Help with IntegratedSecurityMode 2/3
Posted: Wed Mar 13, 2019 1:31 pm
Hi everyone,
This might seem like groundhog day or a throwback to 2013, but I have a client who does not want the Cognos Analytics overhead just for user authentication and they don't want to have to manage users in TM1 directly...so we're at IntegratedSecurityMode 3 (currently two while I sort this out).
This is for a Windows Server 2016 server and PA 2.0.6 local setup.
The documentation is good on this:
1) Crank up ETLDAP and get your users in (done with much fiddling and AD head scratching)
2) Add the following to config file:
IntegratedSecurityMode=2
SecurityPackagename=Kerberos
3) Checkbox Integrated Security in Perspectives.
4) All is well
...sadly all is not well.
"Log In Failed: SystemServerClientNotFound"
I have tried every permutation of user name in the "UniqueID" field in the }ClientProperties cube paying special attention to case. Nothing works.
I have switched on Audit Logging and have reviewed the unsuccessful login attempts. The IP it notes is correct, however there is no user name. I don't know if this is relevant or not.
All TM1 services are running under a domain account. That domain account is the SPN for all TM1 services. The account has delegation checked as "Trust this user for delegation to any service (Kerboros)" .
Have I missed some crucial configuration item?
Note this is just for Perspectives at the moment, if it doesn't work here, it sure isn't going to work for TM1Web!
This might seem like groundhog day or a throwback to 2013, but I have a client who does not want the Cognos Analytics overhead just for user authentication and they don't want to have to manage users in TM1 directly...so we're at IntegratedSecurityMode 3 (currently two while I sort this out).
This is for a Windows Server 2016 server and PA 2.0.6 local setup.
The documentation is good on this:
1) Crank up ETLDAP and get your users in (done with much fiddling and AD head scratching)
2) Add the following to config file:
IntegratedSecurityMode=2
SecurityPackagename=Kerberos
3) Checkbox Integrated Security in Perspectives.
4) All is well
...sadly all is not well.
"Log In Failed: SystemServerClientNotFound"
I have tried every permutation of user name in the "UniqueID" field in the }ClientProperties cube paying special attention to case. Nothing works.
I have switched on Audit Logging and have reviewed the unsuccessful login attempts. The IP it notes is correct, however there is no user name. I don't know if this is relevant or not.
All TM1 services are running under a domain account. That domain account is the SPN for all TM1 services. The account has delegation checked as "Trust this user for delegation to any service (Kerboros)" .
Have I missed some crucial configuration item?
Note this is just for Perspectives at the moment, if it doesn't work here, it sure isn't going to work for TM1Web!