First of all, we should enable the Negotiate provider in IIS. These steps apply literally only to IIS 7, but the basic idea is the same in other versions.
Back up and edit the file %systemroot%\System32\inetsrv\config\applicationHost.config
Find the section for Windows authentication of your Cognos cgi-bin folder and replace the whole windowsAuthentication tag with the following:
    <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true">
        <providers>
            <add value="Negotiate" />
            <add value="NTLM" />
        </providers>
    </windowsAuthentication>
Save and close.
Remember, earlier we made the Cognos service run as the domain user mydomain\cognos_process? The same needs to be done for the web application so that it runs under the same trusted account. This is achieved by changing the user that runs the application pool for the Cognos cgi-bin folder.
Find the AppPool running the cgi-bin folder in IIS Manager, right-click it and select Advanced Settings. Set the identity to mydomain\cognos_process and click OK. We need to make sure that all the policies and settings for this account are synchronised to the web server, and the method that gives the most confidence is simply to log on to the server as mydomain\cognos_process via Remote Desktop Connection.
Finally, in Cognos configuration, change all server references to FQDNs so that they are the same as on the Application servers.
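As a check on the steps above, the following PowerShell (an added example, not part of the original post) parses applicationHost.config and reports deviations from the windowsAuthentication settings and app pool identity described here. The function name, the site path `Default Web Site/cognos/cgi-bin`, the pool name `CognosPool` and the sample XML are assumptions constructed for illustration.

```powershell
# Added example: audit applicationHost.config content; names and sample XML are constructed.
function Test-CognosNegotiateConfig {
    param(
        [Parameter(Mandatory)] [xml]    $Config,
        [Parameter(Mandatory)] [string] $LocationPath,
        [Parameter(Mandatory)] [string] $AppPoolName,
        [Parameter(Mandatory)] [string] $ExpectedIdentity
    )
    $findings = @()
    $authPath = "/configuration/location[@path='$LocationPath']" +
        "/system.webServer/security/authentication/windowsAuthentication"
    $auth = $Config.SelectSingleNode($authPath)
    if ($null -eq $auth) { return ,@("No windowsAuthentication element for '$LocationPath'") }
    foreach ($attr in 'enabled', 'useKernelMode', 'useAppPoolCredentials') {
        if ($auth.GetAttribute($attr) -ne 'true') { $findings += "$attr is not 'true'" }
    }
    # Provider order should match the page: Negotiate first, NTLM as fallback.
    $providers = @($auth.SelectNodes('providers/add') | ForEach-Object { $_.GetAttribute('value') })
    if ($providers.Count -eq 0 -or $providers[0] -ne 'Negotiate') {
        $findings += "Negotiate is not the first provider (found: $($providers -join ', '))"
    }
    # The app pool must run as the same domain account as the Cognos service.
    $poolPath = "/configuration/system.applicationHost/applicationPools" +
        "/add[@name='$AppPoolName']/processModel"
    $pm = $Config.SelectSingleNode($poolPath)
    if ($null -eq $pm -or $pm.GetAttribute('identityType') -ne 'SpecificUser' -or
        $pm.GetAttribute('userName') -ne $ExpectedIdentity) {
        $findings += "App pool '$AppPoolName' does not run as $ExpectedIdentity"
    }
    return ,$findings
}
# Constructed fragment with two deliberate deviations from the page's settings.
[xml]$sample = @'
<configuration>
  <system.applicationHost><applicationPools>
    <add name="CognosPool">
      <processModel identityType="SpecificUser" userName="mydomain\cognos_process" />
    </add>
  </applicationPools></system.applicationHost>
  <location path="Default Web Site/cognos/cgi-bin">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="false">
        <providers><add value="NTLM" /><add value="Negotiate" /></providers>
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@
Test-CognosNegotiateConfig -Config $sample -LocationPath 'Default Web Site/cognos/cgi-bin' -AppPoolName 'CognosPool' -ExpectedIdentity 'mydomain\cognos_process'
```

To audit a live server, load the file with `[xml](Get-Content "$env:SystemRoot\System32\inetsrv\config\applicationHost.config")` and pass the real site path and pool name. The function only inspects the matching location block, so settings inherited from the global section are not evaluated.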
Now the web server is configured and ready to use Kerberos as the authentication mechanism. In fact, at this stage Cognos will already authenticate using Kerberos. Very little left now! Next time we will look into the remaining details and make sure that all the servers are trusted to delegate the end-user credentials, so that they are passed through from the web server to the application servers and finally to the SSAS server.
M.