Cognos Express AD Authentication Stopped working

[jameswebber]

Below describes an issue I had an how to fix it.

The summary:
I believe he Cognos Express method of LDAP lookup (possibly TM1 too) is non standard.
After the implementation of the windows update http://technet.microsoft.com/en-us/secu ... n/ms11-095 on our domain controllers I found that both Cognos Express (CE) 9.5 and CE 10.1 would not longer perform AD authentication.
The very unhelpful error message is: The provided credentials are invalid. Please type your credentials for authentication.
Even thought the credentials are correct,
I belive rolling back this windows update will fix the issue but at the time of writing have not applied the fix to our live domain controller

[jameswebber]

More detail and useful steps to check is trying to fix this or something similar:
All our servers are windows 2008 r2 boxes

Anyway my issue was that ldap active directory authentication is not working on Cognos Express 9.5 or 10
It has been working on both and I know it was working on here is a screenshot of it working on CE 10 in mid June:

Working CETtest.png (8.22 KiB) Viewed 13993 times

Sometime after 6th of July it stopped working on both my CE 10 server and my CE9.5 server which I have not touched.

I have not yet set up SSO on this box.

I am wondering if this is a known IBM issue related to windows updates as all our other ldap services Microsoft and non-Microsoft are working fine. I have even tested another apache ldap service. Putting all windows updates on and rebooting but it was working.
Steps to recreate the issue:
1. Goto: http://IRLCETEST:19300/cognos_express/manager
Select domain (IRL in my case)
2. Redirects to http://irlcetest:19300/p2pd/servlet/dis ... s/manager/
3. Choose IRL as a namespace and choose okay
4. Redirects to http://irlcetest:19300/p2pd/servlet/dispatch, Put in known good AD credentials
5. Does not log me in give error:
The provided credentials are invalid. Please type your credentials for authentication.

irlcetestLogon.png (12.11 KiB) Viewed 13993 times

Tried with IRL\j.webber and other users credentials and does not work.

The Setup
I have setup the AD namespace as per below:

LDAP_Setup_in_CE.png (29.57 KiB) Viewed 13993 times

I have also tried <ldap server>:389 and also using the secure ldap port 636.

Things I have tried:
Windows Firewall
I have installed ldap services on the server and found that ldp.exe (installed if you add the light weight direcotry serivices role to you window server) to connect to ldap wasn’t working.
I then stopped all the windows firewalls on the server and rebooted. Ldp.exe now works but CE doesn’t.

I have stopped the windows firewall temporary on our DC and hard coded to that DC, rebooted and tested CE10 and Ce9.5 and still no luck.

Cognos Config
Tried various settings in Cognos config (including binding to various AD acocunts). Interesting the test works okay but the it never works via the ie portal.


Rebuilding Cognos Credentials
I have followed the steps below
http://www-01.ibm.com/support/docview.w ... wg21346342

Windows Updates
Rolling back windows updates on CE server until before the know good date but still no luck but I have a hunch that the following windows update could be causing an issue:
http://support.microsoft.com/kb/2640045
I think this could be a problem on the DC and needs to be rolled back.

[jameswebber]

Fundamentally this is an IBM issue if other ldap services work but CE doesn't then IBM will need to come up with a workaround.

• Checked cognos expres logs, and enabled CAM logging tracing.
• Tested with third party ldap tool
• Used wireshark to packet sniff
• Tested other AD accounts, created new add accounts just in users AD group
• Rebuilt Congos Server with no windows updates

In the end create an isolated AD environment with DC's with no windows updates CE server with no windows updates. This works fine.
Apply http://support.microsoft.com/kb/2640045 to DC and suddenly CE ldap is broken.

I'm going to go back and ask IBM for a fix.

[Terramup]

Hi,

Do you have a PMR? I think I have a similar issue and wanted to give my IBM tech the number.

Thanks,
ScottB

[jameswebber]

Sure it's:
PMR 49037, 220, 796 - ldap active directory authentication is not working,

The Domain controllers need to be rebooted for the change to take effect.

I have agreed with my ops team (after a little negotiation) that we roll back the MS update but use SSL on port 636 and bind credentials in live. In our test domain this work fine (with the windows update listed rolled back)

[Terramup]

In our case it was related to this tech note:
http://www-01.ibm.com/support/docview.w ... wg21446996

The AD server was saying that the name was invalid. We had to change the service to start with a domain account instead of local system.

Thanks,
ScottB

[jameswebber]

That might be worth a try for me,
Assuming you mean the IBM Cognos Analytic Server - CXMD service?

[jameswebber]

Works a treat!
1 Created new account in AD,
2 Added this account to local admins on the server.
3 Changed the IBM Cognos Express service to use my new account instead of local,
4 Rebooted

All works fine happy days.

Still think (through my testing) that the windows update is related to this issue but this work around is great.

Thanks so much Scott

[Terramup]

You are welcome.