Trouble setting up integrated login in TM1 10.2

Post Reply
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

Hi everyone,

We are in the mid of migrating from TM1 10.1.1 to 10.2.2, and testing the waters for security without Cognos BI runtime or CAM. Our main goals is to enable SSO via AD, and applying group based security rights on cubes, dimensions and processes. I am testing Integrated security on the TM1 server box itself, so Admin Host, TM1 Server and Architect, all are installed and being used on the same box for now.

I have updated my cfg file as follows, and restarted the server.

SecurityLogging=F
SecurityPackagename=Kerberos
IntegratedSecurityMode=2
Servername=finance

In Architect, I am able to log on without enabling Integrated login (checkbox) using default admin credentials. But when I enable integrated security, I am getting the "SystemServerClientNotFound' error message.

I have looked at this technote from IBM, but no luck, http://www-01.ibm.com/support/docview.w ... wg21974502, as well as this thread, http://www.tm1forum.com/viewtopic.php?t=2310, and followed what Paul suggested, but I keep getting the above error message. And, as mentioned in the above forum thread, I haven't used ETLDAP tool to import all AD users. Not sure if that is a mandatory step.

Going back to the IBM technote (above), one of the points I am confused about how to form my UniqueID. With CAM security, logged on users were formed as "domain\user" format in }Clients dimension, while I am trying to form the UniqueID as "user@doman". Not sure if this has something to do with the error I am getting.

EDIT: I have tried couple combinations to form domain & user name, including "user@domain", "domain\user" in the }ClientProperties Cube, but no luck so far. domain refers to what I see as the output of systeminfo | findstr /B /C:"Domain" command, and what is displayed in the properties of My Computer. TM1 server is running under the context of a domain user, tm1admin@domain.

Appreciate help from the experts.

Thanks
Kaz
Thanks,

Kaz
tomok
MVP
Posts: 2831
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by tomok »

The user name from TM1 is meaningless as far as what needs to be in the UniqueID field in the }ClientProperties cube. As long as the value in that field matches a valid user from the domain then it will authenticate the user, assuming of course that the user is logged into the workstation with that ID in the domain. Basically, the UniqueID field is nothing more than a lookup value. When you attempt to login with intergrated login set in TM1, it takes your currently logged in ID from the domain and matches that against all the UniqueID values in the |ClientProperties cube. If it finds a match then it accepts you as the TM1 User specified by the corresponding element in the }Clients dimension.

Please be aware that domains are case sensitive. If my user ID in the domain is Fred.Smith and the domain is MyCompany.com then my UniqueID in the }ClientProperties cube must be Fred.Smith@MyCompany.com. Fred.Smith@MYCOMPANY.COM will not work, nor will Fred.Smith@mycompany.com. The domain must match exactly.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

tomok wrote: Wed Aug 16, 2017 5:08 pm The user name from TM1 is meaningless as far as what needs to be in the UniqueID field in the }ClientProperties cube. As long as the value in that field matches a valid user from the domain then it will authenticate the user, assuming of course that the user is logged into the workstation with that ID in the domain. Basically, the UniqueID field is nothing more than a lookup value. When you attempt to login with intergrated login set in TM1, it takes your currently logged in ID from the domain and matches that against all the UniqueID values in the |ClientProperties cube. If it finds a match then it accepts you as the TM1 User specified by the corresponding element in the }Clients dimension.

Please be aware that domains are case sensitive. If my user ID in the domain is Fred.Smith and the domain is MyCompany.com then my UniqueID in the }ClientProperties cube must be Fred.Smith@MyCompany.com. Fred.Smith@MYCOMPANY.COM will not work, nor will Fred.Smith@mycompany.com. The domain must match exactly.
Thanks Tom, for detailing it out.

I have checked with my network team, and updated the rule on }ClientProperties cube to match that to the UPN as that's the distinct user ID across AD. My rule now gives me a value in user@domain.com.au matching the UPN, for example, fred.smith@domain.com.au. But, still does not work! Is it not working because, right now, in my }Clients dimension, there is not entry Fred Smith, and I need to first import users from LDAP and then try integrated login?

Thanks
Kaz
Thanks,

Kaz
User avatar
gtonkin
MVP
Posts: 1192
Joined: Thu May 06, 2010 3:03 pm
OLAP Product: TM1
Version: Latest and greatest
Excel Version: Office 365 64-bit
Location: JHB, South Africa
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by gtonkin »

HI Kaz,
Try running the whoami command from the command prompt. This should return your username in the format <domain>\<user> e.g. acme\george
I then have a rule to derive UniqueID by joining Client to the domain to keep things simple:

Code: Select all

SKIPCHECK;
[UniqueID]=S:!}Clients|'@acme';
FEEDERS;
The above would derive the UniqueID as george@acme. Your clients should be created to align to the domain account - in my case I would have a client called "george"

In days gone by, there were some issues relating to the SPN - have a look at this article as a start-there are numerous others.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

gtonkin wrote: Thu Aug 17, 2017 6:41 am HI Kaz,
Try running the whoami command from the command prompt. This should return your username in the format <domain>\<user> e.g. acme\george
I then have a rule to derive UniqueID by joining Client to the domain to keep things simple:

Code: Select all

SKIPCHECK;
[UniqueID]=S:!}Clients|'@acme';
FEEDERS;
The above would derive the UniqueID as george@acme. Your clients should be created to align to the domain account - in my case I would have a client called "george"

In days gone by, there were some issues relating to the SPN - have a look at this article as a start-there are numerous others.
Thanks gtonkin. I have tried to form the UniqueID using user@domain and using domain name from whoami. Does not work. I was hoping that it does not go the SPN path as it could turn out to be a pain in the neck. I've asked my network admin to set up SPN for me as mentioned in the tech note you sent (thanks for this).

In the last part of your post, you said that clients should be set up aligned to the domain account. Did you mean creating users in AD? Where will the clients be created? Sorry lost you there.

Thanks
Kaz
Thanks,

Kaz
User avatar
gtonkin
MVP
Posts: 1192
Joined: Thu May 06, 2010 3:03 pm
OLAP Product: TM1
Version: Latest and greatest
Excel Version: Office 365 64-bit
Location: JHB, South Africa
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by gtonkin »

kaazimraza wrote: Thu Aug 17, 2017 7:19 am ...In the last part of your post, you said that clients should be set up aligned to the domain account. Did you mean creating users in AD? Where will the clients be created? Sorry lost you there...
Users should already be configured in AD - you should be creating them in TM1 with the same user name (to keep things simple) - If the TM1 client and the AD names differ, you may need to do what I have done on one of my systems:
-Create two measures in }ClientProperties -> Signon and Domain (non-standard-keep track for upgrades)
-Change your rule to derive the UniqueID by joining the values of these two with the @ symbol between them
-Populate Signon and Domain as required

If you have users from a single domain, you may only want to add the Signon measure and hard-code domain-up to you.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

And, do you know the preferred format of user & domain name for setting SPN for tm1s? I say that because I have different formats;

- my admin server & tm1 server are running under the user tm1admin@domain.local
- my whoami results in domain\myusername
- my upn (whoami -upn) gives me myusername@domain.com.au

Which one of the above would be the valid form?

Thanks
Kaz
Thanks,

Kaz
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

gtonkin wrote: Thu Aug 17, 2017 7:27 am
kaazimraza wrote: Thu Aug 17, 2017 7:19 am ...In the last part of your post, you said that clients should be set up aligned to the domain account. Did you mean creating users in AD? Where will the clients be created? Sorry lost you there...
Users should already be configured in AD - you should be creating them in TM1 with the same user name (to keep things simple) - If the TM1 client and the AD names differ, you may need to do what I have done on one of my systems:
-Create two measures in }ClientProperties -> Signon and Domain (non-standard-keep track for upgrades)
-Change your rule to derive the UniqueID by joining the values of these two with the @ symbol between them
-Populate Signon and Domain as required

If you have users from a single domain, you may only want to add the Signon measure and hard-code domain-up to you.
Means, I need to import them into TM1 using ETLDDAP? I thought, in one of the forums posts that I read here, that we can skip the step of manually importing users into TM1? Or perhaps, that is only true for Integrated Mode 3? With Integrated Mode 2, do we need to import users into TM1?
Thanks,

Kaz
User avatar
gtonkin
MVP
Posts: 1192
Joined: Thu May 06, 2010 3:03 pm
OLAP Product: TM1
Version: Latest and greatest
Excel Version: Office 365 64-bit
Location: JHB, South Africa
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by gtonkin »

...And, do you know the preferred format of user & domain name for setting SPN for tm1s? I say that because I have different formats;...
Hard to say for sure but I generally use the domain returned from a plain whoami without any parameters.
...Means, I need to import them into TM1 using ETLDDAP? I thought, in one of the forums posts that I read here, that we can skip the step of manually importing users into TM1? Or perhaps, that is only true for Integrated Mode 3? With Integrated Mode 2, do we need to import users into TM1?..
AFAIK, this only applies to CAM but may stand to be corrected-all my LDAP/AD deployments required adding the clients who would actually need access-I always go the route of creating a CSV of relevant users and import that, rather than trying to import the AD/LDAP/Other server.

The other thing worth mentioning is that in my Domain measure (or in the rule), the Domain is always uppercase e.g. ACME rather then Acme or acme.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

gtonkin wrote: Thu Aug 17, 2017 8:48 am
...And, do you know the preferred format of user & domain name for setting SPN for tm1s? I say that because I have different formats;...
Hard to say for sure but I generally use the domain returned from a plain whoami without any parameters.
...Means, I need to import them into TM1 using ETLDDAP? I thought, in one of the forums posts that I read here, that we can skip the step of manually importing users into TM1? Or perhaps, that is only true for Integrated Mode 3? With Integrated Mode 2, do we need to import users into TM1?..
AFAIK, this only applies to CAM but may stand to be corrected-all my LDAP/AD deployments required adding the clients who would actually need access-I always go the route of creating a CSV of relevant users and import that, rather than trying to import the AD/LDAP/Other server.

The other thing worth mentioning is that in my Domain measure (or in the rule), the Domain is always uppercase e.g. ACME rather then Acme or acme.
Thanks a lot gtonkin, it's working now. I had to
- Establish my user (windows user name with no domain) in the }Clients dimension.
- Update the rule to form UniquIeD using domain from whoami. My uniqueID looks like windowsusername@domain.

I am able to log on to TM1 without having enter my credentials, so that's great. However TM1Web is giving me grief. I have tried several combinations, including the client ID I added into }Clients (windows user name), as well as the UniqueID ( windowsusername@domain) but none of it works. I am getting a Login Failed message. Any idea what's going on ?

Thanks
Kaz
Thanks,

Kaz
User avatar
gtonkin
MVP
Posts: 1192
Joined: Thu May 06, 2010 3:03 pm
OLAP Product: TM1
Version: Latest and greatest
Excel Version: Office 365 64-bit
Location: JHB, South Africa
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by gtonkin »

I think you are going to require lots of patience if you head down this road.
There are two options AFAIK:
1) Single Signon
2) Integrated login

The two are not synonymous - Single Signon allows you to authenticate with your windows credentials i.e. type in your userid and password.
Integrated Login is the seemless click through where the magic happens in the background.

Single Signon is what is fairly easy to configure, Integrated Login requires some "hacks"

Have a look at this thread http://www.tm1forum.com/viewtopic.php?f=3&t=13112 it references the DeveloperWorks site with the workaround for Integrated Login

Also found this thread from a few years ago: TM1 Web 10.2 Integrated Login Kerberos setup deals with Single Signon.

Good Luck!
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

gtonkin wrote: Fri Aug 18, 2017 8:38 am I think you are going to require lots of patience if you head down this road.
There are two options AFAIK:
1) Single Signon
2) Integrated login

The two are not synonymous - Single Signon allows you to authenticate with your windows credentials i.e. type in your userid and password.
Integrated Login is the seemless click through where the magic happens in the background.

Single Signon is what is fairly easy to configure, Integrated Login requires some "hacks"

Have a look at this thread http://www.tm1forum.com/viewtopic.php?f=3&t=13112 it references the DeveloperWorks site with the workaround for Integrated Login

Also found this thread from a few years ago: TM1 Web 10.2 Integrated Login Kerberos setup deals with Single Signon.

Good Luck!
Hi gtonkin,

Hope you had a good weekend. I need a bit more of luck with TM1Web & Integrated Security, as TM1Web is an absolute mess right now.
I went through the IBM technote (https://www.ibm.com/developerworks/comm ... .2.2%20FP2) with TM1WebSSO.zip file and followed all the steps, but in vain. With TM1WebSSO, I am getting the following errors;
Errror in JSON file
Error: 87)TM1APIDOTNET Exception: - The specified server is not found


Error in TM1WebSSO\logs\tm1websso.log
2017-08-21 10:28:17,040 [7] ERROR Applix.TM1.API.Internal._TM1Main - Failed attempt to connect to host [Server_With_AdminHost] on port [5498] with SSLCertID [tm1adminserver]5495, 5498 Message [TM1APIDOTNET Exception: - System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The function requested is not supported]

2017-08-21 10:28:19,103 [7] ERROR Applix.TM1.API.Internal._TM1Main - Failed attempt to connect to host [Server_With_TMWeb_And_SSO] on port [5498] with SSLCertID [tm1adminserver] Message [TM1APIDOTNET Exception: - System.Net.Sockets.SocketException (0x80004005): No connection could be made because the target machine actively refused it IP_OF_Server_With_TMWeb_And_SSO:5498]


If I update my tm1web_config.xml file to reference the above SSO by adding
<add key="TM1WebSSOUrl" value="http://devcog04.wesenergy.local/tm1websso/Login.aspx",
TM1Web login page starts acting weirdly, the login box appears for a split second and disappears, leaving a blank page.

If I take the above entry off, TM1Web Login page loads up, with the options of Native & Windows authentication, but I get a Login Failed, Try again message, if I enter my Windows user name, or Widows user name@domain, or any other domain & user name combination along with my password. My TM1 Web log has the following entry;
2017-08-18 13:50:35,621 [http-9510-2] ERROR () com.ibm.cognos.tm1.datasource.javaapi.TM1Connection - Exception Error: null
Stack Trace: java.lang.NullPointerException
at com.applix.tm1.TM1Server.PerformSingleSignOn(TM1Server.java:2628)
at com.applix.tm1.TM1Server.connectIntegrated(TM1Server.java:2466)
at com.applix.tm1.TM1Bean.openConnection(TM1Bean.java:267)
at com.ibm.cognos.tm1.datasource.javaapi.TM1Connection.openConnection(TM1Connection.java:94)
at com.ibm.cognos.tm1.web.services.TM1AppService.loginSeverEx(TM1AppService.java:330)
at com.ibm.cognos.tm1.web.services.TM1AppService.createServerSession(TM1AppService.java:308)
at com.ibm.cognos.tm1.web.services.TM1AppService.loginServer(TM1AppService.java:131)
at com.ibm.cognos.tm1.web.services.TM1Service.loginServerIntegrated(TM1Service.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.directwebremoting.impl.CreatorModule$1.doFilter(CreatorModule.java:229)
at com.ibm.cognos.tm1.web.services.dwr.DwrServiceFilter.doFilter(DwrServiceFilter.java:49)
at org.directwebremoting.impl.CreatorModule$1.doFilter(CreatorModule.java:223)
at com.ibm.cognos.tm1.web.services.dwr.LoggingFilter$1.invoke(LoggingFilter.java:34)
at com.ibm.cognos.tm1.web.services.logging.ServiceLogging.logServiceCall(ServiceLogging.java:33)
at com.ibm.cognos.tm1.web.services.logging.ServiceLogging.monitorCall(ServiceLogging.java:102)
at com.ibm.cognos.tm1.web.services.dwr.LoggingFilter.doFilter(LoggingFilter.java:32)
at org.directwebremoting.impl.CreatorModule$1.doFilter(CreatorModule.java:223)
at org.directwebremoting.impl.CreatorModule.executeMethod(CreatorModule.java:241)
at org.directwebremoting.impl.DefaultRemoter.execute(DefaultRemoter.java:379)
at org.directwebremoting.impl.DefaultRemoter.execute(DefaultRemoter.java:332)
at org.directwebremoting.dwrp.BaseCallHandler.handle(BaseCallHandler.java:104)
at org.directwebremoting.servlet.UrlProcessor.handle(UrlProcessor.java:120)
at org.directwebremoting.servlet.DwrServlet.doPost(DwrServlet.java:141)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:643)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:723)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.ibm.cognos.tm1.web.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:40)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.ibm.cognos.tm1.web.GzipFilter.doFilter(GzipFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:612)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503)
at java.lang.Thread.run(Thread.java:798
)
Thanks,

Kaz
User avatar
gtonkin
MVP
Posts: 1192
Joined: Thu May 06, 2010 3:03 pm
OLAP Product: TM1
Version: Latest and greatest
Excel Version: Office 365 64-bit
Location: JHB, South Africa
Contact:

Re: Trouble setting up integrated login in TM1 10.2

Post by gtonkin »

HI Kaz, I have not been down the road of Method 2-Integrated Login using the DevWorks method (I like what little sanity I have)
I would however make sure that Method 1 is configured and works.
From the error logs, what comes to mind is SSL certificate updates i.e. the ones replaced last year-did you replace everywhere required e.g. into
%TM1_INSTALL_DIR%\webapps\pmpsvc\WEB-INF\bin64\ssl
Did you update the Java keystore, the PMPSVC batch file etc. etc?
I have a batch file a can share that show the steps I used if you need.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

gtonkin wrote: Mon Aug 21, 2017 5:42 am HI Kaz, I have not been down the road of Method 2-Integrated Login using the DevWorks method (I like what little sanity I have)
I would however make sure that Method 1 is configured and works.
From the error logs, what comes to mind is SSL certificate updates i.e. the ones replaced last year-did you replace everywhere required e.g. into
%TM1_INSTALL_DIR%\webapps\pmpsvc\WEB-INF\bin64\ssl
Did you update the Java keystore, the PMPSVC batch file etc. etc?
I have a batch file a can share that show the steps I used if you need.
Hi gtonkin,

Thanks for the prompt reply. If memory serves me right, I did update all certs after TM1 10.2.2, on TM1 server box, Tm1 applications box and Tm1 clients. I reckon if there as a glitch with SSL certificate, then I'd have had a problem accessing TM1 from Architect, Excel and TM1Web. We don't use TM1Applications just yet, but I was able to access it. These logs have appeared only after I have started to play with Integrated Security. And, my TM1 CFG file has security mode = 2, not sure if that makes any different, and has to be set to 3.

For TM1Web SSO, to enable user log on without having to enter their passwords, this seems to be a hard nut to crack. I wonder if it works only on TM1 10.2.2 FP2, and nothing else.

Edit: And I would not say no the batch file offer; can you please send it to kaazimraza@gmail.com?
Thanks,

Kaz
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

Thanks gtonkin for all your help, appreciate.

I think I am going to stop probing this one now. I can't seem to configure SSO on TM1 10.2 Web with FP6. I tried the steps as described in this in this link https://www.ibm.com/developerworks/comm ... .2.2%20FP2 but no luck. When I try to use the special URL as mentioned in the end of this URL, I get Error: 87)TM1APIDOTNET Exception: - The specified server is not found, and other errors, which implies that either TM1 APis are not installed, or there is not communication between my web server and TM1 Admin server. Not sure what's wrong.
Thanks,

Kaz
BrianL
MVP
Posts: 264
Joined: Mon Nov 03, 2014 8:23 pm
OLAP Product: TM1
Version: 9.5.2 10.1 10.2 PA2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by BrianL »

Looking at the error message, port 5498 is the admin server port. Looks like the web sso component is trying (and failing) to connect to an admin server on the machine that's running TM1Web. If that's where you expect the admin server to be, check that there's no firewall blocking access.
kaazimraza
Posts: 95
Joined: Mon Jun 25, 2012 6:58 am
OLAP Product: TM1, SSAS, Power BI
Version: 10.2.2
Excel Version: 2016

Re: Trouble setting up integrated login in TM1 10.2

Post by kaazimraza »

BrianL wrote: Wed Aug 23, 2017 2:50 pm Looking at the error message, port 5498 is the admin server port. Looks like the web sso component is trying (and failing) to connect to an admin server on the machine that's running TM1Web. If that's where you expect the admin server to be, check that there's no firewall blocking access.
Hi Brian,

Apologies for delay in replying to your post. You are right, the error message suggests that the Web SSO component is expecting admin host to be on the same server as the Web Server, whereas I did specify the actual admin host server name in the AdminHost parameter in the test URL.

I opened all ports, inbound & outbound, on both TM1 Web Server as well as the actual Admin Host server, but no luck.

I've parked this for now, will take on this one end of September 2017, after we go live with TM 10.2.2.

Thanks
Kaz
Thanks,

Kaz
Post Reply