Professional Documents
Culture Documents
Copyright
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated). Cognos ULC
is an IBM Company. While every attempt has been made to ensure that the
information in this document is accurate and complete, some typographical
errors or technical inaccuracies may exist. Cognos does not accept
responsibility for any kind of loss resulting from the use of information
contained in this document. This document shows the publication date. The
information contained in this document is subject to change without notice.
Any improvements or changes to the information contained in this document
will be documented in subsequent editions. This document contains
proprietary information of Cognos. All rights are reserved. No part of this
document may be copied, photocopied, reproduced, stored in a retrieval
system, transmitted in any form or by any means, or translated into another
language without the prior written consent of Cognos. Cognos and the
Cognos logo are trademarks of Cognos ULC (formerly Cognos Incorporated)
in the United States and/or other countries. IBM and the IBM logo are
trademarks of International Business Machines Corporation in the United
States, or other countries, or both. All other names are trademarks or
registered trademarks of their respective companies. Information about
Cognos products can be found at www.cognos.com
This document is maintained by the Best Practices, Product and Technology
team. You can send comments, suggestions, and additions to
cscogpp@ca.ibm.com .
Contents
1 INTRODUCTION ............................................................................................ 4
1.1 PURPOSE ............................................................................................................4
1.2 APPLICABILITY .....................................................................................................4
1.3 EXCLUSIONS AND EXCEPTIONS ..................................................................................4
2 ACTIVE DIRECTORY ...................................................................................... 5
2.1 ACTIVE DIRECTORY TERMINOLOGY .............................................................................5
2.1.1 Overview ..........................................................................................................5
2.1.2 Domain Relationships.........................................................................................6
2.1.3 Global Catalog...................................................................................................7
3 IBM COGNOS REPORTNET AND IBM COGNOS 8 BI ...................................... 8
3.1 AUTHENTICATION PROCESS ......................................................................................8
3.1.1 Application Start Up ...........................................................................................8
3.1.2 Basic Sign On....................................................................................................8
3.1.3 Domain Failover .............................................................................................. 10
3.2 BIND USER CREDENTIALS ...................................................................................... 10
3.2.1 LDAP Provider ................................................................................................. 10
3.2.2 Active Directory Provider .................................................................................. 11
3.3 SINGLE SIGN ON................................................................................................. 12
3.3.1 Kerberos Prerequisites...................................................................................... 12
3.3.2 Verification of the Prerequisites ......................................................................... 13
3.3.3 Single Sign On Using REMOTE_USER ................................................................. 16
3.4 MULTIPLE DOMAINS ............................................................................................. 16
3.5 MULTIPLE FORESTS ............................................................................................. 16
3.6 CONFIGURING THE ACTIVE DIRECTORY PROVIDER ......................................................... 16
3.6.1 Standard Parameters ....................................................................................... 16
3.6.2 Advanced Properties ........................................................................................ 17
3.7 CONFIGURING THE LDAP PROVIDER ......................................................................... 18
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story 4
1 Introduction
1.1 Purpose
This document details how IBM Cognos ReportNet and IBM Cognos 8 BI fits
into a multi domain Active Directory environment.
1.2 Applicability
Due to the use of the Active Directory authentication provider, the document
content does not apply to UNIX installations, unless the Content Manager
component is installed on a Windows server. For installations where all
components are located on UNIX servers, the LDAP provider will have to be
used.
2 Active Directory
2.1 Active Directory Terminology
2.1.1 Overview
Part of a successful deployment of the IBM Cognos suite into an Active
Directory environment, is the ability to understand the meaning of Microsoft’s
terminology and how each component of Active Directory fits into the
environment as a whole. Part of this document will focus on distinguishing
between domains, domain trees (trees), and forests.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story 6
Root – The root domain identifies which domain is at the foundation of the
domain tree. Whether the domain tree is made up of multiple domains or is a
stand-alone single domain, there will always be a domain root. In the
myCorp.com domain tree example shown below, the root domain would be
the myCorp.com domain.
Parent – Similar to the child domain, the parent domain is the domain
located immediately above the selected domain in the hierarchy. The parent
domain to Finance.myCorp.com would be myCorp.com.
Sibling – Sibling domains are domains that share a common parent domain.
In The myCorp.com domain tree, Sales.myCorp.com and
Finance.myCorp.com are siblings, as are the Pre.sales.myCorp.com and
Post.sales.myCorp.com domains.
Disjointed – Disjointed domains are domains that are in the same forest but
not hierarchically related.
Because the global catalog does not contain all of the attributes, configuring
the AD authentication provider to look at the GC may not always be a feasible
solution.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story 8
Phase 2 – The dispatcher looks for the presence of the cam_passport session
variable. Because this is the first request to the dispatcher from the browser
session, the request is sent to CAM.
Phase 6 – Leveraging the Microsoft API’s, the user name and password is
passed encrypted to the Active Directory domain handling the authentication.
This is true as long as the CAM component is running in the same forest as
the domain to which the user is attempting to logon to.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
10
Phase 7 – If a user account in Active Directory matches the credentials being
supplied, a cam_passport session variable is created in the user’s browser
session and access to Cognos Connection is granted.
By default, the binding credentials are left blank which indicates that the
application should bind anonymously to Active Directory. To set the binding
credentials, locate and click on the option in the list of available parameters
for the Active Directory authentication provider. Once the parameter is
selected, click on the pencil icon on the far right of the value box.
This will display the ‘Value – Binding credentials’ dialog box in which the user
account that will be used to bind to Active Directory will be entered. It is
important to note that the full DN (Distinguished Name) to the user account
should be supplied, not just the user ID.
When basic signons are being used to access Cognos Connection, and
binding credentials are supplied in Cognos Configuration, the authentication
process will bind to Active Directory using the supplied credentials in order to
locate the account logging in. Once the account is located, the authentication
provider connects to Active Directory using the credentials supplied at login in
order to retrieve the users’ information. This information would include user
name, email address, group membership, etc. If the user Lookup parameter
value is contained within parentheses “()” then the previous behaviour holds
true. If the parameter value is not within parentheses, then the value will be
considered the DN containing the user accounts, so no search will be
performed, and IBM Cognos 8 will attempt to bind as the user.
In the case of Single Sign On, the password of the account attempting the
login is not available to the authentication process. This means that the
binding credentials will be used to bind to Active Directory to locate the user
account, as well as retrieving the users’ details. The authentication works in
this manner because without the password, the application is unable to
connect to Active Directory as the login user account in order to execute the
query to retrieve the account information. This also means that when SSO is
being used, all Active Directory objects where read privileges have been
granted to the user account being used as the binding credentials, will be
displayed on the ‘Tools -> Directory -> Users, Groups, and Roles’
administrative page within Cognos Connection. Special consideration should
be taken when assigning administrative rights to users, when using SSO.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
12
1. When using basic authentication (user is prompted for username and
password) and a failure while authenticating occurs, more information
regarding the failure can be obtained in the log files by specifying
valid bind credentials. Upon an unsuccessful login attempt, the error
messages returned from Active Directory may not reveal the true
reason nature of the failure. If valid bind credentials are supplied, the
messages returned to the application may be more detailed because
AD knows that the request comes from a ‘trusted’ source.
2. When identity mapping is being used (section 3.3.5) bind credentials
MUST be supplied. For more information, consult section 3.2.1.
• The user trying to logon does not have the Account is sensitive and
cannot be delegated attribute checked.
The next item to verify is that the user logging in to the application does not
have the ‘Account is sensitive and cannot be delegated’ attribute checked.
This can be verified by examining the users properties in the ADS Users and
Computers interface. The required information is located on the ‘Account’ tab.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
14
For every server that makes up the environment, namely the Content
Manager server(s) and web server(s), the following three settings must be
verified.
The last item on the checklist that needs to be in place is that Kerberos
authentication must be the active WWW-Authenticate header. This is more
difficult to verify but can be determined by enabling the CAM IPF tracing.
Examining the IPF trace will show the value for the AUTH_TYPE variable:
<item>
<name xsi:type="xsd:string">AUTH_TYPE</name>
<value xsi:type="xsd:string">Negotiate</value>
</item>
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
16
Host and Port – Machine name, or IP Address, as well as the port number
of the active directory domain to be used for authentication purposes. For
more details regarding which domain should be specified, section 3.6.2
should be consulted.
Both the Time out in seconds and Size limit parameters should be left at
the default -1 value which forces the value to be pulled from the underlying
security provider.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
18
chaseReferrals – When this advanced property is enabled, value set to
True, the topology gathering process (as described in section 3.1.1) changes
slightly. The chaseReferrals parameter indicates that there may be
descendants of the domain specified in the ‘Host and Port’ parameter of the
Active Directory authentication provider. When the IBM Cognos ReportNet or
IBM Cognos 8 service is started on the Content Manager server, this setting
will be read and all descendants of the configured domain will be retrieved
and stored in the domain topology. This means that users from the
configured domain and any of the descendant domains will be able to log into
Cognos Connection. The use of this parameter is not dependant on the use of
the multiDomainTrees property. If multiDomainTrees is not enabled, then
only users of a descendant domain would have access to Cognos Connection.
For more information regarding the use of bind credentials and Single Sign
On, please consult sections 3.2 and 3.3 respectively.
Copyright © 2008 Cognos ULC (formerly Cognos Incorporated), an IBM Company. All rights reserved.
The Active Directory Story
20