Need help with Sametime authentication

by Volker Weber

I am having some difficulties with single sign-on between WebSphere and Sametime. The Sametime Links toolkit advises taking the LTPA token and passing it on to Sametime. However, that does not seem to work. The "links" never show anybody as being present.

The SSO configuration itself seems to be working just fine. I can log into a WebSphere application and then open the Sametime Conference Center and I find myself already logged in there.

If you look at WebSphere Portal you will see that it seems to ignore the LTPA token and instead passes an ST token to the Sametime server, and that actually does work very well. I could use the same mechanism if only I knew how to generate this token for a user who has already logged into WebSphere.

What do we have? WebSphere Application Server 4.02 with WebSphere Portal 4.2, Domino 5.0.11 as an LDAP source, Sametime 3.0 SP1 on Domino 5.0.10.

Any help is appreciated.

Comments

1. You don't need the ST Toolkit with ST 3.0

2. Did you add the field "Sametime Server" to your Domino LDAP configuration?

3. Did you add the following lines to the sametime.ini on your ST server?
VPS_BYPASS_TRUSTED_IPS=1
VPS_TRUSTED_IPS=trusted IP address, trusted IP address

Enter the IP address of your Domino LDAP server into the 2nd line

4. Create the LTPA tokens in WAS Security Center, export them and import them into the Domino SSO web document.

5. The "DNS Domain" in your SSO document must reflect exactly the domain part of all servers involved and this must be the same on all servers. We had a problem that Sametime did not work with WPS, because one server's name was somename.muc.edcom.de and the second one anothername.edcom.de

I forgot 6: make sure that the person docs in the Domino directory contain a correct entry in the field "Sametime server". If this field is empty you have no problem with the standalone ST client, because there is another "Sametime server" field in the location document, but WPS just looks into the person doc ...

Thanks for your advice Otto, but the SSO configuration is correct and works. Unfortunately the Sametime functionality still works on WPS also.

The problem still lies on another Server (WebSphere Application Server) also present in the SSO configuration. The Domino Box where Sametime is hosted, recognizes the user via the provided LTPA Token, but Sametime seems to ignore this.

oh, a typo in my website address ;-)

Have you tried passing in a user name and password instead of LTPA token to see if the connection can be made at all?

The first login (writeSTLinksApplet) requires the user name, in fully distinguished name format. Is Sametime configured to use a Domino directory or LDAP?

We can login via Username/Password submitted by writeSTLinksApplet().

WebSphere standalone and WebSphere Portal authenticates against a Domino LDAP Server, Sametime on a different Box authenticates against Domino Directory.

Footnote: Notes/Domino 6.02CF has finally been posted on IBM's ldd website.
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument

Moritz Schroeder, 2003-07-01 15:14

Otto, we were missing the second INI parameter and fixed that. Still no dice. Next thing will be to add the Sametime server to the person document.

However, I am wondering about the ST token that WPS uses. Why is it not using the LTPA token, and more importantly, WHERE is it getting the ST token from?

My first posting contains an error: you need only one of the two INI parameters. The first one means that every server is trusted and the second one that these particular servers are trusted. Those two parameters belong to different sections in Sametime.ini - please check the documentation in InfoCenter, I don't have it with me right now.

Please let me know whether adding the Sametime server to the person document helps. As far as I know this is a MUST. And don't forget to add the field "Sametime server" to the list of LDAP fields in your server configuration document.

We have Sametime awareness working with every view in any Notes database that contains a names column in the order firstname lastname. But it's not working in the People Finder portlet of the Collaboration Center - I don't know why. Today I found a hint in InfoCenter that the Domino domain names of the Domino LDAP server and the Sametime server must be different. Crazy.
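An added configuration check, not from the thread or from IBM: it parses a constructed sametime.ini fragment and reports which of the two trust parameters Otto mentions is in effect, flagging the blanket bypass in favour of the explicit server list. The section names [Config] and [Debug] and the addresses are assumptions, not something the thread states.

```python
import configparser
from typing import Dict, List

# Constructed sample, not a real server's file. Section placement is an
# assumption; the thread only says the two keys live in different sections.
WEAK_INI = """
[Config]
VPS_TRUSTED_IPS=192.0.2.10, 192.0.2.11

[Debug]
VPS_BYPASS_TRUSTED_IPS=1
"""

# Same fragment with the bypass removed: only the listed LDAP/WAS host is trusted.
HARDENED_INI = """
[Config]
VPS_TRUSTED_IPS=192.0.2.10

[Debug]
"""


def parse_sametime_ini(text: str) -> configparser.ConfigParser:
    # Keep key names as written (upper case) instead of lower-casing them.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # type: ignore[method-assign]
    cp.read_string(text)
    return cp


def trusted_ips(cp: configparser.ConfigParser) -> List[str]:
    raw = cp.get("Config", "VPS_TRUSTED_IPS", fallback="")
    return [ip.strip() for ip in raw.split(",") if ip.strip()]


def audit_trust(cp: configparser.ConfigParser) -> Dict[str, object]:
    # Per Otto's correction: the bypass trusts every server; the list trusts
    # only the named ones. Only one of the two should be set.
    bypass = cp.get("Debug", "VPS_BYPASS_TRUSTED_IPS", fallback="0").strip() == "1"
    ips = trusted_ips(cp)
    findings: List[str] = []
    if bypass:
        findings.append("VPS_BYPASS_TRUSTED_IPS=1: every server is trusted; prefer VPS_TRUSTED_IPS")
    if bypass and ips:
        findings.append("both parameters set; the bypass makes the trusted IP list irrelevant")
    if not bypass and not ips:
        findings.append("no trusted server configured; the LDAP server's IP must be listed")
    return {"bypass": bypass, "trusted_ips": ips, "findings": findings}
```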

I've configured Sametime 3.0 Directory Assistance to point to an LDAP server for authentication. It seems to work correctly for Sametime Meeting components (e.g. I can "log on" to "schedule a meeting") but not for Sametime Connect components (i.e. the "login" times out after a minute when I try to start the web-based Sametime Connect client).

Help!!!

Mark

Mark Laff, 2003-07-23 19:16

Hi,

Below is a problem scenario which I'm facing. Can anyone help in resolving this?

Problem Scenario: Authentication/Authorization by LDAP server is not happening.

Description: I configured WebSphere Application Server, which comes with WSAD, with Netscape Directory Server version 4.2. I created 2 groups, ADMIN and USER, and a few people under each group. I created two entity beans and a session facade bean. The facade bean will be talking to the entity beans. I gave certain role-based permissions to the methods in the session facade bean. Only admin has permission for all the methods, whereas user is limited to certain methods. To test this functionality WSAD provides a Universal Test Client, where I can give the required parameters like SECURITY_PRINCIPAL and SECURITY_CREDENTIAL. With this Universal Test Client it is working fine as expected. Whereas when I am accessing the same with my web-based Struts client by passing the same parameters as above it is not working as expected. The exception says the user is UNAUTHENTICATED. Here I am giving the trace:

Exception data: com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)ejb/itrm/AdminFacadeHome getAllRoles:1 securityName: /UNAUTHENTICATED;accessID: null is not granted any of the required roles: ADMIN USER


Thanks,
Dinesh

Has anyone successfully configured Sametime 6.51 with Active Directory as LDAP ... I can't get authentication to work in Sametime client, but can login to Meeting room using the Active Directory credentials.

Robert Nestar, 2005-06-14 16:29

© 1992-2008 Volker Weber.
All Rights Reserved.