If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Single Signon Does Not Happen

Started by cognosfreelancer, 13 Oct 2005 11:26:46 AM

Previous topic - Next topic

cognosfreelancer

Folks

Even after integrating ReportNet with the Active Directory server and enabling Integrated Windows Authentication on the IIS server, users still get prompted to enter their network user id and password.

Why are they not getting authenticated automatically.

NKT

CoginAustin

Are you using a Windows 2003 server? IIS6?

Blue

Is the Annonymous check box set in IIS for the virtual directory?  If so uncheck it.
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

cognosfreelancer

Thank you for your answers.

Yes I am using Windows 2003 with IIS6 and yes the annonymous access is unchecked.

I am puzzled by this behavior.

Looks like it jas something to do with Active Directory. When the same system uses a Cognos series 7 namespace OS and basic signons work fine.

NKT

CoginAustin

I think this is a bug actually. I never got my 2003 server and IIS6 to work without prompting.
We even spent hours with cognos consultants trying to figure it out and finally gave up.

IF you do a complete dump of the environment when the user goes to the sign-in page you will see the crendentials are being passed but cognos is doing nothing.

I am not sure why but if anyone does know it would help a lot :)

ykud

Got it working in multiple installations of Cognos EP.

Active Directory cannot be blamed for this, it's just a container.

Works on AD2003+Win 2003+IIS6

CoginAustin

Ok, so you got it working but you didnt explain the trick? ugh..

ykud

No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.

ibrusett

Quote from: Void on 01 Nov 2005 01:51:26 AM
No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.

I cannot make it work... can you please give me some more details? Thanks!
IgorB

ykud

Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1

ibrusett

Quote from: Void on 07 Nov 2005 01:51:14 PM
Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1

I think this is not my case.
I have AD 2000 and other 2 providers (NTLM) and it seem that single signon cannot work in this "mixed" environment.

ykud

Ok. That's more concrete.

I've got it working from 2 AD, so maybe "mixed" it is.

Anyway, i don't think it's the case, so let's go further.

When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?

ibrusett

Quote from: Void on 09 Nov 2005 06:35:56 AM
When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?

I'm logging into Cognos Reportnet portal, and it presents me the choices of the namespaces and then ask for credentials.
Which is the log you refer to? IIS log or there are a more specific cognos reportnet log??

I opened a call on cognos support and they said that SSO is not supported when mixing AD 2000 (that uses kerberos) and NTLM that uses its own NTLM provider.

I am not still able to understand what you meant with
Quote
1 AD signed as directory server in AM (AD admin rights required).

Thanks for your help

cognosfreelancer

Void

What provider did you use, AD or LDAP.


NKT

ykud

Got it now.

We're talking bout different products here. You mean CRN, don't you?
I've got EP down here.

AM is Cognos Access Manager.

Did you try using Cognos Security in ReportNet?

COGNOiSe administrator

You can't use two security namespaces and the same gateway. But you can install gateway twice, in two physical and virtual directories, and force each to SSO with one or the other.