Trouble setting up integrated login in TM1 10.2
Posted: Wed Aug 16, 2017 4:22 pm
Hi everyone,
We are in the mid of migrating from TM1 10.1.1 to 10.2.2, and testing the waters for security without Cognos BI runtime or CAM. Our main goals is to enable SSO via AD, and applying group based security rights on cubes, dimensions and processes. I am testing Integrated security on the TM1 server box itself, so Admin Host, TM1 Server and Architect, all are installed and being used on the same box for now.
I have updated my cfg file as follows, and restarted the server.
SecurityLogging=F
SecurityPackagename=Kerberos
IntegratedSecurityMode=2
Servername=finance
In Architect, I am able to log on without enabling Integrated login (checkbox) using default admin credentials. But when I enable integrated security, I am getting the "SystemServerClientNotFound' error message.
I have looked at this technote from IBM, but no luck, http://www-01.ibm.com/support/docview.w ... wg21974502, as well as this thread, http://www.tm1forum.com/viewtopic.php?t=2310, and followed what Paul suggested, but I keep getting the above error message. And, as mentioned in the above forum thread, I haven't used ETLDAP tool to import all AD users. Not sure if that is a mandatory step.
Going back to the IBM technote (above), one of the points I am confused about how to form my UniqueID. With CAM security, logged on users were formed as "domain\user" format in }Clients dimension, while I am trying to form the UniqueID as "user@doman". Not sure if this has something to do with the error I am getting.
EDIT: I have tried couple combinations to form domain & user name, including "user@domain", "domain\user" in the }ClientProperties Cube, but no luck so far. domain refers to what I see as the output of systeminfo | findstr /B /C:"Domain" command, and what is displayed in the properties of My Computer. TM1 server is running under the context of a domain user, tm1admin@domain.
Appreciate help from the experts.
Thanks
Kaz
We are in the mid of migrating from TM1 10.1.1 to 10.2.2, and testing the waters for security without Cognos BI runtime or CAM. Our main goals is to enable SSO via AD, and applying group based security rights on cubes, dimensions and processes. I am testing Integrated security on the TM1 server box itself, so Admin Host, TM1 Server and Architect, all are installed and being used on the same box for now.
I have updated my cfg file as follows, and restarted the server.
SecurityLogging=F
SecurityPackagename=Kerberos
IntegratedSecurityMode=2
Servername=finance
In Architect, I am able to log on without enabling Integrated login (checkbox) using default admin credentials. But when I enable integrated security, I am getting the "SystemServerClientNotFound' error message.
I have looked at this technote from IBM, but no luck, http://www-01.ibm.com/support/docview.w ... wg21974502, as well as this thread, http://www.tm1forum.com/viewtopic.php?t=2310, and followed what Paul suggested, but I keep getting the above error message. And, as mentioned in the above forum thread, I haven't used ETLDAP tool to import all AD users. Not sure if that is a mandatory step.
Going back to the IBM technote (above), one of the points I am confused about how to form my UniqueID. With CAM security, logged on users were formed as "domain\user" format in }Clients dimension, while I am trying to form the UniqueID as "user@doman". Not sure if this has something to do with the error I am getting.
EDIT: I have tried couple combinations to form domain & user name, including "user@domain", "domain\user" in the }ClientProperties Cube, but no luck so far. domain refers to what I see as the output of systeminfo | findstr /B /C:"Domain" command, and what is displayed in the properties of My Computer. TM1 server is running under the context of a domain user, tm1admin@domain.
Appreciate help from the experts.
Thanks
Kaz