Hi everyone,
This might seem like groundhog day or a throwback to 2013, but I have a client who does not want the Cognos Analytics overhead just for user authentication and they don't want to have to manage users in TM1 directly...so we're at IntegratedSecurityMode 3 (currently two while I sort this out).
This is for a Windows Server 2016 server and PA 2.0.6 local setup.
The documentation is good on this:
1) Crank up ETLDAP and get your users in (done with much fiddling and AD head scratching)
2) Add the following to config file:
IntegratedSecurityMode=2
SecurityPackageName=Kerberos
3) Checkbox Integrated Security in Perspectives.
4) All is well
...sadly all is not well.
"Log In Failed: SystemServerClientNotFound"
I have tried every permutation of user name in the "UniqueID" field in the }ClientProperties cube paying special attention to case. Nothing works.
I have switched on Audit Logging and have reviewed the unsuccessful login attempts. The IP it notes is correct, however there is no user name. I don't know if this is relevant or not.
All TM1 services are running under a domain account. That domain account is the SPN for all TM1 services. The account has delegation checked as "Trust this user for delegation to any service (Kerberos)".
Have I missed some crucial configuration item?
Note this is just for Perspectives at the moment, if it doesn't work here, it sure isn't going to work for TM1Web!
Help with IntegratedSecurityMode 2/3
-
- Community Contributor
- Posts: 306
- Joined: Mon May 12, 2008 8:11 am
- OLAP Product: TM1
- Version: TM1 11 and up
- Excel Version: Too many to count
Re: Help with IntegratedSecurityMode 2/3
You could try NTLM rather than Kerberos.
Unique id should be username@domain; not sure that case makes a difference.
Paul
-
- Posts: 16
- Joined: Fri May 18, 2012 10:23 am
- OLAP Product: TM1, Planning Analytics
- Version: 10.2.2, Planning Analytics 2.x
- Excel Version: Latest
- Location: UK
Re: Help with IntegratedSecurityMode 2/3
Thanks Paul, sadly that's a non-starter. username@domain.x, Username@domain.x, username@Domain.x, UserName@Domain.x etc. have all failed along with any other form of a username under the sun. NTLM isn't an option here.
Last edited by Derezed on Wed Mar 13, 2019 7:31 pm, edited 1 time in total.
-
- MVP
- Posts: 2831
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: Help with IntegratedSecurityMode 2/3
Not sure what the ".x" is after the domain but it has to be just the domain. If your user id is userid@mycompany.com then the user ID in TM1 would be user@mycompany. It is also case sensitive, both ID and domain.
-
- Posts: 16
- Joined: Fri May 18, 2012 10:23 am
- OLAP Product: TM1, Planning Analytics
- Version: 10.2.2, Planning Analytics 2.x
- Excel Version: Latest
- Location: UK
Re: Help with IntegratedSecurityMode 2/3
Hi Tomok,
The .x is just a sample. In this case users are .com and all lower case. Sadly that doesn't work so I gave a couple more options a go.
Am I right in thinking it is only the uniqueID field that has any bearing on authentication here?
Do unsuccessful logins from unknown clients ever show in the audit log with a user name entry or is it specifically a TM1 client name as opposed to whatever the credential that was passed to TM1?
Kerberos does a number on my head sadly because I don't understand how TM1 has implemented the checking of credentials or what the prerequisites for the AD setup are to make sure it works.
-
- MVP
- Posts: 2831
- Joined: Tue Feb 16, 2010 2:39 pm
- OLAP Product: TM1, Palo
- Version: Beginning of time thru 10.2
- Excel Version: 2003-2007-2010-2013
- Location: Atlanta, GA
- Contact:
Re: Help with IntegratedSecurityMode 2/3
Don't use anything after the domain. If your full ID is fred.smith@mycompany.com then your TM1 ID would be "fred.smith" and the value in the unique ID field would be "fred.smith@mycompany". Note we are not including the ".com".
-
- Posts: 16
- Joined: Fri May 18, 2012 10:23 am
- OLAP Product: TM1, Planning Analytics
- Version: 10.2.2, Planning Analytics 2.x
- Excel Version: Latest
- Location: UK
Re: Help with IntegratedSecurityMode 2/3
Sadly that has failed to work too. From your post Tomok, is the client name as important as the uniqueID field? I thought only the uniqueID was used to authenticate, but am likely wrong here. I have changed the client name a few times and am using the name as provided by WHOAMI in cmd. I know it definitely isn't the FQDN because that gives me a whopping great big AD definition of the user.
-
- Posts: 40
- Joined: Fri Jan 29, 2010 1:55 am
- OLAP Product: Cognos TM1
- Version: 9.5
- Excel Version: 2007
- Contact:
Re: Help with IntegratedSecurityMode 2/3
Have you set up the ServicePrincipalName?
https://www.ibm.com/support/knowledgece ... lname.html
Works for perspectives, pax, and paw.
Good luck setting up the TM1Web if you wish to connect directly. Works fine through paw.
-
- Posts: 16
- Joined: Fri May 18, 2012 10:23 am
- OLAP Product: TM1, Planning Analytics
- Version: 10.2.2, Planning Analytics 2.x
- Excel Version: Latest
- Location: UK
Re: Help with IntegratedSecurityMode 2/3
Hi olapuser, that sadly does nothing. I will have to review this one if we get as far as TM1Web. The initial login should not be using constrained delegation or any delegation for that matter. Does anybody know how TM1 gets registered with the domain controller in the first place? I am not sure the DC knows that TM1 exists which might be where my problem lies.