Integrated login between BI an TM1

[vladkon]

We are testing new versions of TM1 (10.2.2 FP1) and BI (10.2.2) installations. Authentication is through BI gateway (on a separate BI server). TM1 users can successfully login by entering user and password from relevant AD namespace, but integrated login is not working in architect and perspectives. tm1s.cfg is configured with:
SecurityPackageName=NTLM
IntegratedSecurityMode=5
Integrated login is checked in client options. Any ideas what else could be wrong?

[LutherPaul]

I think you should use Kerberos.

# Valid values are:
# * Kerberos (default) - Windows 2000 or later.
# * NTLM - Older Windows installations, such as Windows NT.
SecurityPackageName=Kerberos

[vladkon]

Thanks. Changed:
SecurityPackageName=Kerberos
In BI config deleted:
singleSignonOption IdentityMapping
Still no integrated login...

[tomok]

You're yet another victim of the confusing terminology in TM1. In Architect and Perspectives, the "Integrated Login" checkbox actually means single sign-on, whereby you can just double-click on a server and be authenticated (assuming you have logged in with a Windows ID that matches the UniqueID attribute of a client on that server). In order for this to work you have to choose Security Mode 2. Security Mode 5 is for using the BI definition of integrated login which really means using CAM, integrated with AD so that you get challenged with your Windows credentials when logging in. You don't get automatically let in like single sign-on, you still have to log in again, you just get to use the same ID and password from AD.

In your case, since you are using Mode 5, you SHOULD NOT have the integrated login box checked in Architect and Perspectives.

[lotsaram]

You don't get automatically let in like single sign-on, you still have to log in again, you just get to use the same ID and password from AD.

Not true. It is possible to configure CAM + AD Namespace for SSO which behaves (from the point of view of the end user) just like traditional windows integrated login in TM1. Of course being a product of Cognos & IBM there are one hell of a lot more moving parts and potential breakage points to get it to work, but it does work.

We are testing new versions of TM1 (10.2.2 FP1) and BI (10.2.2) installations. Authentication is through BI gateway (on a separate BI server). TM1 users can successfully login by entering user and password from relevant AD namespace, but integrated login is not working in architect and perspectives.

No, when using CAM you don't have integrated login selected in tm1p settings. To get SSO working you need to make sure that all the Cognos gateway parameters are set correctly in tm1s.cfg and you have to follow exactly the documentation on configuring an IIS web service for the Cognos gateway to capture the kerberos credentials and bouncing this back to tomcat. (2 additional properties need to be manually added in congos configuration as well). If these extra steps aren't done then SSO won't work you will just have users re-entering their AD user name and password.

Going CAM does mean all the client IDs will change, which for an existing application is a bit of a migration exercise but not a massive job.

[vladkon]

1. tried to uncheck integrated login in client options - no change
2. bi and tm1 should be configured according to manual but obviously something is missing.
here are the settings in tm1p.cfg:

ServerCamURI = http://biservername:9300/p2pd/servlet/dispatch
ClientCAMURI = http://biservername:80/ibmcognos/cgi-bi ... sisapi.dll

on biserver I can login to cognos connections with sso, but trying to login from terminal server asks for user and password. so I guess it should be something in getway or cognos configuration on bi server..

lotsaram - can you advise which properties should be added to cognos configuration?

[lotsaram]

1/ Did you set up an Cognos BI IIS application pool?
2/ In cognos configuration did you add the advanced property "singleSignOnOption" to the AD namespace?

Without these extra steps you will have "single sign on" in the limited sense that user enters same user name and password that they use for logging on to the network but you won't get single click through authentication in the true sense of single sign on.

[PlanningDev]

I believe there is also a setting on the BI Configuration for setting the default namespace. Its blank by default and I remember somewhere having trouble getting SSO to work without setting that. May want to take a look.

[dkleist]

Check for firewalls between terminal server and BI server gateway - sometimes those strip out the tokens for authentication.

Check that the bi gateway is on the list of local intranet sites in IE - otherwise, again, token is stripped out and you'll get prompted.

First test for integrated security should be opening Internet Explorer from TM1 server and from terminal server and point to the BI gateway. If you get prompted, you have to fix that before getting integrated security working for TM1

[vladkon]

1. BI application pool is configured, returned back SingleSignonOption.
2. BI getway machine added to trusted sites on TM1 machine.
3. Getway namespace in BI configuration environment is changed to the name of AD namespace - I think this is the one meant by default namespace?
It is the same as I wrote earlier - I am able to login sso on BI getway machine but not on TM1 server. The problem is the same when attempting to login to cognos connections from explorer on TM1 machine - have to key in user and password.
dkleist - What do you mean by checking firewalls - software firewalls on one of the machines? If so Firewall is off for domain..