Single Signon Does Not Happen

[cognosfreelancer]

Folks

Even after integrating ReportNet with the Active Directory server and enabling Integrated Windows Authentication on the IIS server, users still get prompted to enter their network user id and password.

Why are they not getting authenticated automatically.

NKT

[CoginAustin]

Are you using a Windows 2003 server? IIS6?

[Blue]

Is the Annonymous check box set in IIS for the virtual directory?  If so uncheck it.

[cognosfreelancer]

Thank you for your answers.

Yes I am using Windows 2003 with IIS6 and yes the annonymous access is unchecked.

I am puzzled by this behavior.

Looks like it jas something to do with Active Directory. When the same system uses a Cognos series 7 namespace OS and basic signons work fine.

NKT

[CoginAustin]

I think this is a bug actually. I never got my 2003 server and IIS6 to work without prompting.
We even spent hours with cognos consultants trying to figure it out and finally gave up.

IF you do a complete dump of the environment when the user goes to the sign-in page you will see the crendentials are being passed but cognos is doing nothing.

I am not sure why but if anyone does know it would help a lot :)

[ykud]

Got it working in multiple installations of Cognos EP.

Active Directory cannot be blamed for this, it's just a container.

Works on AD2003+Win 2003+IIS6

[CoginAustin]

Ok, so you got it working but you didnt explain the trick? ugh..

[ykud]

No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.

[ibrusett]

No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.

I cannot make it work... can you please give me some more details? Thanks!
IgorB

[ykud]

Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1

[ibrusett]

Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1

I think this is not my case.
I have AD 2000 and other 2 providers (NTLM) and it seem that single signon cannot work in this "mixed" environment.

[ykud]

Ok. That's more concrete.

I've got it working from 2 AD, so maybe "mixed" it is.

Anyway, i don't think it's the case, so let's go further.

When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?

[ibrusett]

When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?

I'm logging into Cognos Reportnet portal, and it presents me the choices of the namespaces and then ask for credentials.
Which is the log you refer to? IIS log or there are a more specific cognos reportnet log??

I opened a call on cognos support and they said that SSO is not supported when mixing AD 2000 (that uses kerberos) and NTLM that uses its own NTLM provider.

I am not still able to understand what you meant with

1 AD signed as directory server in AM (AD admin rights required).

Thanks for your help

[cognosfreelancer]

Void

What provider did you use, AD or LDAP.


NKT

[ykud]

Got it now.

We're talking bout different products here. You mean CRN, don't you?
I've got EP down here.

AM is Cognos Access Manager.

Did you try using Cognos Security in ReportNet?

[COGNOiSe administrator]

You can't use two security namespaces and the same gateway. But you can install gateway twice, in two physical and virtual directories, and force each to SSO with one or the other.