PowerBI CAM SSO Connectivity Issue
Just pulled in the latest TM1py and Python 3.8
We have CAM and SSO set up with our own internal SSL certificates. I have run check.py and no matter what I do it comes back with "Failed to authenticate through CAM. Expected status_code 200, received status_code: 401"
I can't see the request in Fiddler so it's a bit hard to trace down what's going on. To validate I ran PlanningSample and used check.py and it was able to authenticate.
Is there a step that I'm missing here? Do I need to copy certs over to Python on my machine somewhere?
ClientCAMURI format is "https://serverfqdn:443/ibmcognos/bi/v1/disp"
Hi @meyersrl,
does the Planning Sample model also use CAM with SSO?
Before looking into SSL, let me ask a question about your CAM setup. When using Architect or TM1Web with your TM1 instance, can you log in without providing credentials?
Yes we don’t have to enter credentials for any of the clients. We are running the IIS gateway for CA 11 to allow SSO for PA.
I ran Planning Sample in Mode 1 as a test to make sure Python was working.
Hi @meyersrl,
sorry for the late reply, I had a short holiday.
Can you execute this piece of code please:
```python
import requests
from requests_negotiate_sspi import HttpNegotiateAuth

response = requests.get(
    url=gateway,
    auth=HttpNegotiateAuth(),
    verify=verify,
    params={"CAMNamespace": namespace})
print(response.status_code)
print(response.cookies)
```
gateway is the ClientCAMURI
verify is either False or a path to the cert.pem
namespace is the CAM namespace
Now 'cam_passport' should be in response.cookies
When verify=False the error is
401 <RequestsCookieJar[]>
For the location of the certificate, which cert is it looking for? Does it only need the .pem cert for our internal CA? Or is it looking for the actual server cert from one of the machines? I tried our internal CA Cert and the error is
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: C:\Temp\ca.pem
Sorry just tried a different .pem which I believe has the full chain.
I got this
401 <RequestsCookieJar[]>
And just tried using the cert for the TM1 database server and got
SSLError: HTTPSConnectionPool(host='uscdcctm19.us.cbre.net', port=443): Max retries exceeded with url: /ibmcognos/bi/v1/disp?CAMNamespace=AD (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1124)')))
Perhaps this is the same issue as https://github.com/cubewise-code/tm1py-samples/issues/80
Please try to use the approach that @EdouarL suggested.
I notice in Fiddler that when we make a connection to our server there are 2 attempts. The first one fails as it attempts to use NTLM authentication, then it tries the same thing again but it uses Negotiated and is successful. It's like the Python call is receiving the 401 from the NTLM attempt and then unlike the browser connection it stops and doesn't attempt negotiate.
Can you change the behaviour of the requests_negotiate_sspi code to do a retry instead of failing?
I tried implementing a retry but it fails on the retry as well.
What's really strange is that when I use Fiddler to trace my login to TM1Web there are 3 attempts. The first 2 respond 401 and have the authorization types in the response. The last attempt has the NTLM Authorization Header and responds with a 200. Then when I look at the response in Python it has the exact same header but the response is 401.
I can modify the code to use HttpNtlmAuth('userid', 'password') and the request is successful but this isn't SSO.
Hi @meyersrl,
I noticed that there is a pending MR on the requests_negotiate_sspi library.
https://github.com/brandond/requests-negotiate-sspi/pull/21/files
It may be related. Can you apply the change to your local version of the package and see if it helps?
Just getting back to this, but I have modified requests_negotiate_sspi and no luck. I am able to connect using CAM without SSO; however, when I try to use SSO it fails with 401. We use our own certificates; however, I added the Root and Intermediate CA certs to the cacerts.pem file after adding certifi. Has anyone else been able to get CAM with SSO working on custom certificates?
FYI I have tried the script again after updating Python and TM1Py and I do now get a 200 Response from
```python
import requests
from requests_negotiate_sspi import HttpNegotiateAuth

response = requests.get(
    url=gateway,
    auth=HttpNegotiateAuth(),
    verify=verify,
    params={"CAMNamespace": namespace})
print(response.status_code)
print(response.cookies)
```
However when I use TM1Py I get
Failed to authenticate through CAM. HTTP response does not contain 'cam_passport' cookie
My response from the get.Request script is
200 <RequestsCookieJar[<Cookie XSRF-TOKEN=TOKENHERE for cognosserver/ibmcognos/bi>, <Cookie CRN=showWelcomePage%3Dtrue%26displayMode%3Dlist%26format%3DHTML%26contentLocale%3Den%26http%3A%2F%2Fdeveloper.cognos.com%2Fceba%2Fconstants%2FsystemOptionEnum%23accessibilityFeatures%3Dfalse%26showHiddenObjects%3Dfalse%26productLocale%3Den%26columnsPerPage%3D3%26showOptionSummary%3Dtrue%26backgroundSessionLogging%3D1970-01-01%2B00%253A00%253A00%26http%3A%2F%2Fdeveloper.cognos.com%2Fceba%2Fconstants%2FbiDirectionalOptionEnum%23biDirectionalFeaturesEnabled%3Dfalse%26linesPerPage%3D15%26listViewSeparator%3Dnone%26isToolbarDocked%3Dtrue%26automaticPageRefresh%3D30%26showHints%3DshowAll%26skin%3Dcorporate%26timeZoneID%3DAmerica%252FChicago%26 for cognosserver/ibmcognos/bi/v1>]>
Hi @meyersrl,
sorry for the late reply. Scanning through the response of the custom auth code, it looks like it didn't return the expected CAM Passport. Is that correct?
Yes it seems as if there is some back and forthing during a normal login (at least when I use Fiddler to trace the responses for a login to TM1Web). But ultimately the responses in TM1Py/Python don't come back with a cam_passport cookie.
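A small triage helper for the responses discussed in this thread (401 after an NTLM or Negotiate attempt, and 200 without a cam_passport cookie), as an added example that is not code from TM1py, requests_negotiate_sspi or any participant. It uses only the standard library; the function names and the sample values are constructed for illustration.

```python
import base64

def offered_schemes(www_authenticate):
    """Schemes in a WWW-Authenticate value (requests joins repeats with ', ')."""
    schemes = []
    for part in www_authenticate.split(","):
        words = part.split()
        # Skip empty parts and auth-params such as charset="UTF-8".
        if words and "=" not in words[0]:
            schemes.append(words[0])
    return schemes

def sent_mechanism(authorization):
    """Mechanism the client put in its Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() == "negotiate":
        try:
            raw = base64.b64decode(token.strip())
        except ValueError:
            return "Negotiate (undecodable token)"
        # Negotiate can carry a raw NTLMSSP message instead of SPNEGO.
        return "NTLM via Negotiate" if raw.startswith(b"NTLMSSP\x00") else "SPNEGO"
    return scheme

def triage(status, www_authenticate="", authorization=None, cookie_names=()):
    """Classify one gateway response by status, challenge and cookies."""
    sent = sent_mechanism(authorization)
    if status == 401:
        offered = "/".join(offered_schemes(www_authenticate)) or "nothing"
        if sent is None:
            return "challenge unanswered; server offers " + offered
        return "server rejected " + sent + "; still offers " + offered
    if status == 200 and "cam_passport" in cookie_names:
        return "authenticated: cam_passport issued"
    if status == 200:
        return "HTTP 200 but no cam_passport cookie"
    return "unexpected status %d" % status

# Constructed samples: (status, WWW-Authenticate, Authorization sent, cookie names).
NTLM_MSG = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLES = [
    (401, "Negotiate, NTLM", None, []),
    (401, "Negotiate, NTLM", NTLM_MSG, []),
    (200, "", None, ["XSRF-TOKEN", "CRN"]),
    (200, "", None, ["XSRF-TOKEN", "cam_passport"]),
]
if __name__ == "__main__":
    print("\n".join(triage(*sample) for sample in SAMPLES))
```

With requests, the four inputs are response.status_code, response.headers.get("WWW-Authenticate", ""), response.request.headers.get("Authorization") and response.cookies.keys().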
FYI, I had a similar issue going here: #509
duplicate of #509