Server refuses Integrated login,Integrated login has been se

Post Reply
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Server refuses Integrated login,Integrated login has been se

Post by Kinshuk »

Hi Everyone,

Currently we are using IBM Cognos TM1 9.5.1
We are getting the below error, when we are trying to connect TM1 to Active Directory.

Server refuses Integrated login,Integrated login has been set apropriately. Retry connection.

We have followed the below steps in TM1 to connect Active Directory.
1) Created the below rule in }Client Properties cube
['UniqueID'] =S: !}Clients | '@DOMAIN';
Client properties cube is working fine with the rule.
2) In TM1s.cfg we made changes in below parameters.
SecurityPackageName=Kerberos (Tried with NTLM also instead of Kerberos)
IntegratedSecurityMode=2
We have logged in the admin domain account which we were used to install TM1 initially and also created the same user account in TM1 as well.
We have tried so many ways but still it’s giving the same error, even there are no errors in TM1 log file.
Also I have gone through the tm1forum,I didn’t get any solution for the same.
Can you please give us any suggestions to resolve the problem?
Thanks for your help.
Regards,
Kinshuk
Attachments
TM1 Integrated Login Error1.docx
(18.22 KiB) Downloaded 310 times
User avatar
qml
MVP
Posts: 1094
Joined: Mon Feb 01, 2010 1:01 pm
OLAP Product: TM1 / Planning Analytics
Version: 2.0.9 and all previous
Excel Version: 2007 - 2016
Location: London, UK, Europe

Re: Server refuses Integrated login,Integrated login has bee

Post by qml »

Is your TM1 Windows Service running under a Windows domain account?
Kamil Arendt
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

qml wrote:Is your TM1 Windows Service running under a Windows domain account?
Yes, it is running under windows domain account.
Gabor
MVP
Posts: 170
Joined: Fri Dec 10, 2010 4:07 pm
OLAP Product: TM1
Version: [2.x ...] 11.x / PAL 2.0.9
Excel Version: Excel 2013-2016
Location: Germany

Re: Server refuses Integrated login,Integrated login has bee

Post by Gabor »

Did you check the delegation rights for your account/server machine?

To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.

To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

Thanks Gabor, we have tried with your suggestion,evertyhing is in right place only, but we have selected the option which you mentioned in delegation tab
but there is no luck for me, still its giving same error.

Gabor wrote:Did you check the delegation rights for your account/server machine?

To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.

To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

Kinshuk wrote:Thanks Gabor, we have tried with your suggestion,evertyhing is in right place only, but we have selected the option which you mentioned in delegation tab
but there is no luck for me, still its giving same error.

Gabor wrote:Did you check the delegation rights for your account/server machine?

To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.

To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
Any other suggestions that will be helpful for me,since two weeks I am working the same issue on test Environment. I tried my best I dont know where I am missing.

Is there any problem with Hotfix? we have installed HotFix9.
Is there any problem with TM1 config file? do we need to add any extra parameters in config file?
Sorry, I forgot to mentioned the Server details in my previous mail.
we have installed Cognos TM1 on Windows Server 2008 R2 Enterprise Edition.

Thanks,
Kinshuk
User avatar
paulsimon
MVP
Posts: 808
Joined: Sat Sep 03, 2011 11:10 pm
OLAP Product: TM1
Version: PA 2.0.5
Excel Version: 2016
Contact:

Re: Server refuses Integrated login,Integrated login has bee

Post by paulsimon »

Hi Kinshuk

Does the User Id under which the server is running have Admin Rights? Is it on the same Domain as the users who are trying to sign in? Are you getting the error when you sign in from the TM1 Client or TM1 Web. (If with TM1 Web the easiest approach is to use NTLM and have IIS on the same server as TM1, and there are some edits you need to make in the Web.Config and IIS settings). However, if you are just getting the problem from the TM1 Client ie TM1 from Excel then there must be some other issue. Are the user ids in }Clients matching the ones that the users have in Windows?

Does the error appear if you try integrated login on the same box as the TM1 Server?

Regards

Paul Simon
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

paulsimon wrote:Hi Kinshuk

Does the User Id under which the server is running have Admin Rights? Is it on the same Domain as the users who are trying to sign in? Are you getting the error when you sign in from the TM1 Client or TM1 Web. (If with TM1 Web the easiest approach is to use NTLM and have IIS on the same server as TM1, and there are some edits you need to make in the Web.Config and IIS settings). However, if you are just getting the problem from the TM1 Client ie TM1 from Excel then there must be some other issue. Are the user ids in }Clients matching the ones that the users have in Windows?

Does the error appear if you try integrated login on the same box as the TM1 Server?

Regards

Paul Simon

Thanks for your mail Paul...

1) Does the User Id under which the server is running have Admin Rights?
Yes, the User ID has admin rights.
2) Is it on the same Domain as the users who are trying to sign in?
Yes, All the users are under the same domain, but currently I am working on Test environment, in that i have created only one TM1 user account( it is a windows ID with admin access)
3) Are you getting the error when you sign in from the TM1 Client or TM1 Web?
Yes, we are getting the same error when I sign in from TM1 Client, In Tm1 web we made a changes in Web.Config, TM1 Server and TM1 web both applications are installed in the same machine( Even we have tried with NTLM also).
In TM1 Web we are getting different error(Integrated Login Failed. Please Try Again.. 154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login.), we got the same error thread in IBM and followed the below link and created the SPN for TM1. In TM1 Web also no luck.......

http://www-01.ibm.com/support/docview.w ... wg21437878

4) Does the error appear if you try integrated login on the same box as the TM1 Server?
Yes, on the same box as the TM1 Server.

We are getting the problem from TM1 Client Side and TM1 server as well.

Thanks,
Kinshuk
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

Can you please verify the SPN which I created for TM1 Web.

Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web? :?

I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file

C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)

ServicePrincipalName=WSMAN/TM1ExcelService


Thanks,
Kinshuk
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

Kinshuk wrote:Can you please verify the SPN which I created for TM1 Web.

Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web? :?

I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file

C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)

ServicePrincipalName=WSMAN/TM1ExcelService


Thanks,
Kinshuk
Hi Everyone,

I got the solution for Server refuses integrated login, I haven't make any changes in TM1, Yesterday we had a problem in Server room.

Today morning I tried once, automatically it got conneted to Active Directory. I think problem with the servers or Network.

Thanks to all for your help and suggestions......

Now I am able to connect Integrated login through TM1 architet and TM1 Perspectives.

But I am not able to connect thorugh TM1 web, I made the changes in Web.Config file still I am getting the below error.

(154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login), we got the same error thread in IBM and followed the below link and created the SPN for TM1

http://www-01.ibm.com/support/docview.w ... wg21437878

As per IBM thread I have created SPN for TM1 and added the parameter in Tm1s.cfg file, but I am not sure whether I have created SPN correctly or not.

C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename

ServicePrincipalName=HTTP/machinename.Domain

Can you please let me know any suggestions on the same.

Thanks,
Kinshuk
Kinshuk
Posts: 8
Joined: Thu May 16, 2013 1:26 pm
OLAP Product: TM1
Version: 9.5.1
Excel Version: 2007

Re: Server refuses Integrated login,Integrated login has bee

Post by Kinshuk »

Hi Everyone,

I got the Solution for below TM1web error long back but I am posting today.

(154: TM1APIDOTNET Exception: - Failed to create Client Credentials for integrated login),
As per IBM Cogon’s TM1 PDF, I have followed the steps and created SPN as follows.
Set the Service Principal Name (SPN)
To set the SPN, complete the following steps.
Steps
1. Download the SetSPN.exe utility from the Microsoft support for Windows 2000 website.
2. As a domain administrator, execute the following commands:
setspn -A HTTP/web_server_name domain_name\user_acct_for_TM1_services
setspn -A HTTP/webservername.domain_name domain_name\user_acct_for_TM1_services
So I have added below parameter in TM1s.cfg file
ServicePrincipalName=HTTP/machinename
I have followed the below link to add windows authentication role service in TM1 web authentication for windows 2008 R2 server.
http://www.iis.net/configreference/syst ... entication
Activate Windows Authentication. Then “Windows Authentication” will be visible in IIS.

But make sure that, you need to Deactivate "Anonymous Authentication” and Activate Windows Authentication. After that you need to Restart IIS.

Thanks to everyone............. :)

Regards,
Kinshuk

Kinshuk wrote:
Kinshuk wrote:Can you please verify the SPN which I created for TM1 Web.

Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web? :?

I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file

C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)

ServicePrincipalName=WSMAN/TM1ExcelService


Thanks,
Kinshuk
Hi Everyone,

I got the solution for Server refuses integrated login, I haven't make any changes in TM1, Yesterday we had a problem in Server room.

Today morning I tried once, automatically it got conneted to Active Directory. I think problem with the servers or Network.

Thanks to all for your help and suggestions......

Now I am able to connect Integrated login through TM1 architet and TM1 Perspectives.

But I am not able to connect thorugh TM1 web, I made the changes in Web.Config file still I am getting the below error.

(154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login), we got the same error thread in IBM and followed the below link and created the SPN for TM1

http://www-01.ibm.com/support/docview.w ... wg21437878

As per IBM thread I have created SPN for TM1 and added the parameter in Tm1s.cfg file, but I am not sure whether I have created SPN correctly or not.

C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename

ServicePrincipalName=HTTP/machinename.Domain

Can you please let me know any suggestions on the same.

Thanks,
Kinshuk
Post Reply