Today I had to deal with some strange single-sign-on problems between Websphere Application Server 6.1 (underneath of Lotus Connections) and Quickr (Domino) and Sametime together with a Domino LDAP directory.

Although SSO between the Domino servers worked without a problem, I was logged out as soon as I switched between the Websphere and Domino world.


We had already experienced some problems while configuring the federated repositories in WAS 6.1, as we were unable to enter “O=Acme” in the field “Distinguished name of a base entry in this repository” on the repository reference page, although this was our base certifier.

The certifier had been copied into the Domino directory of the LDAP server; we could see the organization and all underlying users in an LDAP browser, and we were able to log in to Lotus Connections with these users. Only SSO to Domino was not working.

Enabling SSO debugging on the Domino server (adding “debug_sso_trace_level=2” and “websess_verbose_trace=1” to NOTES.INI) showed that the token generated by the WAS server contained the organization twice in the user name (e.g. “CN=First Name/O=Acme/O=Acme”). In the LDAP browser you could also see that the entry “O=Acme” was listed below all other LDAP entries and not near the other organizational entries in the directory, which was also very strange.

Looking at the certifier attributes in the LDAP browser then revealed that NO attributes existed (including the “O” attribute). This explained why you could not add “O=Acme” in the repository configuration.
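The two symptoms above can be checked mechanically rather than by eye. The following is an added example (not from the original post): it scans a constructed LDIF export for entries whose DN names an attribute the entry itself lacks (the “O=Acme” case), and flags a Notes canonical name from the SSO trace that repeats its organization component. The LDIF content and object classes are constructed sample data.

```python
"""Diagnostics for the symptoms described above (added example, not from the post):
1. an LDAP entry whose DN names an attribute (here "o") that the entry itself lacks;
2. a Notes canonical name in an SSO token that repeats its organization (O=) component.
The LDIF below is constructed sample data, not a real directory export."""
import re

SAMPLE_LDIF = """\
dn: O=Acme
objectclass: dominoOrganization

dn: O=Test
objectclass: dominoOrganization
o: Test

dn: CN=First Name,O=Acme
objectclass: dominoPerson
cn: First Name
o: Acme
"""

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) for each entry in a simple LDIF dump."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        entries.append((dn, attrs))
    return entries

def entries_missing_rdn_attribute(text):
    """DNs whose leading RDN attribute (e.g. 'o' in 'O=Acme') is absent from the entry."""
    bad = []
    for dn, attrs in parse_ldif(text):
        rdn_attr = dn.split(",", 1)[0].split("=", 1)[0].strip().lower()
        if rdn_attr not in attrs:
            bad.append(dn)
    return bad

def duplicated_org_components(notes_name):
    """Organization values that occur more than once in a Notes canonical name."""
    parts = [p for p in notes_name.split("/") if p]
    orgs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("O=")]
    return sorted({o for o in orgs if orgs.count(o) > 1})

if __name__ == "__main__":
    print(entries_missing_rdn_attribute(SAMPLE_LDIF))                # ['O=Acme']
    print(duplicated_org_components("CN=First Name/O=Acme/O=Acme"))  # ['Acme']
```

A real export from the Domino LDAP server (e.g. via an ldapsearch dump) can be passed to `entries_missing_rdn_attribute` in place of the sample.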

Looking then at the (rather old, from 1995) certifier document in the Domino directory I realized that in the field “Issued to:” there was an entry like “/O=Acme”. Other (newer) certifiers showed something like “O=Test” in this field. I then re-saved the certifier document with a Notes 8 client without changing anything else.

And voila … the field “Issued to:” then showed the correct value “O=Acme”; in WAS you were able to set the parameter correctly and single-sign-on worked as it should.

So be aware if you are using Domino LDAP servers with old certifier documents (which you will probably find at most of our long-term Domino customers).

© 2000-2015 Michael Urspringer