IBM Support

When using Kerberos Single Sign-on (SSO) with Active Directory in Cognos, user is prompted for credentials

Troubleshooting


Problem

When trying to access the Cognos URL from IBM Enterprise Records administration client, the user receives a Windows Security dialog followed by an error.

Symptom

After completing all of the steps needed to set up Kerberos Single Sign-on (SSO) with Active Directory in Cognos using the Microsoft IIS 7.5 Web server, the user is prompted for credentials when trying to access, for example:

http://MyReportServer.MyDomain.com/ibmcognos/

After the correct credentials are entered, the user receives a 401 unauthorized error.
For more detailed information, refer to the documents listed in the Related Information section.

Cause

Duplicate SPN entries were created when Kerberos authentication was set up in IIS 7.0/7.5. In these versions, the user no longer needs to worry about the correlation between HTTP Service Principal Names (SPNs) and the application pool identity that was required in IIS 6.0. The following sections illustrate an example of a duplicate SPN issue.

Environment

Cognos 10.1 running on Windows Server 2008 R2
Authentication Source: Active Directory
Web server: Microsoft IIS 7.x

Resolving The Problem

In the following example "MyReportServer.MyDomain.com" is the Cognos server/host.

+ Review the following setting in IIS Admin console for Kerberos authentication in IIS 7.0/7.5:

> Navigate to the Configuration Editor at the location "ibmcognos/cgi-bin" level and validate the following settings under the Management section:

    system.webServer > security > authentication > windowsAuthentication

* Verify that the "useAppPoolCredentials" value is set to "false".

+ Check for duplicate SPNs for the desired Cognos-based URL by entering a command similar to the following:

C:\Users\Administrator>setspn -f -q */MyReportServer

You should receive output similar to the following output:

Checking forest DC=MyDomain,DC=com
CN=MyDomainUser,CN=Users,DC=MyDomain,DC=com
HTTP/MyReportServer
HTTP/MyReportServer.MyDomain.com
CN=MYREPORTSERVER,CN=Computers,DC=MyDomain,DC=com
WSMAN/MyReportServer
WSMAN/MyReportServer.MyDomain.com
TERMSRV/MYREPORTSERVER
TERMSRV/MyReportServer.MyDomain.com
RestrictedKrbHost/MYREPORTSERVER
HOST/MYREPORTSERVER
RestrictedKrbHost/MYREPORTSERVER.MyDomain.com
HOST/MYREPORTSERVER.MyDomain.com
Existing SPN found!

The two HTTP entries registered to MyDomainUser in the preceding output (highlighted in the original document) are an example of duplicate SPNs. These duplicate entries prevent you from getting the correct credentials and cause the submission to fail with a 401 unauthorized error.

+ If duplicate SPNs exist, the instances need to be removed as shown in the following example:

C:\Users\Administrator>setspn -d http/MyReportServer.MyDomain.com MyDomainUser

Unregistering ServicePrincipalNames for CN=MyDomainUser,CN=Users,DC=MyDomain,DC=com
http/MyReportServer.MyDomain.com
Updated object

C:\Users\Administrator>setspn -d http/MyReportServer MyDomainUser

Unregistering ServicePrincipalNames for CN=MyDomainUser,CN=Users,DC=MyDomain,DC=com
http/MyReportServer
Updated object

+ Check for duplicate SPNs again with the same command. You should receive a response similar to the following example:

C:\Users\Administrator>setspn -f -q */MyReportServer

Checking forest DC=MyDomain,DC=com
CN=MYREPORTSERVER,CN=Computers,DC=MyDomain,DC=com
WSMAN/MyReportServer
WSMAN/MyReportServer.MyDomain.com
TERMSRV/MYREPORTSERVER
TERMSRV/MyReportServer.MyDomain.com
RestrictedKrbHost/MYREPORTSERVER
HOST/MYREPORTSERVER
RestrictedKrbHost/MYREPORTSERVER.MyDomain.com
HOST/MYREPORTSERVER.MyDomain.com
Existing SPN found!

+ No more duplicate SPNs.

The user now gets authenticated to Cognos automatically.
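
The duplicate check from the steps above, as an added PowerShell example (not part of the IBM technote or IBM's code): it parses "setspn -q" output and reports HTTP SPNs registered to an account other than the one that holds the HOST SPN for the same name. The function names Get-SpnOwner and Find-ConflictingHttpSpn are hypothetical, and the sample input is constructed from the output shown on this page.

```powershell
# Constructed sample, taken from the setspn output shown on this page.
# On a live system use instead: $lines = setspn -f -q */MyReportServer
$lines = @'
Checking forest DC=MyDomain,DC=com
CN=MyDomainUser,CN=Users,DC=MyDomain,DC=com
HTTP/MyReportServer
HTTP/MyReportServer.MyDomain.com
CN=MYREPORTSERVER,CN=Computers,DC=MyDomain,DC=com
WSMAN/MyReportServer
HOST/MYREPORTSERVER
HOST/MYREPORTSERVER.MyDomain.com
Existing SPN found!
'@ -split "`r?`n"

function Get-SpnOwner {
    # Hypothetical helper: turn setspn -q output into one record per SPN.
    param([string[]]$Lines)
    $account = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()                                        # live output indents SPN lines
        if ($line -match '^CN=') { $account = $line; continue }    # an account DN starts a group
        if ($account -and $line -match '^([^/\s]+)/([^/\s:]+)') {  # service/host[:port]
            New-Object PSObject -Property @{
                Account  = $account
                Service  = $Matches[1].ToUpperInvariant()
                HostName = $Matches[2].ToLowerInvariant()
                Spn      = $line
            }
        }
    }
}

function Find-ConflictingHttpSpn {
    # Report HTTP SPNs held by an account other than the holder of HOST/<same name>.
    param([string[]]$Lines)
    $records = @(Get-SpnOwner -Lines $Lines)
    $hostOwner = @{}
    foreach ($r in $records | Where-Object { $_.Service -eq 'HOST' }) { $hostOwner[$r.HostName] = $r.Account }
    foreach ($r in $records | Where-Object { $_.Service -eq 'HTTP' }) {
        if ($hostOwner.ContainsKey($r.HostName) -and $hostOwner[$r.HostName] -ne $r.Account) {
            New-Object PSObject -Property @{
                Spn = $r.Spn; RegisteredTo = $r.Account; HostAccount = $hostOwner[$r.HostName]
            }
        }
    }
}

Find-ConflictingHttpSpn -Lines $lines | Select-Object Spn, RegisteredTo, HostAccount | Format-List
```

Each reported SPN is a candidate for the "setspn -d" removal shown in the steps above; confirm that no other service depends on the registration before deleting it.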


Document Information

Modified date:
17 June 2018

UID

swg21659267