Integrated Security affecting TM1Top

[conflax]

Hi all,

I am experiencing a problem with TM1Top when setting Integrated Security.

I have increased the Integrated Security setting in TM1S.CFG from 2 to 3 :-
IntegratedSecurityMode=3

Since doing this, one of our users who has Admin rights is no longer able to verify themselves as Admin on TM1TOP so cannot cancel users/processes.

I also have Admin rights and for my login there are no problems. We are both logging in as our own usernames (ie not the ADMIN login), we are both set as ADMIN in }ClientGroups and we both have a UniqueID in }ClientProperties. It seems to only affect TM1TOP, other Admin functions such as editing Dimensions are fine so I am assuming he is correctly setup as Admin.

Has anyone seen this before or can offer any thoughts please?

Thanks

[lotsaram]

I am experiencing a problem with TM1Top when setting Integrated Security.

I have increased the Integrated Security setting in TM1S.CFG from 2 to 3 :-
IntegratedSecurityMode=3

Since doing this, one of our users who has Admin rights is no longer able to verify themselves as Admin on TM1TOP so cannot cancel users/processes.

I'm not quite sure what you mean by increasing security settings from 2 to 3. Mode 3 is "mixed mode" meaning that the TM1 server will accept both user name + pwd entry (mode 1) and windows integrated login (mode 2) depending on the connection request from the client. I think most people would see this as a decrease as opposed to increase in security??

[conflax]

That's interesting. I am getting my info from a #note in my TM1Top file that reads as follows :-

# If IntegratedSecurityMode is set to 1. All clients must provide a database
# username and password. This is traditionally done through a login screen.
#
# If IntegratedSecurityMode is set to 2. The clients will have the choice
# to connect provide a database username and password or use the single-login
# mechanism for authentication.
#
# If IntegratedSecurityMode is set to 3. All clients must use the single-login
# mechanism for authentication.
#
# If this is not set the parameter will be set to 1 by default.


This implies it should be 3 for WA only security - is this wrong? Once it's set to 3 I am unable to login if I un-check the "Use Integrated login" checkbox in TM1 File-Options so it seems to work.

The only problem then appears to be the other Admin user. Could I have a different setting somewhere I haven't thought of?

[declanr]

Conflax I think is right on this one.

I have always understood mode 3 to be ONLY integrated and 2 to allow both methods.


I am however intrigued by the issue, if you have mode 3 set, TM1 top should just automatically pass your authentication when you press "v"... which it sounds like is working correctly for you.
Just out of interest are there any difference as to how the "uniqueID" is set up? Although I expect since the other Admin has full integrated access working for actual TM1 then it should be fine.

I have noticed a few oddities with TM1 Users now and again where recreating them seems to solve issues (although its probably thinks I just haven't noticed), you should try deleting the user and then setting it up again from scratch with full admin access again and see what happens.

[lotsaram]

My bad. Got 2 & 3 mixed up. I can't count past 10 you know without taking off my shoes and socks.

[conflax]

Hi,

Thanks for the replies, have tried deleting the user and replacing with a new one, ADMIN rights and no other properties. The UniqueID is the same as all other users (apart fom the ID) and the same as it was before i changed the security settings.

There are no problems with performing admin functions in TM1 itself it's just TM1Top that gives an issue. Attached is a pic of the message. I'm a bit stumped!

[lotsaram]

Is the user on the same domain or a different one to others where it is working? Is the server using Kerberos or NTLM?

[conflax]

Hi,

It' using Kerberos and same domain - however the problem has now resolved itself.

Having deleted and created the user before, I had omitted to restart the server. An overnight restart has cleared the problem.

Thanks for your help everyone, I haven't worked out why it happened in the first place but will rack it up as a one off event now solved, and move on!


Cheers