Single Sign On with multiple namespaces ( a few questions)

Started by Tsunami, 05 Mar 2012 11:04:03 PM


Tsunami

Is there any way to make Cognos skip the 'select namespace' prompt when logging in via SSO?  I have AD and Cognos Access Manager and I want it to skip the prompt if it finds AD credentials.  Is this possible?

Also, I was trying to set up SSO using Kerberos but was having little luck.  I ended up adding the singleSignonOption to IdentityMapping and it worked.  I'm not sure I fully understand the differences.  It seems like I would rather have Kerberos but what are the disadvantages of using IdentityMapping?

Tsunami

Update:  I was able to get Cognos to skip the prompt by setting the gateway namespace to Active Directory and restarting the IIS Service.  However, when I tried to access Cognos via a URL with the Access Manager namespace embedded in the URL, I got an error saying it was unable to authenticate.  That doesn't really meet my requirements as we still need to be able to use Access Manager.  Is there a way to automatically pass users via AD but still allow access using Cognos Access Manager as well?

SomeClown

Quote from: Tsunami on 05 Mar 2012 11:39:48 PM
Is there a way to automatically pass users via AD but still allow access using Cognos Access Manager as well?
No.

Quote from: Tsunami on 05 Mar 2012 11:04:03 PM
It seems like I would rather have Kerberos but what are the disadvantages of using IdentityMapping?
None.  It means your IIS server is not set up to use Kerberos as the default authentication method (it's using NTLM/remote user thingies)

Tsunami

Quote from: SomeClown on 06 Mar 2012 06:14:46 AM
No.

What purpose does the 'Namespace Override' serve?  I thought that might be the solution but when I enabled it, nothing changed.
Quote
None.  It means your IIS server is not set up to use Kerberos as the default authentication method (it's using NTLM/remote user thingies)
In the article located here:  http://queryvision.com/wp-content/uploads/2011/07/Enabling-single-sign-to-Cognos-BI-Servers-for-Active-Directory.pdf

It mentions that Kerberos is the most secure way and that it will allow passing the credentials to 3rd parties.  It's not a requirement at this point, but I would like to enable Kerberos just in case.  I made all the changes in the above article and it still wouldn't work.  :-\

Grim

To do what you're looking for, the easiest way is to install 2 gateways. One configured to each namespace.
"Honorary Master of IBM Links"- MFGF
Certified IBM C8 & C10 Admin, Gamer, Geek and all around nice guy.
<-Applaud if my rant helped! 8)

CognosPaul

Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL

For example going to http://cognos/ibmcognos/Domain1 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain1&m=portal/main.xts

While http://cognos/ibmcognos/Domain2 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain2&m=portal/main.xts

Cognos will attempt to use the selected CAMNamespace to log in the user. If the namespace has SSO enabled, he will log in automatically.

In order to enable it, copy the index.htm for each namespace you have. Open them and look for "cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts" or "cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts"

Add the CAMNamespace parameter after the b_action.xts.run. Remember the namespace ID must match what you have configured in Cognos Configuration.

Next open your IIS, and create a virtual directory for each Namespace. Restart the IIS and you're set.
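
The index.htm edit described in this post, as an added example that is not part of the original thread or the poster's own code: it builds one index.htm per namespace with `CAMNamespace` placed directly after `b_action=xts.run`, for either gateway variant. The function names, the sample index.htm and the restriction on namespace ID characters are assumptions.

```python
import re
from urllib.parse import quote

# Redirect targets named in the post (ISAPI and CGI gateway variants).
# An already-present CAMNamespace is replaced, so re-running is safe.
_TARGET = re.compile(
    r"(cgi-bin/(?:cognosisapi\.dll|cognos\.cgi)\?b_action=xts\.run)"
    r"(?:&CAMNamespace=[^&\"']*)?"
)
# Assumption: namespace IDs are simple tokens; anything else is rejected so a
# stray '&' or quote cannot alter the redirect URL written into the page.
_NAMESPACE_ID = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def add_namespace(index_html: str, namespace_id: str) -> str:
    """Return index.htm text whose redirect pins CAMNamespace to namespace_id."""
    if not _NAMESPACE_ID.match(namespace_id):
        raise ValueError(f"unexpected namespace ID: {namespace_id!r}")
    new_html, count = _TARGET.subn(
        lambda m: f"{m.group(1)}&CAMNamespace={quote(namespace_id, safe='')}",
        index_html,
    )
    if count == 0:
        raise ValueError("no gateway redirect target found in index.htm")
    return new_html


def build_copies(index_html: str, namespace_ids):
    """Map each namespace ID to the index.htm text for its virtual directory."""
    return {ns: add_namespace(index_html, ns) for ns in namespace_ids}


# Constructed sample; the index.htm shipped with a real gateway will differ.
SAMPLE_INDEX = (
    '<html><head><meta http-equiv="refresh" content="0; '
    'URL=cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts">'
    "</head></html>"
)

if __name__ == "__main__":
    for ns, html in build_copies(SAMPLE_INDEX, ["Domain1", "Domain2"]).items():
        print(ns, "->", html)
```

The namespace IDs passed in must match the IDs configured in Cognos Configuration, as the post says.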

SomeClown

Quote from: PaulM on 07 Mar 2012 01:35:47 AM
Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL
Wow, nice.  Do you require credit when I implement it at a client site? ;)

Tsunami

Thanks for the suggestions guys!  I've got a new issue with SSO.  I can't log in to Framework Manager OR get to Cognos Connection on my Cognos server.  All the other computers work fine.  Every time I try to connect to Framework or CC on the server, I get a Windows prompt for login for cognos.domain.com.  I enter my credentials and the box just flashes.  After 3 times it says access is denied. ???  Any ideas?

SomeClown

Try these:
Make sure IE Enhanced for admins is turned off.
Add the cognos.domain.com to the list of sites in Local Intranet in IE (Tools | Internet options | Security)

I've seen sporadic issues with caching in the browser, but not had enough time to pin down (not sure if it's an IE8/9 issue or IIS7.5).

Tsunami

All those settings are good.  I actually ran into a problem modifying the enhanced security for IE.  I was toggling it off/on to test it and it corrupted my IIS.  Had to restore from backup.

Still not sure what's going on.  I've been working w/ ibm support for the last couple of days and they can't pinpoint it either.

SomeClown

I've seen strange behavior from the server in that  http://localhost  works in the browser, but  http://<server>  does not

Do any of the server references work in the browser name?  localhost vs server vs server.domain.com?  I would focus on that since the FM would use only the gw setting from CogConfig.


Tsunami

So after some testing, it seems like it's an IIS setting but I'm not sure which one.  If I enable anonymous login, I can login to framework manager and cognos connection on the server.  However, I lose SSO capability.  If I disable anonymous login, I gain SSO but lose access to Framework Manager and Cognos Connection through the server.

Grim

"Honorary Master of IBM Links"- MFGF
Certified IBM C8 & C10 Admin, Gamer, Geek and all around nice guy.
<-Applaud if my rant helped! 8)

Tsunami

Quote from: Grim on 13 Mar 2012 09:55:48 PM
Are you using RDP? If yes, this is a known issue with using CGI. Try switching to ISAPI.

http://www-01.ibm.com/support/docview.wss?uid=swg21378400

https://www-304.ibm.com/support/docview.wss?uid=swg21380204

I think you are on to something.  :)  Our Gateway URI uses ISAPI but the default and index files referenced CGI.  I'm going to restart Cognos after hours and hopefully that will solve our problem.

Tsunami

No luck.  I tried changing the two files and it still gives me a Windows login prompt to log in to cognos.domain.com. :-\

aumdy

Quote from: PaulM on 07 Mar 2012 01:35:47 AM
Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL

For example going to http://cognos/ibmcognos/Domain1 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain1&m=portal/main.xts

While http://cognos/ibmcognos/Domain2 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain2&m=portal/main.xts

Cognos will attempt to use the selected CAMNamespace to log in the user. If the namespace has SSO enabled, he will log in automatically.

In order to enable it, copy the index.htm for each namespace you have. Open them and look for "cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts" or "cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts"

Add the CAMNamespace parameter after the b_action.xts.run. Remember the namespace ID must match what you have configured in Cognos Configuration.

Next open your IIS, and create a virtual directory for each Namespace. Restart the IIS and you're set.

@PaulM - Can you provide steps on how to do this? I have a similar issue at a client this week, who is having a hard time getting two namespaces to work. You can refer to the issue in this thread:

http://www.cognoise.com/community/index.php/topic,20326.0.html