Configuring TM1 with Active Directory

gnampoothiry
Posts: 14
Joined: Fri Oct 24, 2008 9:18 am

Configuring TM1 with Active Directory

Post by gnampoothiry »

Does anyone have experience of configuring TM1 security with Active Directory?

I have a customer who only has a TM1 license and no Cognos Connection or Cognos Configuration.

They want to use active directory security which is probably IntegratedSecurityMode=3 in TM1s.cfg.

I don't have any prior experience of this setup.

Please share your experience and document if any.

Regards,
Girish
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Configuring TM1 with Active Directory

Post by paulsimon »

Girish

I think you just need IntegratedSecurity, not the full blown LDAP Security. This enables you to link a Windows User Id to a TM1 User Id so that authentication happens when they logon to Windows.

Regards


Paul Simon
gnampoothiry
Posts: 14
Joined: Fri Oct 24, 2008 9:18 am

Re: Configuring TM1 with Active Directory

Post by gnampoothiry »

Thanks Paul.

But how do we import the users from Active Directory into TM1? I found using ETLDAP a very difficult option. Is there any other alternative?

Regards,
Girish
lotsaram
MVP
Posts: 3698
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: Configuring TM1 with Active Directory

Post by lotsaram »

You probably don't want to set up all AD users as TM1 clients ...

To set up integrated login all you need to do is configure the "Unique ID" field in the }ClientProperties cube to match the Windows user ID on the Kerberos certificate. If TM1 clients have been set up with a little bit of foresight and intelligence this should be a very simple process of writing a rule to concatenate the client element name with the Windows domain.

If you want to import users you can import with the ETLDAP tool but it involves a fair amount of mucking about to get it to work properly. Much easier to just export a text dump of your users and import them to TM1 via TI.
LoadzaGrunt
Posts: 72
Joined: Tue May 26, 2009 2:23 am
Version: LoadzaVersions
Excel Version: LoadzaVersions

Re: Configuring TM1 with Active Directory

Post by LoadzaGrunt »

Can't you automate AD from within TI leveraging ExecuteCommand ?

GIYF

http://technet.microsoft.com/en-us/libr ... S.10).aspx
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Configuring TM1 with Active Directory

Post by paulsimon »

Girish

Sorry I shouldn't have assumed that you already knew the standard integrated login method.

The easiest way to set this up is to add the following rule to the }ClientProperties Cube. (You will need to select Display Control Objects on the View Menu in Server Explorer to see this).

Code:

['UniqueID'] = S: !}Clients | '@domain';

Where domain is the domain that your users sign on to.

This assumes the following:

1) TM1 User Names match their Windows User Names (if not, then you can add a WinUserId attribute to the }Clients dimension to give the Windows User Id for each TM1 Id and reference that, e.g. replace the !}Clients with attrs('}Clients', !}Clients, 'WinUserId'))
2) The User Id that the TM1 Service runs under is on the same domain as the users (if not then there needs to be a trust relationship between the two domains)
3) The TM1 Server was installed with the Integrated Login Option, and not just TM1 Authentication.

If you have done all of that then this is a very simple way to get Windows Authentication without the need for all the hassle of LDAP and ETLDAP.

The downside of this approach compared to full LDAP is that you cannot bring in groups etc. However, it is probably unlikely that the Groups that you have outside will necessarily match the Groups needed in TM1, for each TM1 may require a finer level of Group, and TM1 only allows a single level of Group.

You also need to set up a TM1 User Id, but then there is not much more work in this than in remembering to run ETLDAP every time a new user is set up. I tend to agree with others that it might be just as easy to use TI to read in the data and set up the new user and their Group allocation than to use ETLDAP. I tried it once and gave up, as it would have needed too much IT support and bureaucracy to set up.

Hope this helps.

Regards


Paul Simon
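
An added example, not part of the original posts and not TM1's own tooling: a Python check over a text export of the UniqueID values produced by the rule above, flagging clients whose mapping is empty, points at another domain or Windows user, or collides with another client. The column names (client, win_user_id, unique_id), the domain CORP and the sample rows are constructed for illustration, and comparing names case-insensitively is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: export of client name, WinUserId attribute and UniqueID.
SAMPLE_EXPORT = """client,win_user_id,unique_id
Admin,,Admin@CORP
jsmith,,jsmith@CORP
Planner01,mbrown,mbrown@CORP
akhan,,akhan@OTHERDOM
guest,,
Budget Owner,jsmith,JSmith@corp
"""

def audit_unique_ids(export_text, domain):
    """Return {client: [findings]} for rows that break the mapping rule."""
    findings = defaultdict(list)
    seen = {}  # lower-cased UniqueID -> first client that claimed it
    for row in csv.DictReader(io.StringIO(export_text)):
        client = row["client"].strip()
        unique_id = row["unique_id"].strip()
        # Expected Windows account: WinUserId if set, else the client name.
        expected_user = (row["win_user_id"].strip() or client).lower()
        if not unique_id:
            findings[client].append("empty UniqueID")
            continue
        user, sep, dom = unique_id.rpartition("@")
        if not sep or not user:
            findings[client].append("not in user@domain form")
        else:
            if dom.lower() != domain.lower():
                findings[client].append(f"unexpected domain {dom}")
            if user.lower() != expected_user:
                findings[client].append(f"maps to Windows user {user}")
        # Two clients sharing one Windows identity make the login ambiguous.
        key = unique_id.lower()
        if key in seen:
            findings[client].append(f"same UniqueID as {seen[key]}")
            findings[seen[key]].append(f"same UniqueID as {client}")
        else:
            seen[key] = client
    return dict(findings)

if __name__ == "__main__":
    for client, problems in audit_unique_ids(SAMPLE_EXPORT, "CORP").items():
        print(f"{client}: {'; '.join(problems)}")
```
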
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Configuring TM1 with Active Directory

Post by paulsimon »

Girish,

I forgot to mention that users need to tick the Integrated Login in their TM1 options before they can use Windows Authentication to login to TM1.

Regards


Paul Simon
gnampoothiry
Posts: 14
Joined: Fri Oct 24, 2008 9:18 am

Re: Configuring TM1 with Active Directory

Post by gnampoothiry »

Hi Paul,

Is it required that the TM1 Server runs as a Windows Service and not as an application to enable TM1 integrated login with Active Directory?

Regards,
Girish
harrytm1
Regular Participant
Posts: 226
Joined: Thu Apr 02, 2009 2:51 pm
OLAP Product: IBM Planning Analytics
Version: Latest version
Excel Version: 2003 to 2019

Re: Configuring TM1 with Active Directory

Post by harrytm1 »

hi,

I just posted a thread on my experience with IntegratedSecurityMode=3. I'm testing this on my local PC which is on Vista.

after entering the UniqueID in ClientProperties cube with the windowsID@mycompter format, I tried to achieve single sign-on. I have also checked the box "Integrated Login" in Server Explorer. the other parameter in tm1s.cfg is:
SecurityPackageName=Kerberos

when I double-click the server in Server Explorer, the following pops up:
Login Failed: SecurityServiceNotFound

Did I miss a step here? I'm running the server as a service. I tried it as application, same error too.

FYI, my plan is to achieve single sign-on in Cognos Express's Xcelerator. This would mean that CAM will not be used. From this thread, it seems like I have covered everything. Is there a need to enable Kerberos? Many thanks!
Planning Analytics latest version, including Cloud
Michel Zijlema
Site Admin
Posts: 712
Joined: Wed May 14, 2008 5:22 am
OLAP Product: TM1, PALO
Version: both 2.5 and higher
Excel Version: 2003-2007-2010
Location: Netherlands

Re: Configuring TM1 with Active Directory

Post by Michel Zijlema »

harrytm1 wrote:hi,

I just posted a thread on my experience with IntegratedSecurityMode=3. I'm testing this on my local PC which is on Vista.

after entering the UniqueID in ClientProperties cube with the windowsID@mycompter format, I tried to achieve single sign-on. I have also checked the box "Integrated Login" in Server Explorer. the other parameter in tm1s.cfg is:
SecurityPackageName=Kerberos

when I double-click the server in Server Explorer, the following pops up:
Login Failed: SecurityServiceNotFound

Did I miss a step here? I'm running the server as a service. I tried it as application, same error too.

FYI, my plan is to achieve single sign-on in Cognos Express's Xcelerator. This would mean that CAM will not be used. From this thread, it seems like I have covered everything. Is there a need to enable Kerberos? Many thanks!

Hi,

As posted earlier today here, I'm pretty sure Cognos Express will only support CAM authentication.

Michel
harrytm1
Regular Participant
Posts: 226
Joined: Thu Apr 02, 2009 2:51 pm
OLAP Product: IBM Planning Analytics
Version: Latest version
Excel Version: 2003 to 2019

Re: Configuring TM1 with Active Directory

Post by harrytm1 »

Hi Michel,

Thanks for the reply.

In that case, can you or anyone advise on how to enable Active Directory connection to Cognos Express? I tried to find some useful info in CX Op guide, but it's patchy at best.

For instance, I managed to find this set-up/configuration screen in CX Manager that allows me to enter the domain and one more detail (can't remember what). this was also briefly mentioned in the guide. But what next? In fact, I'm not sure what is to be entered in those fields since the details are lacking.

Assume I manage to fill in the correct details, what next? Does AD require some authentication from CX in order to allow CX to look up the user IDs?

Many thanks in advance! I desperately need help here!
Planning Analytics latest version, including Cloud
Michel Zijlema
Site Admin
Posts: 712
Joined: Wed May 14, 2008 5:22 am
OLAP Product: TM1, PALO
Version: both 2.5 and higher
Excel Version: 2003-2007-2010
Location: Netherlands

Re: Configuring TM1 with Active Directory

Post by Michel Zijlema »

Hi,

I haven't tested/configured Cognos Express with Active Directory yet, so I don't think I can be of much help here.
As CX uses CAM, maybe the IBM Cognos 8 Administration and Security Guide can be of help...

Michel
jameswebber
Community Contributor
Posts: 188
Joined: Sun Nov 21, 2010 8:00 pm
OLAP Product: Cognos Express 10
Version: CE 10.1.1
Excel Version: 2010
Location: Wellington, New Zealand

Re: Configuring TM1 with Active Directory

Post by jameswebber »

Here is a CE bug I have encountered:
http://www.tm1forum.com/viewtopic.php?f=3&t=7684