TM1 Web 10.2 Integrated Login Kerberos setup
-
- Posts: 22
- Joined: Fri Mar 27, 2009 1:39 pm
- OLAP Product: TM1, SSAS
- Version: 10.2
- Excel Version: 2010
TM1 Web 10.2 Integrated Login Kerberos setup
Hi,
As TM1 Web 10.2 was rebuilt and is now a Java application, single sign-on (SSO) in IntegratedSecurityMode 2/3 is no longer supported. Integrated Login by typing in your Windows user name and password is however supposed to work in mode 2/3 (TM1 Web 10.2 FAQ).
There was a security issue in 10.2 RTM with Integrated Login, but that should be solved in Interim Fix 1 and FP1.
There is a section in the 10.2 documentation, "Configuring Integrated Login for Cognos TM1 Web using Kerberos", which I have tried to follow to get Integrated Login to work, but to no avail. The instructions are not very clear and I am guessing a bit as to what the configuration files should contain and where to put them (krb5.ini etc.). I am just getting "A server error has occurred" when trying to login to TM1 Web. I have tried IBM support for help and even provided them with a bunch of logs and all my configuration files, but I have kinda stopped hoping for any help from them after a couple of months of not getting any help at all on this.
So, my simple question to you guys is: have any of you figured out how to get Integrated Login with security mode 2/3 to work in TM1 Web 10.2? And if so - how did you do it?
Thanks!
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
I would go down the CAM path and configure CAM SSO with Active Directory.
So far I managed to get TM1 Web and good old Perspective working with a limitation, I still get prompted for ID and password which is the domain ID/password.
The steps are pretty lengthy and not well documented. How I wish there was a single tech note from IBM that we could follow step by step to do this, especially for old school TM1 users, as the Cognos BI stack is a big black hole to me.
Next in line will be getting Contributor Application portal, Cognos Insight and Workspace working.
-
- Posts: 22
- Joined: Fri Mar 27, 2009 1:39 pm
- OLAP Product: TM1, SSAS
- Version: 10.2
- Excel Version: 2010
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Thanks for the reply!
I would definitely go for CAM if Cognos BI is also used, but we have a number of clients that are currently running TM1 10.1 without BI. We also have some custom processes and websheets for security administration, which would have to be rebuilt if we would go for CAM security with these clients. It seems a bit unnecessary to install the BI runtime just to get integrated security to work, but perhaps that's the way to do it nowadays.
-
- MVP
- Posts: 170
- Joined: Fri Dec 10, 2010 4:07 pm
- OLAP Product: TM1
- Version: [2.x ...] 11.x / PAL 2.0.9
- Excel Version: Excel 2013-2016
- Location: Germany
Re: TM1 Web 10.2 Integrated Login Kerberos setup
I have heard that it will take several months until we get back Integrated Login for Web 10.2.
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
My view is that even if IBM managed to get Integrated Login working for TM1 Web, we are still faced with the issue that Cognos Insight, TM1 Application portal etc. in their current state don't support Windows Authentication without going through CAM.
Seems to me it's going the CAM direction.
-
- MVP
- Posts: 227
- Joined: Fri Mar 11, 2011 2:18 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2003 2007
Re: TM1 Web 10.2 Integrated Login Kerberos setup
What happens when you troubleshoot TM1 10.2 Windows Integrated Login (Kerberos Authentication) as outlined by the IBM Technote 1662730?
http://www-01.ibm.com/support/docview.w ... wg21662730
How to Troubleshoot TM1Web 10.2 Windows Integrated Login (KERBEROS Authentication)
-
- Posts: 22
- Joined: Fri Mar 27, 2009 1:39 pm
- OLAP Product: TM1, SSAS
- Version: 10.2
- Excel Version: 2010
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Gabor wrote:
> I have heard that it will take several months until we get back Integrated Login for Web 10.2.
Integrated Login for TM1 Web 10.2 should already work. That is why I am trying to configure it. However single sign on (SSO) does not work (you have to type your Windows username and password).
kangkc wrote:
> Seems to me it's going the CAM direction.
Yeah, seems that way to me as well.
moby91 wrote:
> What happens when you troubleshoot TM1 10.2 Windows Integrated Login (Kerberos Authentication) as outlined by the IBM Technote 1662730?
Thanks for the link, that technote didn't exist when I started trying to get this to work. I got the technote from IBM support as well and am in the middle of troubleshooting right now. I now have an error message, but I am stuck again. However IBM support have now woken up and are now very helpful, so we might actually get this to work. If so, I will post the solution here. IBM support also recommend CAM by the way.
-
- MVP
- Posts: 227
- Joined: Fri Mar 11, 2011 2:18 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2003 2007
Re: TM1 Web 10.2 Integrated Login Kerberos setup
There is a new Proven Practice covering this topic:
http://www.ibm.com/developerworks/libra ... index.html
IBM Business Analytics Proven Practices: Configuring Integrated Security for Cognos TM1 Web 10.2
How to set up integrated Windows Authentication for TM1 Web which now is a Java application in Cognos TM1 10.2 release. This is a supplement to the currently incomplete documentation.
http://www.ibm.com/developerworks/libra ... 78-pdf.pdf
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Has anyone managed to get TM1Web Integrated Login working on 10.2.20000.50183?
I have followed all the instructions from the "IBM Business Analytics Proven Practices: Configuring Integrated Security for Cognos TM1 Web 10.2" but never get to a point in the login screen to select Windows authentication or not be prompted for credentials.
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
GWT wrote:
> Has anyone managed to get TM1Web Integrated Login working on 10.2.20000.50183?
> I have followed all the instructions from the "IBM Business Analytics Proven Practices: Configuring Integrated Security for Cognos TM1 Web 10.2" but never get to a point in the login screen to select Windows authentication or not be prompted for credentials.
Decided to give it a shot with the instruction in the document. Managed to get it working within an hour. Having the domain controller Administrator access does help to get it going. In summary, the instructions provided do work.
Do note that IBM specifically said that this is not a SSO solution in which user will still need to key in the domain account and password on the TM1Web login form.
-
- Posts: 18
- Joined: Thu Nov 13, 2014 10:03 am
- OLAP Product: TM1
- Version: 10.2.0
- Excel Version: 2010
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Hi kangkc,
While logging in to TM1Web 10.2 using "Windows Authentication", I am getting error message "An error has occured" after entering Windows login credentials.
I have followed the instructions in the below URL, "Configuring Integrated Security for Cognos TM1 Web 10.2" to ensure the settings are done as specified during setup.
URL:
https://www.ibm.com/developerworks/libr ... m-page678/
However, I am able to login to TM1Web with "Native Authentication" successfully.
In the tm1web_config.xml file, the parameter 'IntegratedSecurityModuleName' is assigned value 'TM1SignedOnUserLoginContext'.
Tm1s.cfg file has the parameter IntegratedSecurityMode set to 2.
I have gone through the previous posts where it was suggested to go via CAM authentication. But we don't have Cognos BI installed as we are using a different product for BI reporting.
I wanted to know if there is any resolution for this issue which enables us to login TM1Web 10.2 using Windows authentication.
My other question is, is there any process to enable "Windows authentication" to login TM1 Performance Modeler. I don't see an option to select the Authentication type.
Able to login to PM using TM1 login credentials.
- gtonkin
- MVP
- Posts: 1199
- Joined: Thu May 06, 2010 3:03 pm
- OLAP Product: TM1
- Version: Latest and greatest
- Excel Version: Office 365 64-bit
- Location: JHB, South Africa
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Hi kangkc,
Thanks for your reply - I think what was confusing me is the expectation of the Integrated Login tick box, not that I needed to enter credentials.
It seemed that the configuration in the KRB5.conf file was incorrect and thus not authenticating. Getting the correct KDC server FQDN is the key!
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
tm1_user wrote:
> Hi kangkc,
> While logging in to TM1Web 10.2 using "Windows Authentication", I am getting error message "An error has occured" after entering Windows login credentials.
> I have followed the instructions in the below URL, "Configuring Integrated Security for Cognos TM1 Web 10.2" to ensure the settings are done as specified during setup.
> URL:
> https://www.ibm.com/developerworks/libr ... m-page678/
> However, I am able to login to TM1Web with "Native Authentication" successfully.
> In the tm1web_config.xml file, the parameter 'IntegratedSecurityModuleName' is assigned value 'TM1SignedOnUserLoginContext'.
> Tm1s.cfg file has the parameter IntegratedSecurityMode set to 2.
> I have gone through the previous posts where it was suggested to go via CAM authentication. But we don't have Cognos BI installed as we are using a different product for BI reporting.
> I wanted to know if there is any resolution for this issue which enables us to login TM1Web 10.2 using Windows authentication.
> My other question is, is there any process to enable "Windows authentication" to login TM1 Performance Modeler. I don't see an option to select the Authentication type.
> Able to login to PM using TM1 login credentials.
If you are only interested to get TM1Web, Excel client and Performance Modeler with Windows Authentication, you do not need to go via the CAM path.
Following the tech note does work and we have done that in two different setups. However Kerberos is never an easy setup and you must follow the steps in the document closely. Watch out on the Realm name as it is case sensitive.
-
- Posts: 18
- Joined: Thu Nov 13, 2014 10:03 am
- OLAP Product: TM1
- Version: 10.2.0
- Excel Version: 2010
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Hi kangkc,
Thanks for your response.
We are reviewing the installation setup and the krb5.ini setup file and others.
There seems to be a setup issue as the Kerberos parameter is not set up properly.
- gtonkin
- MVP
- Posts: 1199
- Joined: Thu May 06, 2010 3:03 pm
- OLAP Product: TM1
- Version: Latest and greatest
- Excel Version: Office 365 64-bit
- Location: JHB, South Africa
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Here is a guide I created when I configured TM1Web in my lab.
Note that I used TM1 10.2.2 FP1, Tomcat etc, bog standard TM1 install for my server components.
1. References Required
TM1 Service Account – Used to start TM1 services
TM1 Server Name – Machine on which TM1 will be running
TM1 Domain Name – Domain on which TM1 server and Clients will be active
Domain Controller Name – Name of machine used to authenticate users (KDC)
TM1 Install folder – e.g. C:\program files\ibm\cognos\tm1_64
2. Service Account
Identify the account being used to start the TM1 Admin Server and instances, mine is called TM1-SVC
Ensure all TM1 services are configured to use this account and that account has prescribed permissions.
3. }ClientProperties Rule
Create/Update the rule to add the domain to configured clients.
Code:
    SKIPCHECK;
    #=====ADMIN=====
    ['Admin','UniqueID']=S:'GEOTON@MYDOMAIN';
    #================
    #=====GENERAL=====
    ['UniqueID']=S:!}Clients|'@MYDOMAIN';
    #==================
    FEEDERS;
Note: }ClientProperties set to use domain MYDOMAIN – MYDOMAIN.COM did not work!
4. TM1S.CFG
Update the TM1S.CFG to use Integrated Login with Kerberos
Code:
    IntegratedSecurityMode=3
    SecurityPackageName=Kerberos
    ServicePrincipalName=tm1s/TM1SERVER.MYDOMAIN.COM@MYDOMAIN.COM
5. Link service account to domain
Example:
setspn -U -F -S tm1s/myserver.example.com example\tm1s_plan
From the command prompt, running as administrator, enter the following:
Code:
    Setspn -U -F -S tm1s/TM1SERVER.MYDOMAIN.COM TM1-SVC
Note: Probably a good place to restart services and check that you can log in using Integrated through Architect/Perspectives to ensure that the basics are working.
6. TM1Web_Config.XML
On the TM1SERVER, edit the following file:
<TM1 Install>\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml
Locate the line that reads,
Code:
    <add key="IntegratedSecurityModuleName" value="LoginModule name"/>
Replace the value of this key with TM1SignedOnUserLoginContext if not already done.
The line should read:
Code:
    <add key="IntegratedSecurityModuleName" value="TM1SignedOnUserLoginContext"/>
Save and close the file.
7. TM1WebLogin.config
In a text editor such as Notepad or vi, create a new empty file and save it under the name TM1WebLogin.config as
<TM1 Install>\bin64\jre\7.0\lib\security\TM1WebLogin.config
In the text editor, create a new login context with a name of TM1SignedOnUserLoginContext and specify the JRE's JAAS Kerberos login module.
Note the option useDefaultCcache had been included to disable the default credential cache. For an IBM JRE the contents of the file should look like this:
Code:
    TM1SignedOnUserLoginContext {
        com.ibm.security.auth.module.Krb5LoginModule required
        useDefaultCcache=false
        debug=true
        credsType=initiator;
    };
8. Java.security
Open the following file
<TM1 Install>\bin64\jre\7.0\lib\security\java.security
Search for the text login.config.url. This should identify a snippet which looks like this:
Code:
    # Default login configuration file
    #login.config.url.1=file:${user.home}/.java.login.config
    login.config.url.1=file:${java.home}/lib/security/login.config
Replace the name of the file (login.config) in the line which is not a comment (does not start with a # character) with TM1WebLogin.config. The result should look as follows,
Code:
    # Default login configuration file
    #login.config.url.1=file:${user.home}/.java.login.config
    login.config.url.1=file:${java.home}/lib/security/TM1WebLogin.config
9. krb5.conf
Create a new file as
<TM1 Install>\bin64\jre\7.0\lib\security\krb5.conf
Update with the following:
Code:
    [libdefaults]
    default_realm = MYDOMAIN.COM
    default_tkt_enctypes = rc4-hmac des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-crc
    ticket_lifetime = 1200
    [realms]
    MYDOMAIN.COM = {
        kdc = MYDC.MYDOMAIN.COM
        admin_server = MYDC.MYDOMAIN.COM
        default_domain = MYDOMAIN.com
    }
    [domain_realm]
    .MYDOMAIN.com = MYDOMAIN.COM
    [appdefaults]
Note: MYDC is the domain controller on the network to which TM1Server belongs.
9.1. Finding the KDC
Open up the computer properties for TM1Server that is on the relevant domain – Windows Key + Pause/Break
Or go to Control Panel, System and Security, System
Get the FQDN from the Domain: item
10. First time login
Restart Applications server to ensure Java is reloaded etc.
Connect to http://<TM1Server>:9510/tm1web
In Cognos TM1 Web version 10.2, you must enter your Microsoft Windows authentication in the Cognos TM1 Web login dialog box, there is no tick box for integrated login.
NOTE: If your TM1 server has underscores (or possibly other special characters) in the name e.g. TM1_SERVER, you will get an error message on login – Session timed out – check IBM Technote 1458105 https://www-304.ibm.com/support/docview ... wg21458105
GOOD LUCK!
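A small linter for the pitfalls this thread keeps returning to (case-sensitive realm name, KDC FQDN, `admin_server` naming the TM1 server instead of the KDC, underscores in the host name), added here as an example and not part of the original post or of IBM's documentation. `parse_krb5`, `lint` and both sample files are constructed for illustration; the AES enctypes in the corrected sample are an assumption, since the thread's own file uses `rc4-hmac des-cbc-crc` and does not say what the bundled JRE accepts.

```python
import re

# Deprecated Kerberos encryption types (DES: RFC 6649, RC4: RFC 8429).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}
FQDN_RE = re.compile(r"([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}")
SPN_RE = re.compile(r"([^/@\s]+)/([^/@\s]+)@([^/@\s]+)")  # service/host@REALM

def parse_krb5(text):
    """Parse [section] headers, key = value pairs and one level of NAME = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1].strip(), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf

def lint(krb5_text, spn=None):
    """Return (severity, message) findings; spn is ServicePrincipalName from tm1s.cfg."""
    conf, out = parse_krb5(krb5_text), []
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    default = str(lib.get("default_realm", ""))
    m = SPN_RE.fullmatch(spn) if spn else None
    spn_host = m.group(2).lower() if m else None
    if default not in realms:
        near = [r for r in realms if r.lower() == default.lower()]
        hint = f"; realm names are case sensitive, found {near[0]!r}" if near else ""
        out.append(("ERROR", f"default_realm {default!r} has no [realms] entry{hint}"))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(WEAK_ENCTYPES & set(str(lib.get(key, "")).replace(",", " ").split()))
        if weak:
            out.append(("WARN", f"{key} allows deprecated enctypes: {', '.join(weak)}"))
    for realm, opts in realms.items():
        opts = opts if isinstance(opts, dict) else {}
        for key in [k for k in ("kdc", "admin_server") if k in opts or k == "kdc"]:
            host = str(opts.get(key, "")).split(":")[0]  # drop an optional :port
            if not FQDN_RE.fullmatch(host):
                out.append(("ERROR", f"{realm}: {key} = {host!r} is not a clean FQDN"))
            elif host.lower() == spn_host:
                out.append(("WARN", f"{realm}: {key} names the TM1 server, not the KDC"))
    for dom, realm in conf.get("domain_realm", {}).items():
        if re.search(r"\s", dom) or str(realm) not in realms:
            out.append(("ERROR", f"domain_realm: {dom!r} = {realm!r} is malformed or unmapped"))
    if spn and not m:
        out.append(("ERROR", f"ServicePrincipalName {spn!r} is not service/host@REALM"))
    elif m:
        if m.group(3) != default:
            out.append(("ERROR", f"SPN realm {m.group(3)!r} differs from default_realm {default!r}"))
        if "_" in m.group(2):
            out.append(("WARN", "SPN host name contains an underscore"))
    return out

# Constructed sample containing the slips the thread warns about.
BROKEN = """
[libdefaults]
default_realm = mydomain.com
default_tkt_enctypes = rc4-hmac des-cbc-crc
default_tgs_enctypes = rc4-hmac des-cbc-crc
[realms]
MYDOMAIN.COM = {
  kdc = MYDC. MYDOMAIN.COM
  admin_server = TM1SERVER
}
[domain_realm]
. MYDOMAIN.com = MYDOMAIN.COM
"""

# Constructed corrected sample; the AES enctypes are an assumption.
GOOD = """
[libdefaults]
default_realm = MYDOMAIN.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
MYDOMAIN.COM = {
  kdc = MYDC.MYDOMAIN.COM
  admin_server = MYDC.MYDOMAIN.COM
}
[domain_realm]
.MYDOMAIN.com = MYDOMAIN.COM
"""

if __name__ == "__main__":
    for severity, message in lint(BROKEN, "tm1s/TM1_SERVER.MYDOMAIN.COM@MYDOMAIN.COM"):
        print(f"{severity:5} {message}")
```
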
-
- MVP
- Posts: 3653
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: TM1 Web 10.2 Integrated Login Kerberos setup
George - I take this to mean that you succeeded in getting windows integrated login to work with TM1 Web and Tomcat using the standard or "old" method of UniqueID=WindowsUser@Domain without using CAM ? I have certainly heard of integrated login being made to work after 1) implementing CAM, 2) integrating CAM with LDAP Namespace 3) setting up additional Cognos IIS gateway to capture the logged in user context from Kerberos and pass back to the JVM.
But this is the first time I heard of anyone succeeding with SSO for 10.2.2 TM1 Web without CAM (and all the extra complexity it brings plus needing full Cognos BI to do it since BI Runtime 10.1 is not officially supported for TM1 10.2.2 authentication). If your method works then despite the fact that it still sounds rather complicated it would be more straightforward and streamlined than the CAM alternative.
What about the complexity of multiple domains & domain controllers?
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
- gtonkin
- MVP
- Posts: 1199
- Joined: Thu May 06, 2010 3:03 pm
- OLAP Product: TM1
- Version: Latest and greatest
- Excel Version: Office 365 64-bit
- Location: JHB, South Africa
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
@Lotsaram - Just to be sure of what I did, this is TM1Web only, not Application which AFAIK only supports modes 1 and 5. We have not needed to use CAM, CAM with LDAP at this stage so cannot comment.
I have not needed to configure for multiple domain controllers but have got users on multiple domains. For these clients we add an attribute to the }Clients dimension and configure with the secondary domains e.g.
Code:
    #=====GENERAL=====
    # '@' is appended once, so the fallback branch supplies only the domain name
    ['UniqueID']=S:
    !}Clients|'@'|IF(ATTRS('}Clients',!}Clients,'Domain')@<>'',ATTRS('}Clients',!}Clients,'Domain'),'MYDOMAIN');
    #==================
Hopefully other forum members can shed further light on the areas I cannot.
-
- Community Contributor
- Posts: 206
- Joined: Fri Oct 17, 2008 2:40 am
- OLAP Product: TM1, PA , TMVGate
- Version: 2.x
- Excel Version: 36x
- Location: Singapore
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
lotsaram wrote:
> George - I take this to mean that you succeeded in getting windows integrated login to work with TM1 Web and Tomcat using the standard or "old" method of UniqueID=WindowsUser@Domain without using CAM ? I have certainly heard of integrated login being made to work after 1) implementing CAM, 2) integrating CAM with LDAP Namespace 3) setting up additional Cognos IIS gateway to capture the logged in user context from Kerberos and pass back to the JVM.
> But this is the first time I heard of anyone succeeding with SSO for 10.2.2 TM1 Web without CAM (and all the extra complexity it brings plus needing full Cognos BI to do it since BI Runtime 10.1 is not officially supported for TM1 10.2.2 authentication). If your method works then despite the fact that it still sounds rather complicated it would be more straightforward and streamlined than the CAM alternative.
> What about the complexity of multiple domains & domain controllers?
Cautions:
We have the SSO setup with TM1Web in a production environment, and lots of testing was done to make sure all was OK. After system cut-over, we have some client machines that can't get through using TM1 Perspective with Kerberos. This is not a server setup issue but rather the respective client machines' issue with SPN.
Just be mindful that the majority is running fine, but there will be some that may end up with problems which I think are beyond TM1 and in the area of Kerberos.
-
- Posts: 16
- Joined: Wed Nov 12, 2014 2:24 pm
- OLAP Product: TM1
- Version: 10.2.2
- Excel Version: 2010
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Hi, sorry to bring up the dead, but did anyone get this working successfully?
I have a new Windows 2008 Server VM, installed 10.2.2 and then the Fix Pack, however, the integrated login via the Web DOES NOT want to play... and the only error I get is "Login Failed, please try again."
I have gone through the various steps as other members have suggested but seem to be pulling my hair out. Integrated Login via Architect is working fine.
Your patience in solving this issue is much appreciated.
Thanks,
AMIGO !
- gtonkin
- MVP
- Posts: 1199
- Joined: Thu May 06, 2010 3:03 pm
- OLAP Product: TM1
- Version: Latest and greatest
- Excel Version: Office 365 64-bit
- Location: JHB, South Africa
- Contact:
Re: TM1 Web 10.2 Integrated Login Kerberos setup
Hi Amigo, I did using the steps I posted further up in this thread - review and take note of the traps I fell into e.g. Getting the correct KDC server FQDN is the key!
I had configured my VM as the Domain Controller too which made my test environment easier. Also be careful of the Admin_Server in the KRB5.CONF - this is not the TM1 server but the KDC!
Also check for underscores etc. in the host name - Web does not like this - you may need to alias through the Hosts file or try the IP address.
I still have an issue at a client where their implementation of Kerberos seems to be quite complicated and the ticket never seems to be sent back to allow login.
Good luck!