Hey guys,
We are currently using TM1 authentication, which works fine as there aren't too many users logging on to the TM1 servers and this can be managed. The problem comes in when passwords are set to expire. This has resulted in users not being able to log in once their password expires, but as they are all TM1web users, they don't get a prompt to say "your password will expire in 2 days.... would you like to change it?" for example - they just have no prompts, so they never know when it's expiring.
Is there a way that users can be prompted before their passwords expire and a way to renew them? (they are all web users so no fat clients).
If not, then can integrated login or LDAP login work given the following:
Users are dotted around the world in different Windows domains, so their user accounts would be in a different domain to the one running the services on the TM1 server. TM1 servers are Windows 2008 servers.
I've been reading up and there is a lot on how to configure integrated login and LDAP, but I haven't come across the limitations on when it doesn't work. Does anyone have experience on making either integrated or LDAP authentication work across Windows domains?
Thanks.
Method of Authentication
-
- Posts: 141
- Joined: Wed Nov 14, 2012 10:37 am
- OLAP Product: TM1
- Version: 2.0
- Excel Version: Office 365
-
- MVP
- Posts: 3706
- Joined: Fri Mar 13, 2009 11:14 am
- OLAP Product: TableManager1
- Version: PA 2.0.x
- Excel Version: Office 365
- Location: Switzerland
Re: Method of Authentication
We have users on 5 domains connecting via integrated login with TM1 web. As long as domains are trusted and part of the same network then it should work. The best way is to test it out!
- mattgoff
- MVP
- Posts: 518
- Joined: Fri May 16, 2008 1:37 pm
- OLAP Product: TM1
- Version: 10.2.2.6
- Excel Version: O365
- Location: Florida, USA
Re: Method of Authentication
JamiseBondi wrote:
If not, then can integrated login or LDAP login work given the following:
Users are dotted around the world in different Windows domains, so their user accounts would be in a different domain to the one running the services on the TM1 server. TM1 servers are Windows 2008 servers.
I've been reading up and there is a lot on how to configure integrated login and LDAP, but I haven't come across the limitations on when it doesn't work. Does anyone have experience on making either integrated or LDAP authentication work across Windows domains?

I can't speak to the TM1 Web question, but if you can I'd definitely move to integrated login if for nothing else than to eliminate a set of credentials for your users. You can definitely have different domains (we have three). In the }ClientProperties cube, UniqueID element, the syntax is username@domain. As lotsaram says, all domains must be trusted and in the same forest. Also, the TM1 server must be running under an account in one of the domains. Troubleshooting things to get it working can be a pain if you're new to AD, but once you have it set up it really makes things a lot easier.
Matt
Please read and follow the Request for Assistance Guidelines. It helps us answer your question and saves everyone a lot of time.
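As an added illustration (not posted by anyone in this thread), this is the tm1s.cfg change behind the move from TM1 native authentication to integrated login discussed in the replies above. The service principal name is a placeholder and the choice of Kerberos as the security package is an assumption; substitute the values for your own environment.

```ini
# tm1s.cfg: illustrative fragment only; values in <...> are placeholders

[TM1S]
# Before: TM1 native authentication. Passwords are held in TM1 itself,
# which is the setup where TM1 Web users get no expiry warning.
# IntegratedSecurityMode=1

# Transition option: mode 2 accepts both native and integrated logins,
# so integrated login can be tested before users are switched over.
# IntegratedSecurityMode=2

# After: integrated login only. The TM1 server service must run under a
# domain account, and each client needs a UniqueID of the form
# username@domain in the }ClientProperties cube.
IntegratedSecurityMode=3

# Assumption: Kerberos is chosen here; NTLM is the other accepted value.
SecurityPackageName=Kerberos

# Placeholder: the SPN registered in AD for the account running the service.
ServicePrincipalName=<service>/<tm1-host-fqdn>
```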
-
- Site Admin
- Posts: 1458
- Joined: Wed May 28, 2008 9:09 am
Re: Method of Authentication
Looks like the responses relate to the 'old' TM1 LDAP/AD approach. IBM are pushing the CAM-based approach these days, doubtless because the rest of the Cognos stack use it. (AD still supported, note.) Interesting to hear forumers' views/experience/feedback on the two.
- mattgoff
- MVP
- Posts: 518
- Joined: Fri May 16, 2008 1:37 pm
- OLAP Product: TM1
- Version: 10.2.2.6
- Excel Version: O365
- Location: Florida, USA
Re: Method of Authentication
David Usherwood wrote:
Looks like the responses relate to the 'old' TM1 LDAP/AD approach. IBM are pushing the CAM-based approach these days, doubtless because the rest of the Cognos stack use it. (AD still supported, note.) Interesting to hear forumers' views/experience/feedback on the two.

Unless I misunderstand CAM, it requires Cognos (the product, not the company-become-subsidiary). I'm not sure how IBM can realistically push an authentication scheme which requires a product many customers don't have....
-
- Site Admin
- Posts: 1458
- Joined: Wed May 28, 2008 9:09 am
Re: Method of Authentication
There is a BI Runtime product, not that I have ever found documentation on how to install and configure it. And there's a lot more 'Cognos' out there than there is 'TM1' 

-
- Posts: 78
- Joined: Tue Nov 30, 2010 1:18 am
- OLAP Product: TM1
- Version: 10.2.2
- Excel Version: 2010
Re: Method of Authentication
Here's a list of links that I found useful while getting TM1 authenticating through the Cognos BI Runtime connecting to AD. The biggest pain was having to migrate the security in a production environment. If you're going down this road, I highly recommend starting off with SSO (Single Sign On) rather than trying to migrate a system that's already in production...
Cognos Business Intelligence version 10.1.1 Product Documentation
http://www-01.ibm.com/support/docview.w ... #v10r1m1en
Using email notifications in 10.1.1 IBM Cognos TM1 Applications
http://www-01.ibm.com/support/docview.w ... wg27035837
Windows 2008 IIS settings
http://www.ibm.com/developerworks/data/ ... ge555.html
Unable to remove contributor application
http://www.tm1forum.com/viewtopic.php?f=3&t=7605
Deploying Cognos TM1 with Cognos Business Intelligence
http://pic.dhe.ibm.com/infocenter/ctm1/ ... nosbi.html
Configuring Cognos TM1 Applications to use Cognos Business Intelligence Security
http://pic.dhe.ibm.com/infocenter/ctm1/ ... _cont.html
Unable to access TM1 Contributor: The planning service parameter was not specified or is not one of the configured locations
http://www-01.ibm.com/support/docview.w ... wg21502002
IBM Cognos10 Security – Best Practices
http://allthingscognos.wordpress.com/20 ... practices/
RHR
-
- Posts: 141
- Joined: Wed Nov 14, 2012 10:37 am
- OLAP Product: TM1
- Version: 2.0
- Excel Version: Office 365
Re: Method of Authentication
Many thanks to you guys for your experiences, suggestions and links posted. I'll give them a bash and let you know..... once I've got through all the red tape of the client site...