TM1 Forum

Hi Guys,

I am quite new to Active Directory authentication using tm1 (Mode 2 and 3).

I've noticed that is quite simple to configure architect to work with integrated login:

- TM1 authentication compares the user's domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the }ClientProperties cube and if there is a match, the user is authenticated to TM1.

However I am still trying to understand how this process works for PAW. It seems there are more verification steps than architect to authenticate the user.
____________________________________________________________________________

I am trying to accomplish the following:

1-) Supposing I have tm1 server and PAW installed on oracle cloud.

2-) An external user_A from Company_A wants to connect to PAW from his browser (Chrome or Mozilla) using integrated Windows authentication.

3-) This user_A does not have access to oracle cloud, but he wants that PAW accepts integrated Windows authentication using credentials from his Company_A Ldap server.

4-) Oracle cloud does not use Company_A Ldap server (users can't login to oracle cloud machines). I just use ETLdap to export users UniqueID from Company_A Ldap server to }ClientProperties cube.
____________________________________________________________________________

It seems PAW Windows authentication login does not work the same way architect integrated login works. Using ETLdap to export users UniqueID from Company_A Ldap server to }ClientProperties cube is not enough to establish connection to user_A browser.

My question:

What else should I do in order to allow an external user to use PAW Windows authentication ? Do I need to use kerberos to allow this user_A ldap server ?

Hello.

I will not say that I am an expert in this area.
but I presume that the tm1 server must have access to the company's ldap server. Take server pav must have access to the server tm1.
Authorization occurs by redirecting a request from the pav server to the tm1 server from the tm1 server to the ldap server where the authorization status is transmitted and subsequently a session is formed on the tm1 server, which is used on the pav server. But in the latter, I'm not sure, maybe it has its own authorization mechanism maybe experts says more trusted info

kaleming wrote: ↑Mon Apr 19, 2021 12:57 am My question:

What else should I do in order to allow an external user to use PAW Windows authentication ? Do I need to use kerberos to allow this user_A ldap server ?

PaW and Architect actually work quite the same way (unlike Tm1web with SSO, sigh), you need an SPN set up for the tm1 service account that would allow users to be delegated:
https://www.ibm.com/docs/en/planning-an ... ed-tm1-web

If you use only 1 server you can get away with using NTLM security provider, if TM1 and PaW are on different servers you need Kerberos + SPN defined.

PaW server (or docker service) should share the same SPN you created and it will delegate users through.

4-) Oracle cloud does not use Company_A Ldap server (users can't login to oracle cloud machines). I just use ETLdap to export users UniqueID from Company_A Ldap server to }ClientProperties cube.

This won't work unless PaW server can connect to Company_A ldap server and verify the user token. User's browser literally says to PaW 'I am "John.smith@companyA"' and PAW must go to companyA directory server and verify that he is, otherwise you'd break that security by adjusting browser cookies at will.