The topics in this section document problems you may encounter when using an authentication provider.
When you try to log on in IBM Cognos 8 using a user account that is deleted from all user classes in Access Manager, you receive the following error message:
CAM-AAA-0096 Unable to authenticate because the account can not be accessed.
The scenario is as follows:
You create a new user in IBM Cognos Series 7 Access Manager and assign them to a user class.
You log on to IBM Cognos 8 as Administrator and assign the same Series7 user to an IBM Cognos 8 role, such as authors.
You log off IBM Cognos 8 and log on again as the new Series7 user.
In Access Manager, you remove that user from the user class so that the user is not in any user classes.
In IBM Cognos 8, when you try to log on as the user, you get the error message.
If you configured an IBM Cognos Series 7 namespace for use with IBM Cognos 8, but a user in that namespace is not a member of at least one Access Manager user class, you cannot log on as that user in IBM Cognos 8.
To correct the problem, add the user to at least one user class in Access Manager.
You use Active Directory Server as an authentication provider. When you log on to IBM Cognos 8, you see the following error message:
Your password has expired. Please change it. Please type your credentials for authentication.
Ensure that you set up the authority for delegated administration for IBM Cognos 8. The server name or named account for starting the IBM Cognos 8 service must be set up in the Active Directory Server as an authority for delegated administration. IBM Cognos 8 can then read all user properties from the Active Directory server. For more information, see the Active Directory Server documentation.
You use Active Directory Server as an authentication provider and single signon is not working.
To ensure that users are not prompted to log on to IBM Cognos 8, the following must be true:
Active Directory is running in native mode.
The user does not have the Account is sensitive and cannot be delegated attribute selected.
For each IIS Web server
This computer is part of the Active Directory domain.
If the process is running as a Local System Account, the Trust computer for delegation attribute is selected.
If the process is running as a Domain User Account, the Account is trusted for delegation attribute is selected.
For each ReportNet Content Manager server
This computer is part of the Active Directory domain
If the process is running as a Local System Account, the Trust computer for delegation attribute is selected
If the process is running as a domain User Account, the Account is trusted for delegation attribute is selected.
Kerberos authentication must be the active WWW-authentication header.
Note: Kerberos will not work in an Internet zone.
When you attempt to access Cognos portlets through your portal, you may see the following error message:
Failed to process the request.
CPS-CCM-1200 The WSRP operation "getMarkup" failed.
CPS-WSF-2000 Authentication failed.
CAM-AAA-0055 User input is required. CAM-AAA-0036 Unable to authenticate because the credentials are invalid.
A more detailed description of the error that occurred can be found in the log.
This message indicates that Portal Services is unable to authenticate the current portal user with IBM Cognos 8. For information about how to configure single signon between IBM Cognos 8, Portal Services, and your portal, see the IBM Cognos 8 Installation and Configuration Guide.
You may encounter errors using SAP BW because your SAP user signon does not have sufficient permissions. To identify the permissions needed, use the ST01 transaction.
In SAP R/3, type /ST01 in the command window.
Under Trace components, select Authorization check.
Select Change trace.
In the Options for Trace Analysis Field, under General Restrictions, enter the user name of the IBM Cognos account you are tracing.
When you are logged into IBM Cognos 8 using an NTLM namespace and single signon is enabled for your system, an IBM Cognos Application Firewall (CAF) error may occur when you try to access IBM Cognos Administration.
To avoid this problem, resolve any possible issues related to the gateway host name. You can either ensure that the gateway host name matches the gateway host or you can add the name of the gateway server to the list of valid domains and hosts.
Open IBM Cognos Configuration.
In the Explorer window, click Environment.
In the Properties window, under Gateway Settings, ensure that Gateway URI specifies the correct server name or IP address and not ’localhost’.
Tip: We recommend that all URI properties specify a server name or IP address and not ’localhost’.
Save the configuration.
Open IBM Cognos Configuration.
In the Explorer window, under Security, click IBM Cognos Application Firewall.
In the Properties window, click the Value column for Valid domains or hosts and then click the edit button.
Click Add.
Type the name of the gateway server in the blank row and then click OK.
For more information about valid domains, see the Installation and Configuration Guide.
Save the configuration.
Restart the IBM Cognos 8 service.