COGNOiSe.com - The IBM Cognos Community

ETL, App Development and other tools => COGNOS Access Manager => Topic started by: cognosfreelancer on 13 Oct 2005 11:26:46 AM

Title: Single Signon Does Not Happen
Post by: cognosfreelancer on 13 Oct 2005 11:26:46 AM
Folks

Even after integrating ReportNet with the Active Directory server and enabling Integrated Windows Authentication on the IIS server, users still get prompted to enter their network user id and password.

Why are they not getting authenticated automatically.

NKT
Title: Re: Single Signon Does Not Happen
Post by: CoginAustin on 13 Oct 2005 07:13:57 PM
Are you using a Windows 2003 server? IIS6?
Title: Re: Single Signon Does Not Happen
Post by: Blue on 14 Oct 2005 12:33:41 AM
Is the Annonymous check box set in IIS for the virtual directory?  If so uncheck it.
Title: Re: Single Signon Does Not Happen
Post by: cognosfreelancer on 14 Oct 2005 08:01:43 AM
Thank you for your answers.

Yes I am using Windows 2003 with IIS6 and yes the annonymous access is unchecked.

I am puzzled by this behavior.

Looks like it jas something to do with Active Directory. When the same system uses a Cognos series 7 namespace OS and basic signons work fine.

NKT
Title: Re: Single Signon Does Not Happen
Post by: CoginAustin on 14 Oct 2005 12:02:43 PM
I think this is a bug actually. I never got my 2003 server and IIS6 to work without prompting.
We even spent hours with cognos consultants trying to figure it out and finally gave up.

IF you do a complete dump of the environment when the user goes to the sign-in page you will see the crendentials are being passed but cognos is doing nothing.

I am not sure why but if anyone does know it would help a lot :)
Title: Re: Single Signon Does Not Happen
Post by: ykud on 31 Oct 2005 06:57:55 AM
Got it working in multiple installations of Cognos EP.

Active Directory cannot be blamed for this, it's just a container.

Works on AD2003+Win 2003+IIS6
Title: Re: Single Signon Does Not Happen
Post by: CoginAustin on 31 Oct 2005 08:15:21 PM
Ok, so you got it working but you didnt explain the trick? ugh..
Title: Re: Single Signon Does Not Happen
Post by: ykud on 01 Nov 2005 01:51:26 AM
No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.
Title: Re: Single Signon Does Not Happen
Post by: ibrusett on 07 Nov 2005 07:56:48 AM
Quote from: Void on 01 Nov 2005 01:51:26 AM
No trick:

1 AD signed as directory server in AM (AD admin rights required).
2 Users added, OS signon created as domain\user (also set in namespace as an auth method)
3 Anonymos authen unchecked, Integrated windows set on web-server

Works.
Check your IIS logs for finding out, where it breaks. Possibly, no domain is visible, or such.

I cannot make it work... can you please give me some more details? Thanks!
IgorB
Title: Re: Single Signon Does Not Happen
Post by: ykud on 07 Nov 2005 01:51:14 PM
Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1
Title: Re: Single Signon Does Not Happen
Post by: ibrusett on 09 Nov 2005 04:43:05 AM
Quote from: Void on 07 Nov 2005 01:51:14 PM
Give me some info bout where it falls, it'll clarify the problem.

One of the tricky points is that Cognos works with AD 2000, and therefore asks for 2003 work as 2000 in some cases. That is written in KB. It requires turning one parameter in Ad 2003. That can be tracked if you get "Unable to connect to your directory server, are your host/port correct? Detail:invalid credentials" - message.

Solution:
http://support.cognos.com/kb-app/knowledgebase?document_search_show_document=1&document_id=1001571&version_id=1

I think this is not my case.
I have AD 2000 and other 2 providers (NTLM) and it seem that single signon cannot work in this "mixed" environment.
Title: Re: Single Signon Does Not Happen
Post by: ykud on 09 Nov 2005 06:35:56 AM
Ok. That's more concrete.

I've got it working from 2 AD, so maybe "mixed" it is.

Anyway, i don't think it's the case, so let's go further.

When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?
Title: Re: Single Signon Does Not Happen
Post by: ibrusett on 09 Nov 2005 09:12:57 AM
Quote from: Void on 09 Nov 2005 06:35:56 AM
When you're logging into cognos (what product, btw), what do the website(what website?)  logs read?

Did you inform Cognos Support about this problem?

I'm logging into Cognos Reportnet portal, and it presents me the choices of the namespaces and then ask for credentials.
Which is the log you refer to? IIS log or there are a more specific cognos reportnet log??

I opened a call on cognos support and they said that SSO is not supported when mixing AD 2000 (that uses kerberos) and NTLM that uses its own NTLM provider.

I am not still able to understand what you meant with
Quote
1 AD signed as directory server in AM (AD admin rights required).

Thanks for your help
Title: Re: Single Signon Does Not Happen
Post by: cognosfreelancer on 09 Nov 2005 01:07:42 PM
Void

What provider did you use, AD or LDAP.


NKT
Title: Re: Single Signon Does Not Happen
Post by: ykud on 15 Nov 2005 12:47:22 PM
Got it now.

We're talking bout different products here. You mean CRN, don't you?
I've got EP down here.

AM is Cognos Access Manager.

Did you try using Cognos Security in ReportNet?
Title: Re: Single Signon Does Not Happen
Post by: COGNOiSe administrator on 26 May 2007 07:39:43 PM
You can't use two security namespaces and the same gateway. But you can install gateway twice, in two physical and virtual directories, and force each to SSO with one or the other.