If you install Content Manager on a Windows computer, you can configure Active Directory as your authentication source using an Active Directory namespace.
If you install Content Manager on a UNIX computer, you must instead use an LDAP namespace to configure Active Directory as your authentication source. If you install Content Manager on Windows and UNIX computers, you must use an LDAP namespace to configure Active Directory on all Content Manager computers. When you use an LDAP namespace to authenticate against Active Directory Server, you are limited to LDAP features only. You do not have access to Active Directory features such as advanced properties for domains and single signon using Kerberos delegation.
If you install Content Manager on a Linux computer, the same restrictions apply as for UNIX. You must use an LDAP namespace to configure Active Directory as your authentication source.
For more information, see Configure an LDAP Namespace for Active Directory Server.
If you want to use Microsoft SQL Server or Microsoft Analysis Server as a data source and use single signon for authentication, you must use Active Directory as your authentication source.
You cannot connect to the Active Directory Global Catalog, which is a caching server for Active Directory Server. If the connection uses port 3268, you must change it. By default, Active Directory Server uses port 389.
You can use Active Directory Server as your authentication provider.
You also have the option of making custom user properties from the Active Directory Server available to Cognos 8 components.
For Cognos 8 to work properly with Active Directory Server, you must ensure that the Authenticated users group has Read privileges for the Active Directory folder where users are stored.
If you are configuring an Active Directory namespace to support single signon with a Microsoft SQL Server or Microsoft Analysis Server data source, the following configuration is required:
The Cognos 8 gateway must be installed on an IIS Web server that is configured for Windows Integrated Authentication.
The gateway must be assigned to the local intranet Web site in your Web browser.
Content Manager must be installed on a Windows 2000 or Windows 2003 server.
Content Manager, the report server (Application Tier Components), IIS Web server, and the data source server (Microsoft SQL Server or Microsoft Analysis Server) must belong to the Active Directory domain.
The data source connection for Microsoft SQL Server or Microsoft Analysis Server must be configured for External Namespace and that namespace must be the Active Directory namespace.
For more information about data sources, see the Administration and Security Guide.
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, right-click Authentication, and then click New resource, Namespace.
3. In the Name box, type a name for your authentication namespace.
4. In the Type list, click the appropriate namespace and then click OK.
   The new authentication provider resource appears in the Explorer window, under the Authentication component.
5. In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.
6. Specify the values for all other required properties to ensure that Cognos 8 components can locate and use your existing authentication provider.
7. Specify the values for the Host and port property.
   To support Active Directory Server failover, you can specify the domain name instead of a specific domain controller. For example, use mydomain.com:389 instead of dc1.mydomain.com:389.
   If you want to be able to search for details when authentication fails, specify the user ID and password for the Binding credentials property. Use the credentials of an Active Directory Server user who has search and read privileges for that server.
8. From the File menu, click Save.
9. Test the connection to the new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.
   Cognos 8 loads, initializes, and configures the provider libraries for the namespace.
You can use arbitrary user attributes from your Active Directory Server in Cognos 8 components. To configure this, you must add these attributes as custom properties for the Active Directory namespace.
The custom properties are available as session parameters through Framework Manager. For more information about session parameters, see the Framework Manager User Guide.
The custom properties can also be used inside command blocks that are used to configure Oracle sessions and connections. The command blocks can be used with Oracle light-weight connections and virtual private databases. For more information, see the Administration and Security Guide.
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.
3. In the Properties window, click in the Value column for Custom properties and click the edit button.
4. In the Value - Custom properties window, click Add.
5. Click the Name column and enter the name you want Cognos 8 components to use for the session parameter.
6. Click the Value column and enter the name of the account parameter in your Active Directory Server.
7. Repeat steps 4 to 6 for each custom parameter.
8. Click OK.
9. From the File menu, click Save.
If you are using an SSL connection to the Active Directory Server, you must copy the certificate from the Active Directory Server to the Content Manager computer.
1. On every Content Manager computer, use your Web browser to connect to the Active Directory Server and copy the CA root certificate to a location on the Content Manager computer.
2. Add the CA root certificate to the certificate store of the account that you are using for the current Cognos session:
   - If you are running the Cognos session under a user account, use the same Web browser as in step 1 to import the CA root certificate to the certificate store for your user account. For information, see the documentation for your Web browser.
   - If you are running the Cognos session under the local computer account, use Microsoft Management Console (MMC) to import the CA root certificate to the certificate store for the local computer. For information, see the documentation for MMC.
3. In Cognos Configuration, restart the service:
   - In the Explorer window, click Cognos 8 service, Cognos 8.
   - From the Actions menu, click Restart.
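The certificate copy and import in steps 1 and 2 can also be done without a browser. The following PowerShell script is an added example, not part of the Cognos documentation: it reads the chain that the Active Directory Server presents on its SSL (LDAPS) port, verifies that the chain ends in a self-signed CA root, and imports that root into the Trusted Root store of either the current user or the local computer, matching the two cases above. It assumes LDAPS is listening on port 636 (the page only gives 389 for plain LDAP) and that the server sends its complete chain; `$AdHost`, `$Port` and `$StoreLocation` are the script's own parameters.

```powershell
# Added example; not part of the Cognos documentation. Reads the certificate chain
# that the Active Directory Server presents over LDAPS and imports its CA root into
# the Trusted Root store for the account the Cognos session runs under.
# Assumptions: LDAPS listens on 636 (the page only gives 389 for plain LDAP) and the
# server sends its full chain. Writing to LocalMachine\Root requires an elevated shell.
param(
    [Parameter(Mandatory)] [string] $AdHost,            # e.g. dc1.mydomain.com
    [int] $Port = 636,
    [ValidateSet('CurrentUser', 'LocalMachine')]
    [string] $StoreLocation = 'LocalMachine'            # CurrentUser when Cognos runs under a user account
)

$captured = @{ Root = $null }
# The validation callback receives the chain built during the handshake; keep its last
# element (the CA root) and accept the handshake, because this connection is used only
# to read the chain and is closed immediately afterwards.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $captured.Root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($AdHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($AdHost)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

$root = $captured.Root
if (-not $root) { throw "No certificate chain was received from ${AdHost}:$Port" }
if ($root.Subject -ne $root.Issuer) {
    # The server sent intermediates only; the root itself must then be obtained from the CA.
    throw "Chain from $AdHost does not end in a self-signed CA root (last element: $($root.Subject))"
}

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $StoreLocation)
$store.Open('ReadWrite')
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $root.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($root)
        "Imported '$($root.Subject)' ($($root.Thumbprint)) into $StoreLocation\Root"
    } else {
        "'$($root.Subject)' is already present in $StoreLocation\Root"
    }
} finally {
    $store.Close()
}
```

Run it once per Content Manager computer, with `-StoreLocation CurrentUser` when the Cognos session runs under a user account, and restart the Cognos 8 service afterwards as in step 3.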
When you configure an authentication namespace for Cognos 8, users from only one domain can log in. By using the Advanced properties for Active Directory Server, users from related (parent-child) domains and unrelated domain trees within the same forest can also log in.
If you set a parameter named chaseReferrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to Cognos 8. Users above the original authenticated domain or in a different domain tree cannot log in.
If you set a parameter named MultiDomainTrees to true, users in all domain trees in the forest can log in to Cognos 8.
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.
3. In the Properties window, specify the Host and port property:
   - For users in one domain, specify the host and port of a domain controller for the single domain.
   - For users in one domain tree, specify the host and port of the top-level controller for the domain tree.
   - For users in all domain trees in the forest, specify the host and port of any domain controller in the forest.
4. Click in the Value column for Advanced properties and click the edit button.
5. In the Value - Advanced properties window, click Add.
6. Specify two new properties, chaseReferrals and MultiDomainTrees, with the following values:

   Authentication for             | chaseReferrals | MultiDomainTrees
   One domain                     | False          | False
   One domain tree                | True           | False
   All domain trees in the forest | True           | True

7. Click OK.
8. From the File menu, click Save.
By default, the Active Directory provider uses Kerberos delegation and integrates with the IIS Web server for single signon if Windows integrated authentication (formerly named NT Challenge Response) is enabled on the IIS Web server.
If Windows integrated authentication is enabled, you are not prompted to reenter authentication information when accessing Cognos content that is secured by the Active Directory namespace.
If you do not want Kerberos delegation, the provider can be configured to access the environment variable REMOTE_USER to achieve single signon. You must set the advanced property singleSignOnOption to the value IdentityMapping. You must also specify bind credentials for the Active Directory namespace. Microsoft sets REMOTE_USER by default when you enable Windows integrated authentication. If Kerberos authentication is bypassed, single signon to Microsoft OLAP (MSAS) data sources will not be possible.
1. Set up Windows integrated authentication on the IIS Web server.
2. Install Content Manager on a computer that is part of the domain, for the active and standby Content Manager computers.
3. Set up the computers, or the user account under which Content Manager runs, to be trusted for delegation.
   When setting up the computers or the account using the Active Directory Users and Computers tool, do not select the option named "Account is sensitive and cannot be delegated"; an account with that option set cannot be used for Kerberos delegation.
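The three Kerberos delegation prerequisites above are easy to miss on one of several servers, so the following PowerShell check is added here as an example (it is not part of the Cognos documentation). It assumes it runs on the IIS gateway server as a domain user with the WebAdministration and ActiveDirectory modules installed; the site name, the Content Manager host names and the service account name are placeholders passed as parameters.

```powershell
# Added example; not part of the Cognos documentation. Checks the single signon
# prerequisites for Kerberos delegation: Windows integrated authentication on the IIS
# gateway, domain membership and delegation trust for each Content Manager computer,
# and (optionally) the delegation settings of the account Content Manager runs under.
# Assumptions: run on the IIS server as a domain user; WebAdministration and
# ActiveDirectory modules are installed; all names below are placeholders.
param(
    [string]   $SiteName = 'Default Web Site',
    [string[]] $ContentManagerHosts = @('CM-ACTIVE', 'CM-STANDBY'),   # placeholders
    [string]   $ServiceAccount = $null        # set only when Content Manager runs as a domain user
)
Import-Module WebAdministration
Import-Module ActiveDirectory

$problems = @()

# 1. Windows integrated authentication must be enabled on the site that hosts the gateway.
$winAuth = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
if (-not $winAuth.Value) { $problems += "Windows authentication is disabled on '$SiteName'" }

# 2. Each Content Manager computer must exist in the domain and be trusted for delegation.
$domain = (Get-ADDomain).DNSRoot
foreach ($h in $ContentManagerHosts) {
    $c = Get-ADComputer -Identity $h -Properties TrustedForDelegation -ErrorAction SilentlyContinue
    if (-not $c) { $problems += "$h is not a computer object in $domain"; continue }
    if (-not $c.TrustedForDelegation) { $problems += "$h is not trusted for delegation" }
}

# 3. A service account must be trusted for delegation and must not carry the
#    'Account is sensitive and cannot be delegated' flag (AccountNotDelegated).
if ($ServiceAccount) {
    $u = Get-ADUser -Identity $ServiceAccount -Properties TrustedForDelegation, AccountNotDelegated
    if (-not $u.TrustedForDelegation) { $problems += "$ServiceAccount is not trusted for delegation" }
    if ($u.AccountNotDelegated) { $problems += "$ServiceAccount is marked sensitive and cannot be delegated" }
}

if ($problems) {
    $problems | ForEach-Object { "FAIL: $_" }
} else {
    "All Kerberos delegation prerequisites are met for '$SiteName' and $($ContentManagerHosts -join ', ')"
}
```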
1. On every computer where you installed Content Manager, open Cognos Configuration.
2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.
3. Click in the Value column for Advanced properties and then click the edit button.
4. In the Value - Advanced properties dialog box, click Add.
5. In the Name column, type singleSignOnOption.
6. In the Value column, type IdentityMapping.
7. Click OK.
8. Click in the Value column for Binding credentials, and then click the edit button.
9. In the Value - Binding credentials dialog box, specify a user ID and password and then click OK.
The Active Directory provider now uses REMOTE_USER for single signon.
Tip: To switch back to Kerberos delegation, edit Advanced properties and, in the Value column for singleSignOnOption, type KerberosAuthentication.