Cognos BI login takes over 30 min

Product:
Cognos BI 10.2.2 fix pack 7
Microsoft Windows 2012 R2 Server

Problem:
Slow or no login at all to a new namespace in Cognos Connection. The user browses to http://servername/cognos8 and then waits.
The other namespace set up in Cognos BI works fine.

Troubleshoot:
Instead of setting the domain name in the Cognos Configuration namespace "Host and port" field, try the IP address of the closest Microsoft Windows Domain Controller (DC) in that domain. Change it to 10.0.0.78:389 if your Domain Controller uses that IP address.

You can test a change to the namespace host without saving Cognos Configuration: right-click the namespace name (under Authentication in the left panel) and select Test. Cognos will run an authentication test against that DC directly at the network level, without going through the Cognos dispatcher or the Cognos Gateway.
When the dialog asks for a username and password, enter the user name as DOMAIN\username.
The details will show that Cognos first checks that the user exists, and thereafter asks for a list of all AD groups that the user belongs to.
If this test takes a long time, the login for the Cognos user at the Cognos Gateway (IIS) will take at least as long.

Close Cognos Configuration without saving; your test values are discarded and you are back to the previous setup in Cognos.

The result from a test in Cognos Configuration:
[‘AD’]
User account properties:
defaultName: roger
userName: roger
givenName: roger
surname:
email:
businessPhone:
mobilePhone:
homePhone:
faxPhone:
pagerPhone:
postalAddress:

Group membership:
Domain Users

Tenant ID:
No associated tenant ID.

Tenant bounding set:
No associated tenant bounding set.

To see if you have network contact with your DC, start a PowerShell prompt on your Content Manager server.
Enter this command (tnc is an alias for Test-NetConnection): tnc -computername domaincontrollerservername.domain.com -port 389

The result should be like this:
ComputerName : domaincontrollerservername
RemoteAddress : 10.0.0.78
RemotePort : 389
InterfaceAlias : Ethernet0
SourceAddress : 192.168.254.11
PingSucceeded : True
PingReplyDetails (RTT) : 4 ms
TcpTestSucceeded : True

If you get PingSucceeded : False, ask your network team to check routers, firewalls and ACL tables between the networks. TcpTestSucceeded reports whether the TCP connection to port 389 itself succeeded.

You can download a network monitor to get more information on what is going on:
Network Monitor
https://technet.microsoft.com/en-us/library/cc938655.aspx

Active Directory Explorer (AD Explorer)
https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer

Cognos Content Manager will bind to the DC schema to obtain the list of all "known" DCs based on the AD structure.
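
To find which DC is closest before entering its IP in the namespace "Host and port" field, the script below lists the domain's DCs from DNS and times a TCP connect to port 389 on each. It is an added example, not part of the original article; 'domain.com' is a placeholder, and it assumes the DCs are registered under the standard _ldap._tcp.dc._msdcs SRV name and that it is run on the Content Manager server.

```powershell
# Added example: rank domain controllers by TCP connect time on the LDAP port.
# 'domain.com' is a placeholder for the AD domain used in the Cognos namespace.
param(
    [string]$Domain = 'domain.com',
    [int]$Port = 389,
    [int]$TimeoutMs = 3000
)

# Domain controllers register SRV records under _ldap._tcp.dc._msdcs.<domain>.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.NameTarget }

$results = foreach ($dc in $srv) {
    $name = $dc.NameTarget
    # First IPv4 address of the DC; stays $null if the name does not resolve.
    $ip = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress

    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $false
    try {
        if ($ip) {
            # Asynchronous connect so an unreachable DC costs at most $TimeoutMs.
            $async = $client.BeginConnect($ip, $Port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)   # throws if the connection was refused
                $ok = $true
            }
        }
    } catch {
        $ok = $false
    } finally {
        $sw.Stop()
        $client.Close()
    }

    [pscustomobject]@{
        DomainController = $name
        IPAddress        = $ip
        Reachable        = $ok
        ConnectMs        = if ($ok) { $sw.ElapsedMilliseconds } else { $null }
    }
}

# Reachable DCs first, fastest at the top.
$results | Sort-Object @{ Expression = { -not $_.Reachable } }, ConnectMs |
    Format-Table -AutoSize
```

A DC that shows Reachable False or a high ConnectMs is a poor candidate for the namespace host; confirm the chosen one with the Test option in Cognos Configuration described above.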

More information:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controller to domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
http://support.microsoft.com/kb/832017#4

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)