TM1 Web 10.2 Integrated Login Kerberos setup

[bergstrand]

Hi,

As TM1 Web 10.2 was rebuilt and is now a Java application, single sign-on (SSO) in IntegratedSecurityMode 2/3 is no longer supported. Integrated Login by typing in your Windows user name and password is however supposed to work in mode 2/3 (TM1 Web 10.2 FAQ).

There was a security issue in 10.2 RTM with Integrated Login, but that should be solved in Interim Fix 1 and FP1.

There is a section in the 10.2 documentation, "Configuring Integrated Login for Cognos TM1 Web using Kerberos", which I have tried to follow to get Integrated Login to work, but to no avail. The instructions are not very clear and I am guessing a bit as to what the configuration files should contain and where to put them (krb5.ini etc.). I am just getting "A server error has occurred" when trying to login to TM1 Web. I have tried IBM support for help and even provided them with a bunch of logs and all my configuration files, but I have kinda stopped hoping for any help from them after a couple of months of not getting any help at all on this.

So, my simple question to you guys is: have any of you figured out how to get Integrated Login with security mode 2/3 to work in TM1 Web 10.2? And if so - how did you do it?

Thanks!

[kangkc]

I would go down the CAM path and configure CAM SSO with Active Directory.
So far I managed to get TM1 Web and good old Perspective working with a limitation, I still get prompted for ID and password which is the domain ID/password.

The steps is pretty lengthy and not well documented. How I wish there is a single tech note from IBM that we can follow step by step to do this especially for old school TM1 user as Cognos BI stack is a big black hole to me.

Next in line will be getting Contributor Application portal, Cognos Insight and Workspace working.

[bergstrand]

Thanks for the reply!

I would definitely go for CAM if Cognos BI is also used, but we have a number of clients that are currently running TM1 10.1 without BI. We also have some custom processes and websheets for security administration, which would have to be rebuilt if we would go for CAM security with these clients. It seems a bit unnecessary to install the BI runtime just to get integrated security to work, but perhaps that's the way to do it nowadays.

[Gabor]

I have heard, that it will take several month until we get back Integrated Login for Web 10.2.

[kangkc]

My view is even if IBM managed to get the Integrated Login works for TM1 Web, we are still faced with issue with Cognos Insight, TM1 Application portal etc that at the current state doesn't support a Windows Authentication without going through CAM.
Seems to me it's going the CAM direction.

[moby91]

What happens when you troubleshoot TM1 10.2 Windows Integrated Login (Kerberos Authentication as outlined by the IBM Technote 1662730 ?

http://www-01.ibm.com/support/docview.w ... wg21662730
How to Troubleshoot TM1Web 10.2 Windows Integrated Login (KERBEROS Authentication)

[bergstrand]

I have heard, that it will take several month until we get back Integrated Login for Web 10.2.

Integrated Login for TM1 Web 10.2 should already work. That is why I am trying to configure it. However single sign on (SSO) does not work (you have to type your Windows username and password).

Seems to me it's going the CAM direction.

Yeah, seems that way to me as well.

What happens when you troubleshoot TM1 10.2 Windows Integrated Login (Kerberos Authentication as outlined by the IBM Technote 1662730 ?

Thanks for the link, that technote didn't exist when I started trying to get this to work. I got the technote from IBM support as well and am in the middle of troubleshooting right now. I now have an error message, but I am stuck again. However IBM support have now woken up and are now very helpful, so we might actually get this to work. If so, I will post the solution here. IBM support also recommend CAM by the way.

[moby91]

There is a new Proven Practice covering this topic:


http://www.ibm.com/developerworks/libra ... index.html
IBM Business Analytics Proven Practices: Configuring Integrated Security for Cognos TM1 Web 10.2

How to set up integrated Windows Authentication for TM1 Web which now is a Java application in Cognos TM1 10.2 release. This is a supplement to the currently incomplete documentation.

http://www.ibm.com/developerworks/libra ... 78-pdf.pdf

[GWT]

Has anyone managed to get TM1Web Integrated Login working on 10.2.20000.50183?

I have followed all the instructions from the "IBM Business Analytics Proven Practices: ConfiguringIntegrated Security for Cognos TM1 Web 10.2" but never get to a point in the login screen to select Windows authentication or not be prompted for credentials.

[kangkc]

Has anyone managed to get TM1Web Integrated Login working on 10.2.20000.50183?

I have followed all the instructions from the "IBM Business Analytics Proven Practices: ConfiguringIntegrated Security for Cognos TM1 Web 10.2" but never get to a point in the login screen to select Windows authentication or not be prompted for credentials.

Decided to give it a shot with the instruction in the document. Managed to get it working within an hour. Having the domain controller Administrator access does help to get it going. In summary, the instructions provided do work.

Do note that IBM specifically said that this is not a SSO solution in which user will still need to key in the domain account and password on the TM1Web login form.

[tm1_user]

Hi kangkc,

While logging in to TM1Web 10.2 using "Windows Authentication", I am getting error message "An error has occured" after entering Windows login credentials.
I have followed the instructions in the below URL, "Configuring Integrated Security for Cognos TM1 Web 10.2" to ensure the settings are done as specified during setup.
URL:
https://www.ibm.com/developerworks/libr ... m-page678/

However, i am able to login to TM1Web with "Native Authentication" successfully.

tm1web_config.xml file, the parameter 'IntegratedSecurityModuleName' is assigned value 'TM1SignedOnUserLoginContext'.
Tm1s.cfg file has the parameter IntegratedSecurityMode set to 2.

I have gone through the previous posts where it was suggested to go via CAM authentication. But we dont have Cognos BI installed as we are using a different product for BI reporting.

I wanted to know if there is any resolution for this issue which enables us to login TM1Web 10.2 using Windows authentication.

My other question is, is there any process to enable "Windows authentication" to login TM1 Performance Modeler. Idont see an option to select the Authentication type.
Able to login to PM using TM1 login credentials.

[gtonkin]

Hi kangkc,

Thanks for your reply - I think what was confusing me is the expectation of the Integrated Login tick box, not that I needed to enter credentials.
It seemed that the configuration in the KRB5.conf file was incorrect and thus not authenticating. Getting the correct KDC server FQDN is they key!

[kangkc]

Hi kangkc,

While logging in to TM1Web 10.2 using "Windows Authentication", I am getting error message "An error has occured" after entering Windows login credentials.
I have followed the instructions in the below URL, "Configuring Integrated Security for Cognos TM1 Web 10.2" to ensure the settings are done as specified during setup.
URL:
https://www.ibm.com/developerworks/libr ... m-page678/

However, i am able to login to TM1Web with "Native Authentication" successfully.

tm1web_config.xml file, the parameter 'IntegratedSecurityModuleName' is assigned value 'TM1SignedOnUserLoginContext'.
Tm1s.cfg file has the parameter IntegratedSecurityMode set to 2.

I have gone through the previous posts where it was suggested to go via CAM authentication. But we dont have Cognos BI installed as we are using a different product for BI reporting.

I wanted to know if there is any resolution for this issue which enables us to login TM1Web 10.2 using Windows authentication.

My other question is, is there any process to enable "Windows authentication" to login TM1 Performance Modeler. Idont see an option to select the Authentication type.
Able to login to PM using TM1 login credentials.

If you are only interested to get TM1Web, Excel client and Performance Modeler with Windows Authentication, you do not need to go via the CAM path.
Following the tech note does work and we have done that in two different setups. However Kerberos is never a easy setup and you must follow the steps in the document closely. Watch out on the Realm name as it is case sensitive.

[tm1_user]

Hi kangkc,

Thanks for your response.

We are reviewing the installation setup and the krb5.ini setup file and others.
There seems to be a setup issue as KERBOROS parameter is not setup properly.

[gtonkin]

Here is a guide I created when I configured TM1Web in my lab.
Note that I used TM1 10.2.2 FP1, Tomcat etc, bog standard TM1 install for my server components.

1. References Required
TM1 Service Account – Used to start TM1 services
TM1 Server Name – Machine on which TM1 will be running
TM1 Domain Name – Domain on which TM1 server and Clients will be active
Domain Controller Name – Name of machine used to authenticate users (KDC)
TM1 Install folder – e.g. C:\program files\ibm\cognos\tm1_64

2. Service Account
Identify the account being used to start the TM1 Admin Server and instances, mine is called TM1-SVC
Ensure all TM1 services are configured to use this account and that account has prescribed permissions.

3. }ClientProperties Rule
Create/Update the rule to add the domain to configured clients.

Code: Select all

SKIPCHECK;
#=====ADMIN=====
['Admin','UniqueID']=S:'GEOTON@MYDOMAIN';
#================
#=====GENERAL=====
['UniqueID']=S:!}Clients|'@MYDOMAIN';
#==================
FEEDERS;

Note: }ClientProperties set to use domain MYDOMAIN – MYDOMAIN.COM did not work!

4. TM1S.CFG
Update the TM1S.CFG to use Integrated Login with Kerberos

Code: Select all

IntegratedSecurityMode=3
SecurityPackageName=Kerberos
ServicePrincipalName=tm1s/TM1SERVER.MYDOMAIN.COM@MYDOMAIN.COM

5. Link service account to domain
Example:
setspn -U -F -S tm1s/myserver.example.com example\tm1s_plan

From the command prompt, running as administrator, enter the following:

Code: Select all

Setspn –U –F –S tm1s/TM1SERVER.MYDOMAIN.COM TM1-SVC

Note: Probably a good place to restart services and check the you can log in using Integrated through Architect/Perspectives to ensure that the basics are working.

6. TM1Web_Config.XML
On the TM1SERVER, edit the following file:
<TM1 Install>\webapps\tm1web\WEB-INF\configuration\tm1web_config.xml
Locate the line that reads,

Code: Select all

<add key="IntegratedSecurityModuleName" value="LoginModule name"/>

Replace the value of this key with TM1SignedOnUserLoginContext if not already done.
The line should read:

Code: Select all

<add key="IntegratedSecurityModuleName" value="TM1SignedOnUserLoginContext"/>

Save and close the file.

7. TM1WebLogin.config
In a text editor such as Notepad or vi, create a new empty file and save it under the name TM1WebLogin.config as
<TM1 Install>\bin64\jre\7.0\lib\security\TM1WebLogin.config

In the text editor, create a new login context with a name of TM1SignedOnUserLoginContext and specify the JRE's JAAS Kerberos login module.
Note the option useDefaultCcache had been included to disable the default credential cache. For an IBM JRE the contents of the file should look like this:

Code: Select all

TM1SignedOnUserLoginContext {
 com.ibm.security.auth.module.Krb5LoginModule required
 useDefaultCcache=false
 debug=true
 credsType=initiator;
};

8. Java.security
Open the following file
<TM1 Install>\bin64\jre\7.0\lib\security\java.security

Search for the text login.config.url. This should identify a snippet which looks like this:

Code: Select all

# Default login configuration file
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/login.config

Replace the name of the file (login.config) in the line which is not a comment (does not start with a # character) with TM1WebLogin.config. The result should look as follows,

Code: Select all

# Default login configuration file
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/TM1WebLogin.config

9. krb5.conf
Create a new file as
<TM1 Install>\bin64\jre\7.0\lib\security\krb5.conf

Update with the following:

Code: Select all

[libdefaults]
 default_realm = MYDOMAIN.COM
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
 ticket_lifetime = 1200
[realms]
 MYDOMAIN.COM = {
 kdc = MYDC. MYDOMAIN.COM
 admin_server = MYDC. MYDOMAIN.COM
 default_domain = MYDOMAIN.com
 }
[domain_realm]
 . MYDOMAIN.com = MYDOMAIN.COM
[appdefaults]

Note: MYDC is the domain controller on the network to which TM1Server belongs.

9.1. Finding the KDC
Open up the computer properties for TM1Server that is on the relevant domain – Windows Key + Pause/Break
Or go to Control Panel, System and Security, System
Get the FQDN from the Domain: item

10. First time login
Restart Applications server to ensure Java is reloaded etc.
Connect to http://<TM1Server>:9510/tm1web
In Cognos TM1 Web version 10.2, you must enter your Microsoft Windows authentication in the Cognos TM1 Web login dialog box, there is not tick box for integrated log.

NOTE: If your TM1 server has underscores (or possibly other special characters) in the name e.g. TM1_SERVER, you will get an error message on login – Session timed out – check IBM Technote 1458105 https://www-304.ibm.com/support/docview ... wg21458105

GOOD LUCK!

[lotsaram]

George - I take this to mean that you succeeded in getting windows integrated login to work with TM1 Web and Tomcat using the standard or "old" method of UniqueID=WindowsUser@Domain without using CAM ? I have certainly heard of integrated login being made to work after 1) implementing CAM, 2) integrating CAM with LDAP Namespace 3) setting up additional Cognos IIS gateway to capture the logged in user context from Kerberos and pass back to the JVM.

But this is the first time I heard of anyone succeeding with SSO for 10.2.2 TM1 Web without CAM (and all the extra complexity it brings plus needing full Cognos BI to do it since BI Runtime 10.1 is not officially supported for TM1 10.2.2 authentication). If your method works then despite the fact that it still sounds rather complicated it would be more straightforward and streamlined than the CAM alternative.

What about the complexity of multiple domains & domain controllers?

[gtonkin]

@Lotsaram - Just to be sure of what I did, this is TM1Web only, not Application which AFAIK only supports modes 1 and 5. We have not needed to use CAM, CAM with LDAP at this stage so cannot comment.
I have not needed to configure for multiple domain controllers but have got users on multiple domains. For these clients we add an attribute to the }Clients dimension and configure with the secondary domains e.g.

Code: Select all

#=====GENERAL=====
['UniqueID']=S:
!}Clients|'@'|IF(ATTRS('}Clients',!}Clients,'Domain')@<>'',ATTRS('}Clients',!}Clients,'Domain'),'@MYDOMAIN');
#==================

Hopefully other forum members can shed further light on the areas I cannot.

[kangkc]

George - I take this to mean that you succeeded in getting windows integrated login to work with TM1 Web and Tomcat using the standard or "old" method of UniqueID=WindowsUser@Domain without using CAM ? I have certainly heard of integrated login being made to work after 1) implementing CAM, 2) integrating CAM with LDAP Namespace 3) setting up additional Cognos IIS gateway to capture the logged in user context from Kerberos and pass back to the JVM.

But this is the first time I heard of anyone succeeding with SSO for 10.2.2 TM1 Web without CAM (and all the extra complexity it brings plus needing full Cognos BI to do it since BI Runtime 10.1 is not officially supported for TM1 10.2.2 authentication). If your method works then despite the fact that it still sounds rather complicated it would be more straightforward and streamlined than the CAM alternative.

What about the complexity of multiple domains & domain controllers?

Cautions:
We have the SSO setup with TM1Web in production environment and even though lots of testings was done to make sure all ok. After system cut-over, we have some client machines can't get through using TM1 Perspective with Kerberos. This is not a server setup issue but rather respective client machines issue with SPN.
Just be mindful that majority is running fine but there will be some may end up with problems which I think it's beyond TM1 but in the area of kerberos.

[amigo]

Hi, sorry to bring up the dead, but did anyone get this working sucessfully?

I have a new Windows 2008 Server VM, installed 10.2.2 and then the Fix Pack, however, the integrated login via the Web DOES NOT want to play... and the only error I get is "Login Failed, please try again.

I have gone through the various steps as other members have suggested but seem to be pulling my hair out. Integrated Login via Architect is working fine.

You patience in solving this issue is much appreciated.

Thanks,

AMIGO !

[gtonkin]

Hi Amigo, I did using the steps I posted further up in this thread - review and take note of the traps I fell into e.g Getting the correct KDC server FQDN is they key!
I had configured my VM as the Domain Controller too which made my test environment easier. Also be careful of the Admin_Server in the KRB5.CONF - this is not the TM1 server but the KDC!
Also check for underscores etc. in the host name - Web does not like this - you may need to alias through the Hosts file or try the IP address.

I still have an issue at a client where their implemntation of Kerberos seems to be quite complicated and the ticket never seems to be sent back to allow login.
Good luck!