Server principal name (SPN) ... error message

Post Reply
kpk
MVP
Posts: 214
Joined: Tue Nov 11, 2008 11:57 pm
OLAP Product: TM1, CX
Version: TM1 7x 8x 9x 10x CX 9.5 10.1
Excel Version: XP 2003 2007 2010
Location: Hungary

Server principal name (SPN) ... error message

Post by kpk »

Hello,

One of our users gets the following error message at login (Integrated login implemented):

"Server principal name (SPN) or the security context of the destination server could not be established."

Some weeks ago she could log in without any problem.

Thanks for any tip to fix this in advance.
Regards,

Peter
Best Regards,
Peter
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Server principal name (SPN) ... error message

Post by Steve Rowe »

Not seen this message, could you post more detail on TM1 version number and her environment?
Technical Director
www.infocat.co.uk
kpk
MVP
Posts: 214
Joined: Tue Nov 11, 2008 11:57 pm
OLAP Product: TM1, CX
Version: TM1 7x 8x 9x 10x CX 9.5 10.1
Excel Version: XP 2003 2007 2010
Location: Hungary

Re: Server principal name (SPN) ... error message

Post by kpk »

Hello,

Server: 9.0 SP3.
Client: 8.4.3

-Login worked yesterday morning for her and did not work from yesterday afternoon.
-The user has not changed password.
-She restarted her PC since then.
-The connection limit for her: 100.
-There are other users who could not log in with the same message.
-There are other ACTIVE users without experiencing this issue.

Regards,

Peter
Best Regards,
Peter
kpk
MVP
Posts: 214
Joined: Tue Nov 11, 2008 11:57 pm
OLAP Product: TM1, CX
Version: TM1 7x 8x 9x 10x CX 9.5 10.1
Excel Version: XP 2003 2007 2010
Location: Hungary

Re: Server principal name (SPN) ... error message

Post by kpk »

Sorry,

The following information is not TRUE: "-There are other ACTIVE users without experiencing this issue."
The users cannot log in with the integrated mode.

Regards,

Peter
Best Regards,
Peter
User avatar
Steve Rowe
Site Admin
Posts: 2410
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: TM1 v6,v7,v8,v9,v10,v11+PAW
Excel Version: Nearly all of them

Re: Server principal name (SPN) ... error message

Post by Steve Rowe »

So you are using the integrated log in functionality? [EDIT : Sorry just seen this in your OP]

Sounds to me like something is broken on the IT security side, have you checked with IT that they have not changed anything to do with the active directory? I've never used the integrated log-in functionality but sounds to me like this a problem outside of TM1.
Cheers,
Technical Director
www.infocat.co.uk
User avatar
George Regateiro
MVP
Posts: 326
Joined: Fri May 16, 2008 3:35 pm
OLAP Product: TM1
Version: 10.1.1
Excel Version: 2007 SP3
Location: Tampa FL USA

Re: Server principal name (SPN) ... error message

Post by George Regateiro »

As of right now I do not have a fix, but when we see this generally it will allow the user in after a couple of tries to login. We will see this sporadically (it has been about 6 months since the last occurence).

Our network admins think they have narrowed it down to some sort of AD issue where it seems that TM1 gets confused about what domain controler it is looking at, but I get told that they are not going to tackle it until they begin their project to restructure our AD.

Though it was never an offical case logged I had spoken with one of the Tm1 support folks and was basically given they that is on your end answer. You might have better luck with them, but like the other posts have said I think you will find that it is a communication problem on your network.
Martin Erlmoser
Community Contributor
Posts: 125
Joined: Wed May 28, 2008 1:22 pm
OLAP Product: TM1, Cognos Express,..
Version: 9.1.4 FP1
Excel Version: 2010
Location: Vienna
Contact:

Re: Server principal name (SPN) ... error message

Post by Martin Erlmoser »

i hope you use a domain user as service account which is active? (not locked out or something like that)

i found another issue with integrated login here with 9.1 SP3 (sorry for abusing the thread)

domainuser old: u12345
changed to
domainuser new: u98765

deleted the tm1user u12345
created the tm1user u98765
unique id = u98765@domain

client says that the specified user does not exist.
created user u12345 again with unique id u12345@domain

domainuser u98765 can login automatically with tm1user u12345 which has the unique id u12345@domain

but the user u12345 doesn't exist in the domain, he has been deleted.

regards,
martin
User avatar
Chengooi
Posts: 64
Joined: Tue Jan 13, 2009 7:46 am
OLAP Product: TM1
Version: 9.4
Excel Version: 2003
Location: Auckland, New Zealand
Contact:

Re: Server principal name (SPN) ... error message

Post by Chengooi »

The problem occur when TM1 client had it's intergrated login turn on and it's computer was not logoff when the server services shut down, and re-started. TM1 server can not recognise the user session hence the error pop up.

To fix it:

1) advise the user to logoff his/her machine - if TM1 is scheduled to restart daily
or 2) client machine should not have TM1 integrated login switch on
or 3) schedule TM1 service re-start on the weekend only assuming user do not logoff his/her machine before the weekend kicks in. :P
The most wasted of all days is one without laughter.
e e cummings (1894-1962)
kpk
MVP
Posts: 214
Joined: Tue Nov 11, 2008 11:57 pm
OLAP Product: TM1, CX
Version: TM1 7x 8x 9x 10x CX 9.5 10.1
Excel Version: XP 2003 2007 2010
Location: Hungary

Re: Server principal name (SPN) ... error message

Post by kpk »

The solution was that the technical TM1 user password expired.
Thanks for your replies.
Best Regards,
Peter
markoskyblue
Posts: 1
Joined: Tue Jul 14, 2009 1:14 am
OLAP Product: TM1
Version: 9.4
Excel Version: 2007

Re: Server principal name (SPN) ... error message

Post by markoskyblue »

I'd been experiencing the same issue but have a different solution.

Check the time on the server which hosts TM1. Ours was 8 minutes ahead of the Primary Domain Controller. After changing the time (and doing a reboot) the problem was fixed.

The server time has for some reason been creeping ahead.
ItsPat
Posts: 7
Joined: Sat Sep 05, 2009 9:50 pm
OLAP Product: TM1
Version: 9.4
Excel Version: 2007

Re: Server principal name (SPN) ... error message

Post by ItsPat »

I just finished setting up Kerberos in 9.4.3 FP3. I was having issues setting it up getting the error "Server principal name (SPN) or the security context of the destination server could not be established." I followed the Operations guide and went through all the steps but still was receiving the error. I finally found a note in the documentation updates for TM1 9.4.3 FP3 that mentions they added a new paramater to the tm1s.cfg file. Once that was added to the tm1s.cfg file everything worked smoothly on the web and in perspectives/architect. Below is the paramater:

Link: http://publib.boulder.ibm.com/infocente ... N_prm.html


ServicePrincipalName Parameter
This parameter is optional.

Specifies the service principal name (SPN) when using Integrated Login with TM1 Web and constrained delegation.

Use the following format to add the parameter to the Tm1s.cfg file:

ServicePrincipalName=SPN
The value you set here must match the service name that has also been mapped to a domain account on the Active Directory domain controller using the Microsoft command-line tool, setspn.exe.

For example, if you use setspn.exe to add an SPN as follows:

setspn -a FPM/TM1 WbSvr_Account
then you need to set the ServicePrincipalName parameter like this:

ServicePrincipalName=FPM/TM1
For more information about constrained delegation and SPN configuration, search the Microsoft Web site for the topic "Kerberos Technical Supplement for Windows".
Mithun.Mistry1103
Posts: 58
Joined: Thu Jul 03, 2014 1:14 pm
OLAP Product: cognos
Version: 10.2.2
Excel Version: 2010

Re: Server principal name (SPN) ... error message

Post by Mithun.Mistry1103 »

Hello.

I am trying to connect tm1 with ldap. So far, I have tried service principal name parameter etc that has been mentioned in this feed
.
What I am trying to resolve is everytime I click on an instance in architect, I get:

'Unable to log in to TM1: Server principal name (SPN) or the security context of the destination server could not be established.'

Nothing seems to work.

Is there anything else I can try to get this tm1 instance using ldap.

Thank you all
Post Reply