How to enable Single Signon in multiple domain environment using Active Directory
If a customer tries to use an LDAP namespace, it can only connect to a single domain (not the entire Active Directory forest).
Resolving The Problem
In order to setup SSO in a multi-domain Active Directory environment, follow these steps:
1. Launch "Cognos Configuration"
2. Create a new namespace
3. Make sure that this is set to "Active Directory" (not LDAP)
4. Use the root domain as the hostname
5. Locate "Advanced properties" and click edit/modify button
6. Enable either 'ChaseReferrals' or 'MultiDomainTrees'.
- ChaseReferrals - Allows users from 'child' domains (that is, domains below the domain that your namespace is connected to) to log on
- This is often the best choice (for performance reasons).
- MultiDomainTrees - Allows users from ALL domains (inside the forest) to log on
- If you are unsure where your users will be located, 'MultiDomainTrees' can be the best option (to ensure that all users are able to log on, wherever they are located).
- However, this means that searches will traverse the entire forest, leading to performance slowdowns.
Once you have chosen, add one of the following entries:
- chaseReferrals: True
- multiDomainTrees: True
TIP: For more information, see attached document "KB 1041799 - ChaseReferrals and multiDomainTrees.pdf".
7. Decide whether to use NTLM ("REMOTE_USER") or Kerberos authentication.
If you want to use NTLM/REMOTE_USER, then also add the following entry:
- singleSignOnOption: IdentityMapping
Do not use this entry if you want to use Kerberos (which is the preferred option for many environments).
8. Perform a test on this namespace to make sure a connection can be made
9. Restart the service
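The following is an added pre-flight check for the advanced properties chosen in the steps above; it is example code, not part of this technote or of Cognos. It decides whether chaseReferrals is enough for a given set of user domains (all below the namespace's root domain) or whether multiDomainTrees is needed, and then checks the entries against the NTLM/Kerberos rule. The domain names and property lines are constructed samples; only the property names come from the technote.

```python
"""Pre-flight check for the Cognos AD namespace advanced properties (added example)."""


def is_child_domain(domain: str, root: str) -> bool:
    """True if domain is the root itself or sits below it in the same DNS tree."""
    d, r = domain.lower().rstrip("."), root.lower().rstrip(".")
    return d == r or d.endswith("." + r)


def recommend_scope(namespace_root: str, user_domains) -> str:
    """Pick the narrower setting that still lets every listed user domain log on.

    chaseReferrals covers the namespace domain and its children; any user domain
    in another tree of the forest needs multiDomainTrees (whole-forest searches).
    """
    if all(is_child_domain(d, namespace_root) for d in user_domains):
        return "chaseReferrals"
    return "multiDomainTrees"


def parse_advanced_properties(text: str) -> dict:
    """Parse 'name: value' lines, as listed in the technote, into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip().lstrip("- ")
        if ":" in line:
            name, _, value = line.partition(":")
            props[name.strip()] = value.strip()
    return props


def check_sso_properties(props: dict, auth: str) -> list:
    """Return findings; an empty list means the entries match the steps above.

    auth is 'NTLM' (REMOTE_USER) or 'KERBEROS'.
    """
    findings = []
    scope = [k for k in ("chaseReferrals", "multiDomainTrees")
             if props.get(k, "").lower() == "true"]
    if not scope:
        findings.append("neither chaseReferrals nor multiDomainTrees is True: "
                        "users outside the namespace domain cannot log on")
    if len(scope) == 2:
        findings.append("both chaseReferrals and multiDomainTrees are set; the "
                        "technote says to add one of the two")
    identity_mapping = props.get("singleSignOnOption") == "IdentityMapping"
    if auth.upper() == "NTLM" and not identity_mapping:
        findings.append("NTLM/REMOTE_USER chosen but 'singleSignOnOption: "
                        "IdentityMapping' is missing")
    if auth.upper() == "KERBEROS" and identity_mapping:
        findings.append("Kerberos chosen but 'singleSignOnOption: IdentityMapping' "
                        "is present; remove it")
    return findings
```

Run recommend_scope with the root domain you entered as the hostname in step 4 and the domains your users actually log on from; feed the resulting entries to check_sso_properties before testing the namespace.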
TIP: Take care to ensure that users can access their content in Cognos Connection prior to removing an existing LDAP type namespace. If we are recognising them as new users, their content will need to be migrated to the accounts under Active Directory.
15 June 2018