
11.0.4 logon & refresh issues

Started by hardstep, 19 Sep 2016 04:58:39 AM


ZenCog

Quote from: Jeff H. on 28 Sep 2016 12:16:19 PM
I was wondering if people could post what the server configuration is for SSO that they have working.

COGNOS 11.0.4 Configurator Options for SSO/IIS authentication.

ENVIRONMENT:
GATEWAY SETTINGS:
  Gateway URI=http://caserver/ibmcognos/bi/v1/disp
  Gateway namespace=
  ContentManager sAMAccountName=
  Allow namespace override=false
  Dispatcher URIs for the gateway=http://caserver:9300/bi/v1

DISPATCHER SETTINGS:
  External Dispatcher URI=http://caserver:9300/p2pd/servlet/dispatch
  Internal Dispatcher URI=http://caserver:9300/p2pd/servlet/dispatch

OTHER URI SETTINGS:
  Dispatcher URI for external applications=http://caserver:9300/bi/v1/disp
  Content Manager URIs=http://caserver:9300/p2pd/servlet

SECURITY:
AUTHENTICATION:
  Allow session information to be shared=false
  Restrict access to members of builtin namespace=false
  Automatically renew trusted credential=Primary namespace only
  Advanced properties  defaultNamespace=MYAD    (this is required if env has more than one authentication namespace and you want to authenticate users by default against a certain namespace. Although, it doesn't hurt to have this option even if you have only one namespace)

  COGNOS:
   Allow anonymous access=false

  MYAD (ie. ActiveDirectory type of namespace):
   Namespace ID=MYAD  (this value should match the advancedProperties.defaultNamespace option above)
   Host and Port=MYAD.FI:389    (ie. binds to domain name so Cognos queries DNS nameserver for active AD controller names)
   Advanced properties  singleSignonOption=IdentityMapping   (ie. use NTLM instead of Kerberos with browsers and IIS. Leaving this blank works IF you register kerberos service name in a domain)

Everything else shouldn't have anything to do with SSO login.


Internet Information Services (IIS) settings are listed in the IBM web page linked above. The key points are
- Create a new applicationPool, for example "CA11Pool"
- Add "cgi-bin/cognosisapi.dll" in "allowed ISAPI extensions" list and select "allow for execution" option in server level
- Create "/ibmcognos" folder as an APPLICATION, not as virtual directory. Set it to use "CA11Pool" you created above
- Create "/ibmcognos/sso" folder as an APPLICATION and set it to use the same "CA11Pool" application pool
- Disable anonymousAccess option in "/ibmcognos" folder and enable "Integrated Windows Authentication" option.
- Sometimes I have seen environments where this "Integrated Windows Auth" option has required an additional step by moving NTLM provider in the top of the provider list. But usually it is not necessary.

- Add "cisapi" handler in /ibmcognos/sso folder and link it to cgi-bin/cognosisapi.dll isapi handler file
- Remember to choose "execute" from "Request Restrictions/Access" tab page of this handler properties
- Remember to select "execute" option from "Edit feature Permissions..." screen of HandlerMappings in /ibmcognos/sso folder
- Make sure cisapi handler is listed as "Enabled" handler in the "Handler mappings" list. If not then check the last three steps.

- Set re-write rules in "/ibmcognos/bi" folder. Follow the steps listed in IBM's web page (single typo error here and SSO doesn't work)
- Remember that the first rule does NOT have option for "stop processing for subsequent rules". Other rules do have this option enabled.
- The order of these rules is important

I believe these tweaks are the primary options having something to do with SSO/IIS login. In the client browser side there are a few things you might wanna check

- Make sure http://caserver is listed in IE/Options/Security/LocalIntranetZones host list (in some environments IE browser doesn't send SSO login information to anywhere else but to intranet sites). Check zone custom configuration options and at the end of the list there should be something like "Automatic logon only in intranet sites" option enabled.
- Make sure compatibleView option is NOT set for CA11 web site address (in browser or via domain policy)
- IE EnterpriseMode should not be enabled for CASERVER web address. If it is then ask your domain admins to remove caserver address from a domain "IE EnterpriseMode" policy list.

Also try installing CA11.0.4 into a fresh target folder instead of overwriting CA11.0.x folder. Some people here have reported strange bugs if CA11.0.4 was installed on top of old CA installation folder. You can use the existing contentStore database so using fresh folder is not too much extra work.

If SSO still doesn't work after checking these options then it must be some very strange corner case. If/When you solve it then please share the solution here.


dougp

Thanks, ZenCog.

Followed the instructions referred to from the community.watsonanalytics article you mentioned (http://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_sso_actdirserver.html#t_sso_actdirserver) and am now verifying that we caught the rest of your instructions.  What is missing in both places is the actual URL to use to take advantage of SSO.  In Cognos 11.0.2 this was http://servername.domain.com/alias/cgi-bin/cognosIsapi.dll?b_action=xts.run&m=portal/main.xts&m_redirect=/alias/bi/.  If something else was used (like http://servername.domain.com/alias) I got either a 404 error or a logon screen appeared, so the exact URL was important.

In Cognos 11.0.4, I still get a logon screen.  What URL should the user use to get into Cognos Analytics 11.0.4?

Also, I'm not an IIS expert, so I'm having trouble finding some of the settings you mention.  For example, your second bullet under IIS uses the terms "allowed ISAPI extensions" and "allow for execution".  I don't see those anywhere on the screen when creating an application pool.  Where do I find these settings?

ZenCog

Quote from: dougp on 03 Oct 2016 01:21:05 PM
What is missing in both places is the actual URL to use to take advantage of SSO.  In Cognos 11.0.4, I still get a logon screen.  What URL should the user use to get into Cognos Analytics 11.0.4?

Also, I'm not an IIS expert, so I'm having trouble finding some of the settings you mention.  For example, your second bullet under IIS uses the terms "allowed ISAPI extensions" and "allow for execution".  I don't see those anywhere on the screen when creating an application pool.  Where do I find these settings?

IIS/SSO works using the alias root URL directly, for example http://my-caserver/ibmcognos/.  Those IIS proxy re-write rules and cisapi handler name make this work without explicit references to the old C10 style cgi-bin/cognosisapi.dll URL name. If you use /ibmcognos/bi URL then make sure to add trailing slash because I have seen cases where /ibmcognos/bi doesn't work but /ibmcognos/bi/ does work. Anyway, after setting up all required re-write rules then /ibmcognos/ URL should work.

There are two places in IIS admin screens where you have to enable cognosisapi.dll handler.
- First one: Server name node (ie. the level above your "Default Web site" item) and "ISAPI and CGI restrictions" icon. Here you should have a link to C11.0.4 cognosisapi.dll file and listed as "allow extension path to execute" (ALLOW).
- Second one: /ibmcognos/sso/ application item and "Handler Mappings" icon and "Add module mapping" screen there.

These last two config steps are pretty much the same you did with C10 cognosisapi.dll handler also. Just make sure that in "Handler Mappings" screen you use "cisapi" value in Request Path option because proxy re-write rules use that path name and not the original cognosisapi.dll path name. Of course executable path value still refers to the c11 cgi-bin/cognosisapi.dll file path.

Also, re-check that you have disabled anonymous authentication access and enabled WindowsIntegratedAuth from both /ibmcognos and /ibmcognos/sso/ application folders and are using the same application pool (well, sub folders should inherit it from parent IIS folder unless you have overridden something).

dougp

My problem has been solved.  The problem was with the first URL Rewrite rule.  I had not included the parentheses.

The documentation could delineate the value better.  For example, in documentation I produce anything that I would expect the user to cut and paste I put in a shaded box.  That eliminates the age-old question, "Do I include the quotes, or just what's between them?"
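
The two rewrite-rule mistakes reported in this thread (a wrong "stop processing" setting, and a first rule pasted without its parentheses) can be checked offline against the site's web.config. The following is an added example, not part of the original posts and not IBM's rule set: the sample rule names, patterns and URLs are constructed placeholders, and capture groups are counted with Python's `re`, assumed close enough to the ECMAScript syntax URL Rewrite uses for patterns like these.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. Rule names, patterns and URLs are placeholders, not IBM's rules.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
  <rule name="first-rule">
    <match url=".*" />
    <action type="Rewrite" url="http://caserver:9300/placeholder/{R:1}" />
  </rule>
  <rule name="second-rule" stopProcessing="true">
    <match url="^example-a/(.*)" />
    <action type="Rewrite" url="example-b/{R:1}" />
  </rule>
  <rule name="third-rule">
    <match url="(.*)" />
    <action type="Rewrite" url="http://caserver:9300/placeholder/{R:1}" />
  </rule>
</rules></rewrite></system.webServer></configuration>"""

BACKREF = re.compile(r"\{R:(\d+)\}")

def lint_rewrite_rules(web_config_xml):
    """Return findings for the inbound URL Rewrite rules in a web.config."""
    findings = []
    rules = ET.fromstring(web_config_xml).findall(".//rewrite/rules/rule")
    for index, rule in enumerate(rules):
        name = rule.get("name", f"#{index + 1}")
        stop = rule.get("stopProcessing", "false").lower() == "true"
        # Per the thread: the first rule must not stop processing, later rules must.
        if stop == (index == 0):
            findings.append(f"{name}: stopProcessing should be {'off' if index == 0 else 'on'}")
        match, action = rule.find("match"), rule.find("action")
        if match is None or action is None:
            findings.append(f"{name}: missing <match> or <action>")
            continue
        pattern = match.get("url", "")
        try:
            groups = re.compile(pattern).groups
        except re.error as exc:
            findings.append(f"{name}: pattern does not compile ({exc})")
            continue
        # {R:n} needs n capture groups; a pattern pasted without its parentheses has none.
        refs = [int(n) for n in BACKREF.findall(action.get("url", ""))]
        if refs and max(refs) > groups:
            findings.append(f"{name}: action uses {{R:{max(refs)}}} but pattern "
                            f"{pattern!r} has {groups} capture group(s)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_rewrite_rules(SAMPLE_WEB_CONFIG)))
```

On the constructed sample it reports the first rule's missing capture group and the third rule's missing "stop processing" flag; a web.config copied from the IIS site folder can be passed to `lint_rewrite_rules` as a string in the same way.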

Jeff H.

I finally managed to get Integrated Authentication (NTLM) using the cognosisapi.dll for 11.0.4.

The documentation on the URL rewrite rules is correct. I had these issues:

Windows 2012 R2 – there are 2 features in IIS which need to be configured at the server node. Select "feature delegation" and set read/write to "Authentication – Windows" and "Module". These are set to read/write in Windows 2008 by default but in 2012 R2 they have to be explicitly set to read/write.

IIS Application pool – leave "Enable 32 bit applications" set to false. If it's enabled the cognosisapi.dll will not work.

ARR 3.0 – I had to manually download these and I had only 2 of the 4 components installed. I was seeing error 441 which said it was attempting to use ARR components when it was failing. This prompted me to uninstall, reboot and reinstall.

Cheers and thanks everyone for the help,
Jeff


johnwilkinson

Has anybody got SSO working in 11.0.6?

I'm not seeing "cognosisapi.dll" anywhere in my installation, despite having the optional gateway installed.