FAP program cannot login to TM1 cube with a Windows account

Product:
Cognos Controller 10.2.1
Cognos TM1 10.2.2
Cognos BI 10.2.1

Symptom:
When publish from FAP program to TM1 cube with a Windows account you cannot login. But same account work when you access the TM1 cube from TM1 Architect.

Background:
TM1 and Controller are using CAM authentication against a BI server that is connected to the Company’s Active Directory.
The windows user account is in a different sub domain, than the TM1 and Controller servers, that are in an other sub domain in the Company Active Directory.
The FAP program cannot add sub domain information at login, as you can when you login to TM1 Architect.
If you use a Windows account that is in the same sub domain as the TM1 server, then the login works.

Solution:
Check the name space connection string at the Cognos Configuration on the BI server. It should point to the top of the AD domain. If it point to a single AD server in the domain, that server cannot have access of the whole AD, and therefor miss the account. This because the sub domain info is not passed on from the FAP program.
Ensure that the AD connection point to the top of the domain, or to a load balancer in front of the AD servers.