Problem passing defined namespace and credentials to connection

[CognosPaul]

I have a series of reports that are to be embedded into a third-party system and need to be run as a specific user on a specific namespace. On the development system it works perfectly, I pass the following URL and it logs in as it's supposed to:

http://cognosdev/cognos8/cgi-bin/cognosisapi.dll?&CAMNamespace=Namespace&CAMUsername=repuser&CAMPassword=123456

When I try logging into the production environment with
http://cognos/cognos8/cgi-bin/cognosisapi.dll?&CAMNamespace=Namespace&CAMUsername=repuser&CAMPassword=123456

I get

The provided credentials are invalid. Please type your credentials for authentication.

and it prompts me for the username and password.

The really weird thing is that even though the username and password are correct, I cannot log into this screen. It will always say the credentials are invalid, even if I try using different credentials.

SSO is enabled, and if I try using http://cognos/cognos8/cgi-bin/cognosisapi.dll?&CAMNamespace=Namespace it will log in with my user.

All of the settings in Configuration are identical from Dev to Prod (except the pointer to the content store). Everything looks the same in IIS6.

So, instead of contiuing to bang my head against the wall, anyone have any ideas?

Thanks

[CognosPaul]

more information:

I've just created another authentication reference in Configuration, one that doesn't have single signon enabled. It doesn't validate users when they try to log in through that namespace.

So Namespace (ad.namespace.com:389) with SingleSignon and IdentityMapping works.
Namespace1 (ad.namespace.com:389) without any advanced properties does not work.

What am I forgetting or missing?

[redmist]

Paul,

I might have misunderstood your requirement but from what i understand you are looking to bypass the SSO.

how about if you create a copy of cognosisapi.dll and give it a name cognosisapiprompt.dll
Now in IIS change the property to this file to disable 'Integrated Windows Authentication'.
You might also have to 'Enable Anonymous Access'

Now try the modified link
http://cognosdev/cognos8/cgi-bin/cognosisapiprompt.dll?&CAMNamespace=Namespace&CAMUsername=repuser&CAMPassword=123456

JD

[CognosPaul]

Hi JD,

You seem to understand completely.

I think the problem lies with the AD itself. I have another namespace that works perfectly when passing the namespace and credentials in the URL, it's only this one in particular. When I tried disabling SSO completely for the first namespace nobody can log in to it at all. It only works with SSO. I resolved the by having them create the user in the namespace that works, giving us time to research what is going on.

I actually never thought of having two separate DLLs, I don't think it would help much here but I can think of a few cases where it'd be incredibly useful. (An easier way to log in to test reports with different rights and schedule reports with specific users jump out at me)

[redmist]

Paul,

I use the alternate dll for that purpose so that i can log in as an Adminstrator or as a Test user. It was a suggestion by an IBM Cognos rep

[redmist]

Not sure if this will help but do you have memberOf in the Custom Properties field

[CognosSupport]

Hi Paul,

I'm assuming dev and prd are connecting to the same AD?
If they are, then it's really strange as that AD is talking properly to the dev environment.
Maybe to check on this prd server if the computer has been ticked for "trust computer for delegation" attribute, or that the account that has been used to start Cognos has "trusted for delegation attribute" checked as well?

So from your description:
1. Using URL with "Namespace" with your account works in PRD?
2. Using URL with "Namespace" with the other user account does not work in PRD?
3. Disabling SSO in PRD doesn't authenticate at all per manually?
4. Enabling SSO in PRD (via portal, not URL) works for both your account and the other user?
5. When disabling Advanced Properties, do you also untick integrated authentication in IIS and move back to anonymous user?

Regards,
Z

[CognosPaul]

Hi Z,

I think that you got it. The admin said that the computer was set on "do not trust".

Dev and prod are connected to the same AD.

To be clear:

1.There are two AD domains: Namespace and Ecapseman.
2. Cognos is configured for SSO to both of them. So people can log on to Cognos by going to http://cognos/cognos8/Namespace/ or http://cognos/cognos8/Ecapseman/. 
3. Passing a username and password to Ecapseman works perfectly:
http://cognos/cognos8/cgi-bin/cognosisapi.dll?&CAMNamespace=Ecapseman&CAMUsername=repuser&CAMPassword=123456
4. It did not work with Namespace.
5. Setting up a new namespace in Configuration, pointing to that domain, without SSO did not work. Nobody could log in with that.

I didn't try unticking integrated authentication. There is very little testing I could do as it's a production environment.

Thanks for you help. This was driving me absolutely crazy as all of the settings were identical from dev to prod.