Kerberos and other things you need for fully functional authentication of SSAS through Cognos (Part 1)

In the previous post I gave a little overview of what needs to be done in order to get Kerberos authentication working between your Cognos and Microsoft SSAS environments. Now we will look into the Windows-related bits and pieces of the process.



The other week I bravely stated that there is nothing to install while setting up Kerberos for Cognos/SSAS. Well... maybe there is after all. It depends on where you are with your patches, fixes and operating systems. If you are working in an environment that runs all Win 2008 / Win 7 machines, you will need to make sure that HotFix 969083 has been applied to all of the interacting servers. Without this HotFix you might experience very strange behaviour (for example, SQL Server Profiler might show that the correct user ID is authenticating, but no further communication takes place).


Now we have all of the OS bug-related details out of the way. There is not much left to do on this level, really. We just need to make sure that the user we will use to run the Cognos process is allowed to do a bit more than a standard one. For simplicity's sake, I will use one domain user for running all processes between a user and SSAS. Let's say that will be mydomain\cognos_process. Again, this is a domain account we are talking about, not a local user on every one of the servers.


Go to Administrative Tools -> Local Security Policy, expand Local Policies and select User Rights Assignment. Add mydomain\cognos_process to the following policies:
  • Act as part of the operating system
  • Create a token object
  • Replace process level token
This should do it. As long as you are on the server already, you might as well make sure that the Cognos process is using the mydomain\cognos_process domain account. In Services, locate the IBM Cognos 8 service, double-click it, go to the Log On tab and make sure the required account is used by the service. No need to restart at the moment. We will do a complete reboot at the end of this game, just for peace of mind...
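To confirm the settings above took effect, and to see which other accounts hold these three powerful rights, here is a PowerShell check. It is an added example, not part of the original post. It assumes an elevated prompt on the Cognos server, PowerShell 3.0 or later, and that the service display name starts with "IBM Cognos"; the variable names are illustrative.

```powershell
# Added example: audit the three user rights and the service log-on account.
# Assumptions: run elevated on the Cognos server; the account name and the
# service display-name pattern are taken from the post and may differ locally.
$Account     = 'mydomain\cognos_process'
$ServiceLike = 'IBM Cognos%'          # WQL LIKE pattern for the service

# Privilege constants behind the three policy names listed above.
$Rights = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeAssignPrimaryTokenPrivilege = 'Replace process level token'
}

# Export only the User Rights Assignment area of the local security policy.
$inf = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

# Resolve the account to its SID; secedit writes most holders as *S-1-5-...
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

$lines = Get-Content $inf
foreach ($right in $Rights.Keys) {
    # A right with no holders is simply absent from the export.
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } |
            Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1].Split(',') |
                     ForEach-Object { $_.Trim().TrimStart('*') })
    }
    [pscustomobject]@{
        Policy  = $Rights[$right]
        Granted = ($holders -contains $sid) -or ($holders -contains $Account)
        Holders = $holders -join ', '   # everyone holding this right
    }
}
Remove-Item $inf

# The service should log on as the same domain account.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '$ServiceLike'" |
    Select-Object DisplayName, StartName, State
```

Each of the three rows should show Granted as True, and StartName should show mydomain\cognos_process. The Holders column is worth reviewing, since any account listed there can act with the same elevated rights.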


Finally, in Cognos Configuration, replace all references to other Cognos servers with Fully Qualified Domain Names (FQDNs). This is not strictly necessary, but using FQDNs wherever possible might save you some headaches in the future. Also, in Cognos Configuration/Security/Active Directory, remove the advanced option ‘SingleSignonOption’ (if it is there). Removing it will default Cognos to use Kerberos. Again, hold off on rebooting or restarting services. We are just preparing everything at this stage.


OK, we have just set up our application servers! A few more things are left to get Kerberos rolling, but we are well on our way to setting up your Cognos and SSAS relationship!


Stay tuned!
M

2 comments:

Anonymous said...

So if I understand correctly... mydomain\cognos_process will be the profile that is authenticated to the MSAS cube. Therefore it is not possible to restrict data based on the Cognos User Profile as MSAS just sees the 1 user. Is this correct please?

Anonymous said...

mydomain\cognos_process is the account that will be passing the end-user credentials from the web server all the way to SSAS, hence this account needs extras from Local Security Policy on the servers.

The whole point of using Kerberos authentication is to be able to make SSAS aware which end-user is actually running a query. That said, you will not be able to pass a native Cognos group to the SSAS server and will have to use AD groups to manage user rights assignment.
