Configuring IBM Cognos 8 Components to Use Active Directory Server

If you install Content Manager on a Windows computer, you can configure Active Directory as your authentication source using an Active Directory namespace.

If you install Content Manager on a UNIX computer, you must instead use an LDAP namespace to configure Active Directory as your authentication source. If you install Content Manager on Windows and UNIX computers, you must use an LDAP namespace to configure Active Directory on all Content Manager computers. When you use an LDAP namespace to authenticate against Active Directory Server, you are limited to LDAP features only. You do not have access to Active Directory features such as advanced properties for domains and single signon using Kerberos delegation .

If you install Content Manager on a Linux computer, the same restrictions apply as for UNIX. You must use an LDAP namespace to configure Active Directory as your authentication source.

For more information, see Configure an LDAP Namespace for Active Directory Server.

If you want to use Microsoft SQL Server or Microsoft Analysis Server as a data source and use single signon for authentication, you must use Active Directory as your authentication source.

You cannot connect to the Active Directory Global Catalog, which is a caching server for Active Directory Server. If the connection uses port 3268, you must change it. By default, Active Directory Server uses port 389.

To use an Active Directory Server namespace and to set up single signon, do the following:

	Configure IBM Cognos 8 components to use an Active Directory Server namespace
	Enable secure communication to the Active Directory Server, if required
	Enable single signon between Active Directory Server and IBM Cognos 8 components

Configure an Active Directory Namespace

You can use Active Directory Server as your authentication provider.

You also have the option of making custom user properties from the Active Directory Server available to IBM Cognos 8 components.

For IBM Cognos 8 to work properly with Active Directory Server, ensure that the Authenticated users group has Read privileges for the Active Directory folder where users are stored.

If you are configuring an Active Directory namespace to support single signon with a Microsoft SQL Server or Microsoft Analysis Server data source, ensure the following configuration:

• The IBM Cognos 8 gateway is installed on an IIS Web server that is configured for Windows Integrated Authentication.

• The gateway is assigned to the local intranet Web site in your Web browser.

• Content Manager is installed on a Windows 2000 or Windows 2003 server.

• Content Manager, Application Tier Components, IIS Web server, and the data source server (Microsoft SQL Server or Microsoft Analysis Server) belong to the Active Directory domain.

• The data source connection for Microsoft SQL Server or Microsoft Analysis Server is configured for External Namespace and that namespace must be the Active Directory namespace.

For more information about data sources, see the Administration and Security Guide.

Steps

1. On every computer where you installed Content Manager, open IBM Cognos Configuration.

2. In the Explorer window, under Security, right-click Authentication, and then click New resource, Namespace.

3. In the Name box, type a name for your authentication namespace.

4. In the Type list, click the appropriate namespace and then click OK.

   The new authentication provider resource appears in the Explorer window, under the Authentication component.

5. In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace.

6. Specify the values for all other required properties to ensure that IBM Cognos 8 components can locate and use your existing authentication provider.

7. Specify the values for the Host and port property.

   To support Active Directory Server failover, you can specify the domain name instead of a specific domain controller. For example, use mydomain.com:389 instead of dc1.mydomain.com:389.

8. If you want to search for details when authentication fails, specify the user ID and password for the Binding credentials property.

   Use the credentials of an Active Directory Server user who has search and read privileges for that server.

9. From the File menu, click Save.

10. Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

IBM Cognos 8 loads, initializes, and configures the provider libraries for the namespace.

Make Custom User Properties for Active Directory Available to IBM Cognos 8 Components

You can use arbitrary user attributes from your Active Directory Server in IBM Cognos 8 components. To configure this, you must add these attributes as custom properties for the Active Directory namespace.

The custom properties are available as session parameters through Framework Manager. For more information about session parameters, see the Framework Manager User Guide

You can also use the custom properties inside command blocks to configure Oracle sessions and connections. You can use the command blocks can be used with Oracle light-weight connections and virtual private databases. For more information, see the Administration and Security Guide.

Steps

1. On every computer where you installed Content Manager, open IBM Cognos Configuration.

2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.

3. In the Properties window, click in the Value column for Custom properties and click the edit button.

4. In the Value - Custom properties window, click Add.

5. Click the Name column and type the name you want IBM Cognos 8 components to use for the session parameter.

6. Click the Value column and type the name of the account parameter in your Active Directory Server.

7. Repeat steps 4 to 6 for each custom parameter.

8. Click OK.

9. From the File menu, click Save.

Enabling Secure Communication to the Active Directory Server

If you are using an SSL connection to the Active Directory Server, you must copy the certificate from the Active Directory Server to the Content Manager computer.

Steps

1. On every Content Manager computer, use your Web browser to connect to the Active Directory Server and copy the CA root certificate to a location on the Content Manager computer.

2. Add the CA root certificate to the certificate store of the account that you are using for the current IBM Cognos session:

   • If you are running the IBM Cognos session under a user account, use the same Web browser as in step 1 to import the CA root certificate to the certificate store for your user account.

     For information, see the documentation for your Web browser.

   • If you are running the IBM Cognos session under the local computer account, use Microsoft Management Console (MMC) to import the CA root certificate to the certificate store for the local computer.

     For information, see the documentation for MMC.

3. In IBM Cognos Configuration, restart the service:

   • In the Explorer window, click IBM Cognos 8 service, IBM Cognos 8.

   • From the Actions menu, click Restart.

Include or Exclude Domains Using Advanced Properties

When you configure an authentication namespace for IBM Cognos 8, users from only one domain can log in. By using the Advanced properties for Active Directory Server, users from related (parent-child) domains and unrelated domain trees within the same forest can also log in.

Authentication in One Domain Tree

If you set a parameter named chaseReferrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to IBM Cognos 8. Users above the original authenticated domain or in a different domain tree cannot log in.

Authentication in All Domain Trees in the Forest

If you set a parameter named MultiDomainTrees to true, users in all domain trees in the forest can log in to IBM Cognos 8.

Steps

1. On every computer where you installed Content Manager, open IBM Cognos Configuration.

2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.

3. In the Properties window, specify the Host and port property:

   • For users in one domain, specify the host and port of a domain controller for the single domain.

   • For users in one domain tree, specify the host and port of the top-level controller for the domain tree.

   • For users in all domain trees in the forest, specify the host and port of any domain controller in the forest.

4. Click in the Value column for Advanced properties and click the edit button.

5. In the Value - Advanced properties window, click Add.

6. Specify two new properties, chaseReferrals and MultiDomainTrees, with the following values:

   Authentication for	chaseReferrals	MultiDomainTrees
   One domain	False	False
   One domain tree	True	False
   All domain trees in the forest	True	True

7. Click OK.

8. From the File menu, click Save.

Enabling Single Signon Between Active Directory Server and IBM Cognos 8 Components

By default, the Active Directory provider uses Kerberos delegation and integrates with the IIS Web server for single signon if Windows integrated authentication (formerly named NT Challenge Response) is enabled on the IIS Web server.

If Windows integrated authentication is enabled, you are not prompted to reenter authentication information when accessing IBM Cognos content that is secured by the Active Directory namespace.

If you do not want Kerberos delegation, you can configure the provider to access the environment variable REMOTE_USER to achieve single signon. You must set the advanced property singleSignOnOption to the value IdentityMapping. You must also specify bind credentials for the Active Directory namespace. Microsoft sets REMOTE_USER by default when you enable Windows integrated authentication. If Kerberos authentication is bypassed, single signon to Microsoft OLAP (MSAS) data sources will not be possible.

Steps for Single Signon Using Kerberos Delegation

1. Set up Windows integrated authentication on the IIS Web server.

2. Install Content Manager on a computer that is part of the domain, for the active and standby Content Manager computers.

3. Set up the computers, or the user account under which Content Manager runs, to be trusted for delegation.

   When setting up the computers using the Active Directory user tool, do not select the Account attribute, which is sensitive and cannot be delegated.

Steps for Single Signon Using REMOTE_USER

1. On every computer where you installed Content Manager, open IBM Cognos Configuration.

2. In the Explorer window, under Security, Authentication, click the Active Directory namespace.

3. Click in the Value column for Advanced properties and then click the edit button.

4. In the Value - Advanced properties dialog box, click Add.

5. In the Name column, type singleSignOnOption

6. In the Value column, type IdentityMapping.

7. Click OK.

8. Click in the Value column for Binding credentials, and then click the edit button.

9. In the Value - Binding credentials dialog box, specify a user ID and password and then click OK.

The Active Directory provider now uses REMOTE_USER for single signon.

Tip: To switch back to Kerberos delegation, edit Advanced properties and, in the Value column, type KerberosAuthentication.