Server refuses Integrated login,Integrated login has been se
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Server refuses Integrated login,Integrated login has been se
Hi Everyone,
Currently we are using IBM Cognos TM1 9.5.1
We are getting the below error, when we are trying to connect TM1 to Active Directory.
Server refuses Integrated login,Integrated login has been set apropriately. Retry connection.
We have followed the below steps in TM1 to connect Active Directory.
1) Created the below rule in }Client Properties cube
['UniqueID'] =S: !}Clients | '@DOMAIN';
Client properties cube is working fine with the rule.
2) In TM1s.cfg we made changes in below parameters.
SecurityPackageName=Kerberos (Tried with NTLM also instead of Kerberos)
IntegratedSecurityMode=2
We have logged in the admin domain account which we were used to install TM1 initially and also created the same user account in TM1 as well.
We have tried so many ways but still it’s giving the same error, even there are no errors in TM1 log file.
Also I have gone through the tm1forum,I didn’t get any solution for the same.
Can you please give us any suggestions to resolve the problem?
Thanks for your help.
Regards,
Kinshuk
Currently we are using IBM Cognos TM1 9.5.1
We are getting the below error, when we are trying to connect TM1 to Active Directory.
Server refuses Integrated login,Integrated login has been set apropriately. Retry connection.
We have followed the below steps in TM1 to connect Active Directory.
1) Created the below rule in }Client Properties cube
['UniqueID'] =S: !}Clients | '@DOMAIN';
Client properties cube is working fine with the rule.
2) In TM1s.cfg we made changes in below parameters.
SecurityPackageName=Kerberos (Tried with NTLM also instead of Kerberos)
IntegratedSecurityMode=2
We have logged in the admin domain account which we were used to install TM1 initially and also created the same user account in TM1 as well.
We have tried so many ways but still it’s giving the same error, even there are no errors in TM1 log file.
Also I have gone through the tm1forum,I didn’t get any solution for the same.
Can you please give us any suggestions to resolve the problem?
Thanks for your help.
Regards,
Kinshuk
- Attachments
-
- TM1 Integrated Login Error1.docx
- (18.22 KiB) Downloaded 316 times
- qml
- MVP
- Posts: 1094
- Joined: Mon Feb 01, 2010 1:01 pm
- OLAP Product: TM1 / Planning Analytics
- Version: 2.0.9 and all previous
- Excel Version: 2007 - 2016
- Location: London, UK, Europe
Re: Server refuses Integrated login,Integrated login has bee
Is your TM1 Windows Service running under a Windows domain account?
Kamil Arendt
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Yes, it is running under windows domain account.qml wrote:Is your TM1 Windows Service running under a Windows domain account?
-
- MVP
- Posts: 170
- Joined: Fri Dec 10, 2010 4:07 pm
- OLAP Product: TM1
- Version: [2.x ...] 11.x / PAL 2.0.9
- Excel Version: Excel 2013-2016
- Location: Germany
Re: Server refuses Integrated login,Integrated login has bee
Did you check the delegation rights for your account/server machine?
To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.
To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.
To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Thanks Gabor, we have tried with your suggestion,evertyhing is in right place only, but we have selected the option which you mentioned in delegation tab
but there is no luck for me, still its giving same error.
but there is no luck for me, still its giving same error.
Gabor wrote:Did you check the delegation rights for your account/server machine?
To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.
To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Any other suggestions that will be helpful for me,since two weeks I am working the same issue on test Environment. I tried my best I dont know where I am missing.Kinshuk wrote:Thanks Gabor, we have tried with your suggestion,evertyhing is in right place only, but we have selected the option which you mentioned in delegation tab
but there is no luck for me, still its giving same error.
Gabor wrote:Did you check the delegation rights for your account/server machine?
To verify settings for domain user accounts used to access reports/application
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the domain user account, right-click the user account, and then click Properties.
4. On the Account tab, under Account options, verify that the following option is not selected: Account is sensitive and cannot be delegated.
To configure the middle tier computer/user account to use Kerberos with full delegation
1. Go to the Control Panel.
2. From Administrative Tools, open Active Directory Users and Computers.
3. Locate the middle tier computer/user account, right-click it and then click Properties.
4. On the Delegation tab, verify that the following options is selected: Trust this computer for delegation to any service (Kerberos only).
Note: If the Delegation tab is not visible, there is no SPN configured for the account. Add an SPN and then perform the procedure.
Is there any problem with Hotfix? we have installed HotFix9.
Is there any problem with TM1 config file? do we need to add any extra parameters in config file?
Sorry, I forgot to mentioned the Server details in my previous mail.
we have installed Cognos TM1 on Windows Server 2008 R2 Enterprise Edition.
Thanks,
Kinshuk
- paulsimon
- MVP
- Posts: 808
- Joined: Sat Sep 03, 2011 11:10 pm
- OLAP Product: TM1
- Version: PA 2.0.5
- Excel Version: 2016
- Contact:
Re: Server refuses Integrated login,Integrated login has bee
Hi Kinshuk
Does the User Id under which the server is running have Admin Rights? Is it on the same Domain as the users who are trying to sign in? Are you getting the error when you sign in from the TM1 Client or TM1 Web. (If with TM1 Web the easiest approach is to use NTLM and have IIS on the same server as TM1, and there are some edits you need to make in the Web.Config and IIS settings). However, if you are just getting the problem from the TM1 Client ie TM1 from Excel then there must be some other issue. Are the user ids in }Clients matching the ones that the users have in Windows?
Does the error appear if you try integrated login on the same box as the TM1 Server?
Regards
Paul Simon
Does the User Id under which the server is running have Admin Rights? Is it on the same Domain as the users who are trying to sign in? Are you getting the error when you sign in from the TM1 Client or TM1 Web. (If with TM1 Web the easiest approach is to use NTLM and have IIS on the same server as TM1, and there are some edits you need to make in the Web.Config and IIS settings). However, if you are just getting the problem from the TM1 Client ie TM1 from Excel then there must be some other issue. Are the user ids in }Clients matching the ones that the users have in Windows?
Does the error appear if you try integrated login on the same box as the TM1 Server?
Regards
Paul Simon
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
paulsimon wrote:Hi Kinshuk
Does the User Id under which the server is running have Admin Rights? Is it on the same Domain as the users who are trying to sign in? Are you getting the error when you sign in from the TM1 Client or TM1 Web. (If with TM1 Web the easiest approach is to use NTLM and have IIS on the same server as TM1, and there are some edits you need to make in the Web.Config and IIS settings). However, if you are just getting the problem from the TM1 Client ie TM1 from Excel then there must be some other issue. Are the user ids in }Clients matching the ones that the users have in Windows?
Does the error appear if you try integrated login on the same box as the TM1 Server?
Regards
Paul Simon
Thanks for your mail Paul...
1) Does the User Id under which the server is running have Admin Rights?
Yes, the User ID has admin rights.
2) Is it on the same Domain as the users who are trying to sign in?
Yes, All the users are under the same domain, but currently I am working on Test environment, in that i have created only one TM1 user account( it is a windows ID with admin access)
3) Are you getting the error when you sign in from the TM1 Client or TM1 Web?
Yes, we are getting the same error when I sign in from TM1 Client, In Tm1 web we made a changes in Web.Config, TM1 Server and TM1 web both applications are installed in the same machine( Even we have tried with NTLM also).
In TM1 Web we are getting different error(Integrated Login Failed. Please Try Again.. 154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login.), we got the same error thread in IBM and followed the below link and created the SPN for TM1. In TM1 Web also no luck.......
http://www-01.ibm.com/support/docview.w ... wg21437878
4) Does the error appear if you try integrated login on the same box as the TM1 Server?
Yes, on the same box as the TM1 Server.
We are getting the problem from TM1 Client Side and TM1 server as well.
Thanks,
Kinshuk
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Can you please verify the SPN which I created for TM1 Web.
Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web?
I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)
ServicePrincipalName=WSMAN/TM1ExcelService
Thanks,
Kinshuk
Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web?
I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)
ServicePrincipalName=WSMAN/TM1ExcelService
Thanks,
Kinshuk
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Hi Everyone,Kinshuk wrote:Can you please verify the SPN which I created for TM1 Web.
Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web?
I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)
ServicePrincipalName=WSMAN/TM1ExcelService
Thanks,
Kinshuk
I got the solution for Server refuses integrated login, I haven't make any changes in TM1, Yesterday we had a problem in Server room.
Today morning I tried once, automatically it got conneted to Active Directory. I think problem with the servers or Network.
Thanks to all for your help and suggestions......
Now I am able to connect Integrated login through TM1 architet and TM1 Perspectives.
But I am not able to connect thorugh TM1 web, I made the changes in Web.Config file still I am getting the below error.
(154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login), we got the same error thread in IBM and followed the below link and created the SPN for TM1
http://www-01.ibm.com/support/docview.w ... wg21437878
As per IBM thread I have created SPN for TM1 and added the parameter in Tm1s.cfg file, but I am not sure whether I have created SPN correctly or not.
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
ServicePrincipalName=HTTP/machinename.Domain
Can you please let me know any suggestions on the same.
Thanks,
Kinshuk
-
- Posts: 8
- Joined: Thu May 16, 2013 1:26 pm
- OLAP Product: TM1
- Version: 9.5.1
- Excel Version: 2007
Re: Server refuses Integrated login,Integrated login has bee
Hi Everyone,
I got the Solution for below TM1web error long back but I am posting today.
(154: TM1APIDOTNET Exception: - Failed to create Client Credentials for integrated login),
As per IBM Cogon’s TM1 PDF, I have followed the steps and created SPN as follows.
Set the Service Principal Name (SPN)
To set the SPN, complete the following steps.
Steps
1. Download the SetSPN.exe utility from the Microsoft support for Windows 2000 website.
2. As a domain administrator, execute the following commands:
setspn -A HTTP/web_server_name domain_name\user_acct_for_TM1_services
setspn -A HTTP/webservername.domain_name domain_name\user_acct_for_TM1_services
So I have added below parameter in TM1s.cfg file
ServicePrincipalName=HTTP/machinename
I have followed the below link to add windows authentication role service in TM1 web authentication for windows 2008 R2 server.
http://www.iis.net/configreference/syst ... entication
Activate Windows Authentication. Then “Windows Authentication” will be visible in IIS.
But make sure that, you need to Deactivate "Anonymous Authentication” and Activate Windows Authentication. After that you need to Restart IIS.
Thanks to everyone.............
Regards,
Kinshuk
I got the Solution for below TM1web error long back but I am posting today.
(154: TM1APIDOTNET Exception: - Failed to create Client Credentials for integrated login),
As per IBM Cogon’s TM1 PDF, I have followed the steps and created SPN as follows.
Set the Service Principal Name (SPN)
To set the SPN, complete the following steps.
Steps
1. Download the SetSPN.exe utility from the Microsoft support for Windows 2000 website.
2. As a domain administrator, execute the following commands:
setspn -A HTTP/web_server_name domain_name\user_acct_for_TM1_services
setspn -A HTTP/webservername.domain_name domain_name\user_acct_for_TM1_services
So I have added below parameter in TM1s.cfg file
ServicePrincipalName=HTTP/machinename
I have followed the below link to add windows authentication role service in TM1 web authentication for windows 2008 R2 server.
http://www.iis.net/configreference/syst ... entication
Activate Windows Authentication. Then “Windows Authentication” will be visible in IIS.
But make sure that, you need to Deactivate "Anonymous Authentication” and Activate Windows Authentication. After that you need to Restart IIS.
Thanks to everyone.............
Regards,
Kinshuk
Kinshuk wrote:Hi Everyone,Kinshuk wrote:Can you please verify the SPN which I created for TM1 Web.
Active Directory SPN's:
C:\Users\tm1_admin>setspn -l machinename
WSMAN/machinename
WSMAN/machinename.Domain
TERMSRV/machinename.Domain
TERMSRV/machinename
RestrictedKrbHost/machinename
HOST/machinename
RestrictedKrbHost/machinename.Domain
HOST/machinename.Domain
In the above AD SPN's, which one do we need to pick for TM1 Web?
I have created the following SPN for TM1 and added the parameter in Tm1s.cfg file
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
WSMAN/TM1ExcelService (for TM1Web)
ServicePrincipalName=WSMAN/TM1ExcelService
Thanks,
Kinshuk
I got the solution for Server refuses integrated login, I haven't make any changes in TM1, Yesterday we had a problem in Server room.
Today morning I tried once, automatically it got conneted to Active Directory. I think problem with the servers or Network.
Thanks to all for your help and suggestions......
Now I am able to connect Integrated login through TM1 architet and TM1 Perspectives.
But I am not able to connect thorugh TM1 web, I made the changes in Web.Config file still I am getting the below error.
(154: TM1APIDOTNET Exception :- Failed to create Client Credentials for integrated login), we got the same error thread in IBM and followed the below link and created the SPN for TM1
http://www-01.ibm.com/support/docview.w ... wg21437878
As per IBM thread I have created SPN for TM1 and added the parameter in Tm1s.cfg file, but I am not sure whether I have created SPN correctly or not.
C:\Users\tm1_admin>setspn -l Domain\Username or Username
HTTP/machinename.Domain
HTTP/machinename
ServicePrincipalName=HTTP/machinename.Domain
Can you please let me know any suggestions on the same.
Thanks,
Kinshuk