Cognos Analytics

 View Only

Cognos Analytics: Configuring Single-Sign-On Authentication With Kerberos Constrained Delegation

By Dhruva J Mazumdar posted Mon December 18, 2023 09:13 PM

  

Introduction

This blog article offers a detailed step-by-step guide to establishing a constrained Kerberos delegation for Single Sign-On in Cognos Analytics. It covers various essential steps, including the creation of SPNs, configuring delegation for required service types like ibmcognosba, and the inclusion of Domain Controllers as service type ldap.

The implementation outlined in this blog focuses on a Single Server environment, utilizing a single service account for constrained Kerberos authentication in Cognos. This setup can be expanded to accommodate a distributed Cognos Architecture using a single service account or adopting three distinct accounts, as detailed in our documentation.

Overview

Technologies Involved:

  • Cognos Analytics11.2.4 Fixpack 2 and 12.0.0

  • Active Directory Domain Controller

  • Internet Information services(IIS) Webserver

Prerequisites

  1. Active Directory Infrastructure: Ensure a functional Active Directory setup that supports Kerberos authentication.

  2. Service Accounts Understanding: Identify and establish appropriate service accounts for applications like Cognos Analytics, relevant servers, and services requiring delegation.

  3. Kerberos Proficiency: Acquire expertise in Kerberos authentication mechanisms, SPNs, delegation types, and their configurations within your environment.

  4. Admin Privileges: Obtain sufficient administrative access within the Active Directory domain to configure and manage delegation settings.

  5. Cognos Analytics Server Configured with an Active Directory Namespace

Content Overview

A.Create SPN for Cognos Services Account

Establish the Service Principal Name (SPN) for the account initiating Cognos services.

 

B.Configuring Kerberos delegation for service type ibmcognosba, HTTP and ldap

Set up delegation, adding necessary SPNs and service types.

 

C.Set up the Cognos Services to utilize the service account designated for Kerberos delegation

Configure the appropriate SPN for Cognos Analytics Services to operate under the same account configured for Kerberos delegation.

 

D.Configure Advanced Properties for Kerberos Single-Sign-On Authentication within the Active Directory namespace settings in Cognos.

Set up advanced properties for Active Directory namespace configured in Cognos Analytics for KerberosS4UAuthentication.

 

E.Configure the Content Manager sAMAccountName setting with service account designated for Kerberos delegation

Define the Value column for Content Manager sAMAccountName, entering the user's sAMAccountName.

 

F.Configure the Internet Information Services (IIS) webserver Application Pool to use the service account (UPN)

Configure the IIS application pool identity to utilize the account set up for delegation with the service type HTTP.

G.Verifying Kerberos Single-Sign-On Authentication in Cognos Analytics

Step-By-Step Guide

A.Create SPN for Cognos Services Account

To enable constrained delegation, define service principal names (SPN) for users running IBM® Cognos® Analytics components and the Microsoft Internet Information Services (IIS) web server's application pool in your Active Directory domain.

For this demonstration, we'll utilize the service account 'cmuser' for Kerberos Authentication.

Creating the SPN 

Launch the command line as an administrator

setspn -A HTTP/proxima1.squad5.support.com SQUAD5\cmuser

setspn -A HTTP/proxima1 SQUAD5\cmuser

setspn -A ibmcognosba/cmuser  SQUAD5\cmuser

B.Configuring Kerberos delegation for service type ibmcognosba,HTTP and ldap
To set up constrained delegation, navigate to the 'Delegation' tab within the Active Directory Users and Computers admin tool. For the user 'cmuser'  select 'Trust this user for delegation to specified services only' and 'Use Kerberos only' and add the required SPNs with servicetype ibmcognosba, HTTP and LDAP.
Adding the service type ibmcognosba and HTTP
Adding the the service type ldap
Note:If multiple domain controllers exist, ensure adding the LDAP service type for all hosts that are hosting the Active Directory domain controllers.
 
The final output under delegation tab for the service account starting the Cognos Analytics services as depicted below
C.Set up the Cognos Services to utilize the service account designated for Kerberos delegation
Configure Cognos services to run under the 'cmuser' service account. Access Windows services, choose 'Log On As,' and select 'cmuser' as the service account to start the Cognos Services.
D.Configure Advanced Properties for Kerberos Single-Sign-On Authentication within the Active Directory namespace settings in Cognos
  1. Open IBM Cognos Configuration.
  2. In the Explorer window, under Security > Authentication, and select the Active Directory namespace.
  3. Click in the Value column for Advanced properties and then click the edit icon.
  4. In the Value - Advanced properties dialog box, click Add.
  5. In the Name column, type singleSignonOption
  6. In the Value column, enter one of the following values:
E.Configure the Content Manager sAMAccountName setting with service account designated for Kerberos delegation
  1. Open IBM Cognos Configuration.
  2. In the Explorer window, click Environment.
  3. Navigate to the 'Value' column for 'Content Manager sAMAccountName,' and input the 'sAMAccountName' for the user 'cmuser,' as configured in the preceding steps with the SPN and service type 'ibmcognosba.
  4. Start the Cognos Services

F.Configure the Cognos Gateway setup on the Internet Information Services (IIS) webserver to initiate the Application Pool using the service principal name.

When configuring the Cognos Gateway on your Internet Information Services (IIS) webserver, it is essential to use the user principal name (UPN) to start the Application Pool.

The user account responsible for starting the Application Pool in IIS must be registered for Constrained Delegation under the 'ibmcognosba*' Service Type to effectively run the Cognos Gateway application. Failure to do so may result in the generation of a Kerberos ticket for the wrong target, hindering successful communication between the Gateway and Content Manager.

 In this specific scenario, where a single account performs constrained delegation for starting Cognos Services and the IIS application pool, the account is already configured with the delegation setup to use the 'ibmcognosba' service type.

Furthermore, it is imperative to confirm the following:

  1. Ensure that the rewrite rules configured for the Cognos IIS gateway are enabled as provided below
  2. Verify that Windows Authentication is enabled on the Single Sign-On (SSO) application
  3. Set the provider to use Negotiate instead of NTLM for seamless and secure authentication as provided below

SSO Rewrite rules enabled
G.Verifying Kerberos Single-Sign-On Authentication in Cognos Analytics
The system initiating the authentication is logged in with the user account 'Administrator'.
0 comments
56 views

Permalink