IBM Support

Error message when logging into Controller: AAA-AUT-0013 / CAM-AAA-0135 The user is already authenticated

Troubleshooting


Problem

User launches Controller. User receives error message.

Symptom

CAM-AAA-0135
The user is already authenticated in all available namespaces.



TIP: In some environments (for example later/newer versions of Controller), the error message may mention 'AAA-AUT-0013' instead of 'CAM-AAA-0135'.

Cause

This Technote specifically relates to the scenario where the error is occurring during the initial Controller client launch/logon phase.
  • TIP: If you get the problem intermittently when inside Controller, then see separate IBM Technote #1971884.

There are many different potential causes for this error message. For example:
 
Scenario #1 - (LIKELY) - Users are trying to login to a (newly-connected) Controller database that has come from a different system
All users affected - no user can successfully logon
  • Example A - This other ('source') system also used Cognos (CAM) security, but it was configured to have a different value for its 'namespace' name (different from the 'target' system's value). In other words, the new (target) environment had a different namespace (defined inside the program Cognos Configuration, inside the section 'Security - Authentication') compared with the original (source) environment.
  • Example B - The new (target) environment is using a new Content Store database, therefore the user's CAMIDs are new (different from the source system)
 
Scenario #2 - (LIKELY) - User has not been correctly configured inside the security system
Specifically, the user is not a member of the relevant built-in Cognos user group(s) ('Controller Administrator' and/or 'Controller Users')
  • See separate IBM Technote #1346666 for more details.
In this scenario, you may find that many users can successfully logon. Some (or perhaps only one) user gets the error message. The 'bad' user(s) are not a member of the Cognos security group 'Controller Users' (located inside 'Cognos Connection') and/or have not been correctly defined ('mapped') inside the Controller program itself.
 
Scenario #3 - (RARE) - The I.T. administrator has recently changed the security from 'native' to 'Cognos' (also known as "CAM")...
...but has not configured it correctly.
In this scenario, all users will be affected - no user can successfully logon
  • See separate Technote #1346666 (or 1393515) for more details.
 
Scenario #4 - (RARE) - IIS webserver has a misconfigured 'application pool identity'
All users affected. No users can logon
  • See separate Technote #1371017 for more details.
 
Scenario #5 - Controller client on a Citrix/Terminal Server which has Internet Explorer enhanced security enabled
This can occur even if the security (inside 'Controller Configuration') is set to 'native'
By default, IE enhanced security can block the Controller client from communicating (to the application server) via HTTP
 
Scenario #6 - (RARE) - Administrator has moved the Controller Users and Controller Administrators roles from the root of the Cognos namespace to a sub-folder
 
Scenario #7 - Memory leaks in Controller 8.2/8.3/8.4/8.5 causing the Cognos 8 BI service to slowly fail
For more information on these memory leaks, see separate IBM Technotes #1347915 & #1365078.
In this scenario, when you logon to Cognos Connection and browse the Active Directory namespace, the AD namespace will appear 'corrupted'
In other words, many of the AD folders (containers) that you can see inside the Microsoft tool do *not* appear when you browse from inside the namespace (in http://servername/cognos8)
For example, you will see 'strange' subfolders, and inside them the entire Active Directory itself will appear!
This is stopping the BI service from locating some/all of the end users inside the namespace.
Scenario #8 - Incorrect 'Dispatcher URI' setting inside "Report Server" section of Controller configuration
  • See separate IBM Technote #1594161
 
Scenario #9 - Invalid "Allow Anonymous Access" setting inside Cognos Configuration
  • See separate IBM Technote #1427502.
Scenario #10 - Cognos BI server is set to be a non-English (e.g. German) configuration, and the Controller Configuration has not been changed/updated to reflect this.
Scenario #11 - Extra 'space(s)' after the comma, inside the section 'Server Authentication' - 'User Groups', for example:
Scenario #12 - Limitation (reference APAR PI94496) of Controller, when used with Cognos Analytics (CA) if all of the following are true:
  • Controller configured to use Native authentication
  • CA is using anonymous authentication
  • CA is using the default settings inside its 'logoff.xts' file
TIP: For more details, see separate IBM Technote #2013912
 
Scenario #13 - Limitation of Controller, when used with Cognos Analytics (CA) if all of the following are true:
  • Controller configured to use CAM authentication
  • Controller configured to use Single Sign On (SSO)
  • CA is using the default settings inside its 'logoff.xts' file
  • CA is using the default settings for SSO, where 'SSO Login' is enabled
TIP: For more details, see separate IBM Technote #0884136
++++++++++++++++++++++++++++++++++++++

This IBM Technote article shall mainly focus on Scenarios #1 and #2, although there is help/references for the other scenarios.

Environment

Controller has been configured to use 'Cognos 8' security (as opposed to the default 'Native' security), which means that (during the logon process) Controller asks the Cognos 8 reporting system whether the Cognos 8 user has sufficient permissions to logon to Controller. If there is any problem with this authentication process, it will give this error.

Resolving The Problem

Scenario #1 - Modify the Controller database's XCAMUSER table, so that the current (new) configuration namespace matches the one stored in the database.
  
Example A (less likely) - This other ('source') system also used Cognos (CAM) security, but it was configured to have a different value for its 'namespace' name (different from the 'target' system's value). In other words, the new (target) environment had a different namespace (defined inside the program Cognos Configuration, inside the section 'Security - Authentication') compared with the original (source) environment.
  • For details on how to fix this, see separate IBM Technote #0998204.
  
Example B (more likely) - The new (target) environment is using a new Content Store database, therefore the user's CAMIDs are new (different from the source system)
  • For details on how to fix this, see separate IBM Technote #0998344.
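A diagnostic for Scenario #1, as an added example (not IBM code and not taken from the referenced Technotes): it classifies stored user mappings against the target system, separating Example A (different namespace) from Example B (same namespace, CAMID unknown to the target). The `CAMID("namespace:...")` layout, the sample rows and every function name are assumptions; the real pairs have to be exported from XCAMUSER and from the target Cognos system first.

```python
import re
from collections import Counter

# Assumed CAMID layout: CAMID("<namespace id>:<object path>")
CAMID_RE = re.compile(r'^CAMID\("(?P<ns>[^":]*):(?P<rest>[^"]*)"\)$')


def namespace_of(camid):
    """Return the namespace part of a CAMID, or None if it does not parse."""
    m = CAMID_RE.match(camid.strip())
    return m.group("ns") if m else None


def classify(mappings, target_namespace, target_camids):
    """mappings: (controller_user, stored_camid) pairs exported from XCAMUSER.
    target_camids: set of CAMIDs that exist in the target Cognos system."""
    report = {}
    for user, camid in mappings:
        ns = namespace_of(camid)
        if ns is None:
            report[user] = "unparseable"
        elif ns != target_namespace:
            report[user] = "namespace-mismatch"        # Scenario #1, Example A
        elif camid.strip() not in target_camids:
            report[user] = "camid-unknown-in-target"   # Scenario #1, Example B
        else:
            report[user] = "ok"
    return report


def summary(report):
    """Count users per status; 'all users affected' shows up as zero 'ok'."""
    return Counter(report.values())


# Constructed sample data (hypothetical users, namespaces and IDs)
SAMPLE_MAPPINGS = [
    ("ADM", 'CAMID("OLDNS:u:1111")'),
    ("JSMITH", 'CAMID("NEWNS:u:2222")'),
    ("KLEE", 'CAMID("NEWNS:u:9999")'),
    ("BROKEN", "NEWNS:u:3333"),
]
SAMPLE_TARGET_CAMIDS = {'CAMID("NEWNS:u:2222")', 'CAMID("NEWNS:u:3333")'}

if __name__ == "__main__":
    rep = classify(SAMPLE_MAPPINGS, "NEWNS", SAMPLE_TARGET_CAMIDS)
    for user, status in rep.items():
        print(f"{user:8} {status}")
    print(dict(summary(rep)))
```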
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scenario #2 - Ensure that:
  • the 'bad' user is a member of the Cognos 8 group 'Controller Users'
  • the 'bad' user has been correctly defined ('mapped') inside Controller
Steps:
1. Ensure that the 'bad' user is a member of the Cognos Analytics (Cognos BI) role 'Controller Users'
  • TIP: See attached 'Proven Practice' document 'Configuring Controller 8.2 to use Active Directory authentication', especially pages 11 to 13.
2. Ensure that the 'bad' user has been correctly defined inside Controller
  • TIP: See attached 'Proven Practice' document 'Configuring Controller 8.2 to use Active Directory authentication', especially page 15.
Scenario #3 - Launch Cognos Connection and reconfigure the memberships to ensure that all relevant users (especially the Controller super-user) are defined inside the groups 'Controller Administrator' or 'Controller Users' as appropriate
If necessary, delete the information inside the XCAMUSER table which stores the associations between Controller 'native' and Cognos 8 users. Afterwards, log back into the Controller itself and re-configure the Controller native users to be associated to the correct Cognos 8 namespace users.
  • See separate Technote #1346666 for full details
  • Separate Technote #1371371 is helpful too.
 
Scenario #4 - Modify the settings for the 'Application Pool Identity'
  • See separate Technote 1371017 for full details
 
Scenario #5 - Disable the use of Internet Explorer enhanced security configuration, and ensure that the 'Report Server' URL (for example http://repsvr.domain.com/) is inside MS Internet Explorer's 'trusted zone' for the end user
For steps, see Proven Practices website (http://www.ibm.com/developerworks/data/library/cognos/cognosprovenpractices.html) document 'How to install the Controller 8.4 client on a user's PC'
  • Also refer to separate Technote article #1347752.
 
Scenario #6 - Inside Cognos Connection, move the Controller roles (from the sub-folder) back to the 'default' location (under the root of the Cognos namespace).
  
Steps:
1. Logon to Cognos Connection
2. Open the section "Administer Cognos Content"
3. Select 'Security'
4. Select the 'Cognos' namespace
5. Select the sub-folder where the 'Controller Administrators' and 'Controller Users' roles have been placed/moved to
6. Select the roles 'Controller Administrators' and 'Controller Users', and choose 'Move'
7. Move them into the root of 'Cognos'
  
Scenario #7:
As a workaround, get a short period of downtime and reboot the Cognos 8 BI report server to release the memory
As a long-term fix, upgrade to the latest version of Controller (for example 10.1 onwards).
Scenario #8 - See separate IBM Technote #1594161
Scenario #9 - See separate IBM Technote #1371017
Scenario #10 - Add the non-English translations for "Controller Users" and "Controller Administrators" (e.g. for German they are "Controller-Benutzer" & "Controller-Administratoren") into "Controller Configuration - Server Authentication".
  • For more information, see separate IBM Technote #1591717
 
Scenario #11 - Remove extra space(s) inside the 'User Groups' section in 'Controller Configuration'
  • See separate IBM Technote #1988695
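A check for the 'User Groups' value covering Scenarios #10 and #11, as an added example (not IBM code): it flags entries with stray spaces around the comma and role names missing for the Cognos BI server's language. It assumes the value is a single comma-separated string copied out of Controller Configuration; the function names and sample values are hypothetical, and only the English and German role names given on this page are included.

```python
# Role names per Cognos BI language; only the two languages named on this page.
ROLE_NAMES = {
    "en": ("Controller Users", "Controller Administrators"),
    "de": ("Controller-Benutzer", "Controller-Administratoren"),
}


def lint_user_groups(value, bi_language="en"):
    """Return (code, position, detail) findings for a 'User Groups' value.
    Assumption: the value is one comma-separated string."""
    findings = []
    raw = value.split(",")
    for pos, entry in enumerate(raw, start=1):
        if not entry.strip():
            findings.append(("EMPTY", pos, entry))
        elif entry != entry.strip():
            # Scenario #11: space(s) before or after the comma
            findings.append(("SPACE", pos, entry))
    present = {e.strip() for e in raw}
    for role in ROLE_NAMES[bi_language]:
        if role not in present:
            # Scenario #10: role name for the BI server language is absent
            findings.append(("MISSING_ROLE", None, role))
    return findings


def normalise(value):
    """Return the value with surrounding spaces and empty entries removed."""
    return ",".join(e.strip() for e in value.split(",") if e.strip())


# Constructed sample values
BAD_VALUE = "Controller Administrators, Controller Users"
GOOD_DE_VALUE = ("Controller Administrators,Controller Users,"
                 "Controller-Administratoren,Controller-Benutzer")

if __name__ == "__main__":
    for finding in lint_user_groups(BAD_VALUE, bi_language="de"):
        print(finding)
    print(normalise(BAD_VALUE))
```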
Scenario #12 - See separate IBM Technote #2013912
Scenario #13 - See separate IBM Technote #0884136


Historical Number

1024688

Document Information

Modified date:
23 July 2020

UID

swg21346138