HELP! SSO broken by disabling AD user account?

Post Reply
User avatar
Harvey
Community Contributor
Posts: 236
Joined: Mon Aug 04, 2008 4:43 am
OLAP Product: PA, TM1, CX, Palo
Version: TM1 8.3 onwards
Excel Version: 2003 onwards
Contact:

HELP! SSO broken by disabling AD user account?

Post by Harvey »

Hi all,

I inherited a PA / PAW server that was installed with SSO before I arrived. It's a Windows Server 2016 machine with IIS 10 and PA 57 installed.

For reasons I won't go into, the server was setup using my colleague's AD account, rather than a dedicated service account. The account ended up being used for everything -- the Windows services, API Authentication and database connection, and who knows what else.

When my colleague resigned, his AD account was disabled, and of course all hell broke loose.

I re-enabled the account temporarily and did my best to unravel the maze of dependencies as best I could. However, when it came to disabling the AD account again, I found it caused SSO to stop working.

Users can still log in by typing their AD username and password and everything works as expected, but it would be ideal to re-establish SSO.

I can't for the life of me understand how the SSO could be dependent on an AD account, but I have reenabled the account and the SSO magically starts working again. It is definitely the cause.

Does anyone have any suggestions what could be happening?
Take your TM1 experience to the next level - TM1Innovators.net
User avatar
Ajay
Regular Participant
Posts: 183
Joined: Wed May 14, 2008 8:27 am
OLAP Product: TM1
Version: 10.2.0, PA 2.0.9
Excel Version: 2016
Location: London

Re: HELP! SSO broken by disabling AD user account?

Post by Ajay »

Harvey

I am assuming you have a local install.

Have you checked what account is being used in the "ApplicationPoolIdentity" within the ICAPool of IIS ?

Once you've changed the account STOP and then START the ICAPool

Does this work ?

Ajay
burnstripe
Regular Participant
Posts: 197
Joined: Wed May 06, 2020 2:58 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 2016

Re: HELP! SSO broken by disabling AD user account?

Post by burnstripe »

Ajays response would be my first bet. But some other questions if that doesn't work... What method of single sign on is setup, kerberos or identity mapping. If you have a single sign on option set to identity mapping within advanced properties of the ca config, the it's identity mapping, otherwise its kerberos. If its kerberos is kerberos account set up may not have privileges to pass the token.

Have you had to change the binding account for the active directory/authentication within cognos configuration?
User avatar
Harvey
Community Contributor
Posts: 236
Joined: Mon Aug 04, 2008 4:43 am
OLAP Product: PA, TM1, CX, Palo
Version: TM1 8.3 onwards
Excel Version: 2003 onwards
Contact:

Re: HELP! SSO broken by disabling AD user account?

Post by Harvey »

The Applcation Pool was ok, but burnstripe's suggestion about the CA Binding Identity did the trick. Thanks so much to you both!
Take your TM1 experience to the next level - TM1Innovators.net
Post Reply