Great to hear it's working George. SPNs have always been case sensitive. They basically need to match everywhere what is returned from the command line discussed earlier in this thread.
Original Message:
Sent: Tue September 17, 2019 09:08 AM
From: George Tonkin
Subject: Configuring TM1 Web for Integrated Login on PAL
All working now - two changes made to config files:
Server.xml - SPNEgo section
Updated the following:
servicePrincipalNames="HTTP/tm1server.acme.net@ACME.NET"
Note the lowercase after the HTTP!!
Server.xml - LDAPRegistry section
Changed baseDN="CN=Users,DC=acme,DC=net"
to baseDN="DC=acme,DC=net"
i.e. we removed the CN=Users, as we were receiving an error on Adding mech cred, CWWKS1106A: Authentication did not succeed for the user ID George.Tonkin. An invalid user ID was specified.
We also removed the line relating to the servicePrincipalName in the TM1s.cfg - including and excluding seemed to have no impact.
------------------------------
George Tonkin
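The baseDN change in the post above is the part worth understanding: an LDAP registry only resolves entries at or below its baseDN, so a base of CN=Users,DC=acme,DC=net cannot find an account that lives under an OU elsewhere in the domain (the setspn output earlier in this thread shows the service account under OU=Administrative Users, not CN=Users). The following is an added example, not code from the thread or from IBM: a small DN scope check, with constructed DNs, that shows which accounts a given baseDN can and cannot reach. Matching is case-insensitive, which is how AD compares attribute types and CN/OU/DC values; escaped commas are handled, other RFC 4514 escapes are not. Note that widening the base to DC=acme,DC=net (the thread's fix) makes every object in the domain resolvable; if the users all live in a known OU, pointing baseDN at that OU is tighter.

```python
"""Check whether an LDAP entry is inside the subtree below a baseDN.

Added example for this thread (not the thread's or IBM's code). DNs below are
constructed; the service account DN is copied from the setspn -L output
quoted earlier in the thread.
"""
import re


def parse_dn(dn):
    """Split a DN into (type, value) pairs, leaf first.

    Splits on commas that are not backslash-escaped, lower-cases attribute
    types and case-folds values so that 'DC=Acme' and 'dc=acme' compare equal.
    """
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in {dn!r}")
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {rdn!r}")
        parts.append((attr.strip().lower(), value.strip().replace("\\,", ",").casefold()))
    return parts


def in_scope(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it (subtree scope)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def out_of_scope(entry_dns, base_dn):
    """Entries the registry could NOT find with the given baseDN."""
    return [dn for dn in entry_dns if not in_scope(dn, base_dn)]


# Constructed sample directory: one account in the default Users container,
# the service account from the thread under nested OUs, and a user whose CN
# contains an escaped comma.
SAMPLE_ENTRIES = [
    "CN=Jane Doe,CN=Users,DC=acme,DC=net",
    "CN=Service Tm1,OU=Applications Administrative Users,OU=Administrative Users,DC=Acme,DC=net",
    "CN=Tonkin\\, George,OU=Finance Users,DC=ACME,DC=NET",
]

NARROW_BASE = "CN=Users,DC=acme,DC=net"   # the base that produced CWIML0515E in the thread
WIDE_BASE = "DC=acme,DC=net"              # the base that made login work


if __name__ == "__main__":
    for base in (NARROW_BASE, WIDE_BASE):
        missing = out_of_scope(SAMPLE_ENTRIES, base)
        print(f"baseDN={base}: {len(missing)} of {len(SAMPLE_ENTRIES)} entries unreachable")
        for dn in missing:
            print(f"  not in scope: {dn}")
```

Run it as a script to see that the narrow base reaches only the CN=Users account while the domain root reaches all three; `in_scope` can be pointed at a DN copied from `dsquery user` or `Get-ADUser` output to test a candidate baseDN before editing server.xml.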
Original Message:
Sent: Tue September 17, 2019 06:48 AM
From: George Tonkin
Subject: Configuring TM1 Web for Integrated Login on PAL
Just found out that the domain is a bit more complex, i.e. users can belong to similar but different domains, e.g.
user1@abc.acme.net
user2@def.acme.net
Also, the UPN is acme.com
Not sure how the above impacts our config files or where to update, e.g. changing some of our acme.net to acme.com.
Any ideas?
------------------------------
George Tonkin
Original Message:
Sent: Mon September 16, 2019 09:17 AM
From: George Tonkin
Subject: Configuring TM1 Web for Integrated Login on PAL
Hi Robert,
The FQDN using the command supplied is:
TM1SERVER.Acme.net
We have tried various combinations of all uppercase, all lowercase etc. and regenerated the keytab each time.
Userdomain is Acme
Each time we change case, we have tried to change the keytab, server.xml, web.xml etc.
Properties on Service TM1 shows the servicePrincipalName as:
HTTP/TM1SERVER.ACME.NET@ACME.NET (all uppercase)
The most recent KeyTab was generated using:
ktpass -out pa.keytab -princ HTTP/TM1SERVER.Acme.net@ACME.NET -mapUser Acme\Service.Tm1 -pass TM1Password -mapOp set -ptype KRB5_NT_PRINCIPAL -crypto All
We have tried HTTP all uppercase too, in order to match what the user properties are returning, but no joy.
I am obviously masking the server name, domain and realm - I could share these/the config files via email - the real domain is camel case e.g. ClientDomain, which is not apparent with my domain being used above.
FYI - server is running on PAL 2.0.5 (11.3)
Thank you,
------------------------------
George Tonkin
Original Message:
Sent: Mon September 16, 2019 08:56 AM
From: Robert VAUTOUR
Subject: Configuring TM1 Web for Integrated Login on PAL
Thanks for the additional information George.
SPNs are always pretty sensitive to the CASE. I do see some differences from your post and from the doc which you have attached.
From one of the kb articles from your initial post, it shows how to obtain the FQDN:
You know the FQDN of the server you are configuring.
This can be obtained by typing the following in Windows Command Prompt: net config workstation | findstr /C:"Full Computer name"
and Domain name:
You know the Domain Name of the Domain you want to use with Planning Analytics.
This can be obtained by typing the following in Windows Command Prompt: echo %USERDOMAIN%
Are you able to confirm that your configuration throughout has been used with the exact same CASE as you would find with these commands?
Regards,
------------------------------
Robert VAUTOUR
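The question above (does the SPN read identically everywhere?) is easy to get wrong by eye when the host name is mixed case in one file and upper case in another. The following is an added example, not code from the thread or from IBM: it pulls the SPN out of each place this thread touches (the `<spnego>` element in server.xml, `ServicePrincipalName=` in tm1s.cfg, the `-princ` argument of the ktpass command, and the SPN registered in AD as shown by `setspn -L`) and reports, per source, whether it matches the registered SPN exactly, differs only in case, or names a different host. The sample inputs are constructed to resemble the masked values posted in this thread; the realm check assumes the Kerberos realm is the AD domain name in upper case.

```python
"""Case-sensitive SPN consistency check for a Kerberos/SPNEGO setup.

Added example for this thread (not IBM's tooling). Inputs are constructed to
resemble the thread's masked values; replace them with your real files.
"""
import re
import xml.etree.ElementTree as ET

# --- constructed sample inputs ------------------------------------------------
SERVER_XML = """<server>
  <spnego id="mySpnego"
          servicePrincipalNames="HTTP/TM1SERVER.Acme.net@ACME.NET"
          krb5Keytab="C:/keytabs/pa.keytab"/>
</server>"""

TM1S_CFG = """[TM1S]
SecurityPackageName=Kerberos
IntegratedSecurityMode=3
ServicePrincipalName=HTTP/TMServer.Acme.Net@ACME.NET
UseSSL=T
"""

KTPASS_CMD = ("ktpass -out pa.keytab -princ HTTP/TM1SERVER.Acme.net@ACME.NET "
              "-mapUser Acme\\Service.Tm1 -pass ******** -mapOp set "
              "-ptype KRB5_NT_PRINCIPAL -crypto All")

SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=Service Tm1,OU=Applications Administrative Users,OU=Administrative Users,DC=Acme,DC=net:
        HTTP/tm1server.acme.net
"""

REALM = "ACME.NET"  # assumption: Kerberos realm = AD domain name, upper case


def spn_from_server_xml(xml_text):
    """First entry of the <spnego servicePrincipalNames="..."> attribute (it may be comma-separated)."""
    spnego = ET.fromstring(xml_text).find("spnego")
    return spnego.get("servicePrincipalNames").split(",")[0].strip()


def spn_from_tm1s_cfg(cfg_text):
    """Value of the ServicePrincipalName= line; key match is case-insensitive, value kept verbatim."""
    for line in cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "serviceprincipalname":
            return value.strip()
    return None


def spn_from_ktpass(cmd):
    """The -princ argument of a ktpass command line."""
    m = re.search(r"-princ\s+(\S+)", cmd)
    return m.group(1) if m else None


def spns_from_setspn(output):
    """SPN lines (indented) from `setspn -L <account>` output; the header line is dropped."""
    return [l.strip() for l in output.splitlines() if l.startswith((" ", "\t"))]


def split_spn(spn):
    """'HTTP/host@REALM' -> (service, host, realm-or-None)."""
    principal, _, realm = spn.partition("@")
    service, _, host = principal.partition("/")
    return service, host, realm or None


def classify(reference_spn, candidate_spn, realm=None):
    """'ok' | 'case-only' | 'mismatch' | 'realm'.

    Service class and host must match the reference byte-for-byte to be 'ok'.
    A match that differs only in case is reported separately, since that is
    the trap in this thread. A realm, when present, must equal `realm` exactly.
    """
    r_svc, r_host, _ = split_spn(reference_spn)
    c_svc, c_host, c_realm = split_spn(candidate_spn)
    if realm is not None and c_realm is not None and c_realm != realm:
        return "realm"
    if (c_svc, c_host) == (r_svc, r_host):
        return "ok"
    if (c_svc.lower(), c_host.lower()) == (r_svc.lower(), r_host.lower()):
        return "case-only"
    return "mismatch"


def check_all(setspn_output=SETSPN_OUTPUT, server_xml=SERVER_XML,
              tm1s_cfg=TM1S_CFG, ktpass_cmd=KTPASS_CMD, realm=REALM):
    """Compare every configured SPN with the HTTP SPN registered in AD."""
    registered = [s for s in spns_from_setspn(setspn_output) if s.upper().startswith("HTTP/")]
    if len(registered) != 1:
        raise ValueError(f"expected exactly one HTTP SPN registered, got {registered}")
    reference = registered[0]
    sources = {
        "server.xml": spn_from_server_xml(server_xml),
        "tm1s.cfg": spn_from_tm1s_cfg(tm1s_cfg),
        "ktpass": spn_from_ktpass(ktpass_cmd),
    }
    return {name: classify(reference, spn, realm) for name, spn in sources.items()}


if __name__ == "__main__":
    for name, status in check_all().items():
        print(f"{name:<12} {status}")
```

On the sample data, server.xml and the ktpass principal come back as case-only differences from the registered `HTTP/tm1server.acme.net`, while the tm1s.cfg value is a genuine mismatch (a different host name, not just different case). Fixing every source to the exact string shown by `setspn -L` and regenerating the keytab makes all three report `ok`.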
Original Message:
Sent: Mon September 16, 2019 08:25 AM
From: George Tonkin
Subject: Configuring TM1 Web for Integrated Login on PAL
Hi Robert, thanks for coming back to me.
TM1S.cfg has:
SecurityPackageName=Kerberos
IntegratedSecurityMode=3
ServicePrincipalName=HTTP/TMServer.Acme.Net@ACME.NET
UseSSL=T
I can log in via Architect and Perspectives with Integrated Login Ticked - Architect test on server and client machine.
SetSPN -L acme\service.tm1 returns:
Registered ServicePrincipalNames for CN=Service Tm1,OU=Applications Administrative Users,OU=Administrative Users,DC=Acme,DC=net:
HTTP/tm1server.acme.net
Looks like only one iteration of the FQDN_host.
Please note that the sAMAccount is service.tm1 and principal is Service Tm1
Thanks for your assistance.
------------------------------
George Tonkin
Original Message:
Sent: Mon September 16, 2019 08:10 AM
From: Robert VAUTOUR
Subject: Configuring TM1 Web for Integrated Login on PAL
Hi George,
- I wanted to confirm if the integrated logon works with Architect? You have indicated that you can access the client tools but unsure if this means that you can access with integrated logon or not. This would need to work before addressing the TM1Web and just wanted to confirm this.
- what do you have the integratedsecurity set to?
- if you do an setspn -L, what do you see?
Also, how many iterations of your fqdn_host do you see?
Thanks in advance,
------------------------------
Robert VAUTOUR
Original Message:
Sent: Fri September 13, 2019 08:28 AM
From: George Tonkin
Subject: Configuring TM1 Web for Integrated Login on PAL
Been battling to get Integrated Login working with PA 2.0.5 on TM1 Web.
Followed the instructions in these two articles:
How to Configure Planning Analytics TM1 Web for KERBEROS/SPNEGO (SSO)
Configure integrated login for TM1 Web
I still get prompted for a username and password after accessing TM1 Web from a client machine. All client settings to make use of SPNEGO per Configuring the client browser to use SPNEGO and Enable web browsers for integrated login have been configured.
The message log contains various error messages depending on how we alter the server.xml, web.xml etc. to try and ensure we have the correct FQDN, Realms, sAMAccount, User Principal accounts etc. etc.
Some of the errors encountered (george.tonkin is a valid domain user and can access TM1 from Architect and Perspectives):
E CWWKS4315E: Can not find a GSSCredential for the service principal name HTTP/tm1server.acme.net.
E CWIML0515E: The user registry operation could not be completed. The CN=Users,DC=acme,DC=net entity is not in the scope of the defined realm. Specify an entity that is in the scope of the configured realm in the server.xml file.
E CWIML4537E: The login operation could not be completed. The specified principal name george.tonkin is not found in the back-end repository.
That only happens if you explicitly type in the user/pass in the box:
A CWWKS1100A: Authentication did not succeed for user ID george.tonkin. An invalid user ID or password was specified.
Please see the attachment (Configuring TM1 Web for Integrated Login on PAL.docx - may be in the discussion library) for further details on the names being used, configured files etc. Acme has been used to mask the true domain.
If anyone has been able to get this working, would love to hear back as to where we could be going wrong.
Thanks in advance for any help on this.
------------------------------
George Tonkin
#PlanningAnalyticswithWatson