Enabling single sign-on to CRN or Cognos secured against Active Directory

Technote (troubleshooting)


Problem(Abstract)

Single Signon (SSO) from Windows users to ReportNet or Cognos configured to authenticate against an Active Directory through the Active Directory Authentication Provider (AD AP) is achievable in two different ways. This document briefly describes both approaches and lists the exact prerequisites for implementing them successfully.

The task, however, is challenging and mainly requires Microsoft Windows security knowledge rather than Cognos knowledge. For more detailed information and step-by-step instructions, refer to the documents listed in the Related Information section below.

Symptom

No error message, but Single Signon fails: users are prompted for authentication information, and the user name may be pre-set in the form DOMAIN\USER.


Cause

Depending on the scenario, one or more prerequisites are not met.

Environment

ReportNet or Cognos running on Windows

Authentication Source: Active Directory
Web server: Microsoft IIS 5.x, 6.x or 7.x


Resolving the problem

Once a user connects their Internet Explorer browser to IIS, the browser passes their Windows credentials to the web server. The web server authenticates the user and is then able to pass the user's credentials on. Through a Gateway or Dispatcher component, the authentication information is eventually passed down to the Cognos security layer, which resides with the Content Manager component. There, an Active Directory authentication provider can be configured to handle authentication.


By default, Cognos' Active Directory Authentication Provider uses Microsoft's implementation of the Kerberos protocol to obtain authentication information and authenticate the user. With Kerberos, delegated authentication in turn enables Cognos to pass the user's credentials on to other services; this is leveraged when connecting to Microsoft SQL Server Analysis Services, for example. In addition, Kerberos is considered the most secure way of integrating with Windows security. Using Kerberos adds some prerequisites to the setup and inherits some restrictions from it as well.

If you do not or cannot use the Microsoft Kerberos protocol, the Active Directory provider can be configured to obtain authentication information from the HTTP CGI standard environment variable REMOTE_USER instead.

This still allows single signon to the Cognos environment, as the user name is passed down, but prevents Cognos from impersonating the user through delegated authentication: Cognos cannot pass the user's credentials on to other services, because only a user name is obtained. This makes single signon to Microsoft SQL Server Analysis Services impossible, as that requires a user name and password or Kerberos information. However, other signon methods based on the 'external' Active Directory Namespace are still possible.

For details about Configuring Data Sources for Microsoft Analysis Services, refer to the Administration and Security Guide, Chapter 5.
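The two paths described above are visible from the client side: IIS announces the schemes it is configured for in its 401 challenge, and a Kerberos single signon leaves a service ticket for HTTP/<fqdn> in the client's ticket cache, whereas an NTLM fallback or a Basic/Digest prompt does not. The following PowerShell diagnostic is an added example and is not part of this technote or of the Cognos product; it assumes a domain-joined Windows client with the built-in klist tool (Windows 7 / 2008 R2 and later), and the gateway URL is a placeholder.

```powershell
# Added diagnostic, not part of the IBM technote: ask the gateway which HTTP
# authentication schemes IIS offers, then make one single-signon request and check
# whether the client obtained a Kerberos service ticket for HTTP/<fqdn> or fell
# back to NTLM. Assumptions: domain-joined Windows client with klist; URL is a placeholder.
param([string]$GatewayUrl = "http://server.company.com/cognos8/cgi-bin/cognos.cgi")

# Anonymous request: with Anonymous Access disabled, IIS answers 401 and lists its
# configured schemes in one WWW-Authenticate header per scheme.
function Get-OfferedAuthSchemes([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $false
    try {
        $resp = $req.GetResponse(); $resp.Close()
        return @()                                   # no challenge: still anonymous
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($null -eq $resp) { throw }
        $values = $resp.Headers.GetValues("WWW-Authenticate")
        $resp.Close()
        if ($null -eq $values) { return @() }
        # "Negotiate", "NTLM", "Basic realm=..." -> keep the scheme name only
        return @($values | ForEach-Object { ($_ -split ' ')[0] })
    }
}

# Single-signon request with the logged-on user's Windows credentials (what IE does
# for a Local Intranet site), followed by a look at the Kerberos ticket cache.
function Test-KerberosSignon([string]$Url) {
    $hostName = ([uri]$Url).Host
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
    $cache = (klist 2>&1) -join "`n"
    $hasTicket = $cache -match ('(?i)Server:\s+HTTP/' + [regex]::Escape($hostName))
    return [pscustomobject]@{ Host = $hostName; HttpStatus = $status; KerberosTicket = $hasTicket }
}

$schemes = @(Get-OfferedAuthSchemes $GatewayUrl)
"Schemes offered by IIS: " + $(if ($schemes.Count) { $schemes -join ', ' } else { 'none - Anonymous Access is still enabled' })
if ($schemes.Count -and $schemes -notcontains 'Negotiate') {
    "  Negotiate is not offered, so IIS cannot do Kerberos; only NTLM, Basic or Digest (the REMOTE_USER scenario) remain."
}
$r = Test-KerberosSignon $GatewayUrl
"SSO request to $($r.Host): HTTP $($r.HttpStatus)"
if ($r.KerberosTicket) {
    "  Kerberos service ticket HTTP/$($r.Host) is in the cache: Scenario 1 delegation is possible."
} else {
    "  No HTTP/$($r.Host) ticket: the client fell back to NTLM or was prompted. Re-check the fully qualified URL, the browser zone settings and the IIS Kerberos prerequisites in Scenario 1."
}
```

Run it from the same client that shows the symptom, using exactly the URL the users type: a short host name in the URL is one of the cases listed in Scenario 1 that makes the browser fall back to NTLM, and this script reproduces that difference.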


Scenario 1: Single Signon based on Microsoft Kerberos with an IIS web server

  1. Establish a Realm in IIS
    For the Cognos virtual directories configured as described in "Configure the Web Server" in Chapter 6 of the Installation and Configuration Guide, enable Windows Integrated Authentication and disable Anonymous Access on the IIS Web server.
  2. Make sure the following prerequisites are met:

    General

    + The Active Directory targeted for authentication must be running in native mode.

    TIP: To verify, check the domain properties in the Microsoft Active Directory - Users and Computers console.

    + The Active Directory may also be running in Mixed mode, as long as the authenticating Domain Controller is running AD/Kerberos rather than an NTLM BDC. If the Active Directory is running in native mode, this is true by default.

    + None of the computers participating in the authentication (web server, CM computer, client computer) is in the Internet Zone according to the user's Microsoft IE browser security settings.

    + The web server computer is in the Trusted or Local Intranet zone according to the user's Internet Explorer security settings.

    + All the computers participating in the authentication are time synchronized, or within a skew of 5 minutes.

    + All URLs specified in Cognos Configuration and in the users' browsers use the fully qualified domain naming scheme. For example:

    http://server.company.com/Cognos will work
    http://servername/Cognos may cause issues


    IIS Web Server

    + The IIS web server is running on a computer which is part of a domain within the same forest as the Active Directory Server targeted for authentication.

    + The IIS web server uses HTTP keep-alives, as these are required for Kerberos to work.

    + The IIS web server is correctly configured to support Kerberos authentication. NTLM will work for SSO but will cause issues in multi-domain setups and prevents impersonation.

    + If IIS is running as the Local System or Network Service account, then the computer account of the machine IIS is running on has the trusted for delegation property set.

    + If IIS is running as a domain account, that account has the trusted for delegation property set.

    TIP: To verify, check the account properties in the Microsoft Active Directory - Users and Computers console.


    Content Manager component:

    + Content Manager is installed on a computer which runs Windows Server 2003 or Windows Server 2008. Note: Technically, Content Manager may be installed on Windows XP as well, but there are known issues in Microsoft's Kerberos implementation which may hinder stability. Microsoft itself does not consider XP a server OS and will only fix Kerberos issues if they are reproducible on a server OS as well. This has officially been stated to Cognos, and hence we exclude Windows XP to prevent customers from getting trapped.

    + Content Manager is installed on a computer which is a member of a domain within the same forest as the Active Directory Server targeted for authentication.

    + If Content Manager is running as the Local System or Network Service account, then the computer account has the trusted for delegation property set.

    + If Content Manager is running as a domain account, that account has the trusted for delegation property set.

    TIP: To determine the account Content Manager is running as, go to Computer Management -> Services and look at the value in the "Log On As" column of the "Cognos ..." service entry.


    Users

    + All users which will authenticate to the IIS and eventually Cognos are members of domains within the same forest as the Active Directory Server targeted for authentication.

    + Additional properties may need to be configured for the Active Directory authentication provider if users come from a different domain than the Active Directory Server targeted for authentication; see step 3.

    + All users which will authenticate to the IIS and eventually Cognos must not have the "Account is sensitive and cannot be delegated" setting enabled.

    TIP: To verify, check the account properties in the Microsoft Active Directory -> Users and Computers console.

    + All the users accessing the web server and eventually Cognos use a supported Microsoft Internet Explorer browser and have the Enable Integrated Windows Authentication setting enabled.

    TIP: To verify, check Internet Options -> Advanced tab -> Security section.

  3. On each Content Manager component in the system, configure an Active Directory namespace and point it at the Active Directory Server targeted for authentication, at any Domain Controller in the same forest, or at the domain name only to leverage the Windows built-in DNS based failover, provided the required advanced properties chaseReferrals and/or multiDomainTree are set.

    For details see section "Configure an Active Directory Namespace" in the Cognos Installation and Configuration Guide.

  4. Start the Microsoft Internet Explorer browser, enter the fully qualified URL of the Cognos Gateway and hit Enter.
    If prompted, select the Active Directory Namespace.

    You will now be authenticated automatically.
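The prerequisites in step 2 are mostly flags in Active Directory and settings in IIS, and each can be read with a script instead of through the MMC consoles the TIPs refer to. The following PowerShell checker is an added example, not part of this technote or of the Cognos product. It assumes it is run on the IIS computer as a domain user with read access to Active Directory, an IIS 7.x installation with the WebAdministration module (on IIS 5.x/6.x the IIS settings must still be checked in the IIS console), and it uses placeholder names for the Domain Controller, the virtual directory path and the IIS, Content Manager and user accounts; these are passed as parameters.

```powershell
# Added prerequisite checker for Scenario 1 (not part of the IBM technote). It reads the
# Active Directory flags and IIS settings the checklist in step 2 asks for and reports
# PASS/FAIL per item. Assumptions: run on the IIS computer as a domain user; IIS 7.x with
# the WebAdministration module; all names below are placeholders.
param(
    [string]$DomainController = "dc1.company.com",
    [string]$IisSitePath      = "IIS:\Sites\Default Web Site\cognos8",
    # sAMAccountName of the account IIS runs as: the computer account ("WEB01$") when IIS
    # runs as Local System/Network Service, otherwise the domain service account.
    [string]$IisPrincipal     = "$env:COMPUTERNAME`$",
    # Same for the Content Manager service ("Log On As" column in Services)
    [string]$CmPrincipal      = "CM01$",
    [string[]]$Users          = @("jdoe")
)

$TRUSTED_FOR_DELEGATION = 0x80000    # userAccountControl bit: "Trusted for delegation"
$NOT_DELEGATED          = 0x100000   # userAccountControl bit: "Account is sensitive and cannot be delegated"

$results = New-Object System.Collections.ArrayList
function Add-Check([string]$Check, [bool]$Passed, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# userAccountControl of a user or computer object, looked up by sAMAccountName via ADSI
# (no RSAT module needed)
function Get-UacFlags([string]$SamAccountName) {
    $searcher = [adsisearcher]"(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    $r = $searcher.FindOne()
    if ($null -eq $r) { return $null }
    return [int]$r.Properties["useraccountcontrol"][0]
}

# 1. Clock skew: Kerberos tolerates at most 5 minutes between the participating computers
$w32 = (w32tm /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1) -join "`n"
$m = [regex]::Match($w32, '([+-]\d+\.\d+)s')
if ($m.Success) {
    $skewMin = [math]::Abs([double]$m.Groups[1].Value) / 60
    Add-Check "Clock skew to $DomainController within 5 minutes" ($skewMin -le 5) ("{0:N2} min" -f $skewMin)
} else {
    Add-Check "Clock skew to $DomainController" $false "w32tm gave no offset: $w32"
}

# 2. "Trusted for delegation" on the IIS and Content Manager principals
foreach ($p in @{ "IIS" = $IisPrincipal; "Content Manager" = $CmPrincipal }.GetEnumerator()) {
    $uac = Get-UacFlags $p.Value
    if ($null -eq $uac) { Add-Check "$($p.Key) principal $($p.Value) exists in AD" $false "not found"; continue }
    Add-Check "$($p.Key) principal $($p.Value) is trusted for delegation" (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0) ("userAccountControl=0x{0:X}" -f $uac)
}

# 3. Users must not carry "Account is sensitive and cannot be delegated"
foreach ($u in $Users) {
    $uac = Get-UacFlags $u
    if ($null -eq $uac) { Add-Check "User $u exists in AD" $false "not found"; continue }
    Add-Check "User $u can be delegated" (($uac -band $NOT_DELEGATED) -eq 0) ("userAccountControl=0x{0:X}" -f $uac)
}

# 4. IIS: Anonymous Access off, Windows authentication on with Negotiate (Kerberos), keep-alives on
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    function Get-IisBool([string]$Filter, [string]$Name) {
        $v = Get-WebConfigurationProperty -PSPath $IisSitePath -Filter $Filter -Name $Name
        if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
    }
    $auth = 'system.webServer/security/authentication'
    Add-Check "Anonymous Access disabled on $IisSitePath" (-not (Get-IisBool "$auth/anonymousAuthentication" enabled)) ""
    Add-Check "Windows Integrated Authentication enabled" (Get-IisBool "$auth/windowsAuthentication" enabled) ""
    $providers = @((Get-WebConfiguration -PSPath $IisSitePath -Filter "$auth/windowsAuthentication/providers").Collection | ForEach-Object { $_.value })
    Add-Check "Negotiate (Kerberos) provider offered, not only NTLM" ($providers -contains 'Negotiate') ($providers -join ', ')
    Add-Check "HTTP keep-alives enabled" (Get-IisBool 'system.webServer/httpProtocol' allowKeepAlive) ""
} else {
    Add-Check "IIS settings" $false "WebAdministration module not available (IIS 5.x/6.x: check in the IIS console instead)"
}

$results | Format-Table -AutoSize
```

The two userAccountControl bits are the attribute values behind the "Trusted for delegation" and "Account is sensitive and cannot be delegated" check boxes in Active Directory Users and Computers, so a FAIL on items 2 or 3 maps directly to the TIPs above. Forest membership and the browser zone settings are not covered by the script and still have to be verified as described in the list.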


--------------------------------------------------------------------------------------------------------------------------------------------------------

Scenario 2: Single Signon Using REMOTE_USER with an IIS webserver

1. Establish a Realm in IIS

For the Cognos virtual directories configured as described in "Configure the Web Server" in Chapter 6 of the Installation and Configuration Guide, enable any of the supported authentication methods on the IIS Web server.


2. Make sure the following prerequisites are met:

General

+ All URIs specified in Cognos Configuration and in the users' browsers use the fully qualified domain naming scheme. For example:

http://server.company.com/Cognos8 will work
http://server/Cognos8 may cause issues

+ All users which will authenticate to the IIS and eventually Cognos are members of domains within the same forest as the Active Directory Server targeted for authentication.

Note: Additional properties may need to be configured for the Active Directory authentication provider if users come from a different domain than the Active Directory Server targeted for authentication; see step 3.

+ All the users accessing the web server and eventually Cognos use a supported browser and can successfully authenticate to the web server with the configured method.


IIS Web Server

+ The IIS web server is running on a computer which is part of a domain within the same forest as the Active Directory targeted for authentication.

Content Manager component

+ Content Manager is installed on a computer which runs Windows XP, Windows Server 2003 or Windows Server 2008.

+ Content Manager is installed on a computer which is a member of a domain within the same forest as the Active Directory Server targeted for authentication, or within a forest that has a full trust to that forest.


3. On each Content Manager component in the system, configure an Active Directory namespace and point it at the Active Directory Server targeted for authentication, at any Domain Controller in the same forest, or at the domain name only to leverage the Windows built-in DNS based failover, provided the required advanced properties chaseReferrals and/or multiDomainTree are set.

For details see section "Configure an Active Directory Namespace" in the Cognos Installation and Configuration Guide.

+ In addition to those steps, an advanced property needs to be set using Cognos Configuration to disable the use of Microsoft Kerberos for single signon, as follows:

+ In the Explorer window, under Security, Authentication, click the Active Directory namespace.
+ Click in the Value column for Advanced properties and then click the edit button.
+ In the Value - Advanced properties window, click Add.
+ In the Name column, type singleSignonOption (case sensitive).
+ In the Value column, type IdentityMapping (case sensitive).
+ Click OK.
+ Save the configuration and restart the service for the setting to take effect.

TIP: To switch back to Kerberos delegation, edit Advanced properties again and either delete the property or in the Value column, type KerberosAuthentication.


4. Start Microsoft Internet Explorer Browser and enter the URL of the Cognos Gateway.

+ If IIS was configured for Basic or Digest Authentication, you will be prompted by IIS for authentication. Provide valid credentials and hit Enter.

+ If IIS was configured for Integrated Windows Authentication, you will not be prompted for credentials. If prompted by Cognos 8 to select a Namespace, select the Active Directory Namespace.

You will now be authenticated to Cognos automatically.

WARNING: Cross Forest scenarios (XForest), such as users in Forest 1 while Content Manager runs in Forest 2 and similar, are currently NOT tested by Cognos. However, the Cognos AD authentication provider will detect XForest setups in ReportNet 1.1 RTM, MR1, MR2 and MR4 and in Cognos. In summary, XForest will work as far as it is supported by ADSI in those releases.

Related information

Cognos Proven Practices: The Active Directory Story
IBM Cognos Business Intelligence Installation and Conf


Cross reference information
Segment Product Component Platform Version Edition
Business Analytics Cognos Business Intelligence Install and Config

Historical Number

1032392


Document information


More support for:

Cognos Business Intelligence
Security

Software version:

8.3, 8.4, 8.4.1, 10.1, 10.1.1, 10.2, 10.2.1

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:

1341889

Modified date:

2010-08-09
