Cognos Analytics

 View Only
Expand all | Collapse all

CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

  • 1.  CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    IBM Champion
    Posted Fri August 04, 2023 04:09 AM
    Edited by Patrick Neveu Wed August 09, 2023 04:06 AM

    Hi,

    (Edited to add OIDC before AzureAD)

    This is a Cognos Analytics v11.1.7 server with OIDC / AzureAD. In Cognos Configuration, there is no advanced parameters used.

    Users can access to the reports and run non-scheduled reports.

    They can't renew credentials (Authentication is not possible). They cannot run scheduled reports/jobs (it is also true with samples reports, same issue).

    In the log files (cognosserver.log and cognosserver-session-<number>.log, I have the following error messages:

    An error occurred with the client
    CNC-BAL-0506: Credentials not found in Content Manager.
    CM-REQ-4342 An error occurred with the client.
    CM-REQ-4159 Content Manager returned an error in the response header. The error "cmAuthenticateFailed CM-CAM-4005 Unable to authenticate. Check your security directory server connection and confirm the credentials entered at login" can be found in the response SOAP header.
    There was no credential. We attempted to generate one but this failed.
    CNC-BAL-0503 The Server has failed.
    CNC-BAL-0502 Error Number 0506
    CNC-BAL-0506 Credentials not found in Content Manager.
    [ContentManagerServiceClientPortImpl] Error when authenticating.
    Any idea would be appreciated.
    Best regards,



    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    IBM Champion
    ------------------------------



  • 2.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Mon August 07, 2023 10:11 AM

    Patrick, my guess is it is missing password grant type. I don't see that mentioned in the documentation for setting it up so not quite sure how to allow it in Azure. This is required where applications expect to interact with the OpenID endpoint on behalf of the user for such things as SDK authentication, which I believe schedules do. I know that OKTA refers to it as resource owner password credentials (aka. ROPC). A bit ago, while helping a customer set up their OKTA integration, they couldn't test the name space properly in configuration either without this grant type allowed.



    ------------------------------
    Robert Hofstetter
    ------------------------------



  • 3.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    IBM Champion
    Posted Mon August 07, 2023 11:07 AM

    Hi Robert,

    Thank you for this useful answer. I will share this information with my customer.

    Best regards,



    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    IBM Champion
    ------------------------------



  • 4.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Wed August 09, 2023 03:19 PM

    I've seen similar issues which were resolved by moving to 11.2.4 which has an AzureAD v2 type namespace available in configuration. It has a property for Scheduling credentials strategy, but I believe even if left at default, it worked properly. 



    ------------------------------
    Tomáš Polakovič
    ------------------------------



  • 5.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Tue August 08, 2023 11:12 AM

    Try changing the Strategy setting under Scheduling credentials in Cognos Configuration to ID Token Only



    ------------------------------
    Amy Rivito
    ------------------------------



  • 6.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    IBM Champion
    Posted Tue August 08, 2023 11:33 AM

    Hi Amy,

    I am using OIDC with AzureAD as provider type. In this case, I believe there is no such Scheduling credentials option.

    Please correct me if I am wrong.

    Best regards,



    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    IBM Champion
    ------------------------------



  • 7.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Tue August 08, 2023 12:46 PM

    We are also using OIDC with AzureAD and MFA.  It took us forever to get the settings correct.  I'm unable to upload our settings here so I will try to email you a word doc.



    ------------------------------
    Amy Rivito
    ------------------------------



  • 8.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    IBM Champion
    Posted Wed August 09, 2023 04:05 AM

    Hi Amy,

    Thank you for your nice message. I would love to receive your documentation.

    Best regards,



    ------------------------------
    Patrick Neveu
    Positive Thinking Company
    IBM Champion
    ------------------------------



  • 9.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Thu August 10, 2023 10:10 AM

    Re: Using AzureAD and MFA with Cognos.

     

    I would really appreciate also receiving your work document on Cognos settings.  Would you please email them to me?

     

    Thank-you

     

     

    Penny Flower

    Application Specialist | Information Technology Services

    Red Deer Polytechnic | 100 College Blvd. | Box 5005 | Red Deer | Alberta | T4N 5H5

    work 403.318.0652 | fax 403.343.4034

    https://www.rdpolytech.ca | when you get here you understand

     






  • 10.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Wed November 29, 2023 05:04 PM

    Thanks so much for sharing everyone.  I can't tell you how helpful this post has been.  We're facing a similar issue in our production environment.  Is there any way of leveraging the custom fields with the Azure AD 1.0 settings, to pass the credentials for Scheduling?  We're trying to avoid deleting the current NAMESAPCE and adding Azure AD 2.0 to our Cognos 11.2.4 install.  



    ------------------------------
    Leo Pace
    ------------------------------



  • 11.  RE: CA v11.1.7 with AzureAD : unable to renew credentials and unable to run scheduled reports

    Posted Tue August 08, 2023 01:00 PM