We have a SQL server instance that uses windows authentication, and our Webfocus server uses IWA as well.

We are getting an error when trying to use this setup. It's not passing the WFRS user to the sql server...

: Microsoft OLE DB Provider for SQL Server: [42000] Login failed for user
: 'NT AUTHORITY\ANONYMOUS LOGON'.

I'm sure there has to be another webfocus user running sql server. How do you do it?

Jason

Only the obvious stuff.

1. You tried the id without wf to check they can connect through EM or other tool etc

2. Are you using Passthru with no userid coded in you connection string?

Regards

John

The problem is that it's passing anonymous logon through IWA.

It should be passing the windows username to our sql server. We're using windows authentication rather than sql authentication on the sql server.

Call the help desk and as for Tech Memo 4647 called "Configuring Single Sign-on to the WebFOCUS Reporting Server Using Kerberos". It will tell you what you need to do.

A word of advice: be patient, as it can take a while to get it right!

How is directory security for IIS configured for the site hosting WebFOCUS? If anonymous authentication is OK, then it's passed.

Also, when you refer to your IIS HTTP server, do you use the shortname (e.g. mywebserver) or the full DNS (e.g. mywebserver.mycompany.com)? The reason I ask the second question is that if you disable anonymous authentication in IIS and use the long name, Internet Explorer will assume you want to go outside the firewall and typically is configured to prompt you for your credentials.

Also, is TomcatAuthentication (in the server.xml file) configured? This setting allows you to configure MR to pick up the REMOTE_USER information from the IIS Header. I'd have to check if it's in the TM4647, but I know it's in the WebFOCUS Security and Administration manual.

When I search for "TomcatAuthentication" on Tech Support, this thread is the only result, so, even though TomcatAuthentication is discussed in the WebFOCUS Security and Administration manual, it does not show up in a search.

quote:

Reference: Enabling REMOTE_USER in an IIS/Tomcat Configuration
You can configure IIS to authenticate users (such as with Basic authentication or IWA) and
propagate the authenticated user ID to Tomcat so that it can be used by WebFOCUS. However,
you need to customize the Tomcat server.xml file. Add the attribute
tomcatAuthentication="false" anywhere inside the connector element that defines your
Jakarta AJP13 listener. This is typically the connector element that contains the port="8009"
attribute.

The only way to have single-sign-on (without any prompt for credentials), and pass the credentials all the way to SQL server is with Kerberos, as is outlined in TM4647 using the WebFOCUS Kerberos Java Servlet filter.

It is not possible to simply use IWA on IIS and have those credentials passed all the way to SQL Server.

In order to use "integrated authentication" in SQL Server from the Reporting Server requires that the actual Reporting Server agent is running as a user that has access to SQL Server.

If you want each individual user to have the Reporting Server agent run as himself/herself, then the Reporting Server needs to be running in OPSYS security mode.

Since Windows always requires some form of complete credentials (userid/password or equivalent), in order to assume the context of the user this means that the Reporting Server must be given either a userid/password for the user (aka no SSO), or must be given the equivalent of a userid/password (aka a Kerberos token).

From what I understand the way that IIS/Jakarta ISAPI filter process the request even if Kerberos is used on IIS, the Kerberos token is not usable to the WebFOCUS Client to forward on to the Reporting Server.

As a result Kerberos authentication needs to be implemented according to TM4647 in order to both have SSO, and be able to hit the SQL Server as individual end users.

Thanks,
Doug Logan

As far as the "Tomcat Authentication" is concerned, I believe Jim is referencing this document:
http://techsupport.information...om/sps/51802023.html

While this will help you successfully setup IWA to be able to use "Trusted" MR Security within WebFOCUS, it will not help with your ANONYMOUS user question in accessing SQL Server.

If you are in fact going to setup Kerberos according to TM4647, it is recommended that you use Tomcat standalone anyway. As a result these steps will not be needed since IIS will not be in the picture.

Thanks,
Doug Logan