IBM Support

Unable to negotiate authorization - Single sign-on stops working in Workspace after upgrading Planning Analytics to 2.0.9.1

Troubleshooting


Problem

A working environment has been updated to Planning Analytics 2.0.9.1.
This environment includes a TM1 Server configured for SSO, using Integrated Windows Authentication (IWA).
The tm1s.cfg of the TM1 Server contains these parameters to achieve this:
SecurityPackageName=kerberos
IntegratedSecurityMode=3
Since this upgrade, it is not possible to connect to Planning Analytics Workspace.

Symptom

Users see these errors in the web browser:
"Unexpected authentication error"
"Unable to negotiate authorization"

In WAproxy.log (under <PAW>/log/wa-proxy) the Negotiate exchange ends with an HTTP 401, followed by an HTTP 500 carrying this message:
"Unable to perform TM1 JWT auth.  This service is not configured to perform TM1 JWT auth (missing JWT key)"

Cause

Since Planning Analytics 2.0.9.1, a TM1 Server configured with SecurityPackageName=kerberos no longer accepts an NTLM token when the Kerberos negotiation fails; earlier versions silently fell back to NTLM.

Environment

Windows

Diagnosing The Problem

Add these four loggers to the tm1s-log.properties file that sits in the same directory as tm1s.cfg:
log4j.logger.TM1.HttpRequest=DEBUG
log4j.logger.TM1.Login=DEBUG
log4j.logger.TM1.SSPI=DEBUG
log4j.logger.TM1.SSPISecurity=DEBUG
If there is no tm1s-log.properties yet, copy the sample (C:\Program Files\ibm\cognos\tm1_64\samples\tm1\PlanSamp\tm1s-log.properties), add the lines above, and place the file next to the tm1s.cfg of the TM1 Server. The TM1 Server picks up the change without a restart.
Then reproduce the login failure and look at tm1server.log.
The following error will most likely appear:
"Server is configured to only accept Kerberos package but the client is using NTLM when attempting to authenticate."
This means that Kerberos failed, the client then offered an NTLM token instead, and TM1 Server 2.0.9.1 refused it.
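The diagnostic steps above, scripted. This is an added example and not part of the IBM technote: it copies the sample tm1s-log.properties if needed, appends only the loggers that are missing, reports the SSO-related tm1s.cfg values, and then pulls the SSPI/NTLM messages out of tm1server.log. The data directory path and the name of the log directory parameter (LoggingDirectory, falling back to the data directory) are assumptions; adjust them for your server.

```powershell
# Added example (not from the IBM technote): enable the TM1 SSPI/login debug
# loggers and scan tm1server.log for the Kerberos/NTLM failure messages.
# Assumptions: $Tm1DataDir holds tm1s.cfg; $SamplePropsFile is the sample
# tm1s-log.properties shipped with TM1 (path as given in the technote).
param(
    [string]$Tm1DataDir = 'D:\TM1Data\Planning',   # assumed data directory
    [string]$SamplePropsFile = 'C:\Program Files\ibm\cognos\tm1_64\samples\tm1\PlanSamp\tm1s-log.properties'
)

$cfgFile   = Join-Path $Tm1DataDir 'tm1s.cfg'
$propsFile = Join-Path $Tm1DataDir 'tm1s-log.properties'
$debugLines = @(
    'log4j.logger.TM1.HttpRequest=DEBUG',
    'log4j.logger.TM1.Login=DEBUG',
    'log4j.logger.TM1.SSPI=DEBUG',
    'log4j.logger.TM1.SSPISecurity=DEBUG'
)

# 1. Confirm the SSO settings in tm1s.cfg and find where the server log is written.
#    LoggingDirectory is optional; when absent TM1 logs into the data directory.
$logDir = $Tm1DataDir
foreach ($line in Get-Content $cfgFile) {
    if ($line -match '^\s*(SecurityPackageName|IntegratedSecurityMode)\s*=\s*(.+?)\s*$') {
        Write-Output ("tm1s.cfg: {0}={1}" -f $Matches[1], $Matches[2])
    }
    if ($line -match '^\s*LoggingDirectory\s*=\s*(.+?)\s*$') { $logDir = $Matches[1] }
}

# 2. Make sure a tm1s-log.properties exists next to tm1s.cfg (copy the sample if not).
if (-not (Test-Path $propsFile)) {
    Copy-Item -Path $SamplePropsFile -Destination $propsFile
}

# 3. Append only the logger lines that are not already present. TM1 re-reads this
#    file on its own, so no server restart is needed.
$existing = Get-Content $propsFile
$missing  = $debugLines | Where-Object { $existing -notcontains $_ }
if ($missing) { Add-Content -Path $propsFile -Value $missing }

# 4. After reproducing the login failure, extract the relevant lines. The patterns
#    are the messages quoted in the technote plus the SSPI logger name.
$serverLog = Join-Path $logDir 'tm1server.log'
$patterns  = @(
    'Server is configured to only accept Kerberos package',
    'client is using NTLM',
    'TM1.SSPI'
)
Select-String -Path $serverLog -Pattern $patterns -SimpleMatch |
    Select-Object -Last 50 |
    ForEach-Object { $_.Line }
```

Run it on the TM1 Server host as a user that can write to the data directory, reproduce the failed login from a client, then run it again: the final Select-String shows whether the server saw an NTLM token instead of a Kerberos one.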

Resolving The Problem

This behaviour changed in Planning Analytics 2.0.9.1. In previous versions, the TM1 Server accepted NTLM when Kerberos failed.
If nothing in the configuration changed on this environment, then Kerberos was most probably not working before the upgrade either; it went unnoticed because the connection still succeeded over NTLM. In Planning Analytics 2.0.9.1 that fallback no longer happens.
In case of urgency, the problem can be worked around by setting SecurityPackageName=NTLM in tm1s.cfg (a TM1 Server restart is necessary). Treat this as a temporary measure that buys time to fix Kerberos: NTLM is the weaker protocol (it offers no mutual authentication) and it is the same fallback the environment was silently relying on before the upgrade, so revert to kerberos once the root cause is fixed.
To solve the Kerberos issue, start from the assumption that it never worked, which means some of the basic configuration steps may never have been applied.
Here are the points to check:
---Check 1---
Verify that all servers are on the same domain.
---Check 2---
Verify that FQDN syntax (ServerName.YourDomain.Com) is used everywhere in the configuration and in the URL used by users.
---Check 3---
Make sure all the connection tests are done from an actual client, and not from one of the servers.
---Check 4---
The computer account of the Workspace (PAW) server must be trusted for Kerberos delegation.
In Active Directory Users and Computers on the domain controller, open the Workspace server's computer object and, on the Delegation tab, select "Trust this computer for delegation to any service (Kerberos only)". This is the unconstrained delegation option: it lets the Workspace machine obtain Kerberos tickets to any service on behalf of the users who authenticate to it, so apply it only to the Workspace server.
---Check 5---
- Log in to TM1 Architect and connect to the TM1 Server as admin
- From the "View" menu, ensure that "Display Control Objects" is checked
- Expand "Cubes" and open the }ClientProperties cube
- Click the "Automatic Recalculate" button
- Scroll down the }Clients dimension to the UserID that has the connection issue
- Ensure the "UniqueID" column for that user has this form:
<User ID>@YourDomain  (the short NetBIOS domain name, not YourDomain.Com)
- Save
- Security / Refresh Security
- Save Data
- Log out
---Check 6---
Using Internet Explorer, add the Workspace server to the 'Trusted Sites' security zone and set that zone to 'Automatic Logon with current user name and password', as follows:
1. On the client workstation, log in to Windows using the Windows userID for which we wish to use SSO
2. Launch Internet Explorer
3. Click "Tools - Internet Options"
4. Click the 'Security' tab
5. Click 'Trusted sites'
6. Click 'Sites'
7. Untick the box 'Require server verification (https:)...' (assuming that HTTP is used to connect to Workspace; otherwise leave it checked)
8. Type the fully qualified URL of the Workspace server (http://ServerName.YourDomain.Com)
9. Click 'Close'
10. Make sure that 'Trusted Sites' is still highlighted
11. Click 'Custom Level'
12. Change to 'Medium-Low'
13. Click "Reset"
14. Click "Yes" to confirm
15. Scroll down to the bottom of the list of options, and change 'User Authentication' to "Automatic Logon with current user name and password"
16. Click OK, Yes, OK
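Checks 1 to 4 and 6 above can be verified from a client workstation with the following script. It is an added example, not part of the IBM technote or the product: it confirms the client is not one of the servers, that client and servers share the domain and use resolvable FQDNs, that the Workspace computer account carries the delegation flag set by the ADUC option in Check 4, that the Workspace URL is mapped to the Trusted Sites zone with automatic logon enabled, and finally whether the client actually holds a Kerberos service ticket for the Workspace host. The domain and host names are placeholders, and the delegation check assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example (not from the IBM technote): run the technote's Kerberos
# prerequisite checks from a domain-joined client workstation.
# Assumed names: example.com, paw.example.com and tm1.example.com are placeholders.
param(
    [string]$Domain  = 'example.com',        # assumed AD DNS domain
    [string]$PawFqdn = 'paw.example.com',    # assumed Workspace server FQDN
    [string]$Tm1Fqdn = 'tm1.example.com'     # assumed TM1 server FQDN
)

function Report([bool]$ok, [string]$msg) {
    $tag = if ($ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("[{0}] {1}" -f $tag, $msg)
}

# Check 3: tests must run from a real client, not from one of the servers.
$me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Report ($me -notin @($PawFqdn, $Tm1Fqdn)) "Running from client $me, not from a Planning Analytics server"

# Check 1: this client and both servers are in the same domain.
$myDomain = (Get-CimInstance Win32_ComputerSystem).Domain
Report ($myDomain -ieq $Domain) "Client domain is $myDomain"
foreach ($h in $PawFqdn, $Tm1Fqdn) {
    # Check 2: the name is an FQDN in that domain and resolves in DNS.
    $isFqdn   = $h -ilike "*.$Domain"
    $resolves = $null -ne (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue)
    Report ($isFqdn -and $resolves) "$h is an FQDN in $Domain and resolves"
}

# Check 4: the Workspace computer account is trusted for delegation.
# "Trust this computer for delegation to any service (Kerberos only)" sets the
# TrustedForDelegation flag (unconstrained delegation) on the computer object.
$pawHost = ($PawFqdn -split '\.')[0]
try {
    $acct = Get-ADComputer -Identity $pawHost -Properties TrustedForDelegation -ErrorAction Stop
    Report ([bool]($acct.TrustedForDelegation)) "Computer account $pawHost is trusted for delegation"
} catch {
    Report $false "Could not read computer account $pawHost (ActiveDirectory module or rights missing): $_"
}

# Check 6: the Workspace host is mapped to the Trusted Sites zone (zone 2) and that
# zone performs automatic logon with the current credentials (value 1A00 = 0).
$zoneMap = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain\$pawHost"
$zone    = (Get-ItemProperty -Path $zoneMap -ErrorAction SilentlyContinue).http
Report ($zone -eq 2) "$PawFqdn is mapped to the Trusted Sites zone (http=$zone)"
$zone2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$logon = (Get-ItemProperty -Path $zone2 -ErrorAction SilentlyContinue).'1A00'
Report ($logon -eq 0) "Trusted Sites logon setting 1A00 = $logon (0 = automatic logon with current credentials)"

# Confirmation: after browsing to http://$PawFqdn the client should hold a Kerberos
# service ticket for HTTP/<Workspace FQDN>. If klist shows none, the browser never
# obtained a Kerberos ticket and sent NTLM instead, which 2.0.9.1 rejects.
$tickets = klist 2>$null
Report ([bool]($tickets -match "HTTP/$PawFqdn")) "Kerberos service ticket for HTTP/$PawFqdn present in klist"
```

Run it after logging in to the client as the SSO user and opening the Workspace URL once; a FAIL on the delegation or klist lines points at the server side, a FAIL on the zone lines at the browser configuration.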

Document Location

Worldwide


Document Information

Modified date:
04 June 2020

UID

ibm16219292