Troubleshooting
Problem
User launches Controller classic client. User launches any JAVA-based menu item, for example:
- "Group - Command Center"
- "Maintain - Sytem Audit Log - Configuration"
An error appears.
Symptom
The exact error will vary, for example:
However it will include the following phrase:
Caused by: com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 401: Unauthorized
Cause
There are several known causes for similar errors.
- TIP: See separate IBM Technote #1107495 for more examples.
This Technote specifically relates to the scenario where the cause is a limitation (reference APAR PH19793) in some later versions of Controller.
More Information:
The limitation was introduced as part of the security updates (reference APAR IJ13344) to the JAVA run-time inside the Controller client. Specifically:
- The security updates introduced in October 2019 (to fix CVE-2019-2426) meant that IBM JAVA was upgraded (to a version 8.0.5.30, or later)
- This contained a third-party (Oracle) change to fix a security problem with NTLM authentication.
Environment
The Controller website has been customised (non-default settings) to use Windows authentication.
- Specifically, the website is using NTLM authentication. [This is typically only done to enable Single Sign On (SSO)].
The problem affects the following versions of Controller:
- Controller 10.3.0 FP1 IF13 (and later patches)
- Controller 10.3.1 IF12(and later patches)
- Controller 10.4.0 IF4 (and later patches)
- Controller 10.4.1 IF1 (and later patches)
- Controller 10.4.2 (and later versions)
For example, in one real-life case the problem occurred immediately after the customer upgraded from Controller 10.3.1 IF8 to IF12.
Resolving The Problem
Fix:
Reconfigure the relevant JAVA (JRE) portion of the Controller client, so that it trusts Internet Explorer 'trusted zone' servers.
- Then make sure that the Controller application server is in the IE trusted zone.
Steps:
Perform the following on each-and-every client device:
1. Browse to the following folder: ...\jre\lib
- TIP: By default this is here: C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\jre\lib
2. As a precaution, create a backup copy of the file: net.properties
3. Edit the following file (for example in Notepad): net.properties
4. Scroll down to the very end, where you should see the default settings: jdk.http.ntlm.transparentAuth=disabled
For example:
5. Modify its value to be: jdk.http.ntlm.transparentAuth=trustedHosts
6. Save changes
7. Browse to the following folder: ...\Integration\configuration
- TIP: By default this is here: C:\Program Files\IBM\IBM Cognos Controller Local Client\Integration\configuration
8. As a precaution, create a backup copy of the file: config.ini
9. Edit the following file (for example in Notepad): config.ini
10. Add the following line: jdk.http.ntlm.transparentAuth=trustedHosts
- TIP: This should go near the top, in the following place:
11. Save changes
12. Make sure that the Controller application server is added to Internet Explorer's 'Trusted' zone.
- TIP: For instructions, see separate IBM Technote #280411.
13. Test.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Workaround:
There are several possible workarounds:
Method #1 (easiest):
Reconfigure the Controller-related IIS portion to use anonymous authentication.
- However, leave the Cognos Analytics (CA) IIS portion to still use Windows authentication.
Steps:
1. Logon to the Controller application server
2. Launch Internet Information Services (IIS) Manager
3. Expand 'Default Website' until (eventually) you can highlight: controllerserver
4. On the right-hand side, double-click on 'Authentication':
5. Enable "Anonymous Authentication"
6. Disable "Windows Authentication":
7. Test.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Method #2:
Reconfigure the relevant JAVA (JRE) portion of the Controller client, so that it trusts ALL servers (for NTLM).
Steps:
Perform similar steps to those described inside 'Fix' section (above), but:
(a) Inside 'net.properties' change 'jdk.http.ntlm.transparentAuth' to be: allHosts
(b) Inside 'config.ini' change 'jdk.http.ntlm.transparentAuth' to be: allHosts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Related Information
Document Location
Worldwide
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.3.1;10.4.0;10.4.1;10.4.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]
Was this topic helpful?
Document Information
Modified date:
07 February 2020
UID
ibm11119885