Author Topic: 11.0.6 Invalid login response with SSO Login URL Rewrite rule  (Read 857 times)

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
I am having issues with the URL Rewrite rule from the optional gateway tier instructions for IIS labeled SSO Login. I need it for our MotioCAP SSO, but when that rule is enabled, all I get is an error that says Invalid login response. With it disabled I can get to the namespace selection screen and can log into other configured namespaces.

Anyone seen this error? Nothing is getting logged in cogserver.log


Offline tontonfa

  • Full Member
  • ***
  • Join Date: Nov 2008
  • Posts: 5
  • Forum Citizenship: +1/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #1 on: 12 Apr 2017 09:24:59 am »
Hi,

I am facing the same issue using Windows Server 2016 and IIS 10. Based on my discussion with IBM support, the problem could come from IIS 10 (not officially supported yet...).

I tested the same SSO configuration on IIS 8.5 and everything is ok.

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #2 on: 12 Apr 2017 09:49:40 am »
I'm on IIS 7.5

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #3 on: 12 Apr 2017 10:15:28 am »
I am using IIS 8 and get the same error. The only thing I can do for now is to disable the URL Rewrite and use the Legacy SSO. It's so annoying; I've tried fresh installs and using the classic cognosisapi.dll, no luck. Please keep us posted. I need this too!

Offline Bluefyre

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 13
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #4 on: 24 Apr 2017 10:48:41 am »
I had to go to 11.0.5 to get things working. I too tried the classic cognosisapi.dll, which I would have preferred so as to not change the URLs for our other web applications that connect to Cognos, but that just crashes the App Pool in IIS. I am really hating Cognos 11. Nothing but problems with every new update.

Offline qshanley

  • Associate
  • **
  • Join Date: Apr 2017
  • Posts: 1
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #5 on: 27 Apr 2017 03:13:00 pm »
I was able to get around the issue by disabling the SSO Login rewrite rule.

OS: Windows Server 2012R2
Cognos: v11R6
IIS: 8.5

Offline Jeff H.

  • Full Member
  • ***
  • Join Date: Jun 2014
  • Posts: 10
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #6 on: 01 May 2017 07:44:31 am »
I noticed something that has to be configured on Windows Server 2012 and up:

At the server node in IIS you need to select Feature Delegation and check that these two values are set to read/write. On a fresh install they are not enabled by default.

Authentication - Windows: read/write
Module: read/write.

If these are not set up like this, SSO will not work.

===
Another thing to check is the Handler mappings for the SSO application folder. Sometimes the Cognos SSO entry reverts back to "disabled" - I haven't figured out what triggers that behaviour.
« Last Edit: 01 May 2017 10:39:06 am by Jeff H. »
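
Added example, not part of the thread or of IBM's instructions: a Python check of the two Feature Delegation entries named in the post above, read straight from an applicationHost.config-style file. It assumes "Read/Write" in IIS Manager corresponds to an effective override mode of `Allow` and "Read Only" to `Deny`; the sample XML is constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
# Constructed sample shaped like IIS's applicationHost.config (not from the thread).
SAMPLE = """<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="modules" overrideModeDefault="Deny" />
      <sectionGroup name="security"><sectionGroup name="authentication">
        <section name="windowsAuthentication" overrideModeDefault="Deny" />
      </sectionGroup></sectionGroup>
    </sectionGroup>
  </configSections>
  <location path="" overrideMode="Allow"><system.webServer><modules /></system.webServer></location>
</configuration>"""

# The two delegation entries from the post, written as configuration section paths.
REQUIRED = ("system.webServer/modules",
            "system.webServer/security/authentication/windowsAuthentication")

def _child(node, tag, name=None):
    """First direct child with this tag (and name attribute, if given)."""
    for c in (node if node is not None else ()):
        if c.tag == tag and (name is None or c.get("name") == name):
            return c
    return None

def effective_mode(root, section_path):
    """'Allow' (Read/Write), 'Deny' (Read Only), or None if the section is undeclared."""
    *groups, leaf = section_path.split("/")
    node = _child(root, "configSections")
    for group in groups:
        node = _child(node, "sectionGroup", group)
    decl = _child(node, "section", leaf)
    if decl is None:
        return None
    mode = decl.get("overrideModeDefault", "Allow")
    # A server-level <location path=""> that lists the section overrides the default.
    for loc in root.findall("location"):
        target = loc
        for tag in section_path.split("/"):
            target = _child(target, tag)
        override = loc.get("overrideMode", "Inherit")
        if loc.get("path", "") == "" and target is not None and override != "Inherit":
            mode = override
    return mode

def locked_sections(xml_text):
    """Required sections that are not delegated Read/Write at the server level."""
    root = ET.fromstring(xml_text)
    return [p for p in REQUIRED if effective_mode(root, p) != "Allow"]
```

On the constructed sample, `locked_sections(SAMPLE)` reports only the Windows authentication section, the same state a later reply in the thread describes finding.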

Offline gohabsgo

  • Full Member
  • ***
  • Join Date: Nov 2016
  • Posts: 21
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #7 on: 07 May 2017 03:46:34 pm »
Anyone gotten past this?

I've checked everything in this thread and others.

Can only get 11.0.6 running with the SSO Login rewrite rule disabled, otherwise Invalid Login Response.

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #8 on: 10 May 2017 04:28:36 pm »
Well, I still have no luck either on this. I was able to enable the SSO Login Rewrite rule again. I did notice that my Authentication - Windows: read/write was set to Read Only.
Cognos SSO stays Enabled. I noticed that if I check the INVOKE HANDLER and select any of those options, it will give me INVALID LOGIN RESPONSE. However, the IBM setup says to uncheck that anyhow. But even with all REWRITE rules running I now have to log in with my AD name and password. So it was kind of a step forward for me.

Offline gohabsgo

  • Full Member
  • ***
  • Join Date: Nov 2016
  • Posts: 21
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #9 on: 15 May 2017 01:30:44 pm »
I was (finally) able to get this working.

I edited the default.htm and index.html in the ../webcontent folder with:

<meta http-equiv="refresh" content="0; URL=/ibmcognos/cgi-bin/cognos.cgi?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/">

With that set in both files I'm able to enable the SSO Login rewrite rules without this message showing up. 

My CAP SSO is working fine now as well.

I'm seeing light at the end of this dark 11.0.6 tunnel ;)

Hope this helps anyone out.

**Edit**
Also make sure that, if this is an upgrade, you've updated the Gateway URI, Dispatcher URIs for gateway and Dispatcher URI for external applications to the correct 11.0.6 verbiage.
**
« Last Edit: 16 May 2017 07:49:14 am by gohabsgo »

Offline Vgamer

  • Full Member
  • ***
  • Join Date: Mar 2017
  • Posts: 9
  • Forum Citizenship: +0/-0
Re: 11.0.6 Invalid login response with SSO Login URL Rewrite rule
« Reply #10 on: 19 May 2017 09:17:28 am »
Well, after following all the steps and even using the CA_IIS_CONFIG batch file, it seems the webserver I have been setting up to use did not have Trusted Delegation on the Domain Controller. So now the SSO works on IE, just not on Chrome, but that may be a separate issue, I'm sure. But all is well. Thanks for everyone's input on this. It helped.
