials are entered.

i am guessing the cookies are being rejected by the domain.
in global config i have edited the domain and path as well as shown below:
domain:.<domain2>
path:/ibmcognos

Before:<servername><domain1>/ibmcognos
After:<servername><domain2>/ibmcognos

i am using the url with changed domain details as well.

need inputs quickly.

thanks,
WL

MFGF

Quote from: White light on 10 Jan 2021 07:19:00 AM
Hi All,

We recently changed the domain(migration of server from domain1 to domain2) of the Cognos server. In cognos configuration, i changed the domain name where ever there was old domain name.
After saving and restarting the services, I am unable to login into the namespace. I get the error message "The provided credentials are invalid. Please type your credentials for authentication." even when valid credentials are entered.

i am guessing the cookies are being rejected by the domain.
in global config i have edited the domain and path as well as shown below:
domain:.<domain2>
path:/ibmcognos

Before:<servername><domain1>/ibmcognos
After:<servername><domain2>/ibmcognos

i am using the url with changed domain details as well.

need inputs quickly.

thanks,
WL

Hi,

You didn't explicitly mention whether you updated the list of valid domains in the properties of the CAF to add your new domain name? As a sanity check, what happens if you temporarily disable the CAF? Do your logins then work? If so, this pinpoints the CAF configuration as being the issue and you can focus on the domains list there to make sure it's valid and correct so you can re-enable CAF.

Cheers!

MF.
Meep!

White light

Hi MF,

Thanks for the reply.
I have added the new domain name in CAF in the format *.<new domain name>.
I'll try disabling the CAF temporarily to test the logins and report back.

thanks,
WL

White light

Hi MF,

Just wanted to give a small update.
I was able to login just now. But the issue is I'm getting the prompt for entering credentials repeatedly.
I enter the credentials(domain\username) once at the first prompt and then it takes me to page where I choose the AD. After that it prompts for credentials again.If i enter the valid credentials here it says invalid credentials and fails to login.
So this time without entering anything here, i just refreshed the page twice here resubmitting the credentials and then it logs in.
i have enabled SSO as well.

Could this be an issue with IIS configuration?
Will check login with CAF disabled once.

Thanks
WL


MFGF

Quote from: White light on 11 Jan 2021 08:21:46 AM
Hi MF,

Just wanted to give a small update.
I was able to login just now. But the issue is I'm getting the prompt for entering credentials repeatedly.
I enter the credentials(domain\username) once at the first prompt and then it takes me to page where I choose the AD. After that it prompts for credentials again.If i enter the valid credentials here it says invalid credentials and fails to login.
So this time without entering anything here, i just refreshed the page twice here resubmitting the credentials and then it logs in.
i have enabled SSO as well.

Could this be an issue with IIS configuration?
Will check login with CAF disabled once.

Thanks
WL

Hi,

This could certainly be your web server messing with things. Again, the best course of action is to try to pinpoint where the issue lies. In this case I'd recommend you try connecting via the servlet gateway (hostname.domain:port/bi) to see if you have the same issue. If not, this is a good pointer to the web server being the issue.

Cheers!

MF.
Meep!

White light

Hi,

Thanks for your reply. I tried with http://servername:9300/p2pd/servlet/dispatch . I get the screen to choose between 2 namespaces. i am unable to login to both of them.
But i am able to open/run cubes and open FM models using same credentials.
any advise?

thanks
WL

MFGF

Quote from: White light on 11 Jan 2021 11:37:55 AM
Hi,

Thanks for your reply. I tried with http://servername:9300/p2pd/servlet/dispatch . I get the screen to choose between 2 namespaces. i am unable to login to both of them.
But i am able to open/run cubes and open FM models using same credentials.
any advise?

thanks
WL

Hi,

Sorry - I just realised this is Cognos 10, so I got the servlet gateway format wrong (I gave you the one for C11). The address you tried should be fine for C10 though.
You got a prompt to pick a namespace? Do you have two authentication providers configured?

MF.
Meep!

White light

Hi,

Sorry my bad for not mentioning at the start. it is cognos 10.2.2.
Yes that is correct, i have two namespaces configured. and I am unable to login to both when opened through servlet gateway.
I dont have direct access to the AD. Is there any setting that needs to be changed on AD side?

Thanks,
WL

MFGF

Quote from: White light on 11 Jan 2021 12:13:25 PM
Hi,

Sorry my bad for not mentioning at the start. it is cognos 10.2.2.
Yes that is correct, i have two namespaces configured. and I am unable to login to both when opened through servlet gateway.
I dont have direct access to the AD. Is there any setting that needs to be changed on AD side?

Thanks,
WL

Is there anything else going on with security here? Do you have single signon configured, for example?

MF.
Meep!

White light

Hi MF,

I have defined these parameters in configured ADs.

singleSignonOption
trustedCredentialType
chaseReferrals
MultiDomainTrees

thanks,
WL

White light


MFGF

Quote from: White light on 13 Jan 2021 06:39:33 AM
Hi,

Any inputs on this would be helpful.

Thanks,
WL

I would try setting up your IIS virtual directories again as a next step. Given you are doing single signon, things may have got messed up with the domain change.

MF.
Meep!

White light

Hi MF,

Thanks a lot for the reply.
Currently I have asked the AD admin team to check "trust computer for delegation" attribute.

Got this from below article.
https://www.cognoise.com/index.php?topic=9957.0

Out of the 2 namespaces that have been setup, i can login to one namespace without any issues. But cant login into other one post domain migration. So I have asked to check above setting on AD side.

If it doesnt work, i'll try recreating the Virtual directories in IIS.

Thanks ,
WL

White light

Hi All,

The issue was with the dispatcher. After un-registering and re-registering it, the login works fine.
Here are the steps i followed:

Stop Cognos services.
>Change port numbers in Environment and Portal services from 80 to 81 and 9300 to 9301.
>save the changes and start the services(unregisters old one with 9300 and registers with 9301)
>then stop the services again(it may throw some errors while stopping)
>change back the ports to original numbers and start the services.
>then in cognos administration in portal under "System" you can remove the dispatcher registered with 9301

Here is the link that explains above idea.

https://www.ibm.com/support/pages/unable-log-valid-user-id-and-password-provider-credentials-are-invalid


Thanks MF for the support.

MFGF

Quote from: White light on 09 Feb 2021 10:04:43 AM
Hi All,

The issue was with the dispatcher. After un-registering and re-registering it, the login works fine.
Here are the steps i followed:

Stop Cognos services.
>Change port numbers in Environment and Portal services from 80 to 81 and 9300 to 9301.
>save the changes and start the services(unregisters old one with 9300 and registers with 9301)
>then stop the services again(it may throw some errors while stopping)
>change back the ports to original numbers and start the services.
>then in cognos administration in portal under "System" you can remove the dispatcher registered with 9301

Here is the link that explains above idea.

https://www.ibm.com/support/pages/unable-log-valid-user-id-and-password-provider-credentials-are-invalid


Thanks MF for the support.

Wow! Good find!! Glad you managed to get it working. Thanks for posting up the solution too - very helpful!

Cheers!

MF.
Meep!