Author Topic: 11.0.6 Invalid login response with SSO Login URL Rewrite rule  (Read 3358 times)

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
I am having issues with the URL Rewrite rule from the optional gateway tier instructions for IIS labeled SSO Login. I need it for out MotioCAP SSO, but when that rule is enabled, all I get is an error that says Invalid login response. With it disabled I can get to the namespace selection screen and can log into other configured namespaces.

Anyone seen this error? Nothing is getting logged in cogserver.log


Offline tontonfa

  • Full Member
  • ***
  • Join Date: Nov 2008
  • Posts: 5
  • Forum Citizenship: +1/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #1 on: 12 Apr 2017 09:24:59 am »
Hi,

I am facing the same issue using Windows Server 2016 and IIS 10. Based on my discussion with IBM support, the problem could come from IIS 10 (not officially supported yet...).

I tested the same SSO configuration on IIS 8.5 and everything is ok.

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #2 on: 12 Apr 2017 09:49:40 am »
I'm on IIS 7.5

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #3 on: 12 Apr 2017 10:15:28 am »
I am using IIS 8 and get the same error. The only thing I can do for now is to disable the URL Rewrite and use the  Legacy SSO, It's so annoying i've tried fresh installs and using the classic cognosisapi.dll , no luck.  Please keep us posted. I need this too!

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #4 on: 24 Apr 2017 10:48:41 am »
I had to go to 11.0.5 to get things working. I too tried the classic cognosisapi.dll which I would have preferred so as to not change the URLs for our other we applications that connect to Cognos, but that just crashes the App Pool in IIS. I am really hating Cognos 11. Nothing but problems with every new update.

Offline qshanley

  • Associate
  • **
  • Join Date: Apr 2017
  • Posts: 1
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #5 on: 27 Apr 2017 03:13:00 pm »
I was able to get around the issue by disabling the SSO Login rewrite rule.

OS: Windows Server 2012R2
Cognos: v11R6
IIS: 8.5

Offline Jeff H.

  • Full Member
  • ***
  • Join Date: Jun 2014
  • Posts: 17
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #6 on: 01 May 2017 07:44:31 am »
I noticed something that has to be configured on Windows Server 2012 and up:

At the server node in IIS you need to select Feature Delegation and check that these two values are set to read/write. On a fresh install they are not enabled by default.

Authentication - Windows: read/write
Module: read/write.

If these are not setup like this SSO will not work.

===
Another thing to check is the Handler mappings for the SSO application folder. Sometimes the Cognos SSO entry reverts back to "disabled" - I haven't figured out what triggers that behaviour.
« Last Edit: 01 May 2017 10:39:06 am by Jeff H. »

Offline gohabsgo

  • Full Member
  • ***
  • Join Date: Nov 2016
  • Posts: 34
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #7 on: 07 May 2017 03:46:34 pm »
Anyone gotten past this?

I've checked everything in this thread and others.

Can only get 11.0.6 running with the SSO Login rewrite rule disabled, otherwise Invalid Login Response.

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #8 on: 10 May 2017 04:28:36 pm »
I noticed something that has to be configured on Windows Server 2012 and up:

At the server node in IIS you need to select Feature Delegation and check that these two values are set to read/write. On a fresh install they are not enabled by default.

Authentication - Windows: read/write
Module: read/write.

If these are not setup like this SSO will not work.

===
Another thing to check is the Handler mappings for the SSO application folder. Sometimes the Cognos SSO entry reverts back to "disabled" - I haven't figured out what triggers that behaviour.
Well I still have no luck either on this. I was able to Enable the SSO Login Rewrite rule again. I did notice that my Authentication - Windows: read/write was set to Read Only. 
Cognos SSO stays Enabled I noticed if Check the INVOKE HANDLER and select any of those options it will give me INVALID LOGIN RESPONSE. However the IBM setup says to uncheck that anyhow.  But even with all REWRITE rules running I now have to login in with my AD Name and Password. So it was kind of a step forward for me.

Offline gohabsgo

  • Full Member
  • ***
  • Join Date: Nov 2016
  • Posts: 34
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #9 on: 15 May 2017 01:30:44 pm »
I was (finally) able to get this working.

I edited the default.htm and index.html in the ../webcontent folder with;

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">

With that set in both files I'm able to enable the SSO Login rewrite rules without this message showing up. 

My CAP SSO is working fine now as well.

I'm seeing light at the end of this dark 11.0.6 tunnel ;)

Hope this helps anyone out.

**Edit**
Also make sure that if this is an upgrade that you've updated the Gateway URI, Dispatcher URIs for gateway and Dispatcher URI for external applications to the correct 11.0.6 verbage
**
« Last Edit: 16 May 2017 07:49:14 am by gohabsgo »

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #10 on: 19 May 2017 09:17:28 am »
Well after following all the steps and even using the CA_IIS_CONFIG batch file, it seems the webserver I have been setting up to use did not have Trusted Delegation on the Domain Controller.  So now the SSO works on IE, just not on Chrome but that maybe a separate issue I'm sure.  But All is well. Thanks for everyone's input on this. IT helped.

Offline thomassikic

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 6
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #11 on: 31 May 2017 02:07:18 am »
Hi,

I'm also facing issue with SSO since install of R6 (truth to be said, install of R6 went so wrong we had to uninstall and reinstall..).

My issue looks a bit different to your, as I don't face a invalid login response but error "403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."

I tried to enable Read/Write in feature delegations, to update default.htm and index.html using "<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">" but still it doesn't work.

I worked with IBM support two hours ago and their idea was to look around security on Analytics installation folder which I can understand even through it was working fine before on R5 and is also working fine on our testing R6 environment without granting any specific permission... Still even granting full permission to everyone doesn't fix the issue.
Any suggestion / feedback on this would be much appreciated,

Thomas.

Offline srinisundar_1967

  • Associate
  • **
  • Join Date: May 2017
  • Posts: 2
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #12 on: 15 Jun 2017 03:26:12 am »
I was (finally) able to get this working.

I edited the default.htm and index.html in the ../webcontent folder with;

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">

With that set in both files I'm able to enable the SSO Login rewrite rules without this message showing up. 

My CAP SSO is working fine now as well.

I'm seeing light at the end of this dark 11.0.6 tunnel ;)

Hope this helps anyone out.

**Edit**
Also make sure that if this is an upgrade that you've updated the Gateway URI, Dispatcher URIs for gateway and Dispatcher URI for external applications to the correct 11.0.6 verbage
**

Could you please elaborate on the modification you have done in index.html and Default.htm under <Cognos Install>/Webcontent folder?
Cognos SSO handler mapping is configured for <Cognos Install>/cgi-bin/cognosisapi.dll .  Also the name of the mapping is cisapi and the description Cognos SSO. So should the entry be

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cisapi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">
.

Also we have the distributed environment content manager server, application dispatcher server and the optional gateway server. I understand we need to change only at Gateway tier.

It would be great if you could clarify on this.

Offline nmcdermaid

  • Senior Consultant
  • Community Leader
  • *****
  • Join Date: Apr 2010
  • Posts: 76
  • Forum Citizenship: +1/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #13 on: 19 Jun 2017 10:42:10 pm »
Did you ever sort out your 403 error? I have the same issue.

I'm suspicious that I'm missing files and that the install failed.

403 means "does not have permission to view the web page". This is a frequently misleading error. It usually actually means that it can't find a useful file in the folder to run (rather than being related to security in any way).

For example, my url eventually redirects to

http://server/ibmcognos/bi

and gets a 403 error.

But if you type:

http://server/ibmcognos/bi/propertiesSample.html

It will actually run this html file no worries (no 403 error!)

The 403 happens because it can't find a file so it tries to directory browse, but it's not allowed to, so it fails with a 403.


So I suspect it's an installation failure in this case. I'm going to try my third reinstall now

Offline nmcdermaid

  • Senior Consultant
  • Community Leader
  • *****
  • Join Date: Apr 2010
  • Posts: 76
  • Forum Citizenship: +1/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #14 on: 21 Jun 2017 12:46:00 am »
An update on the 403 error: IT looks like my 'Reverse Proxy' rule was incorrect. After a great deal of fiddling about I got past this error. If I disable the Reverse proxy rule, the 403 error comes back.

The reverse proxy rule is the one that actually shifts the URL from the IIS gateway on port 80, to the native cognos URL on port 9300

My latest issue is that the web page just stays blank for a few minutes then finally show a C11 error that says:

       Account information Error
       Cannot get users account information!



Looking at the network tab in F12 tools, there's a lot of page download activity, downloading the same pages over and over.

I can see I am now getting a 441 error on page http://server:90/IBMCognos/bi/v1/identity

Cognos KB indicates 441 is a Kerberos type issue. But I do have singleSignOnOption set so I don't know why this is an issue.

(Note I had to run this on a different port as Cognos 10 is using IBMCognos)

 


       
Twittear