IBM Support

"Not authorized" when logging on to Controller Web

Troubleshooting


Problem

User launches Controller Web website. User chooses database, and types in username/password.
An error appears.

Symptom

Not authorized

Cause

There are several known causes for this error:
   
Scenario #1 - Limitation of some older versions of Controller, when using some unsupported characters in the password
  • For example this has been seen with Controller 10.4.1
  • TIP: The log file (com.ibm.cognos.fcm.log) will typically contain the entry "BadCredentialsException"
    
Scenario #2 - The Controller Web system is in an invalid state, and needs restarting
  • TIP: For more details, see separate IBM Technote #885182
Scenario #3 - All of the following are true:
(a) The Microsoft SQL server has been configured so that the 'SQL Server Network Configuration' setting 'Force Encryption' is set to 'Yes'
(b) The Microsoft SQL client (installed on the Controller application server) has been configured so that the 'SQL Native Client Configuration' (64-bit, not 32-bit) setting 'Force Encryption' is set to 'Yes'
(c) The Controller application server does not trust the certificate that the Microsoft SQL server is using for encryption.
  • TIP: For more details, see separate IBM Technote #6115828.
  
Scenario #4 - Both of the following are true:
(a) The database server has been configured to reject all communication unless it is TLS 1.2
(b) Controller Web is not configured to use TLS 1.2, because of missing encryption/TLS/SSL configuration options in the file:  jvm.options 
  • TIP: For more details, see separate IBM Technote #6117838
  
Scenario #5 - The Controller application server's settings (for example database connections) have recently changed, so that they need to be updated by running 'SyncDBConf.bat'
  • TIP: For more details, see separate IBM Technote #6155529
Scenario #6 - Corrupt username (inside table XUSER)
  • TIP: For more details, see separate IBM Technote #6262335
Scenario #7 - User has typed in the wrong password
  • For example, when using Native security the end user has accidentally typed in their Windows password instead
  • TIP: The log file (com.ibm.cognos.fcm.log) will typically contain the entry "BadCredentialsException"

Diagnosing The Problem

Open the log file "com.ibm.cognos.fcm.log".
  • TIP: By default, this is located here: C:\Program Files\IBM\cognos\ccr_64\fcmweb\wlp\usr\servers\fcm.web\logs
  
Scenario #1
In this scenario, the log file contained the following:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-02-03 15:01:03 | <?>@<?> | INFO | [com.ibm.cognos.fcm.wmc.ccrws.DefaultCcrClient] [CCR-WS] Called CCR endpoint: LoginEndpoint [Security_LogInWeb]: 59 055 ms
2020-02-03 15:01:03 | <?>@<?> | INFO | [com.ibm.cognos.fcm.wmc.ccrws.DefaultCcrClient] [CCR-WS] Successfully logged in ADM@localhost\Blank (session id: C45620CB0FB64D1BB20F903349BA44EF).
2020-02-03 15:01:03 | <?>@<?> | INFO | [com.ibm.cognos.fcm.web.ui.infrastructure.auth.ccrnative.CustomAuthenticationProvider] Authenticated adm@Blank (session id: pP22oy1QYOLVsTqmG2lqShE): 72 595 ms
2020-02-03 15:01:11 | ADM@Blank | INFO | [com.ibm.cognos.fcm.web.ui.secure.WorkspaceController] /fcm.web/api/commonworkspace/entities: 2 186 ms
2020-02-03 15:01:11 | ADM@Blank | INFO | [com.ibm.cognos.fcm.web.ui.secure.WorkspaceController] /fcm.web/api/commonworkspace/entities: 2 221 ms
2020-02-03 15:03:17 | <?>@<?> | INFO | [com.ibm.cognos.fcm.web.ui.LoginController] Set session environment: prod (3 settings)
2020-02-03 15:03:18 | <?>@<?> | INFO | [com.ibm.cognos.fcm.wmc.repository.CacheValidator] Blank: validateSharedCache (2 entity versions updated): 345 ms
2020-02-03 15:03:18 | <?>@<?> | INFO | [com.ibm.cognos.fcm.web.ui.infrastructure.auth.ccrnative.CustomAuthenticationProvider] Authentication rejected: 'adm' (org.springframework.security.authentication.BadCredentialsException: Invalid authentication credentials.)
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
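
The log check described above can be scripted. The following Python example is added here and is not part of IBM's technote; it parses the pipe-delimited layout shown in the excerpt and lists users whose logon was rejected with BadCredentialsException. The function names and the sample lines (including the placeholder session id) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Layout seen in the excerpt: timestamp | user@database | level | [logger] message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<ctx>[^|]*) \| "
    r"(?P<level>\w+) \| \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
REJECTED_RE = re.compile(
    r"Authentication rejected: '(?P<user>[^']*)' \((?P<exc>[\w.$]+): (?P<detail>.*)\)$")
ACCEPTED_RE = re.compile(r"Authenticated (?P<user>[^@\s]+)@(?P<db>\S+) \(session id: ")

# Constructed sample modelled on the excerpt; the session id is a placeholder.
AUTH = "com.ibm.cognos.fcm.web.ui.infrastructure.auth.ccrnative.CustomAuthenticationProvider"
SAMPLE_LOG = [
    f"2020-02-03 15:01:03 | <?>@<?> | INFO | [{AUTH}] Authenticated adm@Blank "
    "(session id: PLACEHOLDER): 72 595 ms",
    "2020-02-03 15:01:11 | ADM@Blank | INFO | [com.ibm.cognos.fcm.web.ui.secure."
    "WorkspaceController] /fcm.web/api/commonworkspace/entities: 2 186 ms",
    f"2020-02-03 15:03:18 | <?>@<?> | INFO | [{AUTH}] Authentication rejected: 'adm' "
    "(org.springframework.security.authentication.BadCredentialsException: "
    "Invalid authentication credentials.)",
]

def summarize_auth(lines):
    """Map lower-cased user -> accepted timestamps and (timestamp, exception) rejections."""
    result = defaultdict(lambda: {"accepted": [], "rejected": []})
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not m["logger"].endswith("CustomAuthenticationProvider"):
            continue  # not an authentication event, or not in the expected layout
        rej = REJECTED_RE.search(m["msg"])
        acc = ACCEPTED_RE.search(m["msg"])
        if rej:
            short = rej["exc"].rsplit(".", 1)[-1]  # drop the Java package prefix
            result[rej["user"].lower()]["rejected"].append((m["ts"], short))
        elif acc:
            result[acc["user"].lower()]["accepted"].append(m["ts"])
    return dict(result)

def bad_credential_users(summary):
    """Users with a BadCredentialsException rejection (candidates for Scenario #1 or #7)."""
    return sorted(user for user, events in summary.items()
                  if any(exc == "BadCredentialsException" for _, exc in events["rejected"]))

if __name__ == "__main__":
    summary = summarize_auth(SAMPLE_LOG)
    for user in bad_credential_users(summary):
        print(user, summary[user])
```

To run it against a real server, pass the lines of com.ibm.cognos.fcm.log to summarize_auth() instead of SAMPLE_LOG. A user who appears with both an accepted and a later rejected timestamp, as in the excerpt, points at the typed password rather than at the account itself.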

Resolving The Problem

Scenario #1
  
  • Fix: Upgrade to Controller 10.4.2 (or later)
   
  • Workaround: Modify the end user's password so that it does not contain any unsupported character.
    • Example: Remove any of the following characters: £
Scenario #2
Reboot the Controller application server.
  • TIP: For more details, see separate IBM Technote #885182
Scenario #3
Install the relevant TLS (or SSL) certificate (used by the SQL server) on the Controller application server.
  • TIP: For more information, see separate IBM Technote #6113944.
Scenario #4
Force Controller to connect to the database using TLS 1.2, by adding some parameters to the configuration file:  jvm.options 
  • TIP: For more information, see separate IBM Technote #6117838.
Scenario #5
Run the command:   SyncDBConf.bat
  • TIP: For more information, see separate IBM Technote #6155529.
Scenario #6
Remove the corruption (for example extra spaces) from the 'bad' user's 'userid' (inside table XUSER)
  • TIP: For more information, see separate IBM Technote #6262335.
     
Scenario #7
Ensure the user has typed in the correct password.
  • For example, if using Controller 'native' authentication, then type in a 'native' username/password (not Windows username/password)

Document Location

Worldwide


Document Information

Modified date:
10 September 2020

UID

ibm11288582