Enabling single signon to use Kerberos authentication with constrained delegation
To be able to use constrained delegation, you must define the service principal names (SPNs) for the users that are configured to run the IBM® Cognos® components and for your Microsoft Internet Information Services (IIS) web server's application pool in your Active Directory domain.
If you use Kerberos with constrained delegation, you must add an sAMAccountName user for Content Manager when you configure your gateway. All active and standby Content Managers must be configured to run under the same account.
If you are configuring single signon to your database servers, you must configure the sAMAccountName for the user who runs the Application Tier Components when you add the Active Directory namespace. All Application Tier Components must be configured to run under the same account.
The SPNs are registered for the users that you enter in the sAMAccountName fields in IBM Cognos Configuration. For example, assume that you have one user who runs the Content Manager component, another who runs the Application Tier Components, and another who runs your web server's application pool. The Content Manager user is CognosCMUser. The Application Tier Components user is CognosATCUser. The application pool user is IISUser. Each user is in the MyDomain domain.
You must set up IIS so that MyDomain\IISUser is the application pool identity. Run the setspn command for the computer where IIS is running. For example:
setspn -A http/IISServerName MyDomain\IISUser
setspn -A http/IISServerName.MyDomain.com MyDomain\IISUser
Run the setspn command for your IBM Cognos users. For example:
setspn -A ibmcognosba/CognosCMUser MyDomain\CognosCMUser
setspn -A ibmcognosba/CognosATCUser MyDomain\CognosATCUser
In these commands, you must use ibmcognosba as the service class, exactly as shown in the examples. The user names and domains must match your environment.
Note: In this example, the sAMAccountName users that you must enter in IBM Cognos Configuration are CognosCMUser and CognosATCUser.
If you are configuring single signon to your Microsoft SQL Server or Microsoft SQL Server Analysis Services database server, you must also set up the SPN for the database server. For more information, see your database server documentation.
Finally, you must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for each of the users (IISUser, CognosCMUser, and CognosATCUser), select Trust this user for delegation to specified services only. Select Use Kerberos only to use Kerberos with constrained delegation, or select Use any authentication protocol if you are using the S4U Kerberos extension. Then add the required SPNs. For example, add ibmcognosba as a service type, and add DomainController1 and DomainController2 with service type ldap. If you are configuring single signon for the data source, also add the MSQLSVC service.
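The following PowerShell script is an added example, not part of the IBM documentation or the product, that carries out the SPN registration from the setspn steps above and then reads back the delegation settings that the Delegation tab writes to each account, so that an administrator can confirm the configuration is constrained (not unconstrained) and see which protocol option is in effect. It uses the placeholder names from this page (MyDomain, IISServerName, IISUser, CognosCMUser, CognosATCUser) and assumes the ActiveDirectory PowerShell module (RSAT) is installed and the script runs as an account allowed to write SPNs in the domain.

```powershell
# Added example (not IBM's code). Registers the SPNs from the procedure and
# verifies the delegation settings on each service account.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Placeholders from the page; replace with your own values.
$Domain    = 'MyDomain'
$DnsSuffix = 'MyDomain.com'
$IisHost   = 'IISServerName'

# SPN -> account, matching the setspn commands in the procedure.
$Spns = [ordered]@{
    "http/$IisHost"             = "$Domain\IISUser"
    "http/$IisHost.$DnsSuffix"  = "$Domain\IISUser"
    'ibmcognosba/CognosCMUser'  = "$Domain\CognosCMUser"
    'ibmcognosba/CognosATCUser' = "$Domain\CognosATCUser"
}

foreach ($spn in $Spns.Keys) {
    # setspn -S adds the SPN like -A does, but first checks that no other account
    # already holds it. A duplicate SPN leaves the KDC unable to choose a key and
    # breaks Kerberos for both accounts, so a failure here needs investigation.
    setspn -S $spn $Spns[$spn]
}

# Forest-wide duplicate SPN check; any output here is a finding.
setspn -X

# Read back the attributes that the Delegation tab sets.
$Accounts = 'IISUser', 'CognosCMUser', 'CognosATCUser'
$Report = foreach ($name in $Accounts) {
    $u = Get-ADUser -Identity $name -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Account             = $name
        # SPNs currently registered on the account (what setspn -L shows).
        RegisteredSpns      = (($u.ServicePrincipalName) -join '; ')
        # TrustedForDelegation = "Trust this user for delegation to any service"
        # (unconstrained). The procedure never uses it; $true is a misconfiguration.
        Unconstrained       = [bool]$u.TrustedForDelegation
        # Constrained delegation appears as a populated msDS-AllowedToDelegateTo:
        # expect ibmcognosba/... and ldap/DomainController1, ldap/DomainController2.
        AllowedToDelegateTo = (($u.'msDS-AllowedToDelegateTo') -join '; ')
        # TrustedToAuthForDelegation = "Use any authentication protocol" (S4U).
        # $false means "Use Kerberos only".
        ProtocolTransition  = [bool]$u.TrustedToAuthForDelegation
    }
}

$Report | Format-List

# Flag the two states the procedure does not intend.
foreach ($r in $Report) {
    if ($r.Unconstrained) {
        Write-Warning "$($r.Account) is trusted for unconstrained delegation; select 'specified services only'."
    }
    if (-not $r.AllowedToDelegateTo) {
        Write-Warning "$($r.Account) has no services on its Delegation tab; constrained delegation is not configured."
    }
}
```

Run the script from an elevated PowerShell session on a domain-joined machine after the Delegation tab has been configured; the Unconstrained column should be $false for all three accounts, and ProtocolTransition should be $false when you chose Use Kerberos only and $true when you chose Use any authentication protocol.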