

As of December 1, 2020, Focal Point is retired and repurposed as a reference repository. We value the wealth of knowledge that's been shared here over the years. You'll continue to have access to this treasure trove of knowledge, for search purposes only.

Setting up SQL server with IWA?
 
Master
posted
We have a SQL Server instance that uses Windows authentication, and our WebFOCUS server uses IWA as well.

We are getting an error when trying to use this setup. It's not passing the WFRS user to the SQL Server...

: Microsoft OLE DB Provider for SQL Server: [42000] Login failed for user
: 'NT AUTHORITY\ANONYMOUS LOGON'.

I'm sure there has to be another WebFOCUS user running SQL Server. How do you do it?


Prod: Single Windows 2008 Server running Webfocus 7.7.03 Reporting server Web server IIS6/Tomcat, AS400 DB2 database.
 
Posts: 611 | Registered: January 04, 2007
Master
posted
Jason

Only the obvious stuff.

1. You tried the id without wf to check they can connect through EM or other tool etc

2. Are you using Passthru with no userid coded in your connection string?

Regards

John



Server: WF 7.6.2 ( BID/Rcaster) Platform: W2003Server/IIS6/Tomcat/SQL Server repository Adapters: SQL Server 2000/Oracle 9.2
Desktop: Dev Studio 765/XP/Office 2003 Applications: IFS/Jobscope/Maximo
 
Posts: 888 | Location: Airstrip One | Registered: October 06, 2006
Master
posted
The problem is that it's passing anonymous logon through IWA.

It should be passing the Windows username to our SQL Server. We're using Windows authentication rather than SQL authentication on the SQL Server.


Prod: Single Windows 2008 Server running Webfocus 7.7.03 Reporting server Web server IIS6/Tomcat, AS400 DB2 database.
 
Posts: 611 | Registered: January 04, 2007
Virtuoso
posted
Call the help desk and ask for Tech Memo 4647 called "Configuring Single Sign-on to the WebFOCUS Reporting Server Using Kerberos". It will tell you what you need to do.

A word of advice: be patient, as it can take a while to get it right!


"There is no limit to what you can achieve ... if you don’t care who gets the credit." Roger Abbott
 
Posts: 1102 | Location: Toronto, Ontario | Registered: May 26, 2004
Member
posted
How is directory security for IIS configured for the site hosting WebFOCUS? If anonymous authentication is OK, then it's passed.

Also, when you refer to your IIS HTTP server, do you use the shortname (e.g. mywebserver) or the full DNS (e.g. mywebserver.mycompany.com)? The reason I ask the second question is that if you disable anonymous authentication in IIS and use the long name, Internet Explorer will assume you want to go outside the firewall and typically is configured to prompt you for your credentials.

Also, is TomcatAuthentication (in the server.xml file) configured? This setting allows you to configure MR to pick up the REMOTE_USER information from the IIS Header. I'd have to check if it's in the TM4647, but I know it's in the WebFOCUS Security and Administration manual.


WebFOCUS 53, 71, 76 - All Platforms
 
Posts: 15 | Location: Information Builders - Chicago | Registered: May 08, 2003
Expert
posted
When I search for "TomcatAuthentication" on Tech Support, this thread is the only result, so, even though TomcatAuthentication is discussed in the WebFOCUS Security and Administration manual, it does not show up in a search.

quote:
Reference: Enabling REMOTE_USER in an IIS/Tomcat Configuration
You can configure IIS to authenticate users (such as with Basic authentication or IWA) and
propagate the authenticated user ID to Tomcat so that it can be used by WebFOCUS. However,
you need to customize the Tomcat server.xml file. Add the attribute
tomcatAuthentication="false" anywhere inside the connector element that defines your
Jakarta AJP13 listener. This is typically the connector element that contains the port="8009"
attribute.


Francis


Give me code, or give me retirement. In FOCUS since 1991

Production: WF 7.7.05M, Dev Studio, BID, MRE, WebSphere, DB2 / Test: WF 8.1.05M, App Studio, BI Portal, Report Caster, jQuery, HighCharts, Apache Tomcat, MS SQL Server
 
Posts: 10577 | Location: Toronto, Ontario, Canada | Registered: April 27, 2005
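
A check for the `tomcatAuthentication="false"` setting quoted in the post above, as an added example that is not part of the original thread or the vendor's documentation. It parses a Tomcat `server.xml`, finds the AJP connectors, and reports whether each one accepts the user ID authenticated by IIS; the sample XML is constructed, the function names are hypothetical, and the `review_exposure` flag is an addition here, reflecting that a connector which takes identity from AJP trusts whatever can reach that port.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the thread).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_ajp(conn):
    """AJP listeners declare protocol="AJP/1.3" or an Ajp* protocol class name."""
    return "ajp" in conn.get("protocol", "").lower()


def audit_ajp_connectors(xml_text):
    """Return one finding dict per AJP connector in a Tomcat server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_ajp(conn):
            continue
        # Tomcat's default is tomcatAuthentication="true": Tomcat authenticates
        # users itself and ignores the user ID sent by the front-end web server.
        value = conn.get("tomcatAuthentication", "true").strip().lower()
        trusts_front_end = value == "false"
        address = conn.get("address")  # None: bind address is the version default
        findings.append({
            "port": conn.get("port"),
            "remote_user_propagated": trusts_front_end,
            "address": address,
            # Identity comes from AJP, so confirm only the web server can connect.
            "review_exposure": trusts_front_end and address not in LOOPBACK,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

A connector reported with `remote_user_propagated` set to `False` will not hand REMOTE_USER to WebFOCUS; one reported with `review_exposure` set to `True` should be restricted by bind address or firewall so that only the IIS host can reach it.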
Platinum Member
posted
The only way to have single-sign-on (without any prompt for credentials), and pass the credentials all the way to SQL server is with Kerberos, as is outlined in TM4647 using the WebFOCUS Kerberos Java Servlet filter.

It is not possible to simply use IWA on IIS and have those credentials passed all the way to SQL Server.

In order to use "integrated authentication" in SQL Server from the Reporting Server requires that the actual Reporting Server agent is running as a user that has access to SQL Server.

If you want each individual user to have the Reporting Server agent run as himself/herself, then the Reporting Server needs to be running in OPSYS security mode.

Since Windows always requires some form of complete credentials (userid/password or equivalent), in order to assume the context of the user this means that the Reporting Server must be given either a userid/password for the user (aka no SSO), or must be given the equivalent of a userid/password (aka a Kerberos token).

From what I understand, the way that the IIS/Jakarta ISAPI filter processes the request, even if Kerberos is used on IIS, the Kerberos token is not usable to the WebFOCUS Client to forward on to the Reporting Server.

As a result Kerberos authentication needs to be implemented according to TM4647 in order to both have SSO, and be able to hit the SQL Server as individual end users.

Thanks,
Doug Logan


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007
Platinum Member
posted
As far as the "Tomcat Authentication" is concerned, I believe Jim is referencing this document:
http://techsupport.information...om/sps/51802023.html

While this will help you successfully set up IWA to be able to use "Trusted" MR Security within WebFOCUS, it will not help with your ANONYMOUS user question in accessing SQL Server.

If you are in fact going to set up Kerberos according to TM4647, it is recommended that you use Tomcat standalone anyway. As a result these steps will not be needed since IIS will not be in the picture.

Thanks,
Doug Logan


WF 71.x, 76.x, 7701, 8.0 Beta OS: Linux, Win2k3, Win2k, Win2k8, WinXP


 
Posts: 203 | Registered: November 19, 2007

Copyright © 1996-2020 Information Builders