TM1 9.5.1 - Integrated Login
Posted: Mon Oct 11, 2010 10:34 am
by damientaylorcreata
Hi Guys,
I have just installed a new version of TM1 9.5.1. However, I seem to be having a problem with Integrated Login.
Integrated login is currently working in our 9.4 version, but not the 9.5.
I have created a username by the same name as my domain username (just like what we have in our 9.4 version), and I have set up the tm1s.cfg with the following parameters:
SecurityPackageName=NTLM
IntegratedSecurityMode=2
If I log in with Integrated login turned off, it accepts my username and I can log in. However, if I tick the integrated login, I get the following error:
"Client Name does not exist on server"
I know my logged in username is the same as the account that I have set up in TM1, so it's strange. Is there anything different that I need to do with 9.5.1?
Thanks,
Damien
Re: TM1 9.5.1 - Integrated Login
Posted: Mon Oct 11, 2010 11:06 am
by Michel Zijlema
Hi Damien,
You need to make sure that the UniqueID field in the }ClientProperties cube contains the Windows ID (usually like user@domain) for the user in question.
Michel
Re: TM1 9.5.1 - Integrated Login
Posted: Mon Oct 11, 2010 11:45 am
by lotsaram
In the past (that is up to 9.4) all that was needed for integrated login was security mode 2 or 3 in tm1s.cfg and the client name in the UniqueID in }ClientProperties to match the Windows user ID. As of 9.5 it seems that to enable integrated login you must select the integrated login option during the install. I haven't had a chance to dig around to find out why this is so, but try a reinstall and review the 9.5 documentation and follow the steps to set up integrated login and I think it will fix the problem.
Re: TM1 9.5.1 - Integrated Login
Posted: Mon Oct 11, 2010 10:23 pm
by laenen
lotsaram wrote:In the past (that is up to 9.4) all that was needed for integrated login was security mode 2 or 3 in tm1s.cfg and the client name in the UniqueID in }ClientProperties to match the Windows user ID. As of 9.5 it seems that to enable integrated login you must select the integrated login option during the install. I haven't had a chance to dig around to find out why this is so, but try a reinstall and review the 9.5 documentation and follow the steps to set up integrated login and I think it will fix the problem.
Do you have to select it in the install? The docs have a section called "Manually Configuring Integrated Login for the ServerTM1" for 9.5.1
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 3:01 am
by lotsaram
No, you're right, I wrote that in a bit of a hurry. It's not so much needing to select integrated login option during install (I think that does nothing more than write the security mode line in the config file for you) but needing to run the ETLDAP utility in order to get integrated login to work, which you never had to bother with previously.
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 3:24 am
by tomok
damientaylorcreata wrote:SecurityPackageName=NTLM
Are you sure you should be using NTLM? It has been my experience that Kerberos is usually the correct setting, unless you plan on running the TM1 server and TM1Web on different boxes. Try changing it to Kerberos.
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 3:34 am
by tomok
lotsaram wrote:No, you're right, I wrote that in a bit of a hurry. It's not so much needing to select integrated login option during install (I think that does nothing more than write the security mode line in the config file for you) but needing to run the ETLDAP utility in order to get integrated login to work, which you never had to bother with previously.
The ETLDAP utility is for synchronizing your TM1 user IDs and groups with special Active Directory groups you have set up to be imported into TM1. Integrated Login like what he is talking about here is simply allowing the TM1 server to determine who each user is by querying their NT authentication information, matching that with the UniqueID property in the }ClientProperties cube and moving over in the lookup table, so to speak, and determining the TM1 ID. In effect, you're letting people into TM1 without making them have to sign in again.
I use this setup all the time and I've never once run the ETLDAP utility. However, I've found that you have to check "Integrated Login" as the security mechanism during the TM1 install or it won't work. There must be some DLLs that get registered only when you make that selection or something like that. You can easily turn it off by putting a different value in the tm1s.cfg file.
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 4:38 am
by lotsaram
I use this setting all the time too and up until 9.5.1 had never bothered with anything other than the UniqueID field and it worked just fine. As of the last install on 9.5.1 it required both selecting integrated login during install (maybe it does register some additional components as opposed to just changing the config file, who knows?) AND running the ETLDAP utility once to "give the system a kick", then it worked; prior to running the utility integrated login didn't work. It doesn't need to be re-run to import users, just the once seemed to do the trick. Usually I would never bother with importing from LDAP unless it was a mandated requirement, as it's not worth the effort. I haven't had a chance to look into it, maybe it was just a quirky install, but if something has changed with integrated login and someone has the time to investigate then I'd be interested in hearing the result.
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 9:12 am
by damientaylorcreata
Thanks guys for all of your replies on this question. I have tried all of your suggestions.
I tried reinstalling TM1 and making sure I ticked the boxes relating to Integrated login. I added back the user three times,
1 x my account (e.g. damien)
1 X my account plus domain (e.g. damien@domain)
1 x my account plus fully qualified domain (e.g. damien@domain.com)
Still not working.
I tried both NTLM and Kerberos, still not working.
I tried opening the ETLDAP utility and connecting to our LDAP server, not sure if I need to do anything else in this tool in order to get the integrated login working. However, it is still giving the same error: "Client name does not exist on the server". So frustrating!
Any other ideas of what I may be doing wrong?
Thanks guys,
Damien
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 9:43 am
by lotsaram
Sorry to be so basic but just checking that you do have "damien@domain.com" set up for user "damien" against UniqueID in }ClientProperties.
I'm assuming the answer is yes.
In which case next set of questions:
- this is a new development/test server?
- is the server joined to the domain?
- is the server trusted on the domain?
Re: TM1 9.5.1 - Integrated Login
Posted: Tue Oct 12, 2010 12:29 pm
by tomok
damientaylorcreata wrote:1 X my account plus domain (e.g. damien@domain)
I have found that the domain part of the UniqueID field is case sensitive. I have had situations where damien@domain will not work but damien@DOMAIN will. Give that a try.
Re: TM1 9.5.1 - Integrated Login
Posted: Wed Oct 13, 2010 8:47 am
by damientaylorcreata
Perfect!!! I updated the }ClientProperties cube with unique ID and it works now!! Thank you so much guys
Re: TM1 9.5.1 - Integrated Login
Posted: Thu Dec 16, 2010 6:18 pm
by neoturner
I installed without choosing the Integrated Login option.
The only thing that I had to do was set the UniqueID and set security mode in the config to 2. No ETLDAP utility or other settings needed, FYI.
I put the rule below in the Clients cube to auto generate the UniqueID. I did not use .com, I did use all uppercase for the domain name.
['UniqueID']=S: !}Clients | '@DOMAIN';
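
The following is an added example, not part of any post in this thread and not TM1 code. It models the UniqueID lookup described above as an exact, case-sensitive string match (an assumption taken from the case-sensitivity report in the thread) and lists the near-miss entries that would explain a "Client Name does not exist on server" error. The table, user names and function names are constructed for illustration.

```python
# Constructed sample of client -> UniqueID values, standing in for the
# UniqueID column of }ClientProperties. Not a real export.
UNIQUE_IDS = {
    "damien": "damien@domain.com",
    "michel": "michel@DOMAIN",
    "tom": "",
}

def resolve_client(windows_id, unique_ids):
    """Return the client whose UniqueID equals windows_id exactly.

    Assumption: the comparison is case-sensitive, as reported in the thread.
    """
    for client, uid in unique_ids.items():
        if uid and uid == windows_id:
            return client
    return None

def diagnose(windows_id, unique_ids):
    """List (client, reason) near misses when the exact lookup fails."""
    if resolve_client(windows_id, unique_ids):
        return []
    user, _, domain = windows_id.partition("@")
    findings = []
    for client, uid in unique_ids.items():
        if not uid:
            # A client that exists but has no UniqueID cannot be matched.
            if client.lower() == user.lower():
                findings.append((client, "UniqueID is empty"))
            continue
        u, _, d = uid.partition("@")
        if u.lower() != user.lower():
            continue
        if uid.lower() == windows_id.lower():
            findings.append((client, "differs only by case"))
        elif d.lower().split(".")[0] == domain.lower().split(".")[0]:
            findings.append((client, "short vs fully qualified domain"))
        else:
            findings.append((client, "same user, different domain"))
    return findings
```
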