Text only | Text with Images

COGNOiSe.com - The IBM Cognos Community

IBM Cognos 10 Platform => Cognos 10 BI => Cognos Administration => Topic started by: Rosanero4Ever on 20 Apr 2016 03:23:19 AM

Title: Enable Single Sign On using Cognos BI 10.2.2
Post by: Rosanero4Ever on 20 Apr 2016 03:23:19 AM
Hi all,

can you advice me any simple step-by-step guide in order to enable SSO with Cognos BI 10.2.2?
Authentication is based on Active Directory.

Many thanks in advance
Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: sunosoft on 20 Apr 2016 04:04:38 AM
Did you check below link ?

http://www-01.ibm.com/support/docview.wss?uid=swg21341889

Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: Nimirod on 21 Apr 2016 02:21:02 AM
Well,

There are at least three words that cannot live together in the same sentence: Cognos, SSO, AD and Simple

But start defining what kind of SSO you want to implement (Kerberos, KerberosS4U, NTLM, etc.) and discuss with an Internet Security guy in your organization because your choices can be refused for security reasons.
In complex organizations you cannot do the whole process alone, some parameters should be configured by domain administrators (spn's, delegation, constrained delegations, and so)

Then, my advice, start configuring ALL your cognos BI services portal and when everything works perfect only then start configuring SSO.

And then some more questions you may need to answer before starting with SSO:
1.   Do you want SSO to be used to databases connections too or are you using Sign-On on datasources.
2.   Is you Cognos portal accessible over Internet or Mobile.
3.   Are you using secured connections (httpS)
4.   Are you using IIS as web server
5.   All your users are on the same intranet domain
6.   Are your Cognos servers in the same time zone that your Controler Domain servers

As you see SSO could became a very complex topic.

So good luck and never give up !  ;D

Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: alistairConnor on 25 Oct 2016 10:40:00 AM
Hello.
I'm currently dealing with this problem. BI is widely deployed at my site, with SSO, however... MS just issued a patch that completely shuts down NTLM (insecure!). In the case of Cognos SSO, this created the problem that people could no longer change their passwords...
The obvious answer is to reconfigure SSO to use Kerberos.
In addition to the comprehensive doc linked above, I'm finding this one useful :

http://www-01.ibm.com/support/docview.wss?uid=swg21694595

This describes setting up constrained delegation with Kerberos on AD with IIS and BI.
In practice, I'm sure all the prerequisites and caveats described in the other document apply, but this doc at least gives a fairly straightforward recipe.
Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: smiley on 26 Oct 2016 02:39:25 AM
Do you have the nr of the MS patch that shuts down NTLM?
Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: alistairConnor on 10 Nov 2016 09:45:44 AM
It's the MS16-101 security update.
https://support-msft-us1.vtv.stillw.com/bg-bg/kb/3178465
It explicitly disables the fallback to NTLM when Kerberos authentication fails. I think this must be breaking a lot of configurations, all around the world, because Kerberos misconfigurations are, in my experience, the rule rather than the exception.
Title: Re: Enable Single Sign On using Cognos BI 10.2.2
Post by: smiley on 10 Nov 2016 10:26:42 AM
Thanks!
Text only | Text with Images