Planning Analytics 2.0.8
Microsoft Windows 2016 server
What are the requirements for the Windows service account that runs the TM1 servers?
Solution (from IBM web):
User accounts for running TM1 services on Windows
The account must have the following privileges on the local computer:
Act as part of the operating system
Bypass traverse checking
Increase quotas (Adjust memory quotas for a process)
Replace a process level token
Log on as a service
Have read and write privileges on the Windows Registry item
If you use the “Local System” account, you will not be able to use Kerberos or read CSV files from external file shares.
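One way to check the user rights listed above on the TM1 server, as an added example that is not from the IBM documentation. The account name `CONTOSO\svc_tm1` is a hypothetical placeholder, and the `Se...` names are the constants Windows uses for these rights in a `secedit` export.

```powershell
# Added example: audit the user rights required for a TM1 service account.
# Run from an elevated PowerShell prompt on the TM1 server.
$Account = 'CONTOSO\svc_tm1'   # hypothetical name; replace with your service account

# Windows constant names for the rights listed on this page.
$required = [ordered]@{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeChangeNotifyPrivilege       = 'Bypass traverse checking'
    SeIncreaseQuotaPrivilege      = 'Adjust memory quotas for a process'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
    SeServiceLogonRight           = 'Log on as a service'
}

# Resolve the account to its SID; secedit writes most holders as *<SID>.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the local user-rights assignment, read it, then delete the temp file.
$inf = Join-Path $env:TEMP 'tm1-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$lines = Get-Content -Path $inf
Remove-Item -Path $inf

foreach ($right in $required.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        # "SeXxx = *S-1-5-..,*S-1-5-.." -> list of SIDs or names without the '*'
        $holders = @(($line -split '=', 2)[1].Split(',').Trim().TrimStart('*'))
    }
    [pscustomobject]@{
        Right       = $right
        Description = $required[$right]
        # True only when the account itself is listed. A right granted through
        # a group (for example Everyone for SeChangeNotifyPrivilege) appears
        # under the group's SID, so review Holders before treating False as missing.
        Direct      = ($holders -contains $sid)
        Holders     = $holders -join ', '
    }
}
```

The Holders column also shows every other account that has each right, which is useful when reviewing who else holds "Act as part of the operating system" on the server.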
In integrated login mode (security mode 3), TM1 authentication compares the user’s domain-qualified Microsoft Windows login name to the contents of the UniqueID element of the
If there is a match, the user is authenticated to TM1. If Active Directory groups have been imported into the TM1 Server, Active Directory group memberships are honored.
If no match is found, TM1 displays an error message stating that the client name does not exist. TM1 Server does not prompt for login information.
Users who want to access TM1 data in a server that is configured for integrated login must authenticate to Microsoft Windows first and then use TM1 clients to access the TM1 Server.
- Run ETLDAP and import the user and group information from your LDAP server, as described in Running ETLDAP. Or update the }ClientProperties cube with other TI scripts.
- Shut down the TM1 Server.
- Edit the following parameters in the tm1s.cfg file located in your TM1 Server data directory:
- Set the IntegratedSecurityMode parameter to 3.
- Set the SecurityPackageName parameter to the security protocol you use for integrated login.
In the following example, the server is configured to use Kerberos.
[TM1S]
SecurityPackagename=Kerberos
IntegratedSecurityMode=3
Servername=myserver
DatabaseDirectory=datafiles
- Set the
- Save and close the tm1s.cfg file.
- Restart the TM1 Server.
- Optional: Configure the TM1 clients to use integrated login by setting the Use Integrated Login option in the associated user interface.
Follow the directions from the IBM knowledge articles for the most accurate information.
Enabling Cognos single signon to use Kerberos authentication with constrained delegation
You must configure the constrained delegation in the Active Directory Users and Computers administration tool. On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation. Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.