Would that effectively work as a single-sign-on mechanism? We are accustomed to ask our customers to create an AD group , add users to this and allow this group access to our BI products. This works flawlessly with IBM Cognos as we can link the cognos namespace to the required AD domain at a customer site..