TM1 Web 10.2 Integrated Login Kerberos setup

Gabor
MVP
Posts: 170
Joined: Fri Dec 10, 2010 4:07 pm
OLAP Product: TM1
Version: [2.x ...] 11.x / PAL 2.0.9
Excel Version: Excel 2013-2016
Location: Germany

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by Gabor »

Assuming you have used the default install of TM1, there should be a log available under "C:\Program Files\ibm\cognos\tm1_64\logs\pmpsvc-stdout.2015-03-11.log" which usually tells you more about the reason why your Kerberos handshake fails.

Have you tried to use your fully qualified ID on the TM1 Web login screen, like "myid@MYSUBDOMAIN1.MYDOMAIN.COM"? This can help to avoid a couple of cross-domain / realm issues before you go on to further debugging.

If you try to log in from another subdomain and your network does not provide direct trust, you need to provide your parent realm in krb5.conf in addition to the realms that belong to the subdomains (all under the [realms] section).
If you struggle with having the correct name / IP of your controller hosts, just start using the domain locator feature by referring to the respective domain.

This is how your initial krb5.conf could look under [realms]:
MYDOMAIN.COM = {
kdc = mydomain.com
admin_server = mydomain.com
default_domain = mydomain.com
}
MYSUBDOMAIN1.MYDOMAIN.COM = {
kdc = mysubdomain1.mydomain.com
admin_server = mysubdomain1.mydomain.com
default_domain = mysubdomain1.mydomain.com
}
MYSUBDOMAIN2.MYDOMAIN.COM = {
kdc = mysubdomain2.mydomain.com
admin_server = mysubdomain2.mydomain.com
default_domain = mysubdomain2.mydomain.com
}

If you think you have trouble with your "MIT super long Kerberos SPN fully registered etc. name" and assuming you run a more or less standard Windows network, just try the good old way of running it under Local System. That should work as well, especially if it works in Perspectives.
The only thing you then need to do is make your Service Principal Name all upper case, whereas the default is that the domain appears in lower case when there is no special line in tm1s.cfg.
So you need to change the default Principal Name (it appears in the tm1server.log) from "MYTM1SERVERHOSTNAME@mysubdomain2.mydomain.com" by adding this:
"ServicePrincipalName=MYTM1SERVERHOSTNAME@MYSUBDOMAIN2.MYDOMAIN.COM"
mattgoff
MVP
Posts: 516
Joined: Fri May 16, 2008 1:37 pm
OLAP Product: TM1
Version: 10.2.2.6
Excel Version: O365
Location: Florida, USA

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by mattgoff »

amigo wrote: Hi, sorry to bring up the dead, but did anyone get this working successfully?

I have a new Windows 2008 Server VM, installed 10.2.2 and then the Fix Pack, however, the integrated login via the Web DOES NOT want to play... and the only error I get is "Login Failed, please try again."

I have gone through the various steps as other members have suggested but seem to be pulling my hair out. Integrated Login via Architect is working fine.
I have had a ticket open with IBM since December, and have had no luck getting it resolved. My error mechanism is exactly the same as yours: Architect is fine, Web fails with that error message (which seems to be stumping support). If I ever get a resolution, I'll post here.
Please read and follow the Request for Assistance Guidelines. It helps us answer your question and saves everyone a lot of time.
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by lotsaram »

When you say "integrated login" you do mean CAM with LDAP Namespace plus SSO?
Because that's the only way logon without being challenged for user name and password is going to work in the new 10.2 web world.
Please place all requests for help in a public thread. I will not answer PMs requesting assistance.
mattgoff
MVP
Posts: 516
Joined: Fri May 16, 2008 1:37 pm
OLAP Product: TM1
Version: 10.2.2.6
Excel Version: O365
Location: Florida, USA

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by mattgoff »

lotsaram wrote: When you say "integrated login" you do mean CAM with LDAP Namespace plus SSO?
Because that's the only way logon without being challenged for user name and password is going to work in the new 10.2 web world.
Yes, SSO via Kerberos. I suppose "integrated login" isn't an accurate description for 10.2 Web in that you have to manually re-authenticate now, but all of the documentation and inis still refer to it that way. The key thing for us is that it's via AD credentials, not TM1, to avoid a bunch of SOX headaches. Nearly all of our users use Architect, so it's only a handful who I have on TM1 credentials in the interim.
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by lotsaram »

You don't have to reauthenticate. It is possible to get "proper" SSO with CAM.
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

How hard can this be... 10 days and still not working... tried all of the above and more... running out of ideas.
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

There is a log file... pmpsvc-stdout.2015-03-18.log

that gives the following error message:

Applix TM1->PerformSingleSignOn Exception org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential

Any ideas would be appreciated....

Thanks,
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

The log file... pmpsvc-stdout.2015-03-18.log... shows the following error:

Applix TM1->PerformSingleSignOn Exception org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: java.lang.Exception: No credential

Any other pointers would be greatly appreciated.
Gabor
MVP
Posts: 170
Joined: Fri Dec 10, 2010 4:07 pm
OLAP Product: TM1
Version: [2.x ...] 11.x / PAL 2.0.9
Excel Version: Excel 2013-2016
Location: Germany

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by Gabor »

If you scroll up a little in your log file, you can check the Kerberos authentication steps, which need to happen first.
This usually gives a bit more information. Here is what I see for a successful login:

[JGSS_DBG_CRED] http-9510-8 No Kerberos creds in cache for principal userid@MYSUBDOMAIN1.MYDOMAIN.COM
[JGSS_DBG_CRED] http-9510-8 Doing Kerberos login for principal userid@MYSUBDOMAIN1.MYDOMAIN.COM
[JGSS_DBG_CRED] http-9510-8 Doing Kerberos login for principal: userid@MYSUBDOMAIN1.MYDOMAIN.COM
[JGSS_DBG_CRED] http-9510-8 Kerberos login complete
[JGSS_DBG_CRED] http-9510-8 Login successful
[JGSS_DBG_CRED] http-9510-8 kprincipal : userid@MYSUBDOMAIN1.MYDOMAIN.COM
[JGSS_DBG_CRED] http-9510-8 userid@MYSUBDOMAIN1.MYDOMAIN.COM added to Subject
[JGSS_DBG_CRED] http-9510-8 Kerberos ticket for userid@MYSUBDOMAIN1.MYDOMAIN.COM added to Subject
[JGSS_DBG_CRED] http-9510-8 No keys to add to Subject for userid@MYSUBDOMAIN1.MYDOMAIN.COM
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

I have the following, but the last bit is the concern...

[JGSS_DBG_CRED] http-9510-1 No Kerberos creds in cache for principal Roddyco
[JGSS_DBG_CRED] http-9510-1 Doing Kerberos login for principal myname@mycompany.COM
[JGSS_DBG_CRED] http-9510-1 Doing Kerberos login for principal: myname@mycompany.COM
[JGSS_DBG_CRED] http-9510-1 Kerberos login complete
[JGSS_DBG_CRED] http-9510-1 Login successful
[JGSS_DBG_CRED] http-9510-1 kprincipal : myname@mycompany.COM
[JGSS_DBG_CRED] http-9510-1 myname@mycompany.COMadded to Subject
[JGSS_DBG_CRED] http-9510-1 Kerberos ticket for myname@mycompany.COMadded to Subject
[JGSS_DBG_CRED] http-9510-1 No keys to add to Subject for myname@mycompany.COM
com.ibm.security.krb5.KrbException, status code: 0
message: Cannot find KDC for realm mycompany.COM
Gabor
MVP
Posts: 170
Joined: Fri Dec 10, 2010 4:07 pm
OLAP Product: TM1
Version: [2.x ...] 11.x / PAL 2.0.9
Excel Version: Excel 2013-2016
Location: Germany

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by Gabor »

Not sure if this really causes the problem, but your realm name should be in upper case, something like "myname@MYCOMPANY.COM".
So please review the krb5.conf to get this corrected. First step: what happens (after a TM1 Application service restart) if you have changed it to ...
[libdefaults]
default_realm = MYCOMPANY.COM
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

Hi, thanks for taking the time out to reply.

They are in upper case... however, could you please confirm where I can get the default_realm name from, as well as the kdc (just so I can confirm I "have" the right data in there already)?

Thanks

AMIGO
Gabor
MVP
Posts: 170
Joined: Fri Dec 10, 2010 4:07 pm
OLAP Product: TM1
Version: [2.x ...] 11.x / PAL 2.0.9
Excel Version: Excel 2013-2016
Location: Germany

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by Gabor »

Hi AMIGO,
the REALM usually equals your domain name, but is managed in upper case, so a domain "mydomain.com" would have a REALM mapped to it called "MYDOMAIN.COM". That's a kind of best practice; however, your network folks might have used a different name, and only they can tell you about that.

As long as you are on Windows you can use the KDC auto locator by having just the lower case domain name as the KDC source.
This would read like "kdc = mydomain.com" under [realms] in krb5.conf.
Another option would be to use the "Active Directory Domains and Trusts" feature, which is part of the administrative tools on your Windows server, to find the domain controller name.

Regards
Gabor
amigo
Posts: 16
Joined: Wed Nov 12, 2014 2:24 pm
OLAP Product: TM1
Version: 10.2.2
Excel Version: 2010

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by amigo »

So, it works... just trying to do it again to make sure it was not a fluke... will be posting again soon (after a few celebration beers).

OK, so, all seemed to work, but then I realised that the main services are still running under the LOCAL account... so, changed it to the Service Account and guess what... it does not work... looks like we are back to square one... tomorrow, as it is a new VM, I just want the Network department to confirm that the account is registered on this server (or am I missing something)??
JamiseBondi
Posts: 141
Joined: Wed Nov 14, 2012 10:37 am
OLAP Product: TM1
Version: 2.0
Excel Version: Office 365

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by JamiseBondi »

Thanks gtonkin for your notes.

I got integrated login working in TM1 Web on 10.2 using the built-in Apache web server using gtonkin's notes and this link
http://www.ibm.com/developerworks/libra ... index.html

So we can now log in on the web and it's using the users' AD credentials, but you still need to provide the username and password. It's not an SSO scenario where you can simply select the server name to log into and click login.

This link here mentions that since 10.2, where the web server moved away from IIS to a Java web server, SSO is no longer available (but integrated login still is). See point 11 under "known differences".
http://www-01.ibm.com/support/docview.w ... wg27039576

I haven't tried using CAM to get SSO working.

Does anyone know if the following scenario is possible (I thought SSO might achieve this but now I don't think so).

Let's say I have 2 TM1 servers (Server1 and Server2, both with all roles: admin host, application, web server).
If I have a workbook with two tabs, one tab pointing to a cube in Server1 and another tab pointing to a cube in Server2, using Perspectives and first logging into both Server1 and Server2, I can use these two tabs in the same workbook while they're accessing two separate instances/servers and read and write to those cubes.

I'm trying to achieve the same outcome in the web, where a user using a websheet can access servers outside of the server he logged into, so the websheet's two tabs are pointing to two separate instances. Is this possible?
I'm guessing not, as the authentication phase is a one-off and can't be invoked again to gain access to the second server.

We'll have to opt for multiple TIs with staging cubes to multiple instances and replicate, but wanted to confirm that this option is not possible in the web?

many thanks.
lotsaram
MVP
Posts: 3651
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by lotsaram »

JamiseBondi wrote: Does anyone know if the following scenario is possible (I thought SSO might achieve this but now I don't think so).

Let's say I have 2 TM1 servers (Server1 and Server2, both with all roles: admin host, application, web server).
If I have a workbook with two tabs, one tab pointing to a cube in Server1 and another tab pointing to a cube in Server2, using Perspectives and first logging into both Server1 and Server2, I can use these two tabs in the same workbook while they're accessing two separate instances/servers and read and write to those cubes.

I'm trying to achieve the same outcome in the web, where a user using a websheet can access servers outside of the server he logged into, so the websheet's two tabs are pointing to two separate instances. Is this possible?
For this you need CAM. When using CAM, if you have DBRW references to multiple servers on a single websheet, then as long as username and password match on both instances, TM1 Web will automatically log on to the additional instances. Works like a charm. If CAM is configured for SSO then it is click and connect without entering username & password.

These days wherever SSO is a requirement for TM1 Web I would always implement CAM.
JamiseBondi
Posts: 141
Joined: Wed Nov 14, 2012 10:37 am
OLAP Product: TM1
Version: 2.0
Excel Version: Office 365

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by JamiseBondi »

Thanks Lotsaram,

The client doesn't have a Cognos BI environment nor do they intend to go that way as they have SAP BI in place.
I just wanted to pose one last question on this issue. If I were using WebSphere instead of the bundled Apache web server, could I access multiple TM1 models from within TM1 Web?
Yes, it's a long shot; I'm not expecting a yes but am hoping for one ;-)
qml
MVP
Posts: 1094
Joined: Mon Feb 01, 2010 1:01 pm
OLAP Product: TM1 / Planning Analytics
Version: 2.0.9 and all previous
Excel Version: 2007 - 2016
Location: London, UK, Europe

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by qml »

JamiseBondi wrote: The client doesn't have a Cognos BI environment nor do they intend to go that way as they have SAP BI in place.
Full Cognos BI is not required to use CAM. All you need is something called 'IBM Cognos Business Intelligence Runtime', which you can download from the same location as your TM1 installation package.
Kamil Arendt
JamiseBondi
Posts: 141
Joined: Wed Nov 14, 2012 10:37 am
OLAP Product: TM1
Version: 2.0
Excel Version: Office 365

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by JamiseBondi »

Thanks Kamil and Lotsaram,

I've managed to get my hands on the runtime environment and am using this link to configure TM1 to use CAM authentication:
https://www.ibm.com/support/knowledgece ... urity.html

I'm trying to work through an error starting the Cognos service:
'ContentManager', 'getActiveContentManager', 'Failure'.
DPR-CMI-4006 Unable to determine the active Content Manager. Will retry periodically.

I've been looking up possibilities but have yet to find a cause. Have looked at this:
http://www-01.ibm.com/support/docview.w ... wg21646350

Thought I'd ask, seeing as this is just a runtime environment and not the full BI server: do I need to install all 3 components to get TM1 Web using CAM authentication?
Application Tier Components
Gateway
Content Manager

If any of you have used a different doc/pdf/URL to get this achieved (using Cognos CAM in TM1 Web), please post the link? Many thanks.
kangkc
Community Contributor
Posts: 206
Joined: Fri Oct 17, 2008 2:40 am
OLAP Product: TM1, PA , TMVGate
Version: 2.x
Excel Version: 36x
Location: Singapore

Re: TM1 Web 10.2 Integrated Login Kerberos setup

Post by kangkc »

In your BI install, did you include the Content Database? I suggest you include this with the default content database before you switch to another RDBMS.

We have gone through many CAM (with AD) integrations with 10.2.2 and enabling TM1 Application Servers with 3rd party SSL certs. Not exactly smooth nor easy, but technically it can be done, for all TM1 components.