Single Sign On with multiple namespaces ( a few questions)

[Tsunami]

Is there anyway to make cognos skip the 'select namespace' prompt when logging in via SSO?  I have AD and Cognos Access Manager and I want it to skip the prompt if it finds AD credentials.  Is this possible?

Also, I was trying to set up SSO using Kerberos but was having little luck.  I ended up adding the singleSignonOption to IdentityMapping and it worked.  I'm not sure I fully understand the differences.  It seems like I would rather have Kerberos but what are the disadvantages of using IdentityMapping?

[Tsunami]

Update:  I was able to get Cognos to skip the prompt by setting the gateway namespace to Active Directory and restarting the IIS Service.  However, when I tried to access Cognos via a URL with the Access Manager namespace embedded in the URL, I got an error saying it was unable to authenticate.  That doesn't really meet my requirements as we still need to be able to use Access Manager.  Is there a way to automatically pass users via AD but still allow access using Cognos Access Manager as well?

[SomeClown]

Is there a way to automatically pass users via AD but still allow access using Cognos Access Manager as well?

No.

It seems like I would rather have Kerberos but what are the disadvantages of using IdentityMapping?

None.  It means your IIS server is not set up to use Kerberos as the default authentication method (it's using NTLM/remote user thingies)

[Tsunami]

No.

What purpose does the 'Namespace Override' serve?  I thought that might be the solution but when I enabled it, nothing changed.

None.  It means your IIS server is not set up to use Kerberos as the default authentication method (it's using NTLM/remote user thingies)

In the article located here:  http://queryvision.com/wp-content/uploads/2011/07/Enabling-single-sign-to-Cognos-BI-Servers-for-Active-Directory.pdf

It mentions that Kerberos is the most secure way and that it will allow passing the credentials to 3rd parties.  It's not a requirment at this point, but I would like to enable Kerberos just in case.  I made all the changes in the above article and it still wouldn't work.  :-\

[Grim]

To do what your looking for the easiest way is to install 2 gateways. One configured to each namespace.

[CognosPaul]

Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL

For example going to http://cognos/ibmcognos/Domain1 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain1&m=portal/main.xts

While http://cognos/ibmcognos/Domain2 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain2&m=portal/main.xts

Cognos will attempt to use the selected CAMNamespace to log in the user. If the namespace has SSO enabled, he will log in automatically.

In order to enable it, copy the index.htm for each namespace you have. Open them and look for "cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts" or "cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts"

Add the CAMNamespace parameter after the b_action.xts.run. Remember the namespace ID must match what you have configured in Cognos Configuration.

Next open your IIS, and create a virtual directory for each Namespace. Restart the IIS and you're set.

[SomeClown]

Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL

Wow, nice.  Do you require credit when I implement it at a client site? ;)

[Tsunami]

Thanks for the suggestions guys!  I've got a new issue with SSO.  I can't login to framework manager OR get to congos connection on my cognos server.  All the other computers work fine.  Everytime I try to connect to framework or CC on the server, I get windows prompt for login for cognos.domain.com.  I enter my credentials an the box just flashes.  After 3 times it says access is denied. ???  Any ideas?

[SomeClown]

Try these:
Make sure IE Enhanced for admins is turned off.
Add the cognos.domain.com to the list of sites in Local Intranet in IE (Tools | Internet options | Security)

I've seen sporadic issues with caching in the browser, but not had enough time to pin down (not sure if it's an IE8/9 issues or IIS7.5). 

[Tsunami]

All those settings are good.  I actually ran into a problem modifying the enhanced security for IE.  I was toggling it off/on to test it and it corrupted my IIS.  Had to restore from backup.

Still not sure what's going on.  I've been working w/ ibm support for the last couple of days and they can't pinpoint it either.

[SomeClown]

I've seen strange behavior from the server in that  http://localhost  works in the browser, but  http://<server>  does not

Do any of the server references work in the browser name?  locahost vs server  vs server.domain.com?  I would focus on that since the FM would use only the gw setting from CogConfig.

[Tsunami]

So after some testing, it seems like it's an IIS setting but I'm not sure which one.  If I enable anonymous login, I can login to framework manager and cognos connection on the server.  However, I lose SSO capability.  If I disable anonymous login, I gain SSO but lose access to Framework Manager and Cognos Connection through the server.

[Grim]

Are you using RDP? If yes, this is a known issue with using CGI. Try switching to ISAPI.

http://www-01.ibm.com/support/docview.wss?uid=swg21378400

https://www-304.ibm.com/support/docview.wss?uid=swg21380204

[Tsunami]

Are you using RDP? If yes, this is a known issue with using CGI. Try switching to ISAPI.

http://www-01.ibm.com/support/docview.wss?uid=swg21378400

https://www-304.ibm.com/support/docview.wss?uid=swg21380204

I think you are on to something.  :)  Our Gateway URI uses ISAPI but the default and index files referenced CGI.  I'm going to restart Cognos after hours and hopefully that will solve our problem.

[Tsunami]

no luck.  I tried changing the two files and it still give me a windows login prompt to login to cognos.domain.com. :-\

[aumdy]

Instead of having 2 gateways, you can modify the gateway to point users to the correct namespace based on the URL

For example going to http://cognos/ibmcognos/Domain1 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain1&m=portal/main.xts

While http://cognos/ibmcognos/Domain2 will redirect to:

http://cognos/ibmcognos/Domain1/cgi-bin/cognosisapi.dll?b_action=xts.run&CAMNamespace=Domain2&m=portal/main.xts

Cognos will attempt to use the selected CAMNamespace to log in the user. If the namespace has SSO enabled, he will log in automatically.

In order to enable it, copy the index.htm for each namespace you have. Open them and look for "cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts" or "cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts"

Add the CAMNamespace parameter after the b_action.xts.run. Remember the namespace ID must match what you have configured in Cognos Configuration.

Next open your IIS, and create a virtual directory for each Namespace. Restart the IIS and you're set.

@PaulM - Can you provide steps on how to do this? I have a similar issue at a client this week, who is having a hard time getting two namespaces to work. You can refer to the issue in this thread:

http://www.cognoise.com/community/index.php/topic,20326.0.html