If you are unable to create a new account, please email support@bspsoftware.com

 

News:

MetaManager - Administrative Tools for IBM Cognos
Pricing starting at $2,100
Download Now    Learn More

Main Menu

Cognos Configuration Authentication

Started by dean, 14 May 2013 12:50:01 PM

Previous topic - Next topic

dean

Hello. Our Authentication Namespace is offline for good (died)  :(
Had my settings as:
Namespace ID: THISDC06
Host and Port: THISDC06:389

Our new Active Directory is now called THISDC07.
I have created new security authentication
Namespace ID: THISDC07
Host and Port: THISDC07:389

Content Manager has accepted the change (except error on THISDC06 which I can live with) and the config is up and running.
However when I log onto Cognos Connection I can't get at the administration portal, any idea what I need to do next please ????

sir_jeroen

#1
Dean,

You're luck at all to get it in (in my opinion you shouldn't have been able to logon, but that's me :D)
The thing is: By changing you're Namespace ID, you've removed all your "old" users. You're most likely able to log on to Cognos because there's a role that has the group "Everone" as a member (for example the new roles: Statistics Authors / Enhanced Consumers / Mobile users ).

What you have to do is the following:
- Run the script: <INSTALL>\configuration\schemas\content\<DB>\AddSysAdminMember.sql (The group Everyone is added to the role "System Administrators")
- Logon to Cognos
- Add yourself to the  System Adminstrators role
- Remove the group "Everyone" from the System Adminstrators role
- Start adding all your users again.

That should do the trick.

Another suggestion: If you use an Active Directory namespace (not LDAP): instead of pointing to a single Domain Controller, point to your domain. In this case you can replace all the domain controllers without Cognos failing.

So do the following in Cognos Configuration:

Namespace ID: <Your domain name>
Host and Port: <DOMAIN>:389

dean

Thanks for the quick feedback, I will try your solution today and report back so this thread is complete. Luckily I keep a simple access database with all our users and roles in so an hours job to add them all back!

So our domain is called THIS, by your example should I use THIS:389 instead of THISDC07:389 ??

Regards
Dean

dean

So I added a new Namespace ID and Host and Port in Cognos Configuration

Then ran the script:
<INSTALL>\configuration\schemas\content\<DB>\AddSysAdminMember.sql
Logged into Cognos
Added myself to the System Administrators role
Removed the group "Everyone" from the System Administrators role
I then deleted the old Namespace ID from Cognos Configuration and from Cognos Connection Security Portal
I restarted the environment service in Cognos Configuration
I renamed the new Namespace ID Label to the old Label so when users log in they see the same domain name
Now adding all the users again

I have a backup access db which holds all users and roles just incase something like this happened !! (recommend  ;D)
Only downside is anything in my folders will be lost  :-\

MMcBride

Probably a little late on this, but I authenticate against 5 different AD domains and everytime they change a domain controller I see these same type of issues

However what I do different is I just update the setting in the Namespace - the name is just a name you can call it "Fred" if you want - so you could have edited your settings like this:

Old
Namespace ID: THISDC06
Host and Port: THISDC06:389

New
Namespace ID: THISDC06
Host and Port: THISDC07:389

By doing this Cognos isn't smart enough to know your Authentication Provider died as all of it's internal settings are based on the name not the Host:port

dean

Thanks, have it set that way now as per reportnet addict's suggestion also  :D

sir_jeroen

Quote from: MMcBride on 16 May 2013 01:26:57 PM
Probably a little late on this, but I authenticate against 5 different AD domains and everytime they change a domain controller I see these same type of issues

However what I do different is I just update the setting in the Namespace - the name is just a name you can call it "Fred" if you want - so you could have edited your settings like this:

Old
Namespace ID: THISDC06
Host and Port: THISDC06:389

New
Namespace ID: THISDC06
Host and Port: THISDC07:389

By doing this Cognos isn't smart enough to know your Authentication Provider died as all of it's internal settings are based on the name not the Host:port

I would suggest to use Automatic loadbalancing/routing instead of Manual ( ;-) ) loadbalancing

Namespace ID: THISDC06
Host and Port: THIS:389
because the load balancing mechanisme in your domain will redirect it to an available DC... So you shouldn't  have to change it anymore...

sir_jeroen

Quote from: dean on 15 May 2013 01:26:05 AM
So our domain is called THIS, by your example should I use THIS:389 instead of THISDC07:389 ??

Yuuuppppp (for those watching Discovery Channel ;-) )

MMcBride

QuoteNamespace ID: THISDC06
Host and Port: THIS:389
because the load balancing mechanisme in your domain will redirect it to an available DC... So you shouldn't  have to change it anymore

Perhaps this is just the environment at my company or my lack of Active Directory knowledge but your recommendation does not work here.

I am not an Active Directory admin so perhaps there is some reason they have this disabled within my environment.
I authentecate against 5 different AD domains
For each Namespace I have to specify either an IP address or a specific Maching name - this means when they change a domain controller it may break my Cognos environment until I update the config.

Even though when I do a domain controller lookup I can see 27 different domain controllers.
If I attempt to just the domain name it errors out - even fully qualified.

sir_jeroen

Now I understand your problem and you're right... The solution I provided won't work...