
11.0.6 Invalid login response with SSO Login URL Rewrite rule

Started by Bluefyre, 12 Apr 2017 09:06:58 AM


Bluefyre

I am having issues with the URL Rewrite rule from the optional gateway tier instructions for IIS labeled SSO Login. I need it for our MotioCAP SSO, but when that rule is enabled, all I get is an error that says Invalid login response. With it disabled I can get to the namespace selection screen and can log into other configured namespaces.

Anyone seen this error? Nothing is getting logged in cogserver.log


tontonfa

Hi,

I am facing the same issue using Windows Server 2016 and IIS 10. Based on my discussion with IBM support, the problem could come from IIS 10 (not officially supported yet...).

I tested the same SSO configuration on IIS 8.5 and everything is ok.

Bluefyre


Vgamer

I am using IIS 8 and get the same error. The only thing I can do for now is to disable the URL Rewrite and use the Legacy SSO. It's so annoying; I've tried fresh installs and using the classic cognosisapi.dll, no luck. Please keep us posted. I need this too!

Bluefyre

I had to go to 11.0.5 to get things working. I too tried the classic cognosisapi.dll, which I would have preferred so as to not change the URLs for our other web applications that connect to Cognos, but that just crashes the App Pool in IIS. I am really hating Cognos 11. Nothing but problems with every new update.

qshanley

I was able to get around the issue by disabling the SSO Login rewrite rule.

OS: Windows Server 2012R2
Cognos: v11R6
IIS: 8.5

Jeff H.

I noticed something that has to be configured on Windows Server 2012 and up:

At the server node in IIS you need to select Feature Delegation and check that these two values are set to read/write. On a fresh install they are not enabled by default.

Authentication - Windows: read/write
Module: read/write.

If these are not set up like this, SSO will not work.

===
Another thing to check is the Handler mappings for the SSO application folder. Sometimes the Cognos SSO entry reverts back to "disabled" - I haven't figured out what triggers that behaviour.

gohabsgo

Anyone gotten past this?

I've checked everything in this thread and others.

Can only get 11.0.6 running with the SSO Login rewrite rule disabled, otherwise Invalid Login Response.

Vgamer

Quote from: Jeff H. on 01 May 2017 07:44:31 AM
I noticed something that has to be configured on Windows Server 2012 and up:

At the server node in IIS you need to select Feature Delegation and check that these two values are set to read/write. On a fresh install they are not enabled by default.

Authentication - Windows: read/write
Module: read/write.

If these are not set up like this, SSO will not work.

===
Another thing to check is the Handler mappings for the SSO application folder. Sometimes the Cognos SSO entry reverts back to "disabled" - I haven't figured out what triggers that behaviour.

Well, I still have no luck either on this. I was able to enable the SSO Login Rewrite rule again. I did notice that my Authentication - Windows: read/write was set to Read Only.
Cognos SSO stays Enabled. I noticed if I check the INVOKE HANDLER and select any of those options it will give me INVALID LOGIN RESPONSE. However, the IBM setup says to uncheck that anyhow. But even with all REWRITE rules running I now have to log in with my AD Name and Password. So it was kind of a step forward for me.

gohabsgo

I was (finally) able to get this working.

I edited the default.htm and index.html in the ../webcontent folder with;

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">

With that set in both files I'm able to enable the SSO Login rewrite rules without this message showing up. 

My CAP SSO is working fine now as well.

I'm seeing light at the end of this dark 11.0.6 tunnel ;)

Hope this helps anyone out.

**Edit**
Also make sure that if this is an upgrade that you've updated the Gateway URI, Dispatcher URIs for gateway and Dispatcher URI for external applications to the correct 11.0.6 verbiage
**

Vgamer

Well, after following all the steps and even using the CA_IIS_CONFIG batch file, it seems the webserver I have been setting up to use did not have Trusted Delegation on the Domain Controller. So now the SSO works on IE, just not on Chrome, but that may be a separate issue I'm sure. But all is well. Thanks for everyone's input on this. It helped.

thomassikic

Hi,

I'm also facing an issue with SSO since the install of R6 (truth to be said, the install of R6 went so wrong we had to uninstall and reinstall...).

My issue looks a bit different to yours, as I don't face an invalid login response but the error "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."

I tried to enable Read/Write in feature delegations, to update default.htm and index.html using "<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">" but still it doesn't work.

I worked with IBM support two hours ago and their idea was to look around security on the Analytics installation folder, which I can understand even though it was working fine before on R5 and is also working fine on our testing R6 environment without granting any specific permission... Still, even granting full permission to everyone doesn't fix the issue.
Any suggestion / feedback on this would be much appreciated,

Thomas.

srinisundar_1967

Quote from: gohabsgo on 15 May 2017 01:30:44 PM
I was (finally) able to get this working.

I edited the default.htm and index.html in the ../webcontent folder with;

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">

With that set in both files I'm able to enable the SSO Login rewrite rules without this message showing up. 

My CAP SSO is working fine now as well.

I'm seeing light at the end of this dark 11.0.6 tunnel ;)

Hope this helps anyone out.

**Edit**
Also make sure that if this is an upgrade that you've updated the Gateway URI, Dispatcher URIs for gateway and Dispatcher URI for external applications to the correct 11.0.6 verbiage
**

Could you please elaborate on the modification you have done in index.html and Default.htm under <Cognos Install>/Webcontent folder?
Cognos SSO handler mapping is configured for <Cognos Install>/cgi-bin/cognosisapi.dll. Also the name of the mapping is cisapi and the description Cognos SSO. So should the entry be

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cisapi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">
.

Also we have the distributed environment content manager server, application dispatcher server and the optional gateway server. I understand we need to change only at Gateway tier.

It would be great if you could clarify on this.

nmcdermaid

Did you ever sort out your 403 error? I have the same issue.

I'm suspicious that I'm missing files and that the install failed.

403 means "does not have permission to view the web page". This is a frequently misleading error. It usually actually means that it can't find a useful file in the folder to run (rather than being related to security in any way).

For example, my url eventually redirects to

http://server/ibmcognos/bi

and gets a 403 error.

But if you type:

http://server/ibmcognos/bi/propertiesSample.html

It will actually run this html file no worries (no 403 error!)

The 403 happens because it can't find a file so it tries to directory browse, but it's not allowed to, so it fails with a 403.


So I suspect it's an installation failure in this case. I'm going to try my third reinstall now.

nmcdermaid

An update on the 403 error: It looks like my 'Reverse Proxy' rule was incorrect. After a great deal of fiddling about I got past this error. If I disable the Reverse proxy rule, the 403 error comes back.

The reverse proxy rule is the one that actually shifts the URL from the IIS gateway on port 80 to the native Cognos URL on port 9300.

My latest issue is that the web page just stays blank for a few minutes then finally shows a C11 error that says:

       Account information Error
       Cannot get users account information!



Looking at the network tab in F12 tools, there's a lot of page download activity, downloading the same pages over and over.

I can see I am now getting a 441 error on page http://server:90/IBMCognos/bi/v1/identity

Cognos KB indicates 441 is a Kerberos type issue. But I do have singleSignOnOption set so I don't know why this is an issue.

(Note I had to run this on a different port as Cognos 10 is using IBMCognos)

mrcool


nmcdermaid

Sorry, no. We have an installation specialist who will now be doing a clean install. This stuff is impossible to fix or troubleshoot. The usual advice is "start again and do exactly what's listed in the instructions" (which are unfortunately often incomplete or incorrect).


Boksberger

Hey All,

It seems we're all having a baptism by fire experience with SSO and 11.0.6 ;)

After spending the last couple days of trying to coax IIS (8.5) and CA (11.0.6) to play well, I think I finally got the invalid response issue resolved for my client:

In IIS, under the SSO application, Authentication, there is a setting for Windows Authentications on the right panel called 'Providers'.

In my list, it showed Negotiation and NTLM underneath. I moved NTLM above Negotiation and restarted the services; I no longer get this ridiculously vague and unhelpful error.

Hope IBM gets with the program and starts providing logs that humans can read. Tableau is eating your lunch because they make it easy. Nothing you do is easy, ever. Everything requires a caveat.


nmcdermaid

I really appreciate you returning and documenting this little piece of the puzzle. I completely agree that IBM are losing the plot here. It's a complex system so fair enough, installation is complex but at least provide useful troubleshooting information because when we run into these errors we have no recourse for troubleshooting. For most other platforms if you google you'll find something of use but IBM is just a black hole.

Not to mention, five years later, tm1 / BI integration is still a black art.

Boksberger

100% agreed nmcdermaid, I could rant for a while on IBM and Cognos (especially C11).

Noticed in another thread you said your issue was resolved with the invalid login response. Were there any smoking guns or just a more 'thorough' implementation?


nmcdermaid

Our install specialist says he has it working. The install I'm working on here is still not functioning. I'm starting a new install on a new VM next week; I'll let you know how I go.

TomCognos

Have a look at the tech note

https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html

The last step. Step 7. I enabled Windows authentication on the SSO directory and still had issues. Finally I went up one level in IIS to the cognosanalytics virtual directory (ibmcognos in the tech note) and double-clicked Authentication there too, and Windows authentication was disabled there as well. Enabled it and it all worked.
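
Two of the checks reported in this thread (whether Windows Authentication is enabled at every level above the SSO application, and the provider order in effect) can be read offline from a copy of applicationHost.config. The script below is an added example, not code from any poster or from IBM; the site and application names in the sample and the function name `windows_auth_report` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of applicationHost.config; the site and
# application names are assumptions, not values taken from the thread.
SAMPLE = """<configuration>
  <location path="Default Web Site/ibmcognos">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/ibmcognos/sso">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <providers><clear /><add value="Negotiate" /><add value="NTLM" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>"""

WIN_AUTH = "system.webServer/security/authentication/windowsAuthentication"

def windows_auth_report(config_xml, app_path):
    """Walk from the site down to app_path; report the explicit setting at each
    level and the provider order in effect (only <location> blocks are read)."""
    explicit = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        node = loc.find(WIN_AUTH)
        if node is not None:
            explicit[loc.get("path", "").lower()] = node
    levels, providers = [], []
    parts = app_path.split("/")
    for i in range(1, len(parts) + 1):
        path = "/".join(parts[:i])
        node = explicit.get(path.lower())
        enabled = None  # None: nothing set at this level, the value is inherited
        if node is not None:
            if node.get("enabled") is not None:
                enabled = node.get("enabled").lower() == "true"
            prov = node.find("providers")
            if prov is not None:
                if prov.find("clear") is not None:
                    providers = []  # <clear/> drops the inherited list
                providers += [a.get("value") for a in prov.findall("add")]
        levels.append((path, enabled))
    return {"levels": levels, "providers": providers,
            "disabled_at": [p for p, e in levels if e is False]}

if __name__ == "__main__":
    print(windows_auth_report(SAMPLE, "Default Web Site/ibmcognos/sso"))
```

On the constructed sample the report shows the SSO application enabled while its parent virtual directory is explicitly disabled, the situation described in the post above.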


Rajesh_Vanam

Hi,

In my case we have two web servers. With the IIS auto configuration utility provided by IBM (http://www-01.ibm.com/support/docview.wss?uid=swg22000097), SSO is working fine on one web server on 11.0.6 FP1. Strangely, we got 'Invalid Login Response' on web server 2. We copied all the IIS configuration files (C:\Windows\System32\inetsrv\config) from the working server and it's working fine now.


Regards,
Rajesh Vanam

nehaleo03

I have been working with the IBM support team for more than 3 weeks on this issue and they are unable to resolve it. I tried every option in this blog but none helped me. Can someone tell me what should be the AD entry in Cognos configuration? I have attached the AD entry I am using. I used the same entry for 10.2.2 and SSO was working fine. I am getting the message "Invalid login response".

fktran1

On a sandbox server, I've upgraded Cognos on every release and successfully implemented several SSO methods. However, I started getting this error and I couldn't fix it even after trying several ideas. My guess is that there is an issue with IIS.

Anyway, I started over on a new environment and SSO worked on my first attempt by using the following guide:

https://www.ibm.com/communities/analytics/cognos-analytics-blog/automatic-configuration-of-ibm-cognosanalytics-gateway-on-microsoft-internet-information-service/