Enable Single Sign On using Cognos BI 10.2.2

[Rosanero4Ever]

Hi all,

can you advice me any simple step-by-step guide in order to enable SSO with Cognos BI 10.2.2?
Authentication is based on Active Directory.

Many thanks in advance

[sunosoft]

Did you check below link ?

http://www-01.ibm.com/support/docview.wss?uid=swg21341889

[Nimirod]

Well,

There are at least three words that cannot live together in the same sentence: Cognos, SSO, AD and Simple

But start defining what kind of SSO you want to implement (Kerberos, KerberosS4U, NTLM, etc.) and discuss with an Internet Security guy in your organization because your choices can be refused for security reasons.
In complex organizations you cannot do the whole process alone, some parameters should be configured by domain administrators (spn's, delegation, constrained delegations, and so)

Then, my advice, start configuring ALL your cognos BI services portal and when everything works perfect only then start configuring SSO.

And then some more questions you may need to answer before starting with SSO:
1.   Do you want SSO to be used to databases connections too or are you using Sign-On on datasources.
2.   Is you Cognos portal accessible over Internet or Mobile.
3.   Are you using secured connections (httpS)
4.   Are you using IIS as web server
5.   All your users are on the same intranet domain
6.   Are your Cognos servers in the same time zone that your Controler Domain servers

As you see SSO could became a very complex topic.

So good luck and never give up !  ;D

[alistairConnor]

Hello.
I'm currently dealing with this problem. BI is widely deployed at my site, with SSO, however... MS just issued a patch that completely shuts down NTLM (insecure!). In the case of Cognos SSO, this created the problem that people could no longer change their passwords...
The obvious answer is to reconfigure SSO to use Kerberos.
In addition to the comprehensive doc linked above, I'm finding this one useful :

http://www-01.ibm.com/support/docview.wss?uid=swg21694595

This describes setting up constrained delegation with Kerberos on AD with IIS and BI.
In practice, I'm sure all the prerequisites and caveats described in the other document apply, but this doc at least gives a fairly straightforward recipe.

[smiley]

Do you have the nr of the MS patch that shuts down NTLM?

[alistairConnor]

It's the MS16-101 security update.
https://support-msft-us1.vtv.stillw.com/bg-bg/kb/3178465
It explicitly disables the fallback to NTLM when Kerberos authentication fails. I think this must be breaking a lot of configurations, all around the world, because Kerberos misconfigurations are, in my experience, the rule rather than the exception.

[smiley]

Thanks!