Windows 10 access to Cognos

Summary

In testing with the Windows 10 “[2016] Anniversary Update”,  QueryVision has  found that direct access to IBM Cognos (including IBM Cognos Analytics 11) or access via QueryVisions Web Parts for Cognos may be blocked for IE 11 without updating the new Group Policies for IE 11 introduced by the Windows 10 “Anniversary Update”

See:  Windows 10 Anniversary Update will improve interoperability between Microsoft Edge and IE 11

Windows 10 Browsers

Windows 10 provides both IE 11 and the new Microsoft Edge.

A critical factor for both IE 11 and Edge are the ability to pass domain credentials to IBM Cognos and  – for QueryVision’s SharePoint Web Parts for Cognos – through SharePoint to Cognos.

Edge, by design, does not support Integrated Windows Authentication in the same way as IE, relying on prompting users and saving credentials for sites that require authentication using the Win 10 Credential Manager. As this is questionable to many Corporate users, it is generally recommended to continue to use IE 11 for access to Cognos for Windows 10. This is underlined by IBM Cognos not offering support for MS Edge.

Why is this important?

Standard practice for IIS for Cognos is to protect access to the Virtual Directories (e.g. http://<cognos server>/ibmcognos/) via disabling anonymous access and enabling Windows Authentication (Windows Integrated Authentication) for the ibmcognos virtual directory and any sub-directories.

If the user’s “domain”/Windows credentials are not passed, when accessing ibmcognos/* via a URL, the user will be challenged by the browser for their windows credentials – otherwise access is denied.

For IE (including IE 11) on Windows 7/8/8.1 and 10 before the Windows 10 “Anniversary Update”, Integrated Windows Authentication (IWA) worked without issue. Chrome and Firefox will challenge for credentials, but they can be configured to support IWA. And they work fine on Windows 10 pre and post “Anniversary Update”. But after application of the Win 10 “[2016] Anniversary Update”, IE 11 effectively stops passing credentials, even with identical “user” settings to IE 11 on Win 7/8/8.1 and even Win 2012 R2. We also note that additional Internet Options appear in IE 11 on Windows 10 post “Anniversary Update” that do not appear on other Windows platforms. Effectively IE 11 on Windows 10 is now a specialized version.

What has Changed?

Microsoft is increasing taking steps to promote Edge, encouraging customers to use a combination of IE 11 and Edge with use of IE 11 only when absolutely required.

With the Windows 10 “Anniversary Update” they have further integrated IE 11 and Edge including new Group Policies which impact IE access to Windows Authentication protected sites. Microsoft says:

Starting with the Windows 10 Anniversary Update, we are introducing a new Internet Explorer group policy to restrict IE11 usage to only sites on the Enterprise Mode Site List: “Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.” Enabling this setting automatically opens all sites that are not included in the Enterprise Mode Site List in Microsoft Edge. We recommend setting Microsoft Edge as the default browser when enabling this policy.

This feature works with both the v.1 and v.2 XML schemas. If you also have the “Send all intranet sites to Internet Explorer 11” Microsoft Edge group policy enabled at the same time, then all intranet sites will continue to open in IE11.

Symptoms

The symptoms of the problem are that when accessing IBM Cognos Analytics 11 using the SSO URL

http://w12r2ca111/ibmcognos/cgi-bin/cognosisapi.dll?b_action=xts.run&m=portal/main.xts&m_redirect=/ibmcognos/bi/

The page gets a “can’t display page” error, even with “Enable Integrated Windows Authentication” IE 11 Internet option.