Author Topic: URGENT!Cognos 10.2.2 Authentication issue after domain migration of server  (Read 695 times)

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi All,

We recently changed the domain(migration of server from domain1 to domain2) of the Cognos server. In cognos configuration, i changed the domain name where ever there was old domain name.
 After saving and restarting the services, I am unable to login into the namespace. I get the error message "The provided credentials are invalid. Please type your credentials for authentication." even when valid credentials are entered.

i am guessing the cookies are being rejected by the domain.
in global config i have edited the domain and path as well as shown below:
domain:.<domain2>
path:/ibmcognos

Before:<servername><domain1>/ibmcognos
After:<servername><domain2>/ibmcognos

i am using the url with changed domain details as well.

need inputs quickly.

thanks,
WL

Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi All,

We recently changed the domain(migration of server from domain1 to domain2) of the Cognos server. In cognos configuration, i changed the domain name where ever there was old domain name.
 After saving and restarting the services, I am unable to login into the namespace. I get the error message "The provided credentials are invalid. Please type your credentials for authentication." even when valid credentials are entered.

i am guessing the cookies are being rejected by the domain.
in global config i have edited the domain and path as well as shown below:
domain:.<domain2>
path:/ibmcognos

Before:<servername><domain1>/ibmcognos
After:<servername><domain2>/ibmcognos

i am using the url with changed domain details as well.

need inputs quickly.

thanks,
WL

Hi,

You didn't explicitly mention whether you updated the list of valid domains in the properties of the CAF to add your new domain name? As a sanity check, what happens if you temporarily disable the CAF? Do your logins then work? If so, this pinpoints the CAF configuration as being the issue and you can focus on the domains list there to make sure it's valid and correct so you can re-enable CAF.

Cheers!

MF.
Meep!

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi MF,

Thanks for the reply.
I have added the new domain name in CAF in the format *.<new domain name>.
I'll try disabling the CAF temporarily to test the logins and report back.

thanks,
WL

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi MF,

Just wanted to give a small update.
I was able to login just now. But the issue is I'm getting the prompt for entering credentials repeatedly.
I enter the credentials(domain\username) once at the first prompt and then it takes me to page where I choose the AD. After that it prompts for credentials again.If i enter the valid credentials here it says invalid credentials and fails to login.
So this time without entering anything here, i just refreshed the page twice here resubmitting the credentials and then it logs in.
i have enabled SSO as well.

Could this be an issue with IIS configuration?
Will check login with CAF disabled once.

Thanks
WL


Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi MF,

Just wanted to give a small update.
I was able to login just now. But the issue is I'm getting the prompt for entering credentials repeatedly.
I enter the credentials(domain\username) once at the first prompt and then it takes me to page where I choose the AD. After that it prompts for credentials again.If i enter the valid credentials here it says invalid credentials and fails to login.
So this time without entering anything here, i just refreshed the page twice here resubmitting the credentials and then it logs in.
i have enabled SSO as well.

Could this be an issue with IIS configuration?
Will check login with CAF disabled once.

Thanks
WL

Hi,

This could certainly be your web server messing with things. Again, the best course of action is to try to pinpoint where the issue lies. In this case I'd recommend you try connecting via the servlet gateway (hostname.domain:port/bi) to see if you have the same issue. If not, this is a good pointer to the web server being the issue.

Cheers!

MF.
Meep!

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi,

Thanks for your reply. I tried with http://servername:9300/p2pd/servlet/dispatch . I get the screen to choose between 2 namespaces. i am unable to login to both of them.
But i am able to open/run cubes and open FM models using same credentials.
any advise?

thanks
WL

Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi,

Thanks for your reply. I tried with http://servername:9300/p2pd/servlet/dispatch . I get the screen to choose between 2 namespaces. i am unable to login to both of them.
But i am able to open/run cubes and open FM models using same credentials.
any advise?

thanks
WL

Hi,

Sorry - I just realised this is Cognos 10, so I got the servlet gateway format wrong (I gave you the one for C11). The address you tried should be fine for C10 though.
You got a prompt to pick a namespace? Do you have two authentication providers configured?

MF.
Meep!

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi,

Sorry my bad for not mentioning at the start. it is cognos 10.2.2.
Yes that is correct, i have two namespaces configured. and I am unable to login to both when opened through servlet gateway.
I dont have direct access to the AD. Is there any setting that needs to be changed on AD side?

Thanks,
WL

Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi,

Sorry my bad for not mentioning at the start. it is cognos 10.2.2.
Yes that is correct, i have two namespaces configured. and I am unable to login to both when opened through servlet gateway.
I dont have direct access to the AD. Is there any setting that needs to be changed on AD side?

Thanks,
WL

Is there anything else going on with security here? Do you have single signon configured, for example?

MF.
Meep!

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi MF,

I have defined these parameters in configured ADs.

singleSignonOption
trustedCredentialType
chaseReferrals
MultiDomainTrees

thanks,
WL

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi,

Any inputs on this would be helpful.

Thanks,
WL

Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi,

Any inputs on this would be helpful.

Thanks,
WL

I would try setting up your IIS virtual directories again as a next step. Given you are doing single signon, things may have got messed up with the domain change.

MF.
Meep!

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi MF,

Thanks a lot for the reply.
Currently I have asked the AD admin team to check "trust computer for delegation" attribute.

Got this from below article.
https://www.cognoise.com/index.php?topic=9957.0

Out of the 2 namespaces that have been setup, i can login to one namespace without any issues. But cant login into other one post domain migration. So I have asked to check above setting on AD side.

If it doesnt work, i'll try recreating the Virtual directories in IIS.

Thanks ,
WL

Offline White light

  • Full Member
  • ***
  • Join Date: Apr 2020
  • Posts: 33
  • Forum Citizenship: +0/-0
Hi All,

The issue was with the dispatcher. After un-registering and re-registering it, the login works fine.
Here are the steps i followed:

Stop Cognos services.
>Change port numbers in Environment and Portal services from 80 to 81 and 9300 to 9301.
>save the changes and start the services(unregisters old one with 9300 and registers with 9301)
>then stop the services again(it may throw some errors while stopping)
>change back the ports to original numbers and start the services.
>then in cognos administration in portal under "System" you can remove the dispatcher registered with 9301

Here is the link that explains above idea.

https://www.ibm.com/support/pages/unable-log-valid-user-id-and-password-provider-credentials-are-invalid


Thanks MF for the support.

Offline MFGF

  • Never knowingly correct
  • Super Moderator
  • Statesman
  • ******
  • Join Date: Jul 2005
  • Posts: 11,202
  • Forum Citizenship: +662/-10
  • Cognos Software Muppet
Hi All,

The issue was with the dispatcher. After un-registering and re-registering it, the login works fine.
Here are the steps i followed:

Stop Cognos services.
>Change port numbers in Environment and Portal services from 80 to 81 and 9300 to 9301.
>save the changes and start the services(unregisters old one with 9300 and registers with 9301)
>then stop the services again(it may throw some errors while stopping)
>change back the ports to original numbers and start the services.
>then in cognos administration in portal under "System" you can remove the dispatcher registered with 9301

Here is the link that explains above idea.

https://www.ibm.com/support/pages/unable-log-valid-user-id-and-password-provider-credentials-are-invalid


Thanks MF for the support.

Wow! Good find!! Glad you managed to get it working. Thanks for posting up the solution too - very helpful!

Cheers!

MF.
Meep!