Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 1:31 pm
by Derezed
Hi everyone,

This might seem like groundhog day or a throwback to 2013, but I have a client who does not want the Cognos Analytics overhead just for user authentication and they don't want to have to manage users in TM1 directly...so we're at IntegratedSecurityMode 3 (currently two while I sort this out).

This is for a Windows Server 2016 server and PA 2.0.6 local setup.

The documentation is good on this:

1) Crank up ETLDAP and get your users in (done with much fiddling and AD head scratching)
2) Add the following to config file:
IntegratedSecurityMode=2
SecurityPackagename=Kerberos
3) Checkbox Integrated Security in Perspectives.
4) All is well

...sadly all is not well.

"Log In Failed: SystemServerClientNotFound"

I have tried every permutation of user name in the "UniqueID" field in the }ClientProperties cube paying special attention to case. Nothing works.

I have switched on Audit Logging and have reviewed the unsuccessful login attempts. The IP it notes is correct, however there is no user name. I don't know if this is relevant or not.

All TM1 services are running under a domain account. That domain account is the SPN for all TM1 services. The account has delegation checked as "Trust this user for delegation to any service (Kerberos)".

Have I missed some crucial configuration item?

Note this is just for Perspectives at the moment, if it doesn't work here, it sure isn't going to work for TM1Web!

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 2:55 pm
by Paul Segal
You could try NTLM rather than Kerberos.

Unique id should be username@domain; not sure that case makes a difference.

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 4:13 pm
by Derezed
Thanks Paul, sadly that's a non-starter. username@domain.x, Username@domain.x, username@Domain.x, UserName@Domain.x etc. have all failed along with any other form of a username under the sun. NTLM isn't an option here.

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 4:18 pm
by tomok
Not sure what the ".x" is after the domain but it has to be just the domain. If your user id is userid@mycompany.com then the user ID in TM1 would be user@mycompany. It is also case sensitive, both ID and domain.

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 4:50 pm
by Derezed
Hi Tomok,

The .x is just a sample. In this case users are .com and all lower case. Sadly that doesn't work so I gave a couple more options a go.

Am I right in thinking it is only the uniqueID field that has any bearing on authentication here?

Do unsuccessful logins from unknown clients ever show in the audit log with a user name entry or is it specifically a TM1 client name as opposed to whatever the credential that was passed to TM1?

Kerberos does a number on my head sadly because I don't understand how TM1 has implemented the checking of credentials or what the prerequisites for the AD setup are to make sure it works.

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 6:03 pm
by tomok
Derezed wrote: Wed Mar 13, 2019 4:50 pm In this case users are .com and all lower case. Sadly that doesn't work
Don't use anything after the domain. If your full ID is fred.smith@mycompany.com then your TM1 ID would be "fred.smith" and the value in the unique ID field would be "fred.smith@mycompany". Note we are not including the ".com".

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 7:30 pm
by Derezed
Sadly that has failed to work too. From your post Tomok, is the client name as important as the uniqueID field? I thought only the uniqueID was used to authenticate, but am likely wrong here. I have changed the client name a few times and am using the name as provided by WHOAMI in cmd. I know it definitely isn't the FQDN because that gives me a whopping great big AD definition of the user.

Re: Help with IntegratedSecurityMode 2/3

Posted: Wed Mar 13, 2019 11:41 pm
by olapuser
Have you set up the ServicePrincipalName?

https://www.ibm.com/support/knowledgece ... lname.html

Works for perspectives, pax, and paw.
Good luck setting up the TM1Web if you wish to connect directly. Works fine through paw.

Re: Help with IntegratedSecurityMode 2/3

Posted: Thu Mar 14, 2019 2:28 pm
by Derezed
Hi olapuser, that sadly does nothing. I will have to review this one if we get as far as TM1Web. The initial login should not be using constrained delegation or any delegation for that matter. Does anybody know how TM1 gets registered with the domain controller in the first place? I am not sure the DC knows that TM1 exists which might be where my problem lies. :cry:
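The thread's open question is whether the domain controller knows about the TM1 service at all (SPN registration), whether the service account's delegation flags are what the poster believes, and what identity the client actually presents when Perspectives logs in. The following PowerShell is an added diagnostic example, not from the thread or from IBM: it assumes a service account named tm1svc and a server host tm1host.contoso.com, both placeholders, and uses only the standard setspn, klist, whoami and ActiveDirectory-module commands.

```powershell
# Added example (not from the thread). Placeholders: tm1svc is the domain account the
# TM1 services run as; tm1host.contoso.com is the TM1 server. Run steps 1-2 on a box
# with the ActiveDirectory module, steps 3-4 on the client where Perspectives runs.
$svcUser = 'tm1svc'
$tm1Host = 'tm1host.contoso.com'

# 1. SPNs registered on the service account. If nothing is listed for the TM1 host,
#    the KDC has no way to issue a service ticket for TM1 and the server never sees a
#    Kerberos identity to match against }ClientProperties.
setspn -L $svcUser

#    Duplicate SPNs anywhere in the forest also break ticket issuance; -X reports
#    duplicates, -F widens the search to the whole forest.
setspn -X -F

# 2. Delegation flags on the account. TrustedForDelegation is the
#    "Trust this user for delegation to any service (Kerberos)" checkbox
#    (unconstrained); TrustedToAuthForDelegation plus msDS-AllowedToDelegateTo
#    is constrained delegation. Neither is needed for the initial client logon,
#    only for a hop such as TM1Web -> TM1 server.
Get-ADUser -Identity $svcUser -Properties TrustedForDelegation, TrustedToAuthForDelegation,
    'msDS-AllowedToDelegateTo', ServicePrincipalNames |
  Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
    @{ n = 'SPNs';                e = { $_.ServicePrincipalNames -join ';' } }

# 3. On the client: clear cached tickets, attempt the Perspectives login, then check
#    whether a service ticket for the TM1 host was obtained. A TGT alone means the
#    SPN lookup failed before any credential reached TM1.
klist purge
Write-Host 'Now attempt the Perspectives login, then press Enter'; Read-Host | Out-Null
klist tickets | Select-String -Pattern $tm1Host

# 4. The identity the client presents, in the forms most often compared against the
#    UniqueID column (user@realm style vs. distinguished name).
whoami /upn
whoami /fqdn
```

If step 1 shows no SPN for the host, or step 3 shows only a krbtgt ticket after the login attempt, the failure is on the Kerberos side and no permutation of the UniqueID value will change the result; if a service ticket for the TM1 host is present, the mismatch is between the name inside that ticket and what the }ClientProperties cube holds.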