Planning Analytics

  • 1.  Planning Analytics Workspace change of host name/ log in issue

    Posted Thu September 10, 2020 07:07 AM
    Hi,

    We have configured PAW for SSO using the PAW server full name, which works well. Users can log in fine using Windows authentication.

    However, our client says the business won't be using domain names with server names in them, so they have created a FQDN/ Host name for the PAW server.  When using this new workspace address, users can no longer log in to Workspace due to an "Authentication error".  This error is the same for both Windows authentication and native authentication.  The error logs indicate that there is a Kerberos failure:

    "TM1.SSPISecurity Server is configured to only accept Kerberos package but the client is using NTLM when attempting to Authenticate".

    This error message is the same when logging in via Windows authentication or native authentication.

    The TM1 config is set to Kerberos and the client is using Kerberos.

    Both full PAW server name and the new FQDN/ Host names are registered with local intranet policy.

    Are there Workspace parameters that I need to change?  PAW.ps1 has been changed to have $env:ServerName=  new FQDN/ Host name

    Does the server name need https://? i.e. $env:ServerName="https://hostname.domain.com" or  $env:ServerName="hostname.domain.com"

    Thanks,

    Regards,

    Paul

    ------------------------------
    Paul Brann
    ------------------------------

    #PlanningAnalyticswithWatson


  • 2.  RE: Planning Analytics Workspace change of host name/ log in issue

    Posted Thu September 10, 2020 08:06 PM
    Hi,

    Do they have SSL configured for the SSO?  If so and they change the name they are trying to reach the server via, then the error you are getting may be related to the name they entered not matching the name in the SSL Certificate.

    Good luck!!

    ------------------------------
    Scott Brown
    ------------------------------



  • 3.  RE: Planning Analytics Workspace change of host name/ log in issue

    Posted Fri September 11, 2020 02:30 AM
    Hello

    Is there clear documentation somewhere on how certificates work in PAW? As far as I understand, some images have an Apache server that does not start correctly if the certificate chain is not valid (Gateway in particular). This string is based on the hostname declared in paw.env under Linux. But while the process_certifiat scripts seem to be updating the config directory, the sequence and storage of the information are not very clear. Although I tested the validity of the chain by creating a test base under iKeyman and following the documentation, it was impossible to launch pa-gateway. My certificate does, however, include the hostname used in the alternate DNS.
    Cordially

    ------------------------------
    Frederic Arevian
    ------------------------------



  • 4.  RE: Planning Analytics Workspace change of host name/ log in issue

    Posted Fri September 11, 2020 05:47 AM

    Here is the config guide for type 3 security, with Kerberos sso.
    https://www.ibm.com/support/knowledgecenter/en/SSD29G_2.0.0/com.ibm.swg.ba.cognos.tm1_inst.2.0.0.doc/c_tm1_ug_configuring_sso_with_spnego.html

    As you can see, there are quite a few locations that include the original FQDN and require updating.
    The new dns alias for paw also means you need to check your ssl certificate, as I would guess the SAN entry list does not include the new alias.
    If your PA data server is separate from paw, also runs ssl and also has a new dns alias assigned, it means checking that certificate also.
    Then import the updated PA data server ssl certificate in PAW if needed.

    All in all, this simple name change is a little project in itself. 



    ------------------------------
    STEFAN VERMEULEN
    ------------------------------



  • 5.  RE: Planning Analytics Workspace change of host name/ log in issue

    Posted Tue September 15, 2020 03:14 AM
    Hi,

    As an update to this thread, the fix that resolved this issue was to run setspn -U -F -S HTTP/Hostname Domain/service account

    The TM1 services are running off a Windows service account

    Thanks for everyone's help,

    Regards,

    Paul

    ------------------------------
    Paul Brann
    ------------------------------
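
A read-only check for the two things this thread points at, the HTTP SPN for the new alias and the SAN list of the certificate served under it. This is an added example, not code from any poster or from IBM; the alias, account name and port are placeholders, and the SPN lookup assumes a domain-joined Windows machine and searches only the current domain.

```powershell
# Added example: every default below is a constructed placeholder.
param(
    [string]$Alias          = 'paw.example.com',  # the new FQDN users browse to
    [string]$ServiceAccount = 'svc_tm1',          # sAMAccountName running the TM1 services
    [int]$Port              = 443                 # assumed HTTPS port of the PAW gateway
)

function Get-SpnOwner([string]$Spn) {
    # Return every account in the current domain that holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Get-ServerSanNames([string]$HostName, [int]$Port) {
    # Accept any certificate here so it can be inspected even when it would not validate.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
    # OID 2.5.29.17 is subjectAltName; Format() gives "DNS Name=a, DNS Name=b" on Windows.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1] }
}

# 1. Exactly one account, the TM1 service account, should own HTTP/<alias>.
$owners = @(Get-SpnOwner "HTTP/$Alias")
if ($owners.Count -eq 0) {
    "FAIL  no SPN HTTP/$Alias registered; clients cannot get a Kerberos ticket and offer NTLM"
} elseif ($owners.Count -gt 1) {
    "FAIL  duplicate SPN HTTP/$Alias held by $($owners -join ', ')"
} elseif ($owners[0] -ne $ServiceAccount) {
    "FAIL  SPN HTTP/$Alias is held by $($owners[0]), expected $ServiceAccount"
} else { "OK    SPN HTTP/$Alias is held by $ServiceAccount" }

# 2. The served certificate should list the alias as a SAN.
#    -like lets a "*.example.com" entry match, slightly more loosely than TLS clients do.
$names = @(Get-ServerSanNames $Alias $Port)
if ($names | Where-Object { $Alias -like $_ }) { "OK    certificate SAN covers $Alias" }
else { "FAIL  SAN list does not include $Alias (found $($names -join ', '))" }
```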