SSO and Anonymous access

Started by dougp, 13 Apr 2021 10:03:48 AM

dougp

Is it possible to use Single Sign On and anonymous access at the same time on the same server?

I'm currently running CA 11.1.7 as a single-server install on Windows Server with an IIS gateway using SSO with "Allow anonymous access?" set to False.  So the ibmcognos application in IIS has Anonymous Authentication disabled and Windows Authentication enabled.  Also, it's all running through SSL.

Is this as simple as setting "Allow anonymous access" to true and enabling Anonymous Authentication in IIS?

I just found https://www.ibm.com/support/pages/sso-and-non-sso-users
It says to enable two authentication methods, use two web sites.  So is it this:
1.  Create a new web site in IIS.
2.  Configure it mostly the same as the default web site, with the authentication methods different.

But since what I am testing is a system where internal users are authenticated against Active Directory using SSO and external (Internet) users are not authenticated, perhaps I need two IIS servers?

Oooh... but then, do I need a multi-server install where I have two gateway machines and one machine for the CM and dispatcher?

sdf

I think you just need another gateway install and to set up IIS with a different authentication method.
It is a similar approach to when you have two namespaces for authenticating different sets of users.

dougp

So for testing, could I get away with installing the new gateway into a different folder on the same machine, then create an additional web site in IIS to point to it?

sdf

Actually, you can try your initial idea to just add a new website in the same gateway. You just need to have a unique name for it and use a different port. If you are using an ELB, you can set them up with different DNS names that users can use to log in to a specific website and be authenticated differently.

Just my thought.


dougp

It looks like that won't work.  The URL re-write rules are already defined in the web.config file and include the rewrites needed for SSO.  I'll try installing an additional gateway into a different folder.

sdf

Ah, right! I thought the settings would just be appended to the web.config file. Your best bet now is to have another install of the gateway.

dougp

I have installed Cognos (gateway only) and wired it up to a different application in the same (IIS) web site.  I don't know if that's the wrong thing to do or if something else has gone wrong.  Now I just get...

HTTP ERROR 502

...when I go to the new application.

Original (SSO) application:  https://servername.domain.loc/ibmcognos/
New (anonymous) application:  https://servername.domain.loc/cognos/

The original (using SSO) still works.

This is done with SSL and IBM told me I need to configure SSL on the new gateway following the instructions.  (https://www.ibm.com/docs/en/cognos-analytics/11.1.0?topic=services-configuring-iis-in-cognos-analytics taken with a grain of salt because much of the mechanics described are not correct)  SSL appears to be configured properly.  I skipped the Jupyter and SSO sections.  (And, yes, I substituted my application name where I saw "ibmcognos" in the instructions.)

Enabled "anonymous access" in the original Cognos install.
Enabled Anonymous Authentication and disabled Windows Authentication on the new application in IIS.

This is my first attempt at any kind of "distributed" install.  Any help will be appreciated.
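
An added example (not part of the thread, and not the poster's or IBM's code): a Python check that resolves the effective IIS authentication mode of the two applications named above from an applicationHost.config excerpt and reports any that differ from the intended split. The excerpt is constructed, and the site name `Default Web Site` and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config excerpt; "Default Web Site" is an assumed site name.
SAMPLE = """<configuration>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" userName="IUSR" /><windowsAuthentication enabled="false" />
  </authentication></security></system.webServer>
  <location path="Default Web Site/ibmcognos"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="false" /><windowsAuthentication enabled="true" />
  </authentication></security></system.webServer></location>
  <location path="Default Web Site/cognos"><system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" /><windowsAuthentication enabled="false" />
  </authentication></security></system.webServer></location>
</configuration>"""

AUTH = "system.webServer/security/authentication"
# IIS schema defaults, used when neither the server level nor a <location> sets a value.
DEFAULTS = {"anonymousAuthentication": True, "windowsAuthentication": False}

def _overlay(node, flags):
    """Return a copy of flags updated with any enabled= values set under node."""
    flags = dict(flags)
    for scheme in flags:
        el = node.find(f"{AUTH}/{scheme}")
        if el is not None and el.get("enabled") is not None:
            flags[scheme] = el.get("enabled").lower() == "true"
    return flags

def effective_auth(config_xml, app_path):
    """Apply server-level settings, then each matching <location>, outermost first."""
    root = ET.fromstring(config_xml)
    locs = {l.get("path", "").lower(): l for l in root.findall("location")}
    flags = _overlay(root, DEFAULTS)
    parts = app_path.lower().split("/")  # IIS paths are case-insensitive
    for depth in range(len(parts) + 1):
        loc = locs.get("/".join(parts[:depth]))
        if loc is not None:
            flags = _overlay(loc, flags)
    return flags

def auth_mode(flags):
    """'mixed' = both schemes on; IIS tries anonymous first, so SSO may never be negotiated."""
    anon, win = flags["anonymousAuthentication"], flags["windowsAuthentication"]
    return "mixed" if anon and win else "anonymous" if anon else "windows" if win else "none"

def audit(config_xml, expected):
    """Return (application, actual_mode) for every application that differs from expected."""
    modes = {app: auth_mode(effective_auth(config_xml, app)) for app in expected}
    return [(app, mode) for app, mode in modes.items() if mode != expected[app]]
```

Calling `audit(SAMPLE, {"Default Web Site/ibmcognos": "windows", "Default Web Site/cognos": "anonymous"})` returns an empty list when the split described in the post is in place.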

sdf

Just do another round of checking to make sure your new application is pointing to the new /webcontent/.

Were you able to save the Cognos configuration successfully with the new gateway?
Have you set the correct AAR settings?

dougp

Yes, the new application points to the new webcontent folder.
Yes, I was able to save Cognos Configuration.  It barked at me at first because the default Dispatcher URIs for gateway value generated by the new install was using port 9400.  Once I changed it to port 9300 I was able to save.
I'm not sure what you mean about AAR settings?  Does that have to do with Application Request Routing (ARR)?  Would that be the URL Rewrite rules?  Yes, I think those are correct.


Another oddity:
The first install works if I go through the portal (https://servername/ibmcognos/).  But these tests all fail:
Content Manager (https://servername:9300/p2pd/servlet)
Application (https://servername:9300/p2pd/servlet/dispatch)
Gateway (https://servername:9300/bi)
...and the error is unusual:  ERR_CONNECTION_TIMED_OUT
I've never seen that before.

dougp

This turned out to be much simpler than I thought.  I don't even need the second gateway.  Setting "Allow anonymous access" to true in Cognos Configuration was all I needed.  If the user has never used Cognos through that browser, or if the browser cache was recently cleared, they automatically are anonymous.  To sign in using the MSAD external directory namespace, they just need to go to the Personal Menu and click Sign in.  Since SSO is on, there is no challenge for credentials.  Then they aren't anonymous again until they clear the cache.  So all anonymous users must have a Sign in button, but those that can't get in through MSAD will get the Login page (I think).  So I would create a custom Login page that is a message indicating that login is restricted to internal users (or something) -- and does not ask for credentials or provide any path to logging in.

Lesson learned:  When working through authentication issues in Cognos, use "incognito" or "in private" browser windows and/or frequently clear the browser cache.

Now I can move forward with my demo for security and management.  Of course, actually providing service internally and externally from the same server may require a different architecture.  I'll cross that bridge when I get there.