Enable single signon between Active Directory Server and IBM Cognos components

By default, the Active Directory provider uses Kerberos authentication. It integrates with the Microsoft Internet Information Services (IIS) web server for single signon if Windows authentication (formerly named NT Challenge Response) is enabled on the IIS web server.

If Windows authentication is enabled, you are not prompted to reenter authentication information when you access IBM® Cognos® content that is secured by the Active Directory namespace.

If you use Kerberos authentication, you can choose to use Service for User (S4U). S4U allows users to access IBM Cognos Analytics with Watson from computers not on the Active Directory domain. To enable S4U, you must use enable constrained delegation.

For example, you have users whose computers do not belong to the domain, but they do have the domain account. When they open their web browsers, they are prompted for their domain account. However, they get the Kerberos ticket with Identity privilege only, which prevents them from getting authenticated to IBM Cognos Analytics with Watson. To resolve this issue, you can use S4U.

If you do not want Kerberos authentication, you can configure the provider to access the environment variable REMOTE_USER to achieve single signon.

Important: Ensure that you use only the variable REMOTE_USER. Using another variable can cause a security vulnerability.

To enable single signon to use Kerberos authentication, you must ensure that you complete the following tasks:

  1. Configure Windows authentication on your Microsoft IIS web server for the ibmcognos/cgi-bin application.
  2. Install Content Manager on a computer that is part of the Active Directory domain, for the active and standby Content Managers.
  3. Set up the computers, or the user account under which Content Manager runs, to be trusted.

For more information, see the following technote documents: