Enabling single signon to use Kerberos authentication with constrained delegation

To be able to use constrained delegation, you must define the service principal names (SPNs) for the users that are configured to run the IBM® Cognos® components and for your Microsoft Internet Information Services (IIS) web server's application pool in your Active Directory domain.

If you use Kerberos with constrained delegation, you must add an sAMAccountName user for Content Manager when you configure your gateway. All active and standby Content Managers must be configured to run under the same account.

If you are configuring single signon to your database servers, you must configure the sAMAccountName for the user who runs the Application Tier Components when you add the Active Directory namespace. All Application Tier Components must be configured to run under the same account.

The accounts that carry these SPNs are the users that you enter in the sAMAccountName fields in IBM Cognos Configuration.

For example, assume that you have one user who runs the Content Manager component, another who runs the Application Tier Components, and another who runs your web server's application pool. The Content Manager user is CognosCMUser. The Application Tier Components user is CognosATCUser. The application pool user is IISUser. Each user is in the MyDomain domain.

  1. You must set up IIS so that MyDomain\IISUser is the application pool identity.

  2. Run the setspn command for the computer where IIS is running.

    For example:

    setspn -A http/IISServerName MyDomain\IISUser
    setspn -A http/IISServerName.MyDomain.com MyDomain\IISUser
  3. Run the setspn command for your IBM Cognos users.

    For example:

    setspn -A ibmcognosba/CognosCMUser MyDomain\CognosCMUser
    setspn -A ibmcognosba/CognosATCUser MyDomain\CognosATCUser

    In these commands, you must use ibmcognosba as shown in the examples. The user names and domains must match your environment.

    Note: In this example, the sAMAccountName users you must enter are CognosCMUser and CognosATCUser.
  4. If you are configuring single signon to your Microsoft SQL Server or Microsoft SQL Server Analysis Services database server, you must set up the SPN for the database server. For more information, see your database server documentation.

  5. Finally, you must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation. Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.

    Then add the required SPNs. For example, add ibmcognosba as a service type, and add DomainController1 and DomainController2 with the service type ldap.

    If you are configuring single signon for the data source, also add the MSSQLSvc service of the database server.
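    The SPN registration from steps 2 and 3 and the delegation settings from step 5, as an added PowerShell example that is not part of the IBM Cognos documentation. It assumes the ActiveDirectory module and setspn are available on a domain-joined administration workstation, uses the page's sample names (MyDomain, MyDomain.com, IISServerName, IISUser, CognosCMUser, CognosATCUser, DomainController1 and DomainController2) as placeholders for your own values, and adds a duplicate-SPN check before registering, because an SPN that is mapped to two accounts breaks Kerberos authentication for that service. Step 1 (the application pool identity) and step 4 (the database server's own SPN) are left to the reader.

```powershell
# Added example, not from the IBM Cognos documentation. Registers the SPNs from
# the walkthrough, refuses to create duplicates, and configures constrained
# delegation on the three accounts. All names below are the page's sample values.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$Domain    = 'MyDomain'
$DnsSuffix = 'MyDomain.com'
$IisHost   = 'IISServerName'

# Account -> SPNs to register (steps 2 and 3 of the walkthrough).
$SpnMap = @{
    'IISUser'       = @("http/$IisHost", "http/$IisHost.$DnsSuffix")
    'CognosCMUser'  = @('ibmcognosba/CognosCMUser')
    'CognosATCUser' = @('ibmcognosba/CognosATCUser')
}

# Services each account is allowed to delegate to (step 5): the Cognos
# ibmcognosba SPNs plus ldap on the domain controllers. DomainController1/2 are
# the page's placeholders. If you also configure single signon to the data
# source, add the database server's MSSQLSvc SPN here, for example
# 'MSSQLSvc/<sql-host>.MyDomain.com:1433' (placeholder host).
$DelegateTo = @(
    'ibmcognosba/CognosCMUser',
    'ibmcognosba/CognosATCUser',
    'ldap/DomainController1',
    'ldap/DomainController2'
)

# $false = "Use Kerberos only" (plain constrained delegation).
# $true  = "Use any authentication protocol", needed only for the S4U variant.
$UseProtocolTransition = $false

foreach ($account in $SpnMap.Keys) {
    foreach ($spn in $SpnMap[$account]) {
        # An SPN must resolve to exactly one account in the forest; if it is
        # already registered elsewhere, stop instead of creating a duplicate.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        $foreign = $owners | Where-Object { $_.sAMAccountName -ne $account }
        if ($foreign) {
            throw "SPN $spn is already registered to $($foreign.sAMAccountName -join ', ')"
        }
        if ($owners.Count -eq 0) {
            & setspn -A $spn "$Domain\$account"
        }
    }
}

foreach ($account in $SpnMap.Keys) {
    # "Trust this user for delegation to specified services only":
    # the allowed target list lives in msDS-AllowedToDelegateTo.
    Set-ADUser -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = $DelegateTo }
    # Unconstrained delegation stays off; constrained delegation replaces it.
    Set-ADAccountControl -Identity $account -TrustedForDelegation $false
    # "Use any authentication protocol" versus "Use Kerberos only".
    Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $UseProtocolTransition
}

# Review the result: SPNs and delegation settings for each account.
$SpnMap.Keys | ForEach-Object {
    Get-ADUser -Identity $_ -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation
} | Select-Object sAMAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'SPNs';                e = { $_.servicePrincipalName -join ', ' } },
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-List
```

    Run it once per environment as a domain administrator, then keep the final listing with your change record: the allowed-target list and the two delegation flags are what an auditor checks to confirm the accounts are limited to the Cognos, LDAP and (optionally) SQL Server services named on this page. Leave $UseProtocolTransition at $false unless you are deploying the S4U variant described in step 5, since protocol transition lets the account obtain tickets for users who never authenticated to it with Kerberos.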

Procedure

  1. On the computer where you installed Content Manager, open IBM Cognos Configuration.
  2. In the Explorer window, under Security > Authentication, select the Active Directory namespace.
  3. Click in the Value column for Advanced properties and then click the edit icon.
  4. In the Value - Advanced properties dialog box, click Add.
  5. In the Name column, type singleSignonOption.
  6. In the Value column, enter one of the following values:
    • Enter KerberosS4UAuthentication if you want to use Kerberos authentication first. If Kerberos fails, Service For User (S4U) authentication is attempted. If S4U fails, the user is prompted for credentials.
    • Enter S4UAuthentication if you want to use S4U authentication first. If S4U fails, the user is prompted for credentials.
  7. In the Value - Advanced properties dialog box, click Add.
  8. In the Name column, type trustedCredentialType.
  9. In the Value column, enter one of the following values:
    • Enter CredentialForTC if you want to save the user's credentials as a trusted credential. For example, if you want to use the credentials to run scheduled jobs.
    • Enter S4UForTC if you want to save only the authenticated user name as a trusted credential. The user name is saved in UPN format, and scheduled jobs can be run with the UPN without requiring the user's password.
  10. Click OK.
  11. Click in the Value column for Application Tier Components sAMAccountName, and enter the sAMAccountName of the user who runs the Application Tier Components.
    Important: This value is required only if you are configuring single signon to your Microsoft SQL Server. If you are not configuring single signon to the database server, do not change this value.
  12. Click File > Save.
  13. Restart the IBM Cognos service.
  14. On the computer where you installed the Gateway components, open IBM Cognos Configuration.
  15. In the Explorer window, click Environment.
  16. Click in the Value column for Content Manager sAMAccountName, and enter the sAMAccountName of the user who runs Content Manager.
  17. Click File > Save.