Troubleshooting
Problem
User launches Controller client. User chooses database. User receives a 'Windows Security' message.
Symptom
Windows Security
I want to complete this action by entering my credentials on the authentic Windows logon screen
I don't want to complete this action
If the end user clicks 'I want to complete this action by entering my credentials...' then they will then receive a message similar to this:
Press 'CTRL - ALT - DEL' and enter your Windows credentials.
[TIP: If working inside a remote session, type 'CTRL - ALT - END' instead].
Cause
Both of the following are true:
(1) The Controller website has been configured to use Windows authentication (not 'anonymous')
- This means that all users are required to logon (to the IIS website) using their Windows username/password
(2) The client device is been configured to have the following Microsoft Windows policy enabled:
- Computer Configuration –> Administrative Templates –> Windows Components –> Credential User Interface –> Require trusted path for credential entry
More Information
There are several possible methods to cause the client device to have 'Require trusted path for credential entry' enabled:
- Scenario #1 (most likely): Microsoft Windows Active Directory Group Policy Object ('GPO') has been applied to the PC (or the end user) which has this option enabled
- Scenario #2: (less likely): There is a local policy (acting directly on the client device only)
The following printscreen shows Scenario #2, where the client device has a 'local' policy applied:
=> Ask your I.T. department's security policy administrator for assistance in locating the reason why this has been enabled.
Environment
At least one of the sites 'Default Web Site', 'ibmcognos' or 'cgi-bin' have 'Windows Authentication' enabled.
- For example:
Diagnosing The Problem
To prove that the message is coming from the website's authentication settings, perform the following:
1. Launch Cognos Connection (for example: https://myserver.company.com/ibmcognos)
- Notice how the same message appears:
2. Click "I want to complete this action..."
- Notice how a logon screen appears, relating to logging onto Internet Explorer (iexplore.exe) with a Windows user:
=> Clearly the root cause is that the website is prompting the user to logon (using a Windows user), and the security policy is forcing the user to press 'CTRL - ALT - DEL' before it will allow users to type in Windows usernames/passwords.
Resolving The Problem
Either:
(1) Modify your Controller IIS website to use anonymous authentication (so that users are not prompted to put their Windows username/password when they launch Controller)
or (2) Disable the setting 'Computer Configuration –> Administrative Templates –> Windows Components –> Credential User Interface –> Require trusted path for credential entry'.
- In other words, modify it from 'Enabled' to 'Not Configured'.
- TIP: Ask your I.T. department's security policy administrator for assistance in locating where to change this setting.
Steps:
(1) To modify your Controller website to use anonymous authentication:
1. Logon to the Controller application server
2. Launch 'Internet Information Services (IIS) Manager'
3. Expand 'Sites' and highlight 'Default Web Site'
4. Double-click on 'Authentication'
5. Right-click on 'Windows Authentication' and choose 'Disable'
6. Right-click on 'Anonymous Authentication' and choose 'Enable'
7. Expand 'Default web site' and highlight 'ibmcognos'
8. Repeat steps 4, 5 and 6
9. Expand 'ibmcognos' and highlight 'cgi-bin'
10. Repeat steps 4, 5 and 6
11. Test.
(2) To Disable 'Require trusted path for credential entry'.
Ask your I.T. department's security administrator to modify their security policy.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21987452