IBM Support

** Troubleshooting ** "Invalid login response" error when launching Cognos Analytics (bundled with Cognos Controller)

Troubleshooting


Problem

Cognos Controller 10.3.1 (and later) comes bundled with Cognos Analytics (CA). CA can be used to provide Cognos (CAM) authentication. Customer has decided to deploy Controller via CAM authentication. In addition, they would like to configure CAM to use Single Sign On (SSO). - In other words, the user does not have to type their username and password (instead, their Windows user/password gets automatically passed onto the Cognos CAM authentication mechanism). They have therefore tried to configure SSO as described inside separate Technote #2002465. - In other words, they have created a Windows IIS website (called 'ibmcognos') and configured many settings (inside IIS) to convert it into an SSO mechanism for CA. Afterwards, user launches the Cognos Connection website (for CA). - Specifically they launch http:///ibmcognos/bi An error appears.

Symptom


Invalid login response

Cause

Incorrect configuration of either:

  • IIS (web server) configuration
  • Cognos Configuration

Scenarios
There are many different potential misconfigurations that can cause the problem. Below are a list of scenarios that have been seen.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMPORTANT: SSO is highly customisable. Not all environments will be identical. Therefore, take care before making any changes listed below. It may be that the specified change is not applicable to your environment.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • Scenario #1 - The SSO Rules "SSO Login" and "Legacy SSO" are enabled (inside IIS configuration here: Default Website-->Alias-->bi-->URL Rewrite)
    • This is not correct if the Content Manager has "Use External Identity" set to False
    • TIP: For more details, see separate IBM Technote #2015402.
  • Scenario #2 - The settings “Anonymous Authentication” and "Windows Authentication" are incorrect for the IIS websites 'bi' and 'sso'
    • TIP: For more details, see separate IBM Technote #2014747.
  • Scenario #3 - The rewrite rules were configured for an incorrect application name
    • TIP: For more details, see separate IBM Technote #2012485.
  • Scenario #4 - 'web.config' file is overriding the correct IIS settings
    • TIP: For more details, see separate IBM Technote #2013573 (plus also 2009885).
  • Scenario #5 - Incorrect settings inside 'Cognos Configuration'
    • TIP: For more details, see separate IBM Technote #2013566
  • Scenario #6 - Incorrect value for 'Response' (inside "system.webServer" - "httpErrors")
    • TIP: For more details, see separate IBM Technote #2004766
  • Scenario #7 - Miscellaneous incorrect settings
    • TIP: For more details, see separate IBM Technote #2008522

Resolving The Problem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
IMPORTANT: SSO is highly customisable. Not all environments will be identical. Therefore, take care before making any changes listed below.

  • It may be that the specified change (listed below) is not applicable to your environment.

Also, as a precaution, please take appropriate steps before making any changes.
  • For example, take a complete VMWare/ESX image backup of your virtual server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scenario #1
In one real-life case, the solution was to disable the rules "SSO Login" and "Legacy SSO".
  • TIP: For more details, see separate IBM Technote #2015402.

Scenario #2
Modify the authentication settings for the IIS websites 'bi' and 'sso'.
  • TIP: For more details, see separate IBM Technote #2014747.

In one real-life case, the correct settings were:
    *bi*
    • Anonymous Authentication = “Enabled”.
    • Windows Authentication = “Disabled”.

    *sso*
    • Anonymous Authentication = “Disabled”.
    • Windows Authentication = “Enabled”.

Scenario #3
Modify the URL rewrite rules, so that they refer to the correct application name..
  • TIP: For more details, see separate IBM Technote #2012485.

Scenario #4
Delete the relevant 'web.config' files (for example from "webcontent", "webcontent\bi" and "cgi-bin" directories). Afterwards, re-run the SSO configuration changes.
  • TIP: For more details, see separate IBM Technote #2013573 (plus also 2009885).

Scenario #5
Modify the settings inside 'Cognos Configuration' to be correct.
  • TIP: For more details, see separate IBM Technote #2013566

Scenario #6
Modify the value for 'Response' (inside "system.webServer" - "httpErrors") to be 'Pass Through'
  • TIP: For more details, see separate IBM Technote #2004766

Scenario #7
Check/change various miscellaneous settings.
  • TIP: For more details, see separate IBM Technote #2008522


Workaround
Launch the CA website via the dispatcher URL (instead of IIS).

[{"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Controller","Platform":[{"code":"PF033","label":"Windows"}],"Version":"10.3.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
15 June 2018

UID

swg22015991

Page Feedback