cubewise-code / tm1py

TM1py is a Python package that wraps the TM1 REST API in a simple to use library.
http://tm1py.readthedocs.io/en/latest/
MIT License

Cannot connect to TM1 with Integrated mode=5 with SSO #509

Closed aagrawal12 closed 2 years ago

aagrawal12 commented 3 years ago

I am trying to connect to TM1. It works when I have integrated mode=1.

But when I am trying with mode 5 it says:

```
line 15, in __init__
    self._tm1_rest = RestService(**kwargs)
line 185, in __init__
    self._start_session(
line 335, in _start_session
    token = self._build_authorization_token(
line 447, in _build_authorization_token
    return RestService._build_authorization_token_cam(user, password, namespace, gateway, verify)
line 468, in _build_authorization_token_cam
    raise RuntimeError(
RuntimeError: Failed to authenticate through CAM. HTTP response does not contain 'cam_passport' cookie
```

MariusWirtz commented 3 years ago

Are you trying to use TM1py with CAM SSO?

If yes, does SSO work in your environment for other TM1 clients like TM1web or Architect/Perspectives?

aagrawal12 commented 3 years ago

Thanks for responding. Yes SSO works in TM1 web and Architect/Perspective

scrumthing commented 3 years ago

Some sample code would help.

aagrawal12 commented 3 years ago

```python
from TM1py.Services import TM1Service

tm1 = TM1Service(address='AdminHost', port=12354, namespace='OKTA', gateway='ClientCAMURI', ssl='False')

server_name = tm1.server.get_server_name()

print("Connection to TM1 established!! your Servername is: {}".format(server_name))
```

harveyca307 commented 3 years ago

Look at: https://code.cubewise.com/tm1py-help-content/category/Configuration

It gives examples for how to connect. Your TM1Service call does not look right

MariusWirtz commented 3 years ago

@aagrawal12 be careful, the namespace is case sensitive.

aagrawal12 commented 3 years ago

@MariusWirtz Yes, I am aware and have it in the exact format in which it is defined. Still no luck.

MariusWirtz commented 3 years ago

@aagrawal12, We have an open discussion about (potential) issues with CAM SSO.

Can you please try to follow the steps discussed here: https://github.com/cubewise-code/tm1py/issues/399#issuecomment-729668567

The MR has been merged in the meantime, so you just need to upgrade to the current master on GitHub:

```
pip install https://github.com/brandond/requests-negotiate-sspi/archive/master.zip --upgrade
```

aagrawal12 commented 3 years ago

Still no luck. Still getting the error: RuntimeError: Failed to authenticate through CAM. HTTP response does not contain 'cam_passport' cookie

MariusWirtz commented 3 years ago

Hi @aagrawal12,

could you please try if the below workaround proposed by @ChristianThieme works for you? https://github.com/cubewise-code/tm1py/issues/124#issuecomment-491852908

aagrawal12 commented 3 years ago

Hi @MariusWirtz, I tried the workaround but I am still getting the same error.

Thanks, and I appreciate you replying back. I will keep exploring and look forward to any other workaround you have to offer.

rkvinoth commented 3 years ago

@aagrawal12

  1. Does it automatically log you in when you look up the CLIENTCAMURI in your browser?
  2. Should SSL be False in your case?
  3. What all cookies do you get when you run the following code?
```python
from requests_negotiate_sspi import HttpNegotiateAuth
import requests

gateway="CLIENTCAMURI"
response = requests.get(gateway, auth=HttpNegotiateAuth(), verify=False, params={"CAMNamespace": "NAMESPACE"})

print([cookie.name for cookie in response.cookies])
```

aagrawal12 commented 3 years ago

@rkvinoth

My answers below:

  1. Does it automatically log you in when you look up the CLIENTCAMURI in your browser? Yes
  2. Should SSL be False in your case? Yes, SSL is false. I checked in Configurations and we don't have it enabled.
  3. What all cookies do you get when you run the following code? These are the cookies I got: ['XSRF-TOKEN', 'CRN']

Thanks for looking into this and any help would be appreciated. I am out of ideas and can't get it to resolve.

rkvinoth commented 3 years ago

This is what I get: ['XSRF-TOKEN', 'cam_passport', 'usersessionid', 'CRN', 'cc_session', 'cea-ssa', 'userCapabilities', 'userCapabilitiesEx']

You should talk to your Admin team and setup Cognos Analytics properly (not an expert here). If they don't know about it or if you don't have an Admin team, setup some time with IBM.

meyersrl commented 3 years ago

> This is what I get: ['XSRF-TOKEN', 'cam_passport', 'usersessionid', 'CRN', 'cc_session', 'cea-ssa', 'userCapabilities', 'userCapabilitiesEx']
>
> You should talk to your Admin team and setup Cognos Analytics properly (not an expert here). If they don't know about it or if you don't have an Admin team, setup some time with IBM.

While I eventually get this response when hitting the CA portal, during my testing the first response only includes the XSRF-Token. There are many other calls back to the Cognos dispatcher before I get a response that includes all of the cookies, including the necessary cam_passport cookie.

It seems like due to having SSO enabled the first call is rejected and the response comes back with 3 authentication headers.

```
WWW-Authenticate Header is present: Negotiate
WWW-Authenticate Header is present: NTLM
WWW-Authenticate Header is present: Basic realm="CA Server"
```

A new call is generated with the first header "Negotiate" and a new response is generated with the correct cookies.

As for TM1Py

The first request shows it doesn't contain a WWW-Authenticate header. So it then receives a response from CA with the 3 WWW-Authenticate headers that are possible.

Another request is made with the WWW-Authenticate: Negotiate header which shows a 200 response. However it does not contain the cam_passport and therefore TM1Py is showing no cam_passport cookie error.

I'm not sure why there seems to be another call and response when hitting the CA Portal which does contain the cam_passport vs TM1Py which seems to stop after the first response that only contains the XSRF-Token.

meyersrl commented 3 years ago

Ryan Clapp has a post on the IBM Community site that I think represents the problem for TM1Py trying to use SSO with CAM for login.

In short, CA is responding with a redirect rather than the cam_passport in the first request.

https://community.ibm.com/community/user/businessanalytics/communities/community-home/digestviewer/viewthread?GroupId=3061&MessageKey=83050261-51fe-459e-b771-7884ede80804&CommunityKey=6b10df83-0b3c-4f92-8b1f-1fd80d0e7e58&tab=digestviewer
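The hop-by-hop comparison described in the comments above (which response offers which `WWW-Authenticate` schemes, and which one sets `cam_passport`) can be automated over a recorded trace. This is an added example, not code from the thread or from TM1py; the traces, the `diagnose` function and the verdict strings are constructed for illustration.

```python
# Added diagnostic sketch; the traces are constructed sample data, not captures.
# Each hop is (status, [(header_name, header_value), ...]) in the order received.
CHALLENGE = (401, [("WWW-Authenticate", "Negotiate"),
                   ("WWW-Authenticate", "NTLM"),
                   ("WWW-Authenticate", 'Basic realm="CA Server"'),
                   ("Set-Cookie", "XSRF-TOKEN=constructed; Path=/")])
FAILING_TRACE = [CHALLENGE, (200, [("Set-Cookie", "CRN=constructed; Path=/")])]
WORKING_TRACE = [CHALLENGE, (200, [
    ("Set-Cookie", "cam_passport=constructed; Path=/; HttpOnly"),
    ("Set-Cookie", "usersessionid=constructed; Path=/"),
    ("Set-Cookie", "CRN=constructed; Path=/")])]
REDIRECT_TRACE = [CHALLENGE, (302, [("Location", "/constructed/next-hop")])]


def header_values(headers, wanted):
    """Return all values of one header, matching the name case-insensitively."""
    return [v for k, v in headers if k.lower() == wanted.lower()]


def diagnose(trace):
    """Summarise which hop offered which auth schemes and set which cookies."""
    offered, cookies_per_hop, passport_hop = [], [], None
    for index, (status, headers) in enumerate(trace):
        if status == 401:
            offered += [v.split()[0]
                        for v in header_values(headers, "WWW-Authenticate") if v.strip()]
        names = [v.split("=", 1)[0].strip()
                 for v in header_values(headers, "Set-Cookie")]
        cookies_per_hop.append(names)
        if passport_hop is None and "cam_passport" in names:
            passport_hop = index
    final_status = trace[-1][0]
    if passport_hop is not None:
        verdict = "cam_passport issued"
    elif 300 <= final_status < 400:
        verdict = "chain ends in a redirect that was not followed"
    elif final_status == 200:
        verdict = "authenticated response without cam_passport"
    else:
        verdict = "authentication not completed"
    return {"offered": offered, "cookies": cookies_per_hop,
            "passport_hop": passport_hop, "verdict": verdict}


if __name__ == "__main__":
    for label, trace in [("failing", FAILING_TRACE), ("working", WORKING_TRACE),
                         ("redirect", REDIRECT_TRACE)]:
        print(label, diagnose(trace))
```

Running the same function over traces from two environments shows at which hop they diverge, which narrows the search to the gateway or dispatcher setting that differs.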

meyersrl commented 3 years ago

I have been working a bit more at this and for some reason our PROD environment/network will allow for CAM Mode 5 Authentication with TM1Py. However, our DEV environment/network won't. What's strange is that all components are the same version, and both environments use the same connection to our PROD Active Directory through the same version of Cognos Analytics. On top of that, SSO seems to work just fine in our DEV environment as we don't get prompted for login. At this point it looks more like a network or settings issue on our side vs TM1py.

paulsimongb commented 3 years ago

Hi,

I think we have the same issue. I used the vanilla tm1py check.py and I am also getting the error:

Failed to authenticate through CAM. HTTP response does not contain 'cam_passport' cookie

We recently upgraded to CA 11.1.7 FP2 IF005 (Ryan Clapp seemed to be getting this on 11.1.5)

Curiously some JavaScript code I have is connecting OK. This is just using an ODATA Query of ActiveSession with Authorization Headers of

```javascript
headers: {
    'Content-Type': 'application/json; odata.streaming=true; charset=utf-8',
    'Accept': 'application/json;charset=utf-8;odata.metadata=none,text/plain',
    'Authorization': body.LoginDetails
}
```

The login details are just CAMNamespace User:Pwd:OurCAM

The URL is https://OurHost:OurHTTPPort/api/v1

This is working without the need to provide the ClientCAMURI, and it is returning a Session Id and Cookie.

It seems that the issue may be something to do with CAM redirection?

Regards

Paul Simon

rclapp commented 3 years ago

Yes, this had to do something with our gateway configuration, but I don’t recall what we changed.

meyersrl commented 3 years ago

I'm noticing a slight difference in Fiddler between logging in to TM1Web in our DEV vs PROD environment. In DEV there is an extra call with the negotiate authentication header. In PROD it seems as if it attempts NTLM first and doesn't use negotiate. I checked IIS and negotiate is disabled for both. I'll keep looking to see if the gateways are somehow different.

MariusWirtz commented 2 years ago

@meyersrl can you confirm that the issue persists after you made the following change to the Cognos configuration:

RobbyMeyers commented 1 year ago

Hi Marius, I can confirm that setting Allow Anonymous Access to True and restarting the dispatcher worked. Is there any fix for this? Unfortunately setting Anonymous to True in some cases allows users to login to TM1 as Anonymous which is not what we want.

RobbyMeyers commented 1 year ago

Is there any way to make this work without having to allow anonymous on the gateway?