As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.
Join the TIBCO Community TIBCO Community is a collaborative space for users to share knowledge and support one another in making the best use of TIBCO products and services. There are several TIBCO WebFOCUS resources in the community.
From the Home page, select Predict: WebFOCUS to view articles, questions, and trending articles.
Select Products from the top navigation bar, scroll, and then select the TIBCO WebFOCUS product page to view product overview, articles, and discussions.
Request access to the private WebFOCUS User Group (login required) to network with fellow members.
Former myibi community members should have received an email on 8/3/22 to activate their user accounts to join the community. Check your Spam folder for the email. Please get in touch with us at firstname.lastname@example.org for further assistance. Reference the community FAQ to learn more about the community.
How is directory security for IIS configured for the site hosting WebFOCUS? If anonymous authentication is OK, then it's passed.
Also, when you refer to your IIS HTTP server, do you use the shortname (e.g. mywebserver) or the full DNS (e.g. mywebserver.mycompany.com)? The reason I ask the second question is that if you disable anonymous authentication in IIS and use the long name, Internet Explorer will assume you want to go outside the firewall and typically is configured to prompt you for your credentials.
Also, is TomcatAuthentication (in the server.xml file) configured? This setting allows you to configure MR to pick up the REMOTE_USER information from the IIS Header. I'd have to check if it's in the TM4647, but I know it's in the WebFOCUS Security and Administration manual.
WebFOCUS 53, 71, 76 - All Platforms
Posts: 15 | Location: Information Builders - Chicago | Registered: May 08, 2003
When I search for "TomcatAuthentication" on Tech Support, this thread is the only result, so, even though TomcatAuthentication is discussed in the WebFOCUS Security and Administration manual, it does not show up in a search.
Reference: Enabling REMOTE_USER in an IIS/Tomcat Configuration You can configure IIS to authenticate users (such as with Basic authentication or IWA) and propagate the authenticated user ID to Tomcat so that it can be used by WebFOCUS. However, you need to customize the Tomcat server.xml file. Add the attribute tomcatAuthentication="false" anywhere inside the connector element that defines your Jakarta AJP13 listener. This is typically the connector element that contains the port="8009" attribute.
Give me code, or give me retirement. In FOCUS since 1991
Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
The only way to have single-sign-on (without any prompt for credentials), and pass the credentials all the way to SQL server is with Kerberos, as is outlined in TM4647 using the WebFOCUS Kerberos Java Servlet filter.
It is not possible to simply use IWA on IIS and have those credentials passed all the way to SQL Server.
In order to use "integrated authentication" in SQL Server from the Reporting Server requires that the actual Reporting Server agent is running as a user that has access to SQL Server.
If you want each individual user to have the Reporting Server agent run as himself/herself, then the Reporting Server needs to be running in OPSYS security mode.
Since Windows always requires some form of complete credentials (userid/password or equivalent), in order to assume the context of the user this means that the Reporting Server must be given either a userid/password for the user (aka no SSO), or must be given the equivalent of a userid/password (aka a Kerberos token).
From what I understand the way that IIS/Jakarta ISAPI filter process the request even if Kerberos is used on IIS, the Kerberos token is not usable to the WebFOCUS Client to forward on to the Reporting Server.
As a result Kerberos authentication needs to be implemented according to TM4647 in order to both have SSO, and be able to hit the SQL Server as individual end users.
While this will help you successfully setup IWA to be able to use "Trusted" MR Security within WebFOCUS, it will not help with your ANONYMOUS user question in accessing SQL Server.
If you are in fact going to setup Kerberos according to TM4647, it is recommended that you use Tomcat standalone anyway. As a result these steps will not be needed since IIS will not be in the picture.