Integrated Login: Domain Account Vs Local System

sbalaz
Posts: 20
Joined: Tue Jul 06, 2010 11:06 am
OLAP Product: Cognos TM1
Version: 9.4MR1
Excel Version: 2007
Location: Slovakia

Integrated Login: Domain Account Vs Local System

Post by sbalaz »

Hi Guys,

We are going to implement integrated login (TM1 9.4.1 FP1). I have modified the tm1s.cfg file (IntegratedSecurityMode=2), updated the }ClientProperties cube (UniqueID = user@domain) and ticked the Use Integrated Login parameter in TM1 Options.

When the service is running under the Domain Account, which is a local admin on the server, I get the error "Server principal name (SPN) or the security context of the destination server could not be established".

I assigned the Local System account to the TM1 service to isolate the issue and it worked well (then changed back to the domain account to have access to network shares).

It seems there is a problem with the permissions granted to the Domain Account... However, I do not know what exactly I should ask our IT department to change. Can you advise?

Thanks for your help in advance.

Regards,
Stanislav
lotsaram
MVP
Posts: 3704
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: Integrated Login: Domain Account Vs Local System

Post by lotsaram »

Just today I have come across exactly the same problem. Integrated login works with the local system account but not with the TM1 system domain account (which has local admin rights and access to various network locations for file imports and exports, which are required).

It must be something to do with the active directory profile / setup of the TM1 system account and I am sure others have faced and successfully solved this issue before. (Provided you have helpful windows admins who know their stuff I'm sure it must be a relatively easy fix ...)

Does anyone have guides on what to fix with the profile setup for the system account?
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Integrated Login: Domain Account Vs Local System

Post by paulsimon »

Hi

There are steps in the TM1 Operations Guide that cover this. It is relatively easy to set up for TM1 Client Integrated Login. In fact if you get the right settings during the installation it should work straight away. One thing that you may have missed from the web.config is the impersonate setting. As you mentioned the web.config, then I am assuming that you are trying to get it working via TM1.Web. That is a little harder, sometimes a lot harder.

Is the web server on the same machine as the Tm1 server? If not then you will probably need to set up a trust relationship and you will probably need to get IT involved to do that. This is covered in the Ops Guide.

If the web server is on the same machine as the TM1 server then it is easier.

Is the TM1 server running under a domain account that is on the same domain as the users?

You may need to make some changes in IIS. Again these are covered in the Ops Guide.

I have done it so it is possible, but it wasn't as easy as it could be.

Regards

Paul Simon
lotsaram
MVP
Posts: 3704
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: Integrated Login: Domain Account Vs Local System

Post by lotsaram »

Paul, IIS and the web.config file are red herrings. The issue isn't integrated login with web but the perspectives fat client.

I repeat: if the TM1 service is running as the local system account then everything works; if the service is running under a domain account with local admin rights then we get the SPN error.
sivan307
Posts: 28
Joined: Wed Sep 01, 2010 2:15 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Integrated Login: Domain Account Vs Local System

Post by sivan307 »

Please don't kill me for posting this, but will this thread help? Not sure...
http://www.tm1forum.com/viewtopic.php?f=3&t=589
Last edited by sivan307 on Wed Mar 23, 2011 1:30 pm, edited 1 time in total.
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Integrated Login: Domain Account Vs Local System

Post by paulsimon »

sbalaz wrote:Hi Guys,

We are going to implement integrated login (TM1 9.4.1 FP1). I have modified the tm1s.cfg file (IntegratedSecurityMode=2), updated the }ClientProperties cube (UniqueID = user@domain) and ticked the Use Integrated Login parameter in TM1 Options.

When the service is running under the Domain Account, which is a local admin on the server, I get the error "Server principal name (SPN) or the security context of the destination server could not be established".

I assigned the Local System account to the TM1 service to isolate the issue and it worked well (then changed back to the domain account to have access to network shares).

It seems there is a problem with the permissions granted to the Domain Account... However, I do not know what exactly I should ask our IT department to change. Can you advise?

Thanks for your help in advance.

Regards,
Stanislav
Hi

I'm not sure where I picked up the web thing from, so ignore that.

If you follow sivan's link that should give most of the points.

I can't remember which version this applies to, but integrated login on the server side used to only work if you actually selected that option during the server installation, so you might want to try that.

Also check that the users are on the same domain as the TM1 service account.

Regards

Paul Simon
sbalaz
Posts: 20
Joined: Tue Jul 06, 2010 11:06 am
OLAP Product: Cognos TM1
Version: 9.4MR1
Excel Version: 2007
Location: Slovakia

Re: Integrated Login: Domain Account Vs Local System

Post by sbalaz »

paulsimon wrote:If you follow sivan's link that should give most of the points.
1. Server hosting TM1 has the same time as domain controller.
2. Password is not expired.
3. We have not installed 9.4.1 FP3 yet, thus ServerPrincipalName parameter is not applicable. I also understood this parameter is important for TM1 Web, not Perspectives...
paulsimon wrote:I can't remember which version this applies to, but integrated login on the server side used to only work if you actually selected that option during the server installation, so you might want to try that.
4. I tried to reinstall testing environment (local machine) and selected Integrated Login during installation - did not help. It is the same in my testing environment: It works with Local System. It does not work with domain account, which is admin on local machine.
paulsimon wrote:Also check that the users are on the same domain as the TM1 service account.
5. It is the same domain. I used my domain account in the testing environment for the service (it is admin on my machine) and it did not work.

What I am still thinking of is:
The Local System account does not have any privileges on the network, thus it should retrieve all the information on the local machine. THEN the domain account (which is local admin) is probably missing some privileges on the local machine... But which ones?
...
lotsaram
MVP
Posts: 3704
Joined: Fri Mar 13, 2009 11:14 am
OLAP Product: TableManager1
Version: PA 2.0.x
Excel Version: Office 365
Location: Switzerland

Re: Integrated Login: Domain Account Vs Local System

Post by lotsaram »

sbalaz wrote:What I am still thinking of is:
The Local System account does not have any privileges on the network, thus it should retrieve all the information on the local machine. THEN the domain account (which is local admin) is probably missing some privileges on the local machine... But which ones?
...
This is also what I am thinking but similarly stuck.
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016

Re: Integrated Login: Domain Account Vs Local System

Post by paulsimon »

Hi

Integrated Login via the client is normally never a problem. The Web is fiddly, but not the Client. The only thing that I can suggest is that you try looking at the TM1 Server Log, and that you also try looking at the Event Viewers on both the TM1 Server and the Client. The Security Event Viewer is probably the most relevant, but I would also check the Application and System Event Viewers.

Including the following in the TM1S.CFG may also provide some additional information on where the problem is

ServerLogging=T

Regards

Paul Simon
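The checks this thread walks through (clock sync with the domain controller, password state of the service account, which principal the Kerberos client can find for the service, and the event logs) can be gathered from one PowerShell session on the TM1 server. This is an added diagnostic, not code from any poster or from IBM; it assumes the RSAT ActiveDirectory module is installed and uses placeholders for the TM1 service name and a domain controller ($ServiceName, $Dc). The detail it makes visible: a service running as Local System authenticates with the computer account, whose HOST SPNs exist by default, whereas a domain service account has no SPNs until an administrator registers them on it, which is why the SPN error appears only with the domain account.

```powershell
# Added diagnostic (not from the thread): run in an elevated PowerShell on the TM1 server.
# Assumptions: RSAT ActiveDirectory module is installed; $ServiceName and $Dc are placeholders.
param(
    [string]$ServiceName = 'TM1ServicePlaceholder',  # placeholder: the real TM1 service name
    [string]$Dc          = 'dc01.example.local'      # placeholder: a reachable domain controller
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Which account the service really runs as (Local System vs a domain account).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
"Service '$ServiceName' runs as: $($svc.StartName)"

# 2. Clock skew against the DC; Kerberos rejects tickets outside the allowed skew (5 min default).
"Time offset against ${Dc}:"
w32tm /stripchart /computer:$Dc /samples:1 /dataonly

# 3. SPNs the KDC can see. Local System authenticates as the computer account, whose
#    HOST SPNs exist by default; a domain service account has none until someone adds them.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties ServicePrincipalNames
"SPNs on computer account $($computer.SamAccountName):"
$computer.ServicePrincipalNames | ForEach-Object { "  $_" }

if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\.+)$') {
    "Built-in account in use; the computer account's SPNs apply."
} else {
    # Normalise DOMAIN\user or user@domain to the sAMAccountName.
    $sam = if ($svc.StartName -like '*\*') { $svc.StartName.Split('\')[-1] }
           elseif ($svc.StartName -like '*@*') { $svc.StartName.Split('@')[0] }
           else { $svc.StartName }
    $acct = Get-ADUser -Identity $sam -Properties ServicePrincipalNames, PasswordExpired, PasswordLastSet, LockedOut
    "Account ${sam}: Enabled=$($acct.Enabled) LockedOut=$($acct.LockedOut) PasswordExpired=$($acct.PasswordExpired) PasswordLastSet=$($acct.PasswordLastSet)"
    "SPNs on service account ${sam}:"
    if ($acct.ServicePrincipalNames.Count -eq 0) {
        "  (none registered: Kerberos clients cannot obtain a ticket for this account)"
    }
    $acct.ServicePrincipalNames | ForEach-Object { "  $_" }
}

# 4. Duplicate SPNs anywhere in the domain break Kerberos for both accounts involved.
"Domain-wide duplicate SPN check:"
setspn -X

# 5. Recent Kerberos client errors on this host (complements the Security log review).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; StartTime = (Get-Date).AddDays(-1) } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The output to hand to the IT department is the SPN list in step 3: if the service account shows no SPN while the computer account does, the fix is on the account side, not the TM1 configuration.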