Configure the IBM Controller Authentication Method

After you configure the authentication provider, you must configure the Controller Web Services Server computers with IBM Controller or Windows authentication. The default authentication method is Native authentication.

If users access the IBM® Controller, IBM Controller Link for Microsoft Excel or IBM Controller Web applications when not being logged on as domain users, they receive a prompt to enter their domain credentials in order to be authenticated against the domain

With native authentication, logon information is configured in the IBM Controller databases and in the IBM Controller user interface. If you want to use Native authentication in your IBM Controller environment and you are using Cognos Analytics as the reporting component, the reporting components must run under anonymous access. When the reporting components run under anonymous access, no logon to Cognos Analytics is required. In IBM Cognos® Connection, anonymous access is enabled by default. Native authentication provides minimal security in your IBM Controller environment.

IBM Controller authentication is shared between IBM Controller and the reporting components. When you use the IBM Controller authentication method, you can use the IBM Controller built-in namespace to restrict access to defined users, or you can create an appropriate namespace for the type of authentication provider in your environment. Access is then restricted to users belonging to any group or role defined in the namespace. If you use the IBM Controller authentication method, when users log on to IBM Controller from IBM Cognos Connection or from a URL and have selected a database to log on to, they are prompted to log on to the namespace. Users are prompted with the same logon window when they log on to IBM Controller using the IBM Controller Link for Microsoft Excel. IBM Controller authentication uses shared memory for passport IDs. However, if your company security policy prohibits the use of shared memory, you can disable the use of shared memory for passport IDs. If you disable shared memory for passport IDs, users must log on separately to IBM Controller and to the IBM Controller Link for Microsoft Excel.

Windows Authentication is the authentication provided through the configuration of Internet Information Services (IIS). When Windows Authentication is enabled, user connections established with the Microsoft Internet Information Services Web server on Controller Web Services Server are validated against the domain that the server is part of. When users log on to client computers as users that are part of the Active Directory domain, they are not prompted with further logons when they run Controller or the Controller Link for Microsoft Excel.
Note: In Controller Web, users are still required to input their username and password.
If users access the Controller, Controller Link for Microsoft Excel or Controller Web applications when not logged on as domain users, they receive a prompt to enter their domain credentials to be authenticated against the domain.
Note:

To avoid using different authentication mechanisms, you should reuse IBM Cognos authentication if you have integrated your Controller environment with IBM Cognos Analytics or IBM Planning Analytics.

Before you begin

If you are using IBM Cognos authentication, ensure that you have configured the appropriate namespace. If you are using Windows Authentication, ensure that the Controller server is part of the domain that is to be used for authentication and that the Windows Authentication role service has been installed as part of IIS.

About this task

Perform this procedure on the Controller server.

Procedure

  1. From the Start menu, start IBM Controller Configuration.
  2. In the Explorer window, click Web Services Server, Server Authentication.
  3. In the Select authentication method box, click the drop-down arrow, and then select the authentication method:
    • Click IBM Cognos to enable IBM Controller authentication.
    • Click Windows Authentication to enable Windows Authentication.
  4. From the File menu, click Save.