IBM Support

'CAM-AAA-0135 - The user is already authenticated' when launching Controller, caused by IIS (web server) application pool running under an invalid Windows user account

Troubleshooting


Problem

User launches Controller. User receives error message. After acknowledging the first error, they get a second error.

Symptom

Initial error:

    Log On Controller
    Cognos 8
    CAM-AAA-0135
    The user is already authenticated in all available namespaces.

After clicking OK, this is followed by:
    Error
    The user currently logged in is not authorized to use this method.

Cause

There are several possible causes for this problem.

  • TIP: For many more examples, see separate IBM Technote #1346138.

This Technote specifically relates to the scenario where the cause is that the IIS (web server) application pool is running under an invalid Windows user account.

More Information
The Cognos "Gateway" runs as part of an application pool in Windows 2003. Depending on the configuration of this webserver, it may need further permissions in addition to allowing CGI (or ISAPI) scripting.
  • By default, the application pool runs under the account "Network Service". In most cases, this works OK. However, the customer's Active Directory security policies may not allow this, and deny the service from running.

Environment

This issue does not occur in all environments. Instead, it seems to only occur in certain customer environments - perhaps where their Active Directory policies are particularly restrictive.

Resolving The Problem

Change the setting of "Application Pool Identity"

  • TIP: In some environments changing to "Local System" will fix the problem, however in other environments it must be changed to the Controller COM+/service account (e.g. "<DOMAIN>\<Controller_service>").

Steps:
  1. Logon to the 'gateway' server. TIP: For most small-medium Controller environments, this is normally the same as the Controller 'application' server
  2. Right-click on "My Computer" and choose "Manage"
  3. Expand "Internet Information Services" - "Application Pools"
  4. Right-click on "DefaultAppPool" and choose "properties"
  5. Click on "Identity" tab
  6. Change "Application Pool Identity" from default ("Network Service") to either "Local System" or "<DOMAIN>\<Controller_service>"
  7. Reboot gateway server

[{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"8.5.1;8.5;8.4;8.3","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Historical Number

1034561

Document Information

Modified date:
15 June 2018

UID

swg21371017

Page Feedback