Help with IntegratedSecurityMode 2/3

Derezed
Posts: 14
Joined: Fri May 18, 2012 10:23 am
OLAP Product: TM1, Planning Analytics
Version: 10.2.2, Planning Analytics 2.x
Excel Version: Latest
Location: UK

Help with IntegratedSecurityMode 2/3

Post by Derezed » Wed Mar 13, 2019 1:31 pm

Hi everyone,

This might seem like groundhog day or a throwback to 2013, but I have a client who does not want the Cognos Analytics overhead just for user authentication and they don't want to have to manage users in TM1 directly...so we're at IntegratedSecurityMode 3 (currently two while I sort this out).

This is for a Windows Server 2016 server and PA 2.0.6 local setup.

The documentation is good on this:

1) Crank up ETLDAP and get your users in (done with much fiddling and AD head scratching)
2) Add the following to config file:
IntegratedSecurityMode=2
SecurityPackagename=Kerberos
3) Checkbox Integrated Security in Perspectives.
4) All is well

...sadly all is not well.

"Log In Failed: SystemServerClientNotFound"

I have tried every permutation of user name in the "UniqueID" field in the }ClientProperties cube paying special attention to case. Nothing works.

I have switched on Audit Logging and have reviewed the unsuccessful login attempts. The IP it notes is correct, however there is no user name. I don't know if this is relevant or not.

All TM1 services are running under a domain account. That domain account is the SPN for all TM1 services. The account has delegation checked as "Trust this user for delegation to any service (Kerberos)".

Have I missed some crucial configuration item?

Note this is just for Perspectives at the moment, if it doesn't work here, it sure isn't going to work for TM1Web!

Paul Segal
Community Contributor
Posts: 257
Joined: Mon May 12, 2008 8:11 am
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: Help with IntegratedSecurityMode 2/3

Post by Paul Segal » Wed Mar 13, 2019 2:55 pm

You could try NTLM rather than Kerberos.

Unique id should be username@domain; not sure that case makes a difference.
Paul

Derezed
Posts: 14
Joined: Fri May 18, 2012 10:23 am
OLAP Product: TM1, Planning Analytics
Version: 10.2.2, Planning Analytics 2.x
Excel Version: Latest
Location: UK

Re: Help with IntegratedSecurityMode 2/3

Post by Derezed » Wed Mar 13, 2019 4:13 pm

Thanks Paul, sadly that's a non-starter. username@domain.x, Username@domain.x, username@Domain.x, UserName@Domain.x etc. have all failed along with any other form of a username under the sun. NTLM isn't an option here.
Last edited by Derezed on Wed Mar 13, 2019 7:31 pm, edited 1 time in total.

tomok
MVP
Posts: 2559
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA

Re: Help with IntegratedSecurityMode 2/3

Post by tomok » Wed Mar 13, 2019 4:18 pm

Not sure what the ".x" is after the domain but it has to be just the domain. If your user id is userid@mycompany.com then the user ID in TM1 would be user@mycompany. It is also case sensitive, both ID and domain.
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/

Derezed
Posts: 14
Joined: Fri May 18, 2012 10:23 am
OLAP Product: TM1, Planning Analytics
Version: 10.2.2, Planning Analytics 2.x
Excel Version: Latest
Location: UK

Re: Help with IntegratedSecurityMode 2/3

Post by Derezed » Wed Mar 13, 2019 4:50 pm

Hi Tomok,

The .x is just a sample. In this case users are .com and all lower case. Sadly that doesn't work so I gave a couple more options a go.

Am I right in thinking it is only the uniqueID field that has any bearing on authentication here?

Do unsuccessful logins from unknown clients ever show in the audit log with a user name entry, or is it specifically a TM1 client name as opposed to whatever credential was passed to TM1?

Kerberos does a number on my head sadly because I don't understand how TM1 has implemented the checking of credentials or what the prerequisites for the AD setup are to make sure it works.

tomok
MVP
Posts: 2559
Joined: Tue Feb 16, 2010 2:39 pm
OLAP Product: TM1, Palo
Version: Beginning of time thru 10.2
Excel Version: 2003-2007-2010-2013
Location: Atlanta, GA

Re: Help with IntegratedSecurityMode 2/3

Post by tomok » Wed Mar 13, 2019 6:03 pm

Derezed wrote (Wed Mar 13, 2019 4:50 pm):
"In this case users are .com and all lower case. Sadly that doesn't work"
Don't use anything after the domain. If your full ID is fred.smith@mycompany.com then your TM1 ID would be "fred.smith" and the value in the unique ID field would be "fred.smith@mycompany". Note we are not including the ".com".
Tom O'Kelley - Manager Finance Systems
American Tower
http://www.onlinecourtreservations.com/
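The exchange above comes down to one question: does the UniqueID stored in }ClientProperties match, character for character, what the Kerberos login presents? The PowerShell below is an added diagnostic, not code from any poster or from IBM. It assumes the convention tomok describes (user part, "@", first domain label only, compared case-sensitively) and classifies each }ClientProperties row as an exact match, a case-only mismatch, a row that kept the ".com", or no match at all. The }ClientProperties rows and UPNs are constructed sample data; on a real client, `whoami /upn` gives the UPN to feed in.

```powershell
# Added example (not from the thread). Assumes tomok's UniqueID convention:
# "<user>@<first domain label>", no TLD, case-sensitive comparison.

function Get-ExpectedTm1UniqueId {
    param([Parameter(Mandatory)][string]$Upn)      # e.g. fred.smith@mycompany.com
    $user, $domain = $Upn -split '@', 2
    if (-not $domain) { throw "Not a UPN: $Upn" }
    $label = ($domain -split '\.')[0]              # keep only the first domain label
    return "$user@$label"
}

function Test-Tm1ClientMapping {
    param(
        [Parameter(Mandatory)][string]$Upn,
        [Parameter(Mandatory)][hashtable]$ClientProperties   # TM1 client name -> UniqueID
    )
    $expected = Get-ExpectedTm1UniqueId -Upn $Upn
    foreach ($client in $ClientProperties.Keys) {
        $actual = $ClientProperties[$client]
        $result = if     ($actual -ceq $expected) { 'OK' }            # exact, case-sensitive
                  elseif ($actual -ieq $expected) { 'CaseMismatch' }  # same text, wrong case
                  elseif ($actual -ieq $Upn)      { 'TldIncluded' }   # full UPN stored, ".com" kept
                  else                            { 'NoMatch' }
        [pscustomobject]@{
            Upn      = $Upn
            Client   = $client
            Expected = $expected
            Actual   = $actual
            Result   = $result
        }
    }
}

# Constructed }ClientProperties export: client name -> UniqueID as entered by the admin.
$clientProperties = @{
    'fred.smith' = 'fred.smith@mycompany'       # follows the convention
    'jane.doe'   = 'Jane.Doe@MYCOMPANY'         # right shape, wrong case
    'bob.jones'  = 'bob.jones@mycompany.com'    # TLD left in
}

# Constructed UPNs as AD would present them at login.
$upns = 'fred.smith@mycompany.com', 'jane.doe@mycompany.com', 'bob.jones@mycompany.com'

foreach ($upn in $upns) {
    Test-Tm1ClientMapping -Upn $upn -ClientProperties $clientProperties |
        Where-Object { $_.Result -ne 'NoMatch' }   # show only the row that belongs to this UPN
} | Format-Table -AutoSize
```

Only the first UPN yields an `OK` row; the other two surface as `CaseMismatch` and `TldIncluded`, which are the two shapes of error this thread has circled around. If a real UPN produces `NoMatch` against every row, the UniqueID field is not the problem and the fault is earlier, in whether a Kerberos service ticket for the TM1 service is being issued at all.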

Derezed
Posts: 14
Joined: Fri May 18, 2012 10:23 am
OLAP Product: TM1, Planning Analytics
Version: 10.2.2, Planning Analytics 2.x
Excel Version: Latest
Location: UK

Re: Help with IntegratedSecurityMode 2/3

Post by Derezed » Wed Mar 13, 2019 7:30 pm

Sadly that has failed to work too. From your post Tomok, is the client name as important as the uniqueID field? I thought only the uniqueID was used to authenticate, but am likely wrong here. I have changed the client name a few times and am using the name as provided by WHOAMI in cmd. I know it definitely isn't the FQDN because that gives me a whopping great big AD definition of the user.

olapuser
Posts: 40
Joined: Fri Jan 29, 2010 1:55 am
OLAP Product: Cognos TM1
Version: 9.5
Excel Version: 2007

Re: Help with IntegratedSecurityMode 2/3

Post by olapuser » Wed Mar 13, 2019 11:41 pm

Have you set up the ServicePrincipalName?

https://www.ibm.com/support/knowledgece ... lname.html

Works for perspectives, pax, and paw.
Good luck setting up the TM1Web if you wish to connect directly. Works fine through paw.

Derezed
Posts: 14
Joined: Fri May 18, 2012 10:23 am
OLAP Product: TM1, Planning Analytics
Version: 10.2.2, Planning Analytics 2.x
Excel Version: Latest
Location: UK

Re: Help with IntegratedSecurityMode 2/3

Post by Derezed » Thu Mar 14, 2019 2:28 pm

Hi olapuser, that sadly does nothing. I will have to review this one if we get as far as TM1Web. The initial login should not be using constrained delegation or any delegation for that matter. Does anybody know how TM1 gets registered with the domain controller in the first place? I am not sure the DC knows that TM1 exists which might be where my problem lies. :cry:
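In Kerberos terms, the domain controller "knows TM1 exists" only through the servicePrincipalName registered on the account that runs the service: the client asks the KDC for a ticket to that SPN, and if the SPN is missing or registered on more than one account, no service ticket is issued and the server never sees a usable identity. The PowerShell below is an added check list, not code from any poster or from IBM. The account name, host name and SPN string are placeholders (the SPN form for each TM1 component is on the IBM page olapuser linked); the AD query needs the RSAT ActiveDirectory module, and step 3 is meant to be run on the client machine as the user who cannot log in.

```powershell
# Added diagnostic (not from the thread). Replace the placeholders before use.
$ServiceAccount = 'svc_tm1'                       # PLACEHOLDER: domain account running the TM1 services
$Spn            = 'HOST/tm1server.example.com'    # PLACEHOLDER: SPN form per the IBM KB page

# 1. Is the SPN registered, and on exactly one account?
#    The KDC only issues a service ticket for an SPN it can find; a duplicate SPN
#    on two accounts makes it refuse as well.
setspn -Q $Spn                 # forest-wide query for the SPN itself
setspn -L $ServiceAccount      # every SPN registered on the service account

# 2. Delegation settings on the service account.
#    TrustedForDelegation is what "Trust this user for delegation to any service"
#    sets (unconstrained); msDS-AllowedToDelegateTo lists constrained targets.
#    A first-hop login like Perspectives needs neither; they matter for TM1Web.
Import-Module ActiveDirectory
Get-ADUser -Identity $ServiceAccount -Properties ServicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, UserPrincipalName, TrustedForDelegation,
        @{ n = 'SPNs';                e = { $_.ServicePrincipalName -join '; ' } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# 3. On the client, as the failing user: can a ticket for the SPN be obtained at all?
#    A "Server:" line naming the SPN in the cache proves the KDC resolved it; an error
#    here means the fault is in AD/SPN registration, not in }ClientProperties.
klist purge
klist get $Spn
klist | Select-String -Pattern 'Server:'

# 4. The identity the client presents, for comparison with the UniqueID field.
whoami /upn
```

Read the results in order: if step 1 finds no SPN or finds it twice, nothing later can succeed; if step 3 produces a ticket but the login still fails with SystemServerClientNotFound, the problem has moved to the UniqueID mapping. Step 2 is included because unconstrained delegation is a broader grant than an interactive login needs; if it is only there for a future TM1Web hop, constrained delegation to that specific SPN is the narrower setting.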
