IBM Support

How to enable Single Signon in a multi domain environment using Active Directory

Technote (troubleshooting)


Problem(Abstract)

How to enable Single Signon in multiple domain environment using Active Directory

Symptom

If customer tries to use an LDAP namespace, then this can only connect to a single domain (not entire Active Directory forest).


Resolving the problem

In order to setup SSO in a multi-domain Active Directory environment, follow these steps:

1. Launch "Cognos Configuration"

2, Create a new namespace

3. Make sure that this is set to "Active Directory" (not LDAP)
4. Use the root domain as the hostname
5. Locate "Advanced properties" and click edit/modify button

6. Enable either 'ChaseReferrals' or 'MultiDomainTrees'.

TIP:

  • ChaseReferrals - This will allow users from 'child' domains (i.e. domains below the domain that your namespace is connected to) to logon
    • This is often the best choice (for performance reasons).
  • MultiDomainTrees - Allows users from ALL domains (inside the forest) to logon
    • If you are unsure where your users will be located, 'MultiDomainTrees' can be the best option (to ensure that all users are able to logon, wherever they are located).
    • However, this means that searches will traverse the entire forest, leading to performance slowdowns.

Once you have chosen, add one of the following entries:
  • chaseReferrals: True
  • multiDomainTrees: True

TIP: For more information, see attached document "KB 1041799 - ChaseReferrals and multiDomainTrees.pdf".

6. Decide on whether to use NTLM ("REMOTE_USER") or KERBEROS authentication.

If you want to use NTLM/REMOTE_USER, then also add the following entry:
  • singleSignOnOption: IdentityMapping

Do not use this entry if you want to use Kerberos (which is the preferred option for many environments).

7. Perform a test on this namespace to make sure a connection can be made
8. Restart the service

TIP: Take care to ensure that users can access their content in Cognos Connection prior to removing an existing LDAP type namespace. If we are recognising them as new users their content will need to be migrated to the accounts under Active Directory.

Document information

More support for: Cognos Business Intelligence
Install and Config

Software version: 8.4.1, 10.1.1, 10.2, 10.2.1, 10.2.2

Operating system(s): Windows

Reference #: 1340833

Modified date: 17 February 2017


Translate this page: