Planning Analytics 2.0.3
Cognos Analytics 11.0.9 kit_version=
kit_name=IBM Cognos Analytics
Planning Analytics Workspace version 29
Microsoft Windows 2012 R2 Server

How make SSO with Planning Analytics for Excel work?

Contact IBM Cognos Support to get the latest instructions on how to setup PAX.

Setup of Content Store database in SQL server
See here how:

Setup of Cognos Analytics 11
See here how:
Ensure that all servernames in Cognos Configuration uses FQDN, dvs, this is a must for PAW setup.

The manual for CA11

Setup of IIS and Cognos Analytics 11 Gateway
See here how:

Check that SSO is working, to the Windows Active Directory, by surf to

Check the .\webcontent\default.htm and .\webcontent\index.html files. Update the last line starting with <meta http-equiv=”refresh” as shown below, (where <alias name> is the alias used in the CA_IIS_config.bat script file). Add /ibmcognos/ in most cases.


Important that Windows Authentication is on the /ibmcognos/sso folder in IIS manager and that you may need to add Advance properties singleSignOnOption: IdentityMapping in Cognos Configuration for CA11 at security – authentication – namespace – active directory.

If Cognos Application Firewall is used, then you need to add the TM1 servers here also with port 9510.
Open Cognos Configuration for CA11. Go to Local Configuration – IBM Cognos Application Firewall. Click on Valid domains or hosts to add the PAservername to the list of approved domains.
Click OK, save the new Configuration and restart the Cognos Analytics services. If above is not done, you get error DPR-ERR-2079 when you logout of TM1WEB.

Download of Planning Analytics 2.0.3
List of files

Parts and Platforms Installation category Part number
IBM Planning Analytics 2.0.3 Microsoft Windows Multilingual Required CNN7AML
IBM Planning Analytics Client 32-bit 2.0.3 Microsoft Windows Multilingual Optional CNN7BML
IBM Planning Analytics Client 64-bit 2.0.3 Microsoft Windows Multilingual Optional CNN7CML
IBM Planning Analytics Workspace 2.0.3 Multiplatform Multilingual Optional CNN7DML
IBM Planning Analytics Workspace 2.0.3 Microsoft Windows Server 2016 Multilingual Optional CNN7EML
IBM Cognos TM1 Package Connector for Business Intelligence 10.2.2 Microsoft Windows Multilingual Optional CN1Z7ML
IBM Cognos Analytics Server 11.0.7 Microsoft Windows Multilingual Optional CNK1EML
IBM Cognos Analytics Samples 11.0.7 Microsoft Windows Multilingual Optional CNK1XML
IBM Cognos Framework Manager 11.0.7 Microsoft Windows Multilingual Optional CNK1MML

Download from here

Setup of PA 2.0.3

Check that Print Spooler Service is running in your Windows 2012 server.
Install NET Framework 4.6.1 (NDP461-KB3102436-x86-x64-AllOS-ENU.exe) in the Windows server, from here:–net-framework-4-6-1-offline-installer-for-windows
Install C++ 2010 x64 redistribution (vcredist_x64.exe).

Run the installation from the unziped file in D:\install\pa 2.0.3\tm1_winx64h_2.0.3.119_ml.tar\winx64h\issetup.exe

Go into Cognos Configuration for TM1 (PA2.0.3)
Under Environment point to the CA11 server.
Set gateway URI to be to the CA11 gateway like this
Set External Dispatcher URI to
Set Content Manager URI to

At IBM Cognos TM1 you can tune your WebSphere Liberty Profile;
Set Ping timeout in seconds to a value like 480 seconds.
Set Maximum memory for Websphere Liberty Profile in MB to 4096, if TM1 Web or TM1 Application Web are getting unresponsive and Planning Analytics logs contain some errors java.lang.OutOfMemoryError.

At TM1 Applications leave the Maximum memory in MB at default 768.
Enter TM1 Application Server Gateway URI to and External server URI to
Consider to change Session timeout to a higher value.
Set TM1 Application Server Dispatcher URI to

At TM1 Clients change the Cognos Insight ping frequency (seconds) to a higher value like 90. See separate page about timeout values
Skip the Logging, Security, IBM Cognos Application Firewall – they have limited function in this version of PA2.

Start the SDATA and Proven_Techniques example TM1 instances.
We use Proven_Techniques to test SSO, because it have a short TM1S.CFG file, so it is easy to add fields.

Setup of SSO

Open C:\Program Files\ibm\cognos\tm1_64\samples\tm1\Proven_Techniques\tm1s.cfg in notepad++.
Add the lines;
Save the file and restart the TM1 instance Proven_Techniques.

Exit TM1 Architect.
Erase the tm1p.ini file from here C:\Users\%username%\AppData\Roaming\Applix\tm1 to allow it to get the new values.
Open C:\ProgramData\Applix\TM1\tm1p.ini in notepad and add the values AllowImportCAMClients = T
CognosGatewayURI =
Save the file.

Add users
Start Tm1 Architect, double click on Proven_Techniques to login.
Enter ADMIN as user to login. Right click and select Security – Client/Groups. From menu Clients select Add New Client.
Click on your namespace name, in out example AD.
Click on TYPE in top right corner to enter the name of the user.
Enter the domainnamespace/username. Namespace name is the name you gave it in CA11 cognos configuration. Username most be the users name correct spelled as it is entered in Active Directory.
Click on yellow arrow to add the user, and click on OK.
Mark the user to be ADMIN, so he can then add other users later.
Click OK and exit TM1 Architect. Now you turn TM1 application to security mode 5,and then this user can login and add additional users in TM1 architect.

Open C:\Program Files\ibm\cognos\tm1_64\samples\tm1\Proven_Techniques\tm1s.cfg in notepad++.
Change the line to 5
Save the file and restart the TM1 instance.

Unzip the file C:\Program Files\ibm\cognos\tm1_64\bi_interop\ to a separate folder like c:\install
There should be two folders
Go and update this files with the PA server name and PAW server name;
Update the following to point to the location of the planning service(s)
var planningServices = [“″,””];
Update the following to point to the location of the pmhub service(s)
var pmhubURLs = [“http://paservername:9510″,”″,””];
// Update the following to point to the location of the TM1Web service(s)
var tm1webServices = [“”, “”];
Save the files.

The files in C:\install\templates\ps\portal should not be changed.
If variables_TM1.xml is not referenced in TM1S.CFG file, then it is most likely not used.

Copy the files and folders in C:\install\webcontent ontop the C:\Program Files\ibm\cognos\analytics\webcontent folder.
Go into C:\Program Files\ibm\cognos\analytics\webcontent\tm1\web\tm1web.html and see that it is the updated file.
Copy the files and folders in C:\install\templates to the C:\Program Files\ibm\cognos\analytics\templates folder.
Replace files as needed.

Copy the C:\Program Files\ibm\cognos\analytics\webcontent\tm1 folder to C:\Program Files\ibm\cognos\analytics\webcontent\bi folder. So you also got a TM1 folder under /webcontent/bi.

Copy the updated files planning.html, pmhub.html, default.htm and index.html from C:\Program Files\ibm\cognos\analytics\webcontent to folder C:\Program Files\ibm\cognos\analytics\webcontent\bi.

Restart IIS with iisreset from a CMD prompt.
Surf to to check that it works.

The first time you start TM1 Application portal, then it will connect to the PA and BI setup. You must surf to to set it up.
Enter the host name and the list of TM1 server names should be filled out. Select the proven_techniques from the list.
If it looks like above – please try a different version of web browser.
Above is the correct look, you get in FireFox.
Press F12 inside Internet Explorer to find the Emulation in use.
Above you see it is using Document Mode 7. The blue text “via intranet compatibility settings” tell us that it is the compatibility settings in internet options on your computer that give the issue. Open it and clear all values out. pax36Test again.
Change the mode to Edge and it may work for you.
Press OK to save the values to TM1 Application Portal.
When it is working it should look like above, if you are ADMIN in the Proven_Techniques application you should see all the icons to the right.
This configuration is stored in C:\Program Files\ibm\cognos\tm1_64\webapps\pmpsvc\WEB-INF\configuration\fpmsvc_config.xml.

TM1 Operations Console is configured in a web interface. This UI presents multiple options of configuration, including the references to the Cognos Analytics environment.
Surf to
Expand configurations and select PMHub Security.
At CAMGatewayURL enter
The values should save automatically in a few minutes.
Surf to
to check that it works.

TM1 PMPSVC and PMHUB must be setup before you can get PAW to work.

You must setup PAW before PAX are setup.

Download of PAX from here
Installation of PAX
Install NET Framework 4.6.1 (NDP461-KB3102436-x86-x64-AllOS-ENU.exe) from here:–net-framework-4-6-1-offline-installer-for-windows

Check that Microsoft Office have the primary interop assemblies (PIAs) for Excel installed.
You can download the PIAredist.exe for Office 2010 from here
In Office setup it is named NET Programmable support.
PIA – Primary Interop Assemblies (PIA) redistributable package for your version of Microsoft Outlook. The PIA is only needed if you have Outlook 2007 or 2010. PIA is not needed for Office 2013 or Office 365, it is part of the Office installation package as .NET Programmability Support for Office. In all version of Office you also need to make sure the .NET Programmability Support is installed (Control Panel – Program and Features – locate Microsoft Office installation, click on Change and Add/Remove features and expand Outlook, it is the first option you can check the box and install it)

Run the file D:\install\pa 2.0.3\pax\cor_win32_2.0.29.10_ml.tar\win32\issetup.exe
If your excel is 32 bit then you get this error if you select the wrong file. File cor_winx64h_2.0.29.10_ml.tar is for 64 bit excel.
Click Next
Select I Agree and click Next
Click Next
Click Next
Click Next
Click Next
Click Finish.

Configure PAX
Start Microsoft Excel to configure IBM Planning Analytics
Select tab IBM Planning Analytics and click on Options
Click on IBM
Select IBM Planning Analytics and click on ADD button
Enter your servername   (this will make the SSO to work)

PAX should connect to the PAW (Planning Analytics Workspace) URL, like to get the “set editor” to work.

Enter a friendly name, like PMPSVC Connect.
Click on Test Connection
Click Save
If the test fails, check that servername is correct spelled, and check that Windows Firewall on the server does not block port 9510.
Click OK
Now you can in Excel click on Connect – Your Friendly name – proven_techniques to start working with that.
Now you can drag views from PA2 (TM1) into the spreadsheet.

How to use it
To get “Replace members” to work you need to install PAW.

If you use a TM1 instance that use securitymode=1 (like example SData) then “set editor” will work.
Above when you point PAX to the PA server and use a PA (TM1 instance) that uses SSO.

If you in PAX connect to PA (Tm1) server at address or then the settings inside pmhub security will tell pax where to go to authenticate.


if you in PAX connect to PAW like then the setting in paw administration ( will point to the authentic provider.

Then the value in C:\Program Files\ibm\cognos\analytics\webcontent\pmhub.html and C:\Program Files\ibm\cognos\analytics\webcontent\tm1\web\tm1web.html, can also be important to make it work.  Note that this files are also in folder C:\Program Files\ibm\cognos\analytics\webcontent\bi.


Setup of PAW
Ensure you use only FQDN to the servers.

First time you start PAW, you point it to a Native TM1 instance with security mode 2. Then you add your CAM users with TM1 Architect. Set this CAM users to be ADMIN in that instance, and they will be the first ADMIN in PAW. Switch that TM1 instance over to security mode 5. Change in IBM Planning Analytics Workspace Administration Tool from TM1 to CAM authentication mode. You must use security mode 1 first, before you can use PAW with security mode 5.

In IBM Planning Analytics Workspace Administration Tool, you should have this settings:

TM1 Admin Server URI:

TM1 Application Server Gateway URI:

Authentication Mode: CAM

IBM Cognos BI Gateway URI:

IBM Cognos BI Dispatcher URI:

IBM Cognos BI Authentication Namespace ID: AD (the same namespace id you have entered in Cognos Configuration for CA(BI)).

Click Validate and Update.

If above is correct set, then PAX should work pointing to

Please note that above setup is for PAW version 29. Other versions of PAW may require other configuration.

See here how to set PAW up

More Information:

#Cognos Analytics and #Planning Analytics Integration – Walkthrough – Part 2

Cognos BI 10.2.2 fix pack 7
Microsoft Windows 2012 R2 Server

When user in IE surf to Cognos Connection to login they get a AAA-SYS-0001 error.

Error Message:
AAA-SYS-0001 : An internal error occurred.
java.lang.RuntimeException: A visa already exists for this A visa already exists for this namespace.

Suggested Solution:
Inside Internet Explorer, clear the cache and try again.
Press CTRL+SHIFT+DELETE to bring up the “delete browsing history” dialog.
Press Delete.
Restart Internet Explorer and try again.

Cognos BI 10.2.2 fix pack 7
Microsoft Windows 2012 R2 Server

Slow or no login at all to a new namespace in Cognos Connection. The user surf to http://servername/cognos8 and then waits.
The other namespace setup in Cognos BI works fine.

Instead of set the domain name in Cognos Configuration Namespace Host and port, try with the IP to the closest Microsoft Windows Domain Controller in that domain. Change to if your Domain Controller uses that IP address.

You can test a change in namespace host without saving Cognos Configuration, if you right click the namespace name (under authentication in left panel) and select test, Cognos will do a authentication test to that DC on the lower IP layer and not use the Cognos dispatcher or Cognos Gateway.
When the dialog comes up for username and password, enter the user name as DOMAIN\username.
The details will show that Cognos first checks that the user exist, and there after ask for a list of all AD groups that user belongs to.
If this test take long time, the login for the Cognos user at the Cognos Gateway (iis) will take at least the same time or more.

Close Cognos Configuration without save, and your test values is gone, and your are back to the previous setup in Cognos.

The result from a test in Cognos Configuration;
User account properties:
defaultName: roger
userName: roger
givenName: roger

Group membership:
Domain Users

Tenant ID:
No associated tenant ID.

Tenant bounding set:
No associated tenant bounding set.

To see if you have network contact with your DC, start a PowerShell prompt on your Content Manager server.
Enter this command: tnc  -computername  -port  389

The result should be like this:
ComputerName : domaincontrollerservername
RemoteAddress :
RemotePort : 389
InterfaceAlias : Ethernet0
SourceAddress :
PingSucceeded : True
PingReplyDetails (RTT) : 4 ms
TcpTestSucceeded : True

If you get a PingSucceeded : False
then you should ask your NETWORK team to check routers and firewalls and ACL tables between the networks.

You can download a network monitor to get more information on what goes on;
Network Monitor

Active Directory Explorer (AD Explorer)

Cognos Content Manager will bind to the DC schema to obtain the list of all “known” DC’s based on the AD Structure.

More information:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

Cognos Tm1 10.2.2 Fix pack 7 (10.2.5270.108)
Microsoft Windows 2008 R2 server

When click save in TM1 Cognos Configuration you get a error message that you can not save, but can save in plain text.
The Cognos TM1 Application Web is using the value Environment – group properties – Gateway uri as default values in http://localhost:9510/pmpsvc setup.
If localhost is used in Cognos Configuration, the BI services (if it exist) on the local server is used as key for the creation of the crypto files.

Error details:
[ ERROR ] CAM-CRP-1132 An error occurred while attempting to request a certificate from the Certificate Authority service. Unable to connect to the Certificate Authority service. Ensure that the Content Manager computer is configured and that the IBM Cognos services on it are currently running. The HTTP result code ‘500’ was returned from the server.

but first you may get
when you try to save Cognos Configuration.

Possible workaround:
In Cognos Configuration, select Local Configuration, click the and then click Add.

Type StandaloneCertificateAuthority in the Name box.
Type True in the Value box.
Click OK.

This will make the TM1 cognos configuration not use the BI values to create the crypto keys.

Check also that you have not installed a fix pack over a TM1 installation that uses custom key certs.
Check that you have access to the Cognos BI server by in IE surf to http://cognosbiservername:80/ibmcognos/cgi-bin/cognosisapi.dll
Check that the Cognos Controller FAP or Cognos TM1 admin services is stopped when you update Cognos Configuration.
Check that you do not have doublets of the Cognos TM1 admin services.

More information:

Cognos Analytics 11.0.8
Microsoft Windows 2012 R2 Server
New installation of Cognos Analytics 11, but when you surf to the http://servername/ibmcognos you get a error like “Error Message: 403.6 – Forbidden” or “This page can’t be displayed”.
You have tried to reinstall Cognos Analytics gateway server parts, that did not help.
If you surf direct to the dispatcher at http://IBM_Cognos_Analytics_server_host_name:9300/bi/v1/disp it works fine.

The IIS setup have somehow become corrupt. Redo the IIS setup.
Inside IIS manager – mark cgi-bin and select delete.
Mark SSO under IBMCOGNOS and select delete.
Mark IBMCOGNOS (and COGNOS8 if it exist) and select delete.
Exit IIS manager

If you run more than one IBM® Cognos® Analytics instances of the same product, on one computer, you must create a separate application pool for each instance and then associate the aliases for that gateway instance to each application pool.

Go into control panel – administrative tools – server manager. Select the local server.
In the Add Roles and Features Wizard, click Role-based or feature-based installation, and click Next.
Select Web Server (IIS), ensure that Common HTTP Features is selected including WebDAV Publishing, Performance Static Content Compression, Under Security select Request Filtering and Windows Authentication, and click Next until you get to the Role Services section of the wizard.
Expand Application Development.
Select CGI and ISAPI Extensions, ISAPI filters and click Next.
Select IIS Management Console, IIS Management Scripts and Tools, Management Service.
Features as NET framework 4.6 and ASP.NET 4.6 should be selected.
Click Install.

Download the IIS add ons needed for Cognos Reverse proxy. Install them in below order;
1. Stop IIS first by typing net stop was /y and net stop wmsvc /y on an elevated command-line window

2. Download and install the Web Farm Framework module. It is currently available in version 1.1

3. Download and install the External cache module. It is currently available in version 1.0

4. Download and install the URL Rewrite module. It is currently available in version 2.0

5. Download and install ARR itself. It is currently available in version 3.0

6. Start the IIS services back by enter IISRESET (or, simply reboot your server).

Download the Cognos script to configure IIS. (CA_IIS_Config_v1.09(11.02.17).zip)
1. Download the file to your Cognos Analytics Gateway Server.
2. Extract the CA_IIS_config.bat file to a folder.
3. Open CA_IIS_config.bat in a text editor like Notepad++.
4. The variables, that are to be modified, are located at the top of the file. Edit the BAT file in Notepad++ before you run it.
Run the BAT file as a local administrator.

Then you need to Adjust request size limits.  Go into IIS Manager.

Select the bi directory under the ibmcognos application created earlier.
Double-click Request Filtering.
Click Edit Feature Settings… from the right-hand panel.
Set Maximum URL length (bytes) to 8192.
Set Maximum query string (bytes) to 8192.
Click OK.  (The Cognos Script have already change the values for /bi/ folder)

Configure IIS to allow to pass through the custom 441 errors that are used for recoverable exceptions from CAM. Otherwise, IIS can block these errors, and the customer sees the “Invalid Logon Response” error when trying to log on.

Click the ibmcognos virtual directory.
In the Home view, Management section, double-click Configuration Editor.
In the Section drop-down list, expand system.webServer, and select httpErrors.
Set the existingResponse property to PassThrough. It may already be set correct by the Cognos script.
Apply the configuration change.

If you configured the SSO application in previous steps, enable Windows Authentication.

Select the SSO application folder in IIS manager. For Microsoft Edge browser, select the ibmcognos application folder.
Double-click Authentication. Disable Anonymous Authentication, and enable Windows Authentication.

If you do not want to use Kerberos, at the namespace, add Advance properties singleSignOnOption: IdentityMapping

Cognos Analytics should now be available at: http://iis-host/ibmcognos.

WebDav setup

Note: webdav is not working in 11.0.8 – update to a later version of CA 11.

Under Connections, expand your web server, Sites, and select your website. For example, select Default Web Site.
Double-click WebDAV Authoring.
Click Enable WebDAV.
Click WebDAV Settings.
If you have anonymous access enabled, select True for Allow Anonymous Property Queries, and click Apply.
Select the directory or virtual directory /ibmcognos/bi/samples/images/ to which you want to allow WebDAV access.
Double-click WebDAV Authoring.
Click Add Authoring Rule, and add the appropriate rules for your environment. Like Allow access to: All Content, User: All users, Access: Read.

For example, if you installed the samples and you want to use the default path, under the ibmcognos virtual directory, expand bi/samples, and select images, and add an authoring rule for the image files in that folder.
In Windows Explorer right-click the directory or virtual directory you added authoring rules to, in above it can be /cognos/analytics/webcontent/bi/samples/images, and click Properties.
Click Security tab, and add the appropriate permissions. For example,  add permissions for the anonymous user access.
You may need to setup webdav for other images folders on the IIS gateway server if they are used in the reports.

Best is to keep all pictures in the same folder /ibmcognos/bi/samples/images/ on all the Cognos BI servers.

Change the Gateway URI in IBM Cognos Configuration to match the new IIS configuration, i.e. http(s)://web-host:80/ibmcognos/bi/v1/disp
Access the Gateway through http(s)://web-host:80/ibmcognos/bi/

Create a redirect file and place in the C:\inetpub\wwwroot as default.htm
<title>Cognos Connection</title>
<meta http-equiv=”refresh” content=”0 ;url=”>


More information:

Samples Landing Page

Cognos Analytics 11.0.7
Microsoft Windows 2012 R2

When you inside Cognos Administration on Dynamic Cubes click on “properties” for a specific cube you get a error.
If you surf direct to the dispatcher on port 9300, and do the same thing inside Cognos Connection you do not get a error. Therefor the error is with IIS. Check the windows event log for more details:

Error message:
An unhandled exception has occurred.
C:\Program Files\ibm\cognos\analytics\webcontent\
The length of the query string for this request exceeds the configured maxQueryStringLength value. at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Withing IIS Default Web Site > ibmcognos > bi

Click on ‘Configuration Editor’

Select Section ‘system.web/httpRuntime’
set the following attribute setting –

maxQueryStringLength = 2048 -> 8192
maxRequestLength = 4096 -> 8192

Restart IIS

More information:

Adjust request size limits. (Sometimes this settings does not work and you need to edit as above).
Select the bi directory under the ibmcognos application created earlier.
Double-click Request Filtering.
Click Edit Feature Settings… from the right-hand panel.
Set Maximum URL length (bytes) to 8192.
Set Maximum query string (bytes) to 8192.
Click OK.

Cognos BI 10.2.2
Microsoft Windows 2012 R2 Server
In a Active Directory Domain and Forrest, when we try to add AD groups to the internal Cognos groups in Cognos Connection – Administration – Security, we can not see all groups.
AD Domain Local Groups can only be seen if they are in the same sub-domain as the Cognos Content Manager server. If the Cognos CM server is in a different domain than the DLGroup, it is not visible.

You should create a Cognos security group for your function, then to that Cognos group add AD groups from the different namespace you have created to allow users of different forest have access to the Cognos solution.

When you configure an authentication namespace for IBM® Cognos®, users from only one domain can log in. By using the Advanced properties for Active Directory Server, users from related (parent-child) domains and unrelated domain trees within the same forest can also log in. There is no cross-forest support; there must be a namespace for each forest.
If you set a parameter named chaseReferrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to IBM Cognos. Users from a parent domain of the original authenticated domain or in a different domain tree cannot log in.
If you set a parameter named MultiDomainTrees to true, users in all domain trees in the forest can log in to IBM Cognos.

If you specify Binding Credentials (i.e. if you fill in this section), then:
• (in some environments) it can lead to performance problems. This is because it causes Cognos to ‘unbind’ its original user and re-bind as the ‘specified’ user
• You must ensure that the password (of the user that you choose) does not change/expire

=> Therefore, only fill in the ‘Binding credentials’ section if your “test” (see later) fails. If authentication fails, specify a Windows user ID and password for the Binding credentials property.
• Use the credentials of a Windows user who has at least ‘search’ and ‘read’ privileges for that server.
• This should be a domain user who can ‘see’ the folders inside the AD where the users are located.

In order to setup SSO in a multi-domain Active Directory environment, follow these steps:

1. Launch “Cognos Configuration”
2, Create a new namespace
3. Make sure that this is set to “Active Directory” (not LDAP)
4. Use the root domain as the hostname
5. Locate “Advanced properties” and click edit/modify button
6. Enable either ‘ChaseReferrals’ or ‘MultiDomainTrees’.


  • ChaseReferrals – This will allow users from ‘child’ domains (i.e. domains below the domain that your namespace is connected to) to logon
    • This is often the best choice (for performance reasons).
  • MultiDomainTrees – Allows users from ALL domains (inside the forest) to logon
    • If you are unsure where your users will be located, ‘MultiDomainTrees’ can be the best option (to ensure that all users are able to logon, wherever they are located).
    • However, this means that searches will traverse the entire forest, leading to performance slowdowns.

Once you have chosen, add one of the following entries:

  • chaseReferrals: True
  • multiDomainTrees: True

6. Decide on whether to use NTLM (“REMOTE_USER”) or KERBEROS authentication.
If you want to use NTLM/REMOTE_USER, then also add the following entry:

  • singleSignOnOption: IdentityMapping

Do not use this entry if you want to use Kerberos (which is the preferred option for many environments).
7. Perform a test on this namespace to make sure a connection can be made
8. Restart the service


From the web:
– universal group membership is replicated to all Global Catalogs (i.e. it has forest-wide replication scope). This can be beneficial (since it provides efficient way to retrieve group members) – but has its drawbacks (it increases volume of replication traffic).
– domain local groups do not have any limitations regarding their membership – i.e. they can contain accounts the same domain/forest or any trusted domain/forest. This does not apply to  domain global groups (they can contain only accounts from the same domain) or universal groups (they can contain only accounts from the same forest).
– universal group is a security or distribution group that contains users, groups, and computers from any domain in its forest as members. You can give universal security groups rights and permissions on resources in any domain in the forest.
– global group is a group that can be used in its own domain, in member servers and in workstations of the domain, and in trusting domains. In all those locations, you can give a global group rights and permissions and the global group can become a member of local groups. However, a global group can contain user accounts that are only from its own domain.
– domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest. You can give domain local security groups rights and permissions on resources that reside only in the same domain where the domain local group is located.

More information:

Cognos BI 10.2.2
Microsoft Windows 2012 R2 Server
What files should I save in a backup folder, before I apply a fix pack or do a upgrade of a Cognos BI 10.2.x installation?
If you have done advance tuning to the Cognos functions then this files are maybe updated;

You should keep a copy of the original file you change with the ending .org like Then you should copy your updated file with a ending like .ibm – then if the fix pack overwrites your system.xml file you have a copy of the file in, that you can copy back after the updated.

If you have done report customization then there is this files you need to make a copy off;

GlobalReportStyles.css 8.x styles Classes that were used in IBM Cognos 8 BI
GlobalReportStyles_none.css Simplified styles Classes that have minimal styling defined, useful for financial reports
GlobalReportStyles_1.css 1.x styles Classes that were used in IBM Cognos ReportNet
GlobalReportStyles_10.css 10.x styles Classes in the default style sheet for IBM Cognos 10 BI

They are in this folders

<c10_install>\bin\ The file in this location is used by Report Server for PDF and Microsoft Excel spreadsheet software outputs.
<c10_install>\webcontent\schemas\ The file in this location is used by IBM Cognos Viewer for HTML output.
<c10_install>\reportstyles\ The file in this location is not currently used.
<c10_install>\webcontent\reportstyles\ The file in this location is used by Report Studio.

Then you also may backup this files if you made changes there:

You should also export a unencrypted cogstartup.xml file from each servers Cognos Configuration. Save this file in a separate folder like d:\temp\cogstartup backup 20171124.xml

Include the date, when you saved the file, in the filename.

More information:

Cognos BI 10.2.2
Microsoft Windows 2012 R2 Server
How update the toolbar with links?
Solution: (copied from ibm website)

You need to update the system.xml file. This is found in folder C:\Program Files\ibm\cognos\c10_64\templates\ps\portal\system.xml on the Cognos BI report (dispatcher) server and on the Content manager server. It is the Cognos Presentation service that create the web-page, so where this is running (true) there the files will be read. Best  is to update it on all Cognos instances.

You can add user interface elements to IBM Cognos Connection to connect to external applications or to modify the functionality of IBM Cognos Connection. You can restrict access to these new user interface elements based on different user groups and roles.

To add a user interface element in IBM Cognos Connection, you must modify the portal system.xml file.

The xml:lang attribute of the label and tooltip elements in the system .xml file corresponds to the product locale in use at the time of the portal page generation. If a new product locale is added for IBM Cognos software, you must add a translation for the label and tooltip fields. When no label or tooltip is found that matches the product locale, nothing is displayed. The graphic that is referenced by the icon element must exist in the c10_location/webcontent/ps/portal/images directory.

1. Stop the IBM Cognos service.
2. Open the c10_location/templates/ps/portal/system.xml file in an XML or text editor.
3. For the <system> element, add the <param name=”ui_add”> element:

      <param name=”ui_add”>
      <!–list of user interface elements–>

4. Within the <param name=”ui_add”> element, define all the custom elements that you want to add.

For example, you can add a link to the IBM website in the main header in IBM Cognos Connection:

        <param name=”ui_add”>




              <label xml:lang=”en”>IBM</label>
              <tooltip xml:lang=”en”>IBM</tooltip>
              <label xml:lang=”fr”>IBM</label>
              <tooltip xml:lang=”fr”>IBM</tooltip>
              <label xml:lang=”de”>IBM</label>
              <tooltip xml:lang=”de”IBM</tooltip>
              <label xml:lang=”ja”>IBM</label>
                <tooltip xml:lang=”ja”>IBM</tooltip>




        Using the following example, the IBM link and the associated icon are added to the


        menu in IBM Cognos Connection:
        <param name=”ui_add”>




              <label xml:lang=”en”>IBM</label>
              <tooltip xml:lang=”en”>IBM</tooltip>
              <label xml:lang=”fr”>IBM</label>
              <tooltip xml:lang=”fr”>IBM</tooltip>
              <label xml:lang=”de”>IBM</label>
              <tooltip xml:lang=”de”>IBM</tooltip>
              <label xml:lang=”ja”>IBM</label>
              <tooltip xml:lang=”ja”>IBM</tooltip>




5. For information about all the user interface elements that you can add, see the topic ““Elements You Can Add”. Ensure that you match the case of each user interface element that you want to add.

6. Specify one or more groups or roles that you want to access the new interface element by adding their IDs as values of the show attribute. Use the IDs as documented in the topic “Referencing the required groups or roles in the system.xml file”. Separate the IDs using spaces.

Here is an example:

<param name=”ui_add”>


        <item show=”Administrators RSUsers g1 g2″>

          <label xml:lang=”en”>

My_label in English

          <label xml:lang=”fr”>

My_label in French

          <label xml:lang=”de”>

My_label in German

          <label xml:lang=”ja”>

My_label in Japanese





7. Save the system.xml file.
8. Restart the IBM Cognos service.
Tip: You can have only one <param name=”ui_add”> element in the system.xml. Therefore, all items that you want to add must be placed inside this element.


More information on customization of reports from here


As shown in picture, the style of a Cognos report or report object can be affected by many sources such as:

Global Cognos style sheet such as GlobalReportStyles_10.xml
Local Classes
Layout Component References
RAVE visualizations

If we want to create and modify classes that apply to all reports, we can modify the global Cognos style sheet. This is a useful strategy if we only have one corporate style for all reports.

There are four versions of the global Cognos style sheet as shown in Table below.

 Four versions of the global Cognos style sheet
CSS Version Report Style Description
GlobalReportStyles.css 8.x styles Classes that were used in IBM Cognos 8 BI
GlobalReportStyles_none.css Simplified styles Classes that have minimal styling defined, useful for financial reports
GlobalReportStyles_1.css 1.x styles Classes that were used in IBM Cognos ReportNet
GlobalReportStyles_10.css 10.x styles Classes in the default style sheet for IBM Cognos 10 BI

The exact CSS file used will be chosen based on how the report style is set for a given report. The default setting for IBM Cognos BI 10 is 10.x styles, as shown in Figure 8. You can open this dialog by selecting Report Properties from the File menu in IBM Cognos Report Studio.


Report Properties dialog above.

Each of the four CSS files identified above is installed by Cognos in four different locations, as shown in Table below.

Files are on both gateway and dispatcher (app) servers.
Directory Description
<c10_install>\bin\ The file in this location is used by Report Server for PDF and Microsoft Excel spreadsheet software outputs.
<c10_install>\webcontent\schemas\ The file in this location is used by IBM Cognos Viewer for HTML output.
<c10_install>\reportstyles\ The file in this location is not currently used.
<c10_install>\webcontent\reportstyles\ The file in this location is used by Report Studio.

Update the file GlobalReportStyles_10.css in all above folders.

In the following example we will modify the IBM Cognos 10 BI global style sheet GlobalReportStyles_10.css. This style sheet is used by Cognos Viewer for HTML output.

The following steps are a simple modification where we will modify GlobalReportStyles_10.css to increase the font size.

  1. On your IBM Cognos BI 10 server, find the file named <c10_install>\webcontent\schemas\GlobalReportStyles_10.css.
  2. Copy this file and save it as GlobalReportStyles_10_BU.css.
  3. Open the original GlobalReportStyles_10.css in a text editor.
  4. Find the text .ls /* list */.
  5. Scroll down to font-size: 8pt; and change it to font-size: 28pt;.
  6. Save the file and close it.
  7. Clear your browser’s cache and restart Report Studio.
  8. Create a new List report with any data source.Select the List object and view its properties. You will notice that the Font property is empty.
  9. Click the Run Report toolbar button to preview the HTML output in Cognos Viewer. It will pick up the new 28pt font size at runtime.

More information:

Cognos BI 10.2.2 fix pack 7
Microsoft Windows 2012 R2 Server
When a user from a different domain than the servers are in, try to login to Cognos Connection, they get this error message.
The function ‘bindToBestGCServer’ failed.
There are two Microsoft Windows domains, Domain A and Domain B, that have a forest trust. In Cognos Configuration you have setup two namespace – one for Domain A and one for Domain B. The Cognos servers are in Domain A.
On the Microsoft Windows server IIS manager you have set Windows authentication on the CGI-BIN folder for the Cognos Gateway.
The user selects the namespace he want to login to first when he reach the cognos connection webpage.
Inside Cognos Configuration you only need:
+ In the Value – Advanced properties window, click Add.
+ In the Name column, type singleSignonOption (Case sensitive)
+ In the Value column, type IdentityMapping (Case sensitive)
+ Click OK.
+ Save configuration and restart Service for the setting to take effect

…to make the login work.
If you have also enter multiDomainTree=true you get above error.
If you only have ONE namespace setup in Cognos, then if all domains are the same Active Directory Forest, you need to add this values
chaseReferrals = True
MultiDomainTrees = True

Solution is very depending one your network infrastructure setup, you need to test different configurations.

Authentication in One Domain Tree
If you set a parameter named chaseReferrals to true, users in the original authenticated domain and all child domains of the domain tree can log in to Cognos. Users above the original authenticated domain or in a different domain tree cannot log in.

Authentication in All Domain Trees in the ‘Forest’
If you set a parameter named MultiDomainTrees to true, users in all domain trees in the forest can log in to Cognos.

More information