working on laptop

Ironside Tech Tip: Unique 403 Error in Cognos Analytics Via IIS

When dealing with a Cognos environment there are a lot of moving parts, especially in a multi-server environment. For instance, there is the Application server, the Dispatcher, the Gateway, the Database server, and so on. This isn’t even including the general IT infrastructure components like the network, VPN and firewall. One component that tends to get overlooked is the Web Server.

In Cognos Analytics, the Web server is not always necessary to have a fully functioning environment. However, there are a couple of exceptions to this rule:

  • In order to correctly set up and implement SSO for your Cognos environment, a web server is required.
  • A web server is required for segregation of security.
  • If you have multiple applications that require access control through port management or policy differentiation, you will need a separate web server. 

Assuming you don’t want to setup SSO or segregated security, the web server isn’t necessary. However, it does make some things easier in the implementation. For example, a web server can simplify:

  • Pointing the dispatch server port to a standard port like http/80 or https/443 so it can run off of them.
  • Setting up SSL Certificates more conveniently due to how IIS is set up to import and export them.

Setting Up

If you are using or have decided to move forward with setting up IIS for Cognos Analytics, you will notice the setup is rather simple. IBM has released scripts that you can run to set up the rules and configurations that are needed for Cognos to run correctly. As these scripts streamline the process to set up IIS, there might still be some tweaks that need to be made. One that I will specifically address is the Feature Permissions in the Handler Mapping sections.

An error that has come up a few times with our clients is a “403 Access Denied” error when attempting to connect to the Cognos Analytics portal page. It is not something we see often and because of that, it took our team a while to resolve when it was first brought to our attention. After tracking down the issue to inside the IIS web server, we noticed that Parent Feature permissions had been set at the “Default Web Site” level for the Handler Mapping to not allow for “Execute” and “Script” permission. Since this setting was set at the top parent level, it was inherited when the scripts created the virtual applications for Cognos. We don’t recommend setting up a Cognos server on another server while running other applications that may also be utilizing IIS. There may be some specific changes to be made that are not standard to a Cognos setup.

Our solution to this issue was to go into the Cognos IIS virtual application and set the Feature Permissions inside Handler Mapping

 

 

to allow for “Execute” and “Script” permission. Once we did that, we quickly restarted the IIS server and flushed out the browser cache.

 

 

We were then able to successfully connect to the Cognos Analytics portal page.

The take away from this experience is that everyone can set up Cognos in a slightly different way.   If you’re running into issues with setting up Cognos Analytics, let us know and we can help you review your specific environment and provide the best solution to keep everything running smoothly.  While new technologies can require some tweaks, that shouldn’t deter us from using them to gain valuable insights for the business.

 

 

cognos analytics information

 

 

 

About Ironside

Ironside was founded in 1999 as an enterprise data and analytics solution provider and system integrator. Our clients hire us to acquire, enrich and measure their data so they can make smarter, better decisions about their business. No matter your industry or specific business challenges, Ironside has the experience, perspective and agility to help transform your analytic environment.