Working with distribution list and multiple namespace with IBM Cognos 10.2.1

[stevveil]

Hi,
we are upgrading our IBM Cognos environnment from Cognos 10.1.1 to IBM 
Cognos 10.2.1 ;D and at the same time we are moving from Cognos Series 7 security to Microsoft Active Directory. :o With Cognos Series 7 we were using only one namespace but with our company AD we must now use 4 namespaces.

We have scheduled reports that are sent by email using distribution lists and they can contains users from all namespaces at the same time.

What are the setups I need to do to be sure that when there is an email sent to a distribution list that all the people received the email event if they are in namespace 1 , 2 , 3 or 4 ?

Right now, the users are simply dropped from the email and no error happen :( when I try to schedule a report or even send now a report to a distribution list that contains users from the secondaries namespaces when I'm logged only in the primary namespace.


Thanks.

[stevveil]

Hi,
I was able to solve my problem ...
I've used this document : http://public.dhe.ibm.com/software/dw/dm/cognos/security/active_directory/the_active_directory_story.pdf

Here is the detailled of what have  setup to use only one namespace (instead of many namespace) that will be able to access all my AD domain (all domain must be in the same AD forest) :

- IBM Cognos service is started with an Active Directory domain account.
- In Active Directory : This user has been configure properly for the "Account is trusted for delegation". Also in AD, my server name has the "Trust computer for delegation" checked. AD is running in native mode and all the domain in AD are in the same forest.
- In IIS : Windows Authentication - Enable , Anonymous Authentication - Disable for the Cognos virtual directory. The provider for Windows Authentication is Negotiate first and NTLM second.
- In Cognos Configuration, my namespace is configured like this :
Under Security - Authentication, namespace type is "Active Directory" and I have used in Advance properties the 2 following parameters :"multiDomainTrees" set to True. And I have also use this parameters to be able to use single signon :
"singleSignOnOption" = "IdentityMapping".

After doing some more tests it's now working. I know that setting up this parameter "snigleSignOnOption" bypass Kereberos ... I'm ok with that since my goal is reach and that we do not use Microsoft Analysis Service.

My goal was :
- Doing single sign on.(Ok ... this one was a nice to have ... )
- Using distribution list of people coming from different AD domains and be able to send a report by email using those distribution lists and make sure everybody received the reports even if they are not in the same domain as the user sending the report. So this is possible because we are using only one namespace in Cognos and when a user is autenticated in that namespace he is able to reach all the "forest" of our Active Directory because of the "multiDomainTrees" parameter.
Thanks.
Steve