Cognos Analytics 11.1.7
Planning Analytics 2.0.9
Microsoft Windows 2019 Server
How setup Windows Kerberos login for Cognos products?
Here describes what Kerberos is:

Setup Cognos Analytics with a IIS gateway and make it work for Single Sign On (SSO) to login.

You need to create a windows domain account, that is local administrator on the Cognos server where the Cognos Content Manager function is, and run the IBM Cognos service with this account.

The account must be added with domain\name format, without use of @.
The same service account must run the IIS server application pool used by CA11.

Go to Internet Information Service Manager, and expand Application pools. Mark ICAPool and click on Advanced Settings. Click on Identity and select Custom Account. Click Set and enter the domain\name account and password. Click OK.
Restart IIS.
The service account must have “Trust this user for delegation to any service (Kerberos only)” set in Active Directory. Ask the IT department to set this on the Windows Domain Controller.

Constrained delegation is not recommended.
Ensure that the cognos service account have NTFS read/write/execute rights on the cognos folders.
Right click on folder C:\Program Files\ibm\cognos\analytics and select properties.
Check the security tab that the local Administrator group have full rights.

Go to Computer Management in Control panel – Administrative Tools. Expand Local User and Groups – Groups. Check what groups and accounts are in the Administration group on the server.

Ensure that the cognos service account is part of a domain group that is included in the local administrator group. Does not need to be domain admins group, but must be the same group.

On the Windows Domain Controller you must run the SETSPN command to create the Service Principal Name.

Enter the webserver and the cognos bi server to the service account. In our case it is the same server.
You need to add all the ways the system connect to the server e.g. HOSTNAME and FQDN.
In our example we use setspn -s HTTP/win2019.lab.pacman LAB\cognosservice

setspn -s HTTP/websrv_aliasname  domain\cognosserviceaccount
setspn -s HTTP/appsrv_FQDN  domain\cognosserviceaccount
setspn -s HTTP/appsrv_HOSTNAME  domain\cognosserviceaccount

Use the servername in cognos configuration for the setspn command above.

Use setspn -L domain\cognosserviceaccount to see the current values in use.

Some common switches used with SetSPN:

-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

In IIS manager on the Cognos Gateway server; ensure that Anonymous Authentication is on IBMCOGNOS folder.

Go to \bi folder, and click on Authentication. Select Windows Authentication and click enable.
Disable Anonymous Authentication on the \bi folder.

Click on Providers for the \bi folder, and remove NTLM so you only have Negotiate.

Repeat on \sso folder, so it also only have Negotiate as Windows enabled Providers.

For \sso folder click on Configuration Editor.

Select in the drop down menu for section – system.webServer – security – authentication – windowsAuthentication.

To get this dialog up for the sso folder.

Set true to “useAppPoolCredentials” and “useKernelmode”.
Go to the \bi folder and set the same values.

Click on Configuration Editor icon – select system.webServer – security – authentication – windowsAuthentication. Set true to “useAppPoolCredentials” and “useKernelmode”.

If you use Oracle or DB2 as content store database, you are all set. But if you use Microsoft SQL server you need to add setspn for the service account that run the SQL services.

Ask the SQL DBA to ensure the service account for SQL server is using domain\account notation as above. Kerberos will not work with Local System as the service account for Microsoft SQL database.
You need to check in cognos configuration how Cognos Analytics connects to the content store database. Open Cognos Configuration on your Cognos Content Manager server.

Note down IP or HOSTNAME that is in use to connect to the SQL server. This will be used in the setspn command.  Enter in our case setspn -s MSSQLSvc/ LAB\cognosservice

setspn -s MSSQLSvc/sqlsrv_FQDN  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:instancename  domain\SQLServiceAccount
setspn -s MSSQLSvc/sqlsrv_FQDN:1433  domain\SQLServiceAccount

You need to enter all variants of the SQL server name to the setspn command.

Restart the windows server for Cognos Analytics to ensure the domain changes have taken affect.

To check that Kerberos is in use, activate AAA tracing for a short period in Cognos Analytics.

Login to CA11 as administrator and click on Manage – Configuration.

Click on Diagnostic Logging.

Click on AAA and Apply.
Logout from CA11 and close the browser.
Start the web browser again and go to http://win2019.lab.pacman/ibmcognos/
after the sso have let you in, go to the Cognos Analytics Content Manager server.
Open the C:\Program Files\ibm\cognos\analytics\logs\cognosserver.log file in notepad++

Go to the end of the file and from search menu select find and enter AUTH_TYPE.
Scroll to the right, and if kerberos is used it should say:
<value xsi:type=”xsd:string”>Negotiate</value>

Close the log file.
Go back into CA11 portal.
Go to manage – configuration – diagnostic logging.

Select Default Logging and click Apply. This is important as the logging can make the cognos system slower.

Planning Analytics (TM1) will use kerberos now too, as long they are setup to use CAM security.

More information:

Overview of Service Principal Name and Kerberos authentication in SQL Server

Cognos Analytics 11.1.3
Microsoft Windows 2016 server
Login dialog when user try to access CA11 website

Check that the server name is in local intranet sites or trusted sites in internet options.

At most company’s this is controlled by group policy in the network, ask the IT department to add the CA server name and DNS alias to the local intranet site.

The new Edge that use chromium, will only allow SSO for servers in Local Intranet zone. But Internet Explorer on the same computer will allow SSO for servers both in Local Intranet Zone and Trusted Zone.

In Windows only, if the AuthServerWhitelist setting is not specified, the permitted list consists of those servers allowed by the Windows Zones Security Manager (queried for URLACTION_CREDENTIALS_USE). By default, this includes servers in the Local Machine or Local Intranet security zones. For example, when the host in the URL includes a “.” character, by default it is outside the Local Intranet security zone). This behavior matches Internet Explorer and other Windows components.

You have to search the internet to find where you can set the Edge Zone security in the local windows.

There is also granular settings in Custom level there you should uncheck “automatic logon only in intranet zone”.

Then you can have the cognos analytics site in Trusted tab instead.

Steps for Adding Trusted Sites in old Browser

clipboard_e8a7609ba67df6fed071fd60091e07355.pngGoogle Chrome > Adding Trusted Sites

  1. Click the Chrome Menu icon on the far right of the Address bar.
  2. Click on Settings, scroll to the bottom and click the Show Advanced Settings link.
  3. Click on Change proxy settings (under Network)
  4. Click the Security tab > Trusted Sites icon, then click Sites.
  5. Enter the URL of your Trusted Site, then click Add.
  6. Click Close > OK.

clipboard_ea8e5cecec1e5dca38441c9c37134257b.pngMozilla Firefox > Adding Trusted Sites

  1. Click the menu icon in the upper right-hand corner of the browser.
  2. Click Options.
  3. Click Privacy and Security.
  4. Scroll down to the “Permissions” section, and click on Exceptions to the right of “Warn you when websites try to install add-ons.”
  5. Type the trusted sites into the “Address of website” field.
  6. Click Allow.
  7. Click Save Changes.

clipboard_eec6508771be7e2766cbef130f1739002.png Safari > Adding Trusted Sites

  1. At the top of the screen, click Bookmarks.
  2. Click “Add Bookmark…”
  3. Click “Top Sites” from the dropdown menu.
  4. Click Add.

clipboard_eaed7201dc9178b78099be4d2fd603773.png Internet Explorer 9, 10 and 11 > Adding Trusted Sites

  1. Click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the  Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

clipboard_e7cae9f0eed9e3179b0a0bb00194c503c.pngMicrosoft Edge > Adding Trusted Sites

  1. Search in the Start Menu for the Control Panel.
  2. Click or double-click the Internet Options icon.
  3. In the Internet Properties window, click the Security tab.
  4. Select the Trusted sites entry and click the Sites button.
  5. Enter the address for the trusted website in the Add this website to the zone text field.
  6. Click the Add button, then click OK to save the website addition.

More information:

Security Zones in Edge

Cognos Analytics 11.0.13
Microsoft Windows 2016 server

After change of custom certificate on IIS and in CA11 dispatcher level, in file CAMkeystore. The still show wrong certificate.
When you examine the camkeystore.jks file with ikeyman.exe you find that the root certificate is used instead of the server certificate.

Possible solution:
When using custom certificate for SSL (TLS) communication on port 9300, you need to only add this certificate to the CAMkeystore file.
First you set HTTPS in cognos configuration, then when you press save inside Cognos Configuration for CA11, the keystores files are created.
For example IBM Cognos Configuration > Security > Cryptography > Cognos > Certificate lifetime in days. This value will set the cognos server certificate (encryption) in the keystore to last this long. The internal CA certificate is created to last a year longer.
After the cognos keystore files are created, you can add the custom certificates to the file with ikeyman.exe.

You must add the certificate in correct order:
Root – first
Intermediate – second
Server Cert – last

Make a backup of the C:\Program Files\ibm\cognos\analytics\configuration\certs folder before you start.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Launch ikeyman.exe as administrator ( by right click and select run as administrator)
Open the following file C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMkeystore
Type: PKCS12
File name:CAMKeystore
Location:  C:\Program Files\ibm\cognos\analytics\configuration\certs
Password: NoPassWordSet (default)

Select Signer Certificates from the drop down list.
Click on Add.
Import your root.cer first.
Then import your intermediate.cer second.
Then go back to Personal Certificates from the drop down list.
Mark encryption, and click on Rename. Change the name to old-encryption.
Click on Import button. Select Import key.

Select you certificate file with your server certificate, that contain the DNS alias for your server.
Enter your password when you import the file.
Set the name of the server cert to encryption.
Exit/Close the ikeyman program. Any changes are saved directly to the CAMkeystore file.

Now go into Cognos Configuration and click save. Then start the Cognos service from inside Cognos Configuration. Now the file CAMkeystore.jks is created/update with the custom certificates.
Test to browse to the

You may need to also add the custom certificate to other places, depending on you system setup.

(Internal CA)
It is Cognos specific certificate authority.  You can check the content with ikeyman tool.

View ‘ca’ certificate under Personal Certificates.  Double click to see the values of the certificate.
When ‘encryption’ certificate is expired, you cannot log in to Cognos Analytics.

If you use PA, you need to add the Planning Analytics certificate to the CA11 key store.

More information:

Cognos Analytics 11.1.7
Microsoft Windows 2019 server

Error when using Event Studio in a multi server installation of CA 11.1.7 .

CAM-CRP-1655 Member coordination host in Configuration Group is not configured properly

Ensure that Server Common Name is the FQDN of the server and not the word CAMUSER, as it was in old version of Cognos.

From Cognos Analytics 11.1.7 you must use Fully Qualified Domain Names for the following Cognos Configuration fields, even when you do not use SSL.

Gateway URI
External dispatcher URI
Internal dispatcher URI
Dispatcher URI for external applications
Content Manager URIs
Environment > Configuration Group
Group contact host
Member coordination host
Security > Cryptography > Cognos
Server common name
Subject Alternative Name > DNS names
Subject Alternative Name > IP addresses

More information:

Planning Analytics 2.0.9
Microsoft Windows 2016 server

Try to add a new TM1 instance, and when click save configuration get error message. You have recently change the CA11 security setup.
[ ERROR ] CAM-CRP-1315 Current configuration points to a different Trust Domain than originally configured.

You are unable to generate Cryptographic keys after changing authentication for a TM1 server.

Inside Cognos Configuration save the configuration as text, name the file to pa_backup.xml
Stop both IBM Cognos service and IBM Cognos TM1 services.
Remove the C:\Program Files\ibm\cognos\tm1_64\temp\cam\freshness file.
Back up the existing cryptographic keys by copy the following directories to d:\temp\backup:

C:\Program Files\ibm\cognos\tm1_64\configuration\configuration\csk
C:\Program Files\ibm\cognos\tm1_64\configuration\certs

Delete the C:\Program Files\ibm\cognos\tm1_64\configuration\csk directory.
Clear the certs directory, except for the jCAPublisherKeystore file that you keep.

Rename cogstartup.xml to
Rename pa_backup.xml to cogstartup.xml in folder C:\Program Files\ibm\cognos\tm1_64\configuration

Open IBM® Cognos® Configuration for Planning Analytics, save the configuration and start the services, IBM Cognos TM1 and TM1 Admin Server.


If you have similar problem with CA11, you can save below in a text file (certclean.cmd) and then run it from a administration command. (but first you need to stop the IBM Cognos service, and after you need to open Cognos Configuration and click save.)

REM Export current configuration to an XML file
cd “C:\Program Files\ibm\cognos\analytics\bin64”
cogconfig.bat -e “C:\Program Files\ibm\cognos\analytics\configuration\backup.xml”

REM Remove current crypographic keys/information
md “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\caSerial” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMCrypto.status” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\configuration\certs\CAMKeystore.lock” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
move “C:\Program Files\ibm\cognos\analytics\temp\cam\freshness” “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
ren “C:\Program Files\ibm\cognos\analytics\configuration\backup_to_fix_problem”
cd “C:\Program Files\ibm\cognos\analytics\configuration”
ren csk csk_backup_to_fix_problem

REM Copy new configuration
copy “C:\Program Files\ibm\cognos\analytics\configuration\backup.xml” “C:\Program Files\ibm\cognos\analytics\configuration\cogstartup.xml”

More Information:

Cognos Controller 10.4.2
Cognos Analytics 11.0.13
Microsoft Windows 2012 server

On a CA installation where the IIS web server is using HTTPS for IBMCOGNOS.
How update the certificate on the IIS server when it expire after some years.

Suggested Solution:
Get a new certificate from the company’s internal Certificate Authority.
You get a pfx file and a cer.pem file.
You also get a password to the pfx file – save it in notepad.
Save them in a separate folder on the server (c:\temp\cert)

Go to the IIS Manager
Select the server name in the tree
Click on Server Certificates icon

Click on Import link at the right
Click on … to find the pfx file.
Enter the password and press OK

Click on Default web site
Click on Bindings

Select HTTPS
Click Edit

Click on drop down and select the new cert
Click OK

Start your Cognos Controller client and check that you can login.

You may also need to update the CACERTS file in the cognos controller client installation to get the Java menus to work (like maintain – jobs – define).

Export the certificate from IIS with use of IE:
Surf to your IBMCOGNOS site with https
Click on the lock icon in IE toolbar and click “View certificates”
Click on Details tab

Click Copy to file button

Click next

Select Base-64 encoded X.509 and click next

Enter path and name and click next

Click finish
Repeat above for the Root certificate and any intermediate certificates.

You must first view the certificate before you export it from the details tab.

Import the cert with the IKEYMAN:
If you have Cognos Analytic on the same server as you have installed Cognos Controller client, you can use it to import the cer files to the cacert file.
Before change the cacerts file make a backup of the file to other folder.

Go to C:\Program Files\ibm\cognos\analytics\jre\bin
Right click ikeyman.exe and select run as administrator

click open and select your cacerts file in folder C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security

Click ok

Enter password changeit
Click ok

Click drop down list and select Signer Certificates

Click on Add button

Click on browse and select your cer file.
Click OK

Enter a name e.g. Cognos

Repeat the ADD steps for Root and other company needed certificates.

Changes are save direct, so only select exit to end the program.

The update cacerts file can be made part of any Cognos Controller client installation package the company uses (so not every user need to do this) .

Or import the cert with the command line, if you do not have CA11 on the server:
“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias CognosController -file “C:\temp\cert\CognosController.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

You should manage with only have the Company Root certificate and any intermediated in the file;

“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias root1 -file “C:\temp\cert\root1.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

“C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\bin\keytool” -import -alias intermediated2 -file “C:\temp\cert\intermediated2.cer” -keystore “C:\Program Files\ibm\IBM Cognos Controller Local Client\Integration\jre\lib\security\cacerts”

More Information:
To add certificates to the Trusted Root Certification Authorities store for a local computer

Click Start, click Start Search, type mmc, and then press ENTER.

On the File menu, click Add/Remove Snap-in.

Under Available snap-ins, click Certificates,and then click Add.

Under This snap-in will always manage certificates for, click Computer account, and then click Next.

Click Local computer, and click Finish.

If you have no more snap-ins to add to the console, click OK.

In the console tree, double-click Certificates.

Right-click the Trusted Root Certification Authorities store.

Click Import to import the certificates and follow the steps in the Certificate Import Wizard.

Cognos Analytic 11.1.6
Microsoft Windows 2016 server

When you browse to http://caservername/ibmcognos you get an error;

Service Unavailable
HTTP Error 503. The service is unavailable.

This is in most cases is this that the application pool is stopped.

Go to IIS manager and start the ICApool.


More Information:

Cognos BI 10.2.2 fix pack 10
C8BISRVR_UPDATE_name=IBM Cognos Business Intelligence Server Update
Microsoft Windows 2012 R2

When you run a report as schedule, the formatting for HTML is lost. If you run the report intermediate it works fine.

Above the scheduled report who is missing formatting

Above the correct report layout, as it looks when you run it intermediate.

Inside Cognos Connection can you create a “job” to schedule the run a report at a defined time.

Change to use cognosisapi, as the default IIS gateway.

On the IBM Cognos 10 Gateway server,

  1. Open \webcontent\default.htm in a notepad. For example, D:\cognos\c10\webcontent\default.htm.
  2. Find the line that reads

    and change cognos.cgi to cognosisapi.dll.


This will make http://<webserver>/<alias> work like http://<webserver>/<alias>/isapi, redirecting to the ISAPI Gateway after showing a splash screen.

Possible the schedule report is saved in the content store database, but when you try to look at it is not showing the correct formatting, because the cognos.cgi process does not get all the data.

More information:

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

The users can not login with SSO, they have to enter name and password at the IBMCOGNOS website.
Only a few Cognos CA11 gateway servers are affected.

Suggested solution:
Go into the Cognos Configuration on gateway servers and click save.
Does it help?

Recommend is to on all Cognos Configuration installation change the “common symmetric key lifetime in days” from 365 to a higher value like 1825 (5 years).

Inside Cognos Configuration on the CA11 servers
Go to Local Configuration -> Security -> Cryptography
Modify the value for: Common symmetric key lifetime in days
Also go to Local Configuration -> Security -> Cryptography -> Cognos
Modify the value for: Certificate lifetime in days
Save the configuration and start the services.
You must start the Content Manager first, then the gateway servers last.

The issue can also be caused by changes to IIS setup for the SSO part.

More Information:
By default, the cryptographic keys are valid for 365 days.

This value is configured inside Cognos Configuration
Specifically, browse to “Local Configuration -> Security -> Cryptography” and modify the value for: Common symmetric key lifetime in days

Each time you open Cognos configuration and click the save button, it resets the clock on your 365 days. Therefore, if you installed the software and didn’t save the configuration for 365 days, they would expire and you’d need to manually regenerate them.

You must restart the services every so often to ensure the new keys are actually being used.

If you think you won’t be opening and saving your configuration at any point in the next year or two, you can change the expiration date to 8 years and re-encrypt everything.

If you miss above, you will get in a years time this error;
“The Cognos gateway is unable to connect to the Cognos BI server. The server may be unavailable, or the gateway may not be correctly configured”

Cognos Analytics 11.0.12
Microsoft Windows 2016 server

How limit the login to Cognos Connection to only to groups in the LDAP (active directory)?

Use the LDAP connector in Cognos Configuration, and limit the users to be able to login only if they belong to two CN.
The “User Lookup” is used when you do not use SSO, and you let the BI (CA11) prompt the user for the user name and password. Change this to include the groups that the person must be part of to be able to login. Below a example how it can be;

(&(|(legacyuid=${userID})(uid=${userID}))(status=ACTIVE)(|(memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

“External identity mapping” is only used when you use SSO from IIS, to login to the BI server (CA11). You should change this to cover the same groups as the other one to make it act the same if it is using SSO or not.

(&(|(legacyuid=${replace(${environment(“REMOTE_USER”)},”CompanyA\\”, “”)})(uid=${replace(${environment(“REMOTE_USER”)},”CompanyA\\”, “”)}))(status=ACTIVE)(|((memberof=cn=Cognos_TM1_Contributor,cn=Cognos Groups,cn=UserGroups,ou=Global,,cn=Cognos Groups,cn=UserGroups,ou=Global,

In above lines, the user that is part of group Cognos_TM1_Contributor or Cognos_TM1_Modeler in LDAP, can login to Cognos. Good if you have a CA11 server setup, that only authenticate users that should use TM1(Planning Analytics 2.x).

Check that the user is active in LDAP

Compare the userid with the LDAP field Legacyuid

You have to change cn= and ou= values to match your LDAP setup.

Base Distinguished Name, should be the root of the LDAP directory.

How setup LDAP  (from the web)
In every location where you installed Content Manager, open IBM Cognos Configuration.
In the Explorer window, under Security, right-click Authentication, and then click New resource > Namespace.

In the Name box, type a name for your authentication namespace. LDAP
In the Type list, click the appropriate namespace and then click OK.

The new authentication provider resource appears in the Explorer window, under the Authentication component.
In the Properties window, for the Namespace ID property, specify a unique identifier for the namespace. Should be same as namespace name.
Specify the values for all other required properties to ensure that IBM Cognos components can locate and use your existing authentication provider.
If you want the LDAP authentication provider to bind to the directory server by using a specific Bind user DN and password when you perform searches, then specify these values.

If no values are specified, the LDAP authentication provider binds as anonymous.

If external identity mapping is enabled, Bind user DN and password are used for all LDAP access. If external identity mapping is not enabled, Bind user DN and password are used only when a search filter is specified for the User lookup property. In that case, when the user DN is established, subsequent requests to the LDAP server are run under the authentication context of the user.
If you do not use external identity mapping, use bind credentials for searching the LDAP directory server by doing the following step:
Ensure that Use external identity is set to False.
Set Use bind credentials for search to True.
Specify the user ID and password for Bind user DN and password.

If you do not specify a user ID and password, and anonymous access is enabled, the search is done by using anonymous.
Check the mapping settings for the required objects and attributes.

Depending on the LDAP configuration, you may have to change some default values to ensure successful communication between IBM Cognos components and the LDAP server.

LDAP attributes that are mapped to the Name property in Folder mappings, Group mappings, and Account mappings must be accessible to all authenticated users. In addition, the Name property must not be blank.
From the File menu, click Save.
Test the connection to a new namespace. In the Explorer window, under Authentication, right-click the new authentication resource and click Test.

You are prompted to enter credentials for a user in the namespace to complete the test.

Depending on how your namespace is configured, you can enter either a valid user ID and password for a user in the namespace or the bind user DN and password.

More information:

To bind a user to the LDAP server, the LDAP authentication provider must construct the distinguished name (DN). If the Use external identity property is set to True, it uses the External identity mapping property to try to resolve the user’s DN. If it cannot find the environment variable or the DN in the LDAP server, it attempts to use the User lookup property to construct the DN.