Troubleshooting
Problem
- In other words, their Windows credentials are automatically sent to the Cognos product, so they never have to type in their username/password when they launch the product (for example the Controller client).
Symptom
- Customer would like to change this so that users are never prompted to log on to Cognos (instead, they are automatically logged on with their Windows username).
Cause
This means that SSO (for CA) never works (because it will not link in with IIS).
Resolving The Problem
(a) Ensure that you are using CA version 11.0.4 (or later)
(b) Make sure that your CA server has the 'Optional Gateway' component installed
- IMPORTANT: This is not installed via a default installation!
(c) Configure the CA gateway components to integrate with Windows authentication, to give SSO
(d) Configure the client devices to automatically send their Windows credentials to the gateway website.
Steps:
1. Ensure that you have downloaded CA version 11.0.4 (or later)
2. Ensure that your CA server is a member of the relevant Active Directory domain
3. When you install CA, make sure that you choose a 'Custom' installation:
- Inside the 'Choose Components' screen, select ALL of the components (including 'Optional Gateway')
4. Configure CA to use SSO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are two methods to achieve this. Choose whichever method you prefer:
- Manual method - instructions here: https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.inst_cr_winux.doc/t_gateway_iis.html
- or Automatic (batch file) method here: http://www-01.ibm.com/support/docview.wss?uid=swg22000097
!! IMPORTANT !!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
5. Due to a limitation in Controller/CA, you must now reconfigure the Cognos Analytics 'logoff.xts' file.
- For instructions, see separate IBM Technote #0884136.
6. Modify the settings inside 'Cognos Configuration' as appropriate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For most environments, the following are correct:
- In the Namespace add an advanced property:
- Name : singleSignonOption
- Value: IdentityMapping
- Inside "Authentication" configure "Allow session information to be shared between client application" to be "True"
TIP: For more information on some of the settings you need to configure, see separate IBM Technote #1380099.
7. Configure the end user's Internet Explorer to use 'Automatic logon with current username and password' (in the security zone that the web site belongs to)
- For instructions, see separate IBM Technote #1380099.
8. Test that the client machine successfully has SSO on the CA gateway, by launching a link similar to: http://[servername]/ibmcognos/
- Make sure that the user is automatically authenticated (not asked to logon)
- This will validate that SSO is working for CA via IIS
9. Launch 'Controller Configuration' and ensure:
- 'Server authentication' is set to CAM
- Report server (and Dispatcher URI) settings are similar to:
NOTE: The report server URL is slightly different from how it looks when integrating Controller with Cognos BI.
10. Finally, test that Controller SSO works OK by launching Controller.
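The client-side checks in steps 7 and 8, as an added PowerShell example that is not part of the IBM technote: it reports the 'Logon' setting (registry value 1A00) for each Internet Explorer security zone, then requests the gateway with the current Windows credentials. The gateway URL is a parameter you supply, and the script assumes that anonymous access is disabled on the gateway site.

```powershell
# Added example (not IBM's): audit the zone logon policy (step 7), then test the gateway (step 8).
param(
    # Placeholder from step 8: pass your own gateway URL, e.g. http://[servername]/ibmcognos/
    [Parameter(Mandatory = $true)] [string] $GatewayUrl
)

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Documented values of zone setting 1A00 (User Authentication > Logon).
$logonModes = @{
    0x00000 = 'Automatic logon with current username and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
# Per-user policy is read before the user's own setting; machine-wide (HKLM) policy is not read here.
$roots = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)

foreach ($zone in 1..4) {
    $value = $null
    foreach ($root in $roots) {
        $item = Get-ItemProperty -Path "$root\$zone" -Name '1A00' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.'1A00'; break }
    }
    $mode = if ($null -eq $value) { '(not set, zone default applies)' }
            elseif ($logonModes.ContainsKey($value)) { $logonModes[$value] }
            else { 'unrecognised value 0x{0:X}' -f $value }
    '{0,-16} : {1}' -f $zoneNames[$zone], $mode
    # Automatic logon belongs only in the zone that holds the gateway site.
    if ($value -eq 0 -and $zone -ge 3) {
        Write-Warning "$($zoneNames[$zone]) zone sends Windows credentials automatically to any site in it."
    }
}

# Step 8 check. Invoke-WebRequest does not consult IE zones; this only shows whether the
# gateway accepts the current Windows identity (assumes anonymous access is disabled on it).
try {
    $resp = Invoke-WebRequest -Uri $GatewayUrl -UseDefaultCredentials -UseBasicParsing
    "Gateway returned HTTP $($resp.StatusCode) for $env:USERDOMAIN\$env:USERNAME"
} catch {
    Write-Warning "Gateway request failed: $($_.Exception.Message)"
}
```

Run it as the end user on the client machine; the zone that lists 'Automatic logon with current username and password' should be the one the gateway site belongs to, not the Internet zone.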
Related Information
1380099 - How to Configure Controller to use Single Sig
2000097 - Automate the configuration of Microsoft's Int
Configuring IIS in Cognos Analytics 11.0.4 and later ve
0884136 - "AAA-AUT-0013 The user is already authenticated in all available name…
6218316 - Controller client disappears (after selecting the database) when usin…
301009 - How to properly clear Microsoft's Internet Information Service (IIS) c…
Document Information
Modified date:
28 August 2020
UID
swg22002465