Introduction
This blog article is a step-by-step guide to setting up constrained Kerberos delegation for Single Sign-On in Cognos Analytics. It covers the essential steps: creating the SPNs, configuring delegation for the required service types (ibmcognosba, HTTP and ldap), and adding the Domain Controllers under service type ldap.
The implementation described here targets a single-server environment and uses one service account for constrained Kerberos authentication in Cognos. The same setup can be extended to a distributed Cognos architecture, either with a single service account or with three distinct accounts, as described in our documentation.
Overview
Technologies Involved:
- Cognos Analytics 11.2.4 Fix Pack 2 and 12.0.0
- Active Directory Domain Controller
- Internet Information Services (IIS) web server
Prerequisites
- Active Directory Infrastructure: a functional Active Directory setup that supports Kerberos authentication.
- Service Accounts: identify and create the service accounts for Cognos Analytics, the relevant servers, and the services that require delegation.
- Kerberos Proficiency: familiarity with Kerberos authentication, SPNs, delegation types, and how they are configured in your environment.
- Admin Privileges: sufficient administrative access in the Active Directory domain to configure and manage delegation settings.
- Cognos Analytics server configured with an Active Directory namespace.
Content Overview
A. Create SPN for Cognos Services Account
Register the Service Principal Names (SPNs) on the account that starts the Cognos services.
B. Configuring Kerberos delegation for service types ibmcognosba, HTTP and ldap
Set up constrained delegation on the account, adding the required SPNs and service types.
C. Set up the Cognos Services to run under the service account designated for Kerberos delegation
Run the Cognos Analytics services under the same account on which the SPNs and delegation are configured.
D. Configure Advanced Properties for Kerberos Single Sign-On authentication in the Active Directory namespace settings in Cognos
Set the advanced properties of the Active Directory namespace configured in Cognos Analytics for KerberosS4UAuthentication.
E. Configure the Content Manager sAMAccountName setting with the service account designated for Kerberos delegation
Enter the service account's sAMAccountName in the Value column of the Content Manager sAMAccountName property.
F. Configure the Internet Information Services (IIS) web server Application Pool to use the service account (UPN)
Set the IIS application pool identity to the account that was configured for delegation with service type HTTP.
G. Verifying Kerberos Single Sign-On authentication in Cognos Analytics
Step-By-Step Guide
A. Create SPN for Cognos Services Account
To enable constrained delegation, register service principal names (SPNs) in your Active Directory domain for the accounts that run the IBM® Cognos® Analytics components and the Microsoft Internet Information Services (IIS) web server's application pool.
For this demonstration, we use the service account 'cmuser' for Kerberos authentication.
Creating the SPNs
Launch a command prompt as an administrator and run:
setspn -A HTTP/proxima1.squad5.support.com SQUAD5\cmuser
setspn -A HTTP/proxima1 SQUAD5\cmuser
setspn -A ibmcognosba/cmuser SQUAD5\cmuser
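The three setspn commands above register the SPNs but do not tell you whether one of them already exists on another account, and a duplicate SPN breaks Kerberos for both accounts because the KDC cannot decide which key to encrypt the service ticket with. The PowerShell script below is an added example (not part of the original article) that does the same registration with a duplicate check first and then verifies the result. It uses the article's names (SQUAD5\cmuser, proxima1.squad5.support.com); the domain name squad5.support.com passed to Get-ADUser and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on a domain-joined machine. Assumes the RSAT ActiveDirectory module
# is installed and that the domain is squad5.support.com.

$Account = 'SQUAD5\cmuser'
$SamAccountName = 'cmuser'
$Domain = 'squad5.support.com'   # assumption: the article's domain name

# The same three SPNs the article registers with setspn -A.
$Spns = @(
    'HTTP/proxima1.squad5.support.com',
    'HTTP/proxima1',
    'ibmcognosba/cmuser'
)

foreach ($spn in $Spns) {
    # setspn -Q searches the forest for an existing registration of this SPN.
    # Prints "Existing SPN found!" plus the owning DN, or "No such SPN found."
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        Write-Warning "SPN $spn is already registered:`n$($query -join "`n")"
        continue
    }
    # -S adds the SPN only if it is not a duplicate; prefer it over -A, which
    # adds blindly and can silently create the duplicate you are trying to avoid.
    setspn -S $spn $Account
}

# Verification 1: what setspn now sees on the account.
setspn -L $Account

# Verification 2: read the servicePrincipalName attribute directly and make
# sure every SPN we wanted is really there.
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccountName -Server $Domain -Properties servicePrincipalName
$missing = $Spns | Where-Object { $_ -notin $user.servicePrincipalName }
if ($missing) {
    Write-Error "Not registered on ${Account}: $($missing -join ', ')"
} else {
    Write-Host "All SPNs registered on $Account"
}

# Verification 3: forest-wide duplicate SPN report. Slow on large forests,
# but it is the definitive check before you move on to configuring delegation.
setspn -X
```

If the script warns that HTTP/proxima1.squad5.support.com is already registered, it is usually on the computer account of the web server or on an older service account; remove it from the wrong principal with setspn -D before registering it on cmuser, otherwise browsers will obtain a ticket for the wrong key and the IIS application pool will fail to decrypt it.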