IBM Support

How to configure Controller to use Active Directory authentication directly (*without* using Cognos CAM)

How To


Summary

The customer would like their end users to log on to Controller using their Windows (domain / Active Directory) username and password.
How can they achieve this?

NOTE: This Technote specifically relates to the new feature (introduced in Controller 10.4.2) which allows AD authentication directly - without using Cognos Analytics (or Cognos BI) as the authentication mechanism.
* If you still want to use Cognos Analytics, then see separate IBM Technote #302865.
* If you still want to use Cognos BI, then see separate IBM Technote #623043.

Objective

Cognos Controller can use the following 3 different types of security logon authentication methods:
1. Native
2. CAM Authentication (also known as 'Cognos authentication')
3. Windows Authentication (direct)
This Technote relates to the scenario where the customer would like to use 'Windows Authentication' directly (not via a Cognos namespace).
  • This is a new feature (since Controller 10.4.2)

Environment

All of the following must be true:
  • Controller 10.4.2 (or later)
  • Controller application server hosted on Windows 2012 (or later)
  • The Controller application server must belong to the same Microsoft AD domain that the end users (who log on to Controller) reside in

Steps

1. Log on to the Controller application server
2. Launch Internet Information Services Manager
3. Select the application:  controllerserver
4. Double-click Authentication.
5. Enable both of the following:
  • Anonymous Authentication
  • Windows Authentication
For example, right-click on the entry and choose 'Enable'.
~~~~~~~~~~~~~~~~~~~~
TIP: If "Windows Authentication" is missing then perform the steps inside 'Appendix' below
~~~~~~~~~~~~~~~~~~~~

6. Launch Controller Configuration
7. Select Server Authentication
8. In the authentication method, select Windows Authentication.
9. Under Authentication settings, set the following values: 
  • Active Directory Domain <Domain name of the Active Directory>
    • You can use the NetBIOS domain name (for example "MYDOMAIN") or the FQDN domain name (for example "mydomain.mycompany.com")
  • Active Directory Base DN <Search path from which users are looked up>
  • Active Directory User <User to bind to the Active Directory>
    • This can be any user (does not have to be a domain administrator for example). Typically this would be a special 'service' account (for example 'controller_service') created in the Active Directory for just this purpose.
    • IMPORTANT: You must make sure that this user's password never expires or changes!
  • Active Directory User Password <Password of the Active Directory user>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TIP: If you are unsure of the answers to the above, type the following (in a command prompt): dsquery *
The value for 'Active Directory Base DN' should be where all your users reside. In this demonstration, the users are in the default 'Users' container, so the setting should be:     CN=Users,DC=mydomain,DC=mycompany,DC=com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10. Click Save
 
~~~~~~~~~~~~~~~~~~~~~~~~~
TIP: If you are not using Controller Web, you can skip directly to step 14
~~~~~~~~~~~~~~~~~~~~~~~~~
11. Open the 'fcm.web' folder
  • TIP: By default this is here: C:\Program Files\ibm\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web
12. Edit the following file (for example in Notepad):   com.ibm.cognos.fcm.web.properties
13. Modify the value for 'loginMode' to be:
  • loginMode=ACTIVE_DIRECTORY
14. Choose which Windows user you want to map to the Controller user 'ADM'
  • In this example, I shall choose:   MYDOMAIN\Administrator
15. Log on to the client device using that Windows user
16. Launch Controller 'classic' client, and choose the relevant database
  • This first Windows user will automatically get mapped (during the logon process) to the Controller user 'ADM'
  • You can see this by opening the Controller database table "XWINDOWSUSER"
  
17. Inside Controller client, click "Maintain - Rights - Users"
18. Map existing Controller users (if they exist) to Active Directory users by performing the following:
  • Select an existing (unmapped) user from the left hand side (for example "Fred")
  • Click the browse button in the 'Active Directory User' section
  • Choose the Active Directory user (for example 'MYDOMAIN\Richard') that you want mapped to the Controller user (for example 'FRED')
  
19. Create new Controller users (if required) by performing the following:
  • Change 'Create New' to 'Users'
  • Click the browse button in the 'Active Directory User' section
  • Select the user that you want to use (for example 'MYDOMAIN\Richard')
  • Complete any other sections/settings (as desired) and press Save
20. Repeat for all required new/existing users
  • TIP: You can verify that the users have been mapped by looking at the Controller database table "XWINDOWSUSER"
  
21. Test in Controller 'Classic' by:
  • Log on to Windows using the new user's Active Directory user account
  • Launch Controller client
  • Click "Help - System Info"
  • Near the top it should show the user's correct Controller (not Active Directory) username
22. Test in Controller Web by:
  • In your web browser, type the URL (for example: http://<servername>:9080 )
  • Ensure your username looks similar to:   <domainname>\<username>
 
23. Be aware that there is a potential problem when using Excel link, relating to a missing value of 'LastUser' inside the end user's CCR.CONFIG file.
  • See separate IBM Technote #6243458 for more details.
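
The values entered in step 9 can be read from the directory and checked before they are saved. The following PowerShell is an added example, not IBM's own code; it assumes the ActiveDirectory module (RSAT) is installed and uses the technote's example names 'controller_service' and 'CN=Users,DC=mydomain,DC=mycompany,DC=com' as placeholders.

```powershell
# Added example (not IBM code). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# ASSUMPTIONS: example names taken from the technote; replace with your own.
$bindAccount = 'controller_service'
$baseDn      = 'CN=Users,DC=mydomain,DC=mycompany,DC=com'

# Values for 'Active Directory Domain' (NetBIOS or FQDN form) and the
# default Users container, which is a candidate for 'Active Directory Base DN'.
$domain = Get-ADDomain
[pscustomobject]@{
    NetBIOSName           = $domain.NetBIOSName
    FqdnName              = $domain.DNSRoot
    DefaultUsersContainer = $domain.UsersContainer
} | Format-List

# Confirm the chosen Base DN exists and actually contains user objects.
$userCount = @(Get-ADUser -Filter * -SearchBase $baseDn -SearchScope Subtree).Count
"Users found under ${baseDn}: $userCount"

# Bind account: the technote requires a password that never expires or changes.
$user = Get-ADUser -Identity $bindAccount -Properties Enabled, PasswordNeverExpires, PasswordLastSet
$user | Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordLastSet | Format-List
if (-not $user.PasswordNeverExpires) {
    Write-Warning "$bindAccount does not have 'Password never expires' set."
}

# The technote says any user will do (no domain administrator needed), so
# flag direct membership of the built-in administrative groups.
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$memberOf = Get-ADPrincipalGroupMembership -Identity $bindAccount |
    Where-Object { $adminGroups -contains $_.Name }
if ($memberOf) {
    Write-Warning "$bindAccount is a member of: $($memberOf.Name -join ', ')"
}
```

A user count of 0 means the Base DN does not cover the accounts that will log on to Controller.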
 
==========================================
Appendix:
If 'Windows Authentication' is missing from the list of choices, then perform the following steps:
1. On the taskbar, click Server Manager
2. In Server Manager, click the Manage menu, and then click Add Roles and Features
3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Windows Authentication. Click Next.

5. On the Select features page, click Next.
6. On the Confirm installation selections page, click Install.
7. On the Results page, click Close.
TIP: For more details, see official Microsoft link below.
==========================================
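
The IIS part of the procedure (steps 2 to 5, together with the appendix above) can also be scripted and verified. The following PowerShell is an added example, not IBM's own code; the site name 'Default Web Site' and the application path 'ibmcognos/controllerserver' are assumptions to adjust to your installation.

```powershell
# Added example (not IBM code). Run in an elevated PowerShell session
# on the Controller application server.
Import-Module ServerManager
Import-Module WebAdministration

# ASSUMPTIONS: IIS site name and virtual path of the 'controllerserver' application.
$site = 'Default Web Site'
$app  = 'ibmcognos/controllerserver'

# Appendix: install the IIS 'Windows Authentication' role service if it is missing.
$feature = Get-WindowsFeature -Name Web-Windows-Auth
if (-not $feature.Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# Step 5: enable Anonymous and Windows Authentication for the application.
# The authentication sections are locked below server level by default, so the
# change is written to applicationHost.config using -Location.
$base  = 'system.webServer/security/authentication'
$modes = 'anonymousAuthentication', 'windowsAuthentication'
foreach ($mode in $modes) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$app" -Filter "$base/$mode" -Name enabled -Value $true
}

# Verify the effective setting for the application.
foreach ($mode in $modes) {
    $enabled = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$site/$app" -Filter "$base/$mode" -Name enabled
    '{0,-26} enabled = {1}' -f $mode, $enabled.Value
}
```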

Document Location

Worldwide


Document Information

Modified date:
03 July 2020

UID

ibm16209654