IBM Support

"AAA-AUT-0013 The user is already authenticated in all available namepaces" (after logon / logoff / logon of Excel link) when using SSO with Cognos Analytics, triggered by 'SSO Login' method enabled



User launches Excel. User clicks the 'Controller' add-in, and then clicks 'Log on...':
User chooses database. This works OK.
User then clicks "Log off". Again this works OK.
User then clicks "Log on...". User chooses database. An error message appears.


The user is already authenticated in all available namepaces.


There are several known causes of the 'AAA-AUT-0013' error.
  • TIP: For more examples, see separate IBM Technote #1346138.
This Technote specifically relates to the scenario where the cause is a limitation of Controller, when all of the following are true:
  • Controller using a Cognos Analytics report server
  • CA is using the default settings inside its 'logoff.xts' file.
  • Cognos Analytics and Controller are configured to use SSO
    • In other words, when users launch Controller they are not prompted to logon to Controller (instead, they are automatically logged on using their Active Directory username/password)
  • Cognos Analytics SSO is configured to have the 'SSO Login' method enabled:
More Information
The problem is caused by the CA logout redirecting back to the welcome page (instead of a logout page).
  • This causes a new CAM passport to be generated (and received by the Excel Add-in).


This behaviour has been seen with:
  • Controller 10.3.1
  • Controller 10.4.0 / Cognos Analytics 11.0.12

Resolving The Problem

Instant Fix:
1. Click "File - Exit" (to close Excel)
2. Re-launch Excel
3. Retry.
Long-term Fix:

Reconfigure the Cognos Analytics 'logoff.xts' file.



1. Logon to the Cognos Analytics server

  • TIP: For many 'smaller' customers, the CA server will probably be the same server as the 'main' Controller application server.

2. Browse to the following folder:  .../templates/ps/portal/

  • TIP: By default, this is located here: C:\Program Files\ibm\cognos\analytics\templates\ps\portal
3. As a precaution, create a backup copy of the following file:    logoff.xts
4. Edit the following file (for example in Notepad):    logoff.xts
5. Locate the following section:
<xos: entityBody>
<meta http-equiv="refresh" content="0; URL={$loggoffURL}"/>
<title> Logout Redirect </title>
6. Comment the line shown in bold (above)
  • In other words, modify the line so that it looks similar to:
<!--<meta http-equiv="refresh" content="0; URL={$loggoffURL}"/>-->
7. Stop the CA service.
  • TIP: By default, this means stopping the Windows service:    IBM Cognos
8. Browse to the following folder:       .../webapps/p2pd/WEB-INF/lib/
  • TIP: By default, this is located here:   C:\Program Files\ibm\cognos\analytics\webapps\p2pd\WEB-INF\lib
9. Rename the following file:   portal.jar
  • For example, rename it to:   portal.jar.backup
10. Start the CA service (by default, called:   IBM Cognos)
Reconfigure Cognos Analytics (CA) to use the 'Legacy SSO' method (instead of 'SSO Login' method).
  • NOTE: This will stop SSO working (for Cognos Analytics) when accessed through IE and a gateway.
1. Logon to the relevant CA server
2. Launch "Internet Information Services (IIS) Manager"
3. Expand "Default Web Site" - <site name hosting your CA SSO website>" (for example "ibmcognossso")
4. Select subfolder:  bi
5. On the right-hand page, double-click on:   URL Rewrite
6. Highlight the row 'SSO Login'
7. Click "Disable Rule"
  • It should now look 'greyed out', similar to:
8. Test.

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.3.1, 10.4.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
12 June 2019