Planning Analytics

  • 1.  Configuring TM1 Web for Integrated Login on PAL

    IBM Champion
    Posted Fri September 13, 2019 08:28 AM
      |   view attached

    Been battling to get Integrated Login working with PA 2.0.5 on TM1 Web.
    Followed the instructions in these two articles:
    How to Configure Planning Analytics TM1 Web for KERBEROS/SPNEGO (SSO)
    Configure integrated login for TM1 Web


    I still get prompted for a username and password after accessing TM1 Web from a client machine.  All client settings to make use of SPNEGO per "Configuring the client browser to use SPNEGO" and "Enable web browsers for integrated login" have been configured.

    The message log contains various error messages depending on how we alter the server.xml, web.xml etc. to try and ensure we have the correct FQDN, Realms, sAMAccount, User Principal accounts etc. etc.

    Some of the errors encountered (george.tonkin is a valid domain user and can access TM1 from Architect and Perspectives):

    E CWWKS4315E: Can not find a GSSCredential for the service principal name HTTP/tm1server.acme.net.
    E CWIML0515E: The user registry operation could not be completed. The CN=Users,DC=acme,DC=net entity is not in the scope of the defined realm. Specify an entity that is in the scope of the configured realm in the server.xml file.
    E CWIML4537E: The login operation could not be completed. The specified principal name george.tonkin is not found in the back-end repository.

    That only happens if you explicitly type in the user/pass in the box:
    A CWWKS1100A: Authentication did not succeed for user ID george.tonkin. An invalid user ID or password was specified.

    Please see the attachment (Configuring TM1 Web for Integrated Login on PAL.docx - may be in the discussion library) for further details on the names being used, configured files etc.  Acme has been used to mask the true domain.

    If anyone has been able to get this working, would love to hear back as to where we could be going wrong. 
    Thanks in advance for any help on this.



    ------------------------------
    George Tonkin
    ------------------------------

    #PlanningAnalyticswithWatson


  • 2.  RE: Configuring TM1 Web for Integrated Login on PAL

    Posted Mon September 16, 2019 08:11 AM
    Hi George,

    - I wanted to confirm if the integrated logon works with Architect? You have indicated that you can access the client tools but unsure if this means that you can access with integrated logon or not. This would need to work before addressing the TM1Web and just wanted to confirm this.

    - what do you have the integratedsecurity set to?
    - if you do an setspn -L, what do you see?
    Also, how many iterations of your fqdn_host do you see?

    Thanks in advance,

    ------------------------------
    Robert VAUTOUR
    ------------------------------



  • 3.  RE: Configuring TM1 Web for Integrated Login on PAL

    IBM Champion
    Posted Mon September 16, 2019 08:25 AM
    Hi Robert, thanks for coming back to me.

    TM1S.cfg has:
    SecurityPackageName=Kerberos
    IntegratedSecurityMode=3
    ServicePrincipalName=HTTP/TMServer.Acme.Net@ACME.NET
    UseSSL=T

    I can log in via Architect and Perspectives with Integrated Login Ticked - Architect test on server and client machine.

    SetSPN -L acme\service.tm1 returns:
    Registered ServicePrincipalNames for CN=Service Tm1,OU=Applications Administrative Users,OU=Administrative Users,DC=Acme,DC=net:
           HTTP/tm1server.acme.net
    Looks like only one iteration of the FQDN_host.

    Please note that the sAMAccount is service.tm1 and principal is Service Tm1

    Thanks for your assistance.


    ------------------------------
    George Tonkin
    ------------------------------



  • 4.  RE: Configuring TM1 Web for Integrated Login on PAL

    Posted Mon September 16, 2019 08:57 AM
    Thanks for the additional information George.

    SPNs are always pretty sensitive to the CASE. I do see some differences from your post and from the doc which you have attached.

    From one of the kb articles from your initial post, it shows how to obtain the FQDN:
    You know the FQDN of the server you are configuring.
    This can be obtained by typing the following in Windows Command Prompt: net config workstation | findstr /C:"Full Computer name"

    and Domain name:
    You know the Domain Name of the Domain you want to use with Planning Analytics.
    This can be obtained by typing the following in Windows Command Prompt: echo %USERDOMAIN%

    Are you able to confirm that your configuration throughout has been used with the exact same CASE as you would find with these commands?
    Regards,

    ------------------------------
    Robert VAUTOUR
    ------------------------------



  • 5.  RE: Configuring TM1 Web for Integrated Login on PAL

    IBM Champion
    Posted Mon September 16, 2019 09:18 AM
    Edited by System Fri January 20, 2023 04:23 PM

    Hi Robert,
    The FQDN using the command supplied is:

    TM1SERVER.Acme.net
    We have tried various combinations of all uppercase, all lowercase etc. and regenerated the keytab each time.

    Userdomain is Acme

    Each time we change case, we have tried to change the keytab, server.xml, web.xml etc.

    Properties on Service TM1 shows the servicePrincipalName as:

    HTTP/TM1SERVER.ACME.NET@ACME.NET  (all uppercase)

    The most recent KeyTab was generated using:

    ktpass -out pa.keytab -princ  HTTP/TM1SERVER.Acme.net@ACME.NET -mapUser Acme\Service.Tm1 -pass TM1Password -mapOp set -ptype KRB5_NT_PRINCIPAL -crypto All

    We have tried HTTP all uppercase too, in order to match what the user properties are returning, but no joy.

    I am obviously masking the server name, domain and realm - I could share these/the config files via email - the real domain is camel case e.g. ClientDomain, which is not apparent with my domain being used above.

    FYI - server is running on PAL 2.0.5 (11.3)

    Thank you,



    ------------------------------
    George Tonkin
    ------------------------------



  • 6.  RE: Configuring TM1 Web for Integrated Login on PAL

    IBM Champion
    Posted Tue September 17, 2019 06:48 AM

    Just found out that the domain is a bit more complex i.e. users can belong to similar but different domains e.g.

    user1@abc.acme.net

    user2@def.acme.net

    Also, the UPN is acme.com

    Not sure how the above impacts on our config files or where to update e.g. changing some of our acme.net to acme.com

    Any ideas?



    ------------------------------
    George Tonkin
    ------------------------------



  • 7.  RE: Configuring TM1 Web for Integrated Login on PAL

    IBM Champion
    Posted Tue September 17, 2019 09:09 AM
    Edited by System Fri January 20, 2023 04:44 PM

    All working now - two changes made to config files:

    Server.xml - SPNEGO section
    Updated the following:

    servicePrincipalNames="HTTP/tm1server.acme.net@ACME.NET"
    Note the lowercase after the HTTP!!  Use exact case when generating the KeyTab as this will add the SPN link to the user.

    Server.xml - LDAPRegistry section
    Changed baseDN="CN=Users,DC=acme,DC=net"
    to baseDN="DC=acme,DC=net"
    i.e. we removed the CN=Users, as we were receiving an error on Adding mech cred, CWWKS1106A: Authentication did not succeed for the user ID George.Tonkin. An invalid user ID was specified.

    We also removed the line relating to the servicePrincipalName in the TM1s.cfg - including and excluding seemed to have no impact.



    ------------------------------
    George Tonkin
    ------------------------------

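The fix above comes down to three things lining up with exact case: the SPN registered on the service account in AD (and baked into the keytab by ktpass), the `servicePrincipalNames` value in the Liberty `<spnego>` element, and the FQDN Windows itself reports; plus an `ldapRegistry` baseDN wide enough to contain the users who log in. The following PowerShell script, added here as an example and not part of any post in this thread, checks all of those on the TM1 Web host and prints the ktpass command that would match. The server.xml path, the service account `acme\service.tm1`, the realm `ACME.NET` and the test user are assumptions taken from the masked names in the thread; adjust them for your environment.

```powershell
# Added example (not from the thread): case-sensitive SPN / baseDN consistency
# checks for a TM1 Web (Liberty) SPNEGO setup. Run in an elevated PowerShell on
# the domain-joined TM1 Web host, where setspn.exe and net.exe are available.
# All default parameter values are assumptions; override them as needed.
param(
    [string]$ServerXml      = 'C:\Program Files\ibm\cognos\tm1_64\wlp\usr\servers\tm1web\server.xml',  # assumed path
    [string]$ServiceAccount = 'acme\service.tm1',   # assumed sAMAccountName of the TM1 service account
    [string]$Realm          = 'ACME.NET',           # assumed Kerberos realm (realms are always upper case)
    [string]$TestUser       = 'george.tonkin'       # assumed domain user who should be able to log in
)

$problems = @()

# 1. FQDN exactly as Windows reports it (the same command the IBM doc uses).
$fqdnLine    = (net config workstation | Select-String 'Full Computer name').Line.Trim()
$fqdn        = $fqdnLine -replace '^Full Computer name\s+', ''
$spnNoRealm  = "HTTP/$fqdn"
$expectedSpn = "$spnNoRealm@$Realm"

# 2. SPNs registered on the service account. setspn -L prints them indented and
#    without the @REALM suffix. -cmatch / -ccontains are case-SENSITIVE; the
#    default -match / -contains are not and would hide exactly the mismatch
#    this thread was about.
$registered = setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -cmatch '^HTTP/' }
if (-not ($registered -ccontains $spnNoRealm)) {
    $problems += "AD SPNs on $ServiceAccount [$($registered -join ', ')] do not case-match $spnNoRealm"
}

# 3. Duplicate check: the same SPN on more than one account means the KDC cannot
#    issue a usable service ticket. setspn -Q lists every owner as a CN=... line.
$owners = @(setspn -Q $spnNoRealm | Where-Object { $_ -match '^CN=' }).Count
if ($owners -ne 1) {
    $problems += "setspn -Q finds $owners account(s) holding $spnNoRealm (expected exactly 1)"
}

# 4. Liberty server.xml: <spnego servicePrincipalNames="..."> must case-match the
#    SPN in the keytab, and <ldapRegistry baseDN="..."> must contain the users.
[xml]$cfg = Get-Content -Raw -Path $ServerXml
$configured = @(($cfg.server.spnego.servicePrincipalNames -split ',') | ForEach-Object { $_.Trim() })
if (-not ($configured -ccontains $expectedSpn)) {
    $problems += "server.xml servicePrincipalNames [$($configured -join ', ')] do not case-match $expectedSpn"
}

$baseDn = $cfg.server.ldapRegistry.baseDN
# [adsisearcher] is built into .NET, so no RSAT / ActiveDirectory module is needed.
$result = ([adsisearcher]"(sAMAccountName=$TestUser)").FindOne()
if ($null -eq $result) {
    $problems += "user $TestUser not found in AD"
} else {
    $userDn = [string]$result.Properties['distinguishedname'][0]
    # LDAP DNs are case-insensitive, so the case-insensitive -notlike is correct here.
    if ($userDn -notlike "*,$baseDn") {
        $problems += "user DN '$userDn' is outside baseDN '$baseDn' (this is the CWIML0515E scope error)"
    }
}

# 5. Report, and print the ktpass command that matches the expected SPN.
#    -pass * makes ktpass prompt instead of leaving the password in shell history;
#    AES256-SHA1 is preferred over 'All', which also emits RC4 keys.
if ($problems.Count -eq 0) {
    "All checks passed for $expectedSpn"
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
"Keytab command (exact case matters):"
"ktpass -out pa.keytab -princ $expectedSpn -mapUser $ServiceAccount -pass * -mapOp set -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1"
```

Two caveats when acting on the output. Running ktpass with `-pass` resets the service account's password and increments its key version, so every keytab generated before it stops working and must be replaced; and the keytab holds the account's long-term keys, so treat the file like a password (restrict NTFS permissions to the Liberty service identity and do not leave copies in the discussion library or in email).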


  • 8.  RE: Configuring TM1 Web for Integrated Login on PAL

    Posted Tue September 17, 2019 12:26 PM
    Great to hear it's working George. SPNs have always been case sensitive. They basically need to match everywhere what is returned from the command line discussed earlier in this thread.

    Regards,

    ------------------------------
    Robert VAUTOUR
    ------------------------------