Connecting Arc to a TM1 Instance with Security Mode 3
Arc v4.1.1 introduces support for TM1 security mode 3 (Windows SSO using NTLM and Kerberos). No configuration changes are required on the Arc side — Arc automatically uses the browser's Windows authentication.
Steps to test connectivity
When setting up Arc with security mode 3, there are several moving parts, so it’s important to verify that each component is working as expected.
Verify that authentication with the TM1 REST API is working directly on the server.
Verify that authentication to Arc works when accessed from the server.
Test whether authentication to Arc works from a browser outside the server.
Check whether the user can connect to Arc from Slice using the same URL.
How to Verify Connectivity
Before connecting Arc, verify that Windows SSO authentication is working by testing the TM1 REST API directly in your browser:
Open a browser and navigate to the following URL (replace the port and SSL settings as applicable):
https://localhost:8782/api/v1/ActiveUserIf the browser authenticates you automatically and returns a valid response, Arc will work with this instance using security mode 3.
Note: Some browsers such as Firefox require additional configuration for Windows SSO (NTLM/Kerberos) to work. If the browser test fails, check your browser's authentication settings before troubleshooting Arc.
Example Configuration
Setting | Value |
|---|---|
REST API Port | 8782 |
Security Mode | 3 |
UseSSL | true |
Once the browser test succeeds, open Arc and connect to the TM1 instance as normal — authentication will be handled automatically via Windows SSO.
Known Limitations
Kerberos issues: There have been reported cases where Kerberos doesn't work but NTLM does. If you encounter session timeouts with Kerberos, try switching to NTLM.
Impersonation: Impersonation is currently not supported with Security Mode 3.
Security Mode 2 (running TM1 with NTLM only, without CAM) is not supported by the browser, and therefore not supported by Arc.