
11.0.6 SSO not working

Started by Vgamer, 11 Apr 2017 10:53:51 AM


Vgamer

I have tried and followed step by step on setting up SSO using: https://www.ibm.com/support/knowledgecenter/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html#gateway_iis

I can access the Analytics site and features however I have to login with my Active Directory Credentials each time at the login screen http://<server>/ibmcognos/bi/
IBM Cognos Analytics
Sign with your AD ID

I read up on so many posts prior to 11.0.5 of how they changed files and pointed to the cognosisapi.dll and .cgi but I was under the impression that these tweaks aren't required and using the Gateway URI http://server:9300/ibmcognos/bi/v1/disp would work for the SSO following the IBM instructions of URL Rewrites and Proxy Redirect.

zakatak

SSO works fine, but is handled through the Web Gateway.

If you're going to http://server:9300/ibmcognos/bi/b1/disp then you're going straight to the dispatcher, not the gateway. The gateway will be on port 80 rather than the port 9300 that you are going to.

You could try http://server/ibmcognos/ and see if that works.

Vgamer

Thanks, I'll try that. However, I thought that following the IBM guide, with all the SSO and URL Rewrite rules I set up, would handle all the redirecting.

nmcdermaid

zakatak, can you clarify your comments? Is additional config required to get SSO working on 11.0.6? Which web gateway are you referring to? The native one provided by the Cognos server or the one that is manually set up in IIS after following the link in the comments?

I've been through that linked document a few times and I just end up with a 403 error when I hit the web gateway that is manually set up in IIS

I have a C10 / C11 side by side install, so http://servername/IBMCognos actually goes to my C10 install right now.

zakatak

I believe the subject changed. When I first replied the top was 11.0.5, but is now 11.0.6.

I haven't had a chance to upgrade to 11.0.6 yet, so I am unsure.

Blue

I too cannot get SSO working. A colleague and I have two separate CA11.0.06 installs and neither of us can get SSO working.
We've both followed and refollowed the IBM doco several times. We've tried various tweaks. We've tried various URLs (both port 80 and port 9300). All to no avail.
One instance is on WS8R2SP1 and the other WS12R2.
One instance uses IIS 7.5 and the other 8.5.
Both are VMs.
Both connect to the same company LDAP database (Active Directory).
Yet we know of at least one site that says they have it working. When they show us the Cognos Analytics Configuration settings (via screen shot) they are virtually identical to ours.
The issue goes back to at least 11.0.4 for me.

Who of you has it working and who is still struggling please?

Cheers,

Blue
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

nmcdermaid

We have it functioning (or so I am told by our installation specialist)

What symptom do you have? Do you get an error or are you just still prompted regardless? My understanding is that you have to definitely access it through the app set up in IIS (on port 80), and it captures your windows account there and sends it on to the usual login. However it is not clear to me how it does this, and it's difficult to troubleshoot.

Blue

"... still prompted regardless"
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

nmcdermaid

When you see it prompting, is it at the :80 address or the :9300 address? If it's at the :9300 address then the IIS SSO part has worked but it hasn't passed it through to Cognos. Why? I dunno. If it's at the :80 address then it's failing at the IIS part. Also make sure that your web client (IE, Chrome etc.) has all these sites set as trusted, and also confirm that you have the 'automatically sign on' bits set in settings for IE. The problem could be in the web browser not passing through login details. Again, I don't really know specifics here because there are so many variables around web clients nowadays. Sorry I can't help too much, but sometimes it's enlightening to try and break the failure into pieces and find where along the line it has failed.

Blue

shows the :9300 address :(
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

jbertrand

I've gotten this working on multiple different sites with 11.0.4,5 and 6. So I can confirm it does work. But it is slow, due to the redirect rules. I hope IBM will come up with a different solution than IIS redirects.

Blue, what error messages does it show (if any)? Or does it just pop up with the username/password box?


Blue

Just pops up the username and password box.
Robert Edis
Principal
Robert Edis Consulting
Rotorua, New Zealand

TomCognos

I have it working in 11.0.3,4,5,6.

At one point, to bring all three environments into alignment (DEV UAT & PRD) I deleted the Cognos virtual directory and recreated from scratch all the settings including SSO. I did this successfully across the three environments in 11.0.6.

One issue I did come up against in UAT was in IIS: under Default Web Site, click on your Cognos Virtual Directory. Then double-click the Authentication icon in the IIS group. Make sure Windows Authentication is enabled. You have to do this for the SSO virtual directory as well under your Cognos Virtual Directory.

Check this is enabled. Also in IE make sure in Internet Options -> Security -> Local Intranet -> Custom Level -> {down the bottom} User Authentication is set to -> Automatic logon with current user name and password.

Clear your cache and restart IE.

If you are still having issues I can post the steps for deleting the virtual directory and recreating.

shekark

We are facing a similar issue in configuring SSO with Cognos 11.0.6. Though we followed the steps mentioned by IBM (using the script etc.), it still prompts for the credentials at the CA home page.

@GrumbleNuts, It would be helpful to know your successful steps.

Thanks in advance.

Cheers,
Shekar K

TomCognos

Ok here are the steps to delete your Cognos Virtual Directory in IIS and recreate. We have TM1 here as well so there were also TM1 considerations and config files that needed to be brought into alignment with the new settings. So here goes.

Do this first
•Within IIS, ensure existing configuration back-up is performed (Ref https://support.microsoft.com/en-us/help/954872/how-to-create-and-manage-configuration-backups-in-internet-information)

How to create a configuration backup   
To create a configuration backup by using the Appcmd.exe tool, follow these steps:   
a.Click Start, click Run, type cmd in the Open box, and then click OK.   
b.At a command prompt, type the following commands, and then press ENTER:   

•cd %Windir%\system32\inetsrv   
•appcmd add backup backupName   

Note A directory that has the backup name that you specify is created in the %Windir%\system32\inetsrv\backup directory. If you do not specify a name, the Appcmd.exe tool generates a directory name by   automatically using the current date and the current time.

Note
•Manually delete existing "cgi-bin" application under "ibmcognos" virtual directory. Though I deleted the entire ibmcognos virtual directory just to be sure.
•Check existing application pool "IBM Cognos Analytics v11" correspond to no existing applications (count = 0)
•Delete "IBM Cognos Analytics v11" application pool.
  Reference: had issues with this in the past, may need to create a dummy one to assign things to it before you can delete the VD
•Take back-up of web.config file in:
a.\\servername\Program Files\ibm\cognos\analytics\webcontent   
b.\\servername\Program Files\ibm\cognos\analytics\webcontent\bi   
c.\\servername\Program Files\ibm\cognos\analytics\cgi-bin    {this didn't exist for UAT, so don't be too surprised if it's not there}

•Conduct step by step procedure as highlighted below.
•NOTES
•I opened up my DEV server and copied all the relevant items below, so not to have any finger trouble issues when replicating the steps through UAT and PRD
•IIS server name: iis-host   
•IIS port #: 80
•IIS virtual directory name: ibmcognos
•Cognos Analytics server name: ca-host(n) (for me same as the iis-host)   
•Cognos Analytics port #: 9300 
•Gateway URI:      http(s)://iis-host:80/ibmcognos/bi/v1/disp 
•Dispatcher URIs for gateway:    http(s)://ca-host:9300/bi/v1/disp 
•Dispatcher URI for external applications:  http(s)://ca-host:9300/bi/v1/disp 

1.Create a new, dedicated application pool. For example, named CAPool.
a.Right-click on Application Pools. Click Add Application Pool.

I skipped all of 2 as I don't have a server farm.
2.Optionally, create a server farm to provide load-balancing and failover for Cognos Analytics service requests. Include all Cognos Analytics servers that have the Application server components installed and configured.   
a.Right-click on Server Farms in the left-hand tree and select Create Server Farm.   
b.Name the new server farm. For example, ca_servers.   
c.For each Cognos Analytics server, enter:   
  i.the server address. For example, ca-host1.   
  ii.click Advanced settings and expand applicationRequestRouting. Set the httpPort or httpsPort (if you're using HTTPS). For example, 9300.   
d.Click Finish.   
e.Click No when prompted to allow IIS Manager to create a rewrite rule.   
f.Select your server farm in the left-hand tree and double-click Server Affinity.   
g.Select the Client Affinity check box.   
h.Click Apply.   
i.Select your server farm in the left-hand tree and double-click Caching.   
j.Change Query String Support to Include Query String.   
k.Click Apply.   
l.Select your server farm in the left-hand tree and double-click Health Test.   
m.In the URL Test section, enter the URL: http://ca_servers/bi/v1/ping   
n.Click Apply.   
o.Select your server farm in the left-hand tree and double-click Proxy.   
p.In the Time-out (seconds) field, change the value to 120.   
q.Click Apply.


3.Create an Application by right-clicking the Default Web Site and clicking Add Application. If it already exists, delete it.
Alias is ibmcognos.   
Application pool is the one created in step 1.   
Physical path is install_location\webcontent   
a.Enable Web Content expiry   
  i.Select ibmcognos and double-click HTTP Response Headers. {Step not done on dev, so not done on UAT}
  ii.Click Set Common Headers.   
  iii.Check Expire Web Content and set an expiry that works best for you.   

b.Select ibmcognos and double-click Mime Types.   
** Note : Certain MIME types may already exist – should they do, kindly remove and manually re-create them as pointed in the step on the link.   
Add the following Mime Types to your IIS configuration if they are not already present.     
* .svg : image/svg+xml     
* .woff : application/x-font-woff     
* .json : application/json     
* .woff2 : font/woff2     
* .template : text/html     
* . : text/plain

4.If you are configuring single signon between IIS and Cognos, right-click ibmcognos and click Add Application.   
  * Alias to sso.   
  * Application pool is the one you created in step 1.   
  * Physical path is install_location\cgi-bin   
a.Select sso and double-click Handler Mappings.   
b.Click Add Module Mapping in the right Actions pane.     
  * Request path is cisapi.     
  * Module is IsapiModule.     
  * Executable is install_location\cgi-bin\cognosisapi.dll     
  * Name is Cognos SSO.     
  * Click Request Restrictions and ensure that Invoke Handler is unchecked.     
  * Click OK twice.     
  * On the Edit Script Map dialog, click Yes.     
  * Select sso and double-click Modules. If the WebDAVModule appears in the list, remove it.
5.Create URL-rewrite rules to map requests to the correct handlers.   
  ** Note : If rules already exist kindly manually one-by-one remove all of the rules, and re-create them one-by-one as pointed out in the step on the link.
a.Click on bi directory under ibmcognos.   
b.Double-click URL Rewrite.   
c.Add a server variable to identify the Cognos Analytics location by clicking View Server Variables.     
  * Click Add.     
  * Name the variable HTTP_X_BI_PATH.     
  * Click Back to Rules.{don't click back to rules just add another}
  * Click Add.     
  * Name the variable HTTP_X_FORWARDED_HOST.     
  * Click Back to Rules.   
d.Add a rule to pass the Cognos Analytics location to the ca-host machines by clicking Add Rules > Inbound Rules > Blank Rule.     
  * Name is Headers.     
  * Pattern is (.*)     
  * Expand Server variables and   
     * Click Add. Select HTTP_X_BI_PATH and set the value to /ibmcognos/bi/v1.   
     * Click Add. Select HTTP_X_FORWARDED_HOST and set the value to {HTTP_HOST}.     
  * Action type is none.     
  * Uncheck Stop processing of subsequent rules.     
  * Click Apply and Back to Rules.   
e.If you configured the sso application in a previous step, add rules to map login and legacy UI service requests to the SSO handler,   
  i.Click Add Rules > Inbound Rules > Blank Rule.     
    * Name is SSO Login.     
    * Pattern is v1/login$     
    * Action type is Rewrite.     
    * Rewrite URL is /ibmcognos/sso/cisapi/bi/v1/login     
    * Check Stop processing of subsequent rules.     
    * Click Apply and Back to Rules.   
  ii.Click Add Rules > Inbound Rules > Blank Rule.     
    * Name is Legacy SSO.     
    * Pattern is (v1/disp(/.*)?)     
    * Action type is Rewrite     
    * Rewrite URL is /ibmcognos/sso/cisapi/bi/{R:1}     
    * Check Stop processing of subsequent rules.     
    * Click Apply and Back to Rules.   

f.Add a rule to map Cognos Analytics REST service requests to the backend Cognos Analytics servers .   
•Click Add Rules > Inbound Rules > Reverse Proxy.  {In the official IBM notes it says a reverse proxy, choose a blank rule instead}
  * If proxies are not already enabled, you are prompted to enable. Click OK.     
  * Name is ReverseProxyInboundRule1
  * Server name is ca-host:9300/bi or if you have configured a server farm, http://ca_servers/bi
  Select the newly created rule and click Edit.     
  * Pattern is (^$)|(^v1(/.*)?)|(^[^/]+\.jsp)     
  * Action type is Rewrite.     
  * Rewrite URL is http://ca-host:9300/bi/{R:0} or if you have configured a server farm, http://ca_servers/bi/{R:0}     
  * Check Stop processing of subsequent rules.     
  * Click Apply and Back to Rules.   
i.Click Add Rules > Inbound Rules > Blank Rule.     
  * Name is Event Studio.     
  * Pattern is ^(ags|cr1|prompting|ccl|common|skins|ps)/(.*)     
  * Open the Conditions section.     
  * Click Add.       
    * Condition input is {HTTP_REFERER}       
    * Check if input string is Matches the Pattern       
    * Pattern is v1/disp       
    * Check Ignore case.     
  * Action type is Rewrite     
  * Rewrite URL is /ibmcognos/{R:0}     
  * Check Stop processing of subsequent rules.     
  * Click Apply and Back to Rules.
6.Adjust request size limits.   
  a.Select the bi directory under the ibmcognos application created earlier.   
  b.Double-click Request Filtering.   
  c.Click Edit Feature Settings... from the right-hand panel.     
    * Set Maximum URL length (bytes) to 8192.     
    * Set Maximum query string (bytes) to 4096.     
    * Click OK. 

7.If you configured the sso application in a previous step, enable Windows Authentication.   
  a.Select the sso application.   
  b.Double-click Authentication. Disable Anonymous Authentication, and enable Windows Authentication. Cognos Analytics should now be available at: http://iis-host/ibmcognos

Now. Almost there carry on.

Navigate to \\servername\Program Files\ibm\cognos\analytics\webcontent, and take back-up of existing index.html and default.htm

In both index.html and default.htm, ensure the following exists (remove anything else that exists as the URL value):

*  <meta http-equiv="refresh" content="0; URL=bi/">

Once all of the above steps are done, perform an IIS reset in the command prompt (run as administrator) – command is "iisreset". 

* NOTE: This step will restart IIS.

So far this has taken me about an hour to get to this point.

Now

- Clear all cache on your browser (IE and chrome)

- Now, go to IE settings > Internet Options > Security > Local intranet > Custom Level... (navigate to the bottom of the security settings – local intranet zone window) and ensure the following is set 

: Automatic  log-on with current username and password

One main issue encountered.

In IIS at the ibmcognos level, click Authentication, enable Windows sign-on. Only in UAT; DEV and PRD were OK.

Edited:

Recently had to do a fresh install. Didn't work for SSO. Had to add the rules from 5 in 3 times. Ended up doing 5f as a reverse proxy instead of blank rule. That seemed to sort things out. Worked OK after that.
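Added example, not part of TomCognos's post or of IBM's documentation: a small Python model of the inbound rules from step 5, used to check which requests under /ibmcognos/bi/ are handed to the Windows-authenticated sso application and which go straight to the dispatcher. It assumes rules are evaluated top to bottom against the path relative to the bi directory, with "Ignore case" left checked; `route`, `uses_windows_auth` and the `MISORDERED` list are hypothetical names constructed for this illustration.

```python
import re

# Inbound rules under /ibmcognos/bi in the order the post lists them (5d to 5f).
# (name, pattern, rewrite template or None for action "None", referer condition)
# Every rewrite rule in the post has "Stop processing of subsequent rules" checked.
RULES = [
    ("Headers", r"(.*)", None, None),
    ("SSO Login", r"v1/login$", "/ibmcognos/sso/cisapi/bi/v1/login", None),
    ("Legacy SSO", r"(v1/disp(/.*)?)", "/ibmcognos/sso/cisapi/bi/{R:1}", None),
    ("ReverseProxyInboundRule1", r"(^$)|(^v1(/.*)?)|(^[^/]+\.jsp)",
     "http://ca-host:9300/bi/{R:0}", None),
    ("Event Studio", r"^(ags|cr1|prompting|ccl|common|skins|ps)/(.*)",
     "/ibmcognos/{R:0}", r"v1/disp"),
]

# Constructed misconfiguration: the proxy rule moved above the two SSO rules.
MISORDERED = [RULES[0], RULES[3], RULES[1], RULES[2], RULES[4]]


def route(path, rules=RULES, referer=""):
    """Return (rule name, rewritten URL) for a path relative to /ibmcognos/bi/."""
    for name, pattern, target, referer_pattern in rules:
        # Assumption: "Ignore case" is left checked on every rule.
        match = re.search(pattern, path, re.IGNORECASE)
        if not match:
            continue
        if referer_pattern and not re.search(referer_pattern, referer, re.IGNORECASE):
            continue
        if target is None:
            continue  # action "None": sets server variables, evaluation goes on
        # Expand {R:n} back-references from the rule pattern's capture groups.
        url = re.sub(r"\{R:(\d+)\}",
                     lambda ref: match.group(int(ref.group(1))) or "", target)
        return name, url  # "Stop processing" ends evaluation here
    return None, path  # no rule rewrote the request


def uses_windows_auth(path, rules=RULES):
    """True when the request is handed to the sso application (step 7)."""
    return route(path, rules)[1].startswith("/ibmcognos/sso/")
```

With the rules in the listed order, `v1/login` and `v1/disp` requests reach the sso application; in the constructed misordered list the same login request matches the proxy pattern first and never passes through Windows Authentication.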

shekark

@ GrumbleNuts Thank you for sharing the information.

We did the same steps as mentioned and tried to log in to CA 11 via a non-domain user (i.e., as a local user). As expected, a dialog box popped up asking for the credentials, and they were provided. After a while, the login page of CA shows up asking for the credentials again with a message below saying "Please type your credentials for authentication". Screenshots attached. (The zip archive contains SSO_1.jpg and SSO_2.jpg)

Any leads on how to resolve this would be helpful.

Cheers,
Shekar K

hmw

I also have 3 environments up and running and agree with the steps outlined by GrumbleNuts. The only thing I would add is we need to add the site to the Local intranet. We had to add that because we are using the FQDN. Otherwise we will always get prompted even though everything was configured correctly.