Need help with Sametime authentication

by Volker Weber

I am having some difficulties with single sign-on between WebSphere and Sametime. The Sametime Links toolkit advises to take the LTPA token and pass this on to Sametime. However that does not seem to work. The "links" never show anybody as being present.

The SSO configuration itself seems to be working just fine. I can log into a WebSphere application and then open the Sametime Conference Center and I find myself already logged in there.

If you look at WebSphere Portal you will see that this seems to ignore the LTPA token and instead passes an ST token to the Sametime server and that actually does work very well. I could use the same mechanism if I would only know how to generate this token for a user that has already logged into WebSphere.

What do we have? WebSphere Application Server 4.02 with WebSphere Portal 4.2, Domino 5.0.11 as an LDAP source, Sametime 3.0 SP1 on Domino 5.0.10.

Any help is appreciated.

Comments

1. You don't need the ST Toolkit with ST 3.0

2. Did you add the field "Sametime Server" to your Domino LDAP configuration?

3. Did you add the following lines to the sametime.ini on your ST server?
VPS_BYPASS_TRUSTED_IPS=1
VPS_TRUSTED_IPS=trusted IP address, trusted IP address

Enter the IP address of your Domino LDAP server into the 2nd line

4. Create the LTPA tokens in WAS Security Center, export them and import them into the Domino SSO web document.

5. The "DNS Domain" in your SSO document must reflect exactly the domain part of all servers involved and this must be the same on all servers. We had a problem that Sametime did not work with WPS, because one server's name was somename.muc.edcom.de and the second one anothername.edcom.de

Otto Foerg, 2003-06-30
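A small check for point 5 above, added here as an example and not part of Otto's post: given the SSO document's "DNS Domain" and the hostnames of the servers that must share the LTPA cookie, it reports any host that lies outside that domain and any servers whose domain parts differ (the somename.muc.edcom.de versus anothername.edcom.de case). The hostnames in the usage block are constructed from the thread.

```python
# Added example (not from the thread): sanity-check the SSO "DNS Domain"
# against the hostnames of every server that must share the LTPA cookie.
from typing import List


def _normalize(name: str) -> str:
    """Lower-case and strip the leading dot that SSO documents use (".edcom.de")."""
    return name.strip().lower().lstrip(".")


def parent_domain(host: str) -> str:
    """Everything after the first label: somename.muc.edcom.de -> muc.edcom.de."""
    labels = _normalize(host).split(".")
    return ".".join(labels[1:])


def check_sso_domain(dns_domain: str, hosts: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the setup is consistent.

    Two rules are applied, mirroring point 5 of the thread:
      1. every host must lie inside the SSO DNS Domain (the browser only
         sends the LTPA cookie to hosts under that domain);
      2. all hosts must share the same domain part, so the servers
         themselves agree on which domain the token belongs to.
    """
    problems = []
    domain = _normalize(dns_domain)
    for host in hosts:
        if not _normalize(host).endswith("." + domain):
            problems.append(f"{host} is not under the SSO DNS Domain .{domain}")
    parents = {parent_domain(h) for h in hosts}
    if len(parents) > 1:
        problems.append("servers disagree on the domain part: " + ", ".join(sorted(parents)))
    return problems


if __name__ == "__main__":
    # Constructed hostnames taken from the mismatch Otto describes.
    for p in check_sso_domain(".edcom.de", ["somename.muc.edcom.de", "anothername.edcom.de"]):
        print("PROBLEM:", p)
```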

I forgot 6: make sure that the person docs in the Domino directory contain a correct entry in the field "Sametime server". If this field is empty you have no problem with the standalone ST client, because there is another "Sametime server" field in the location document, but WPS just looks into the person doc ...

Otto Foerg, 2003-06-30

Thanks for your advice Otto, but the SSO configuration is correct and works. Unfortunately the Sametime functionality still works on WPS also.

The problem still lies on another server (WebSphere Application Server) also present in the SSO configuration. The Domino box where Sametime is hosted recognizes the user via the provided LTPA token, but Sametime seems to ignore this.

Dirk Bartkowiak, 2003-06-30

oh, a typo in my website address ;-)

Dirk Bartkowiak, 2003-06-30

Have you tried passing in a user name and password instead of LTPA token to see if the connection can be made at all?

The first login (writeSTLinksApplet) requires the user name, in fully distinguished name format. Is Sametime configured to use a Domino directory or LDAP?

Rob Novak, 2003-06-30

We can login via Username/Password submitted by writeSTLinksApplet().

WebSphere standalone and WebSphere Portal authenticate against a Domino LDAP server; Sametime on a different box authenticates against the Domino Directory.

Dirk Bartkowiak, 2003-06-30

Footnote: Notes/Domino 6.02CF has finally been posted on IBM's ldd website.
http://www-10.lotus.com/ldd/r5fixlist.nsf/Progress/$first?opendocument

Moritz Schroeder, 2003-07-01

Otto, we were missing the second INI parameter and fixed that. Still no dice. Next thing will be to add the Sametime server to the person document.

However, I am wondering about the ST token that WPS uses. Why is it not using the LTPA token, and more importantly, WHERE is it getting the ST token from?

Volker Weber, 2003-07-02

My first posting contains an error: you need only one of the two INI parameters. The first one means that every server is trusted and the second one that these particular servers are trusted. Those two parameters belong to different sections in Sametime.ini - please check the documentation in InfoCenter, I don't have it with me right now.

Please let me know whether adding the Sametime server to the person document helps. As far as I know this is a MUST. And don't forget to add the field "Sametime server" to the list of LDAP fields in your server configuration document.

We have Sametime awareness working with every view in any Notes database that contains a names column in the order firstname lastname. But it's not working in the People Finder portlet of the Collaboration Center - I don't know why. Today I found a hint in InfoCenter that the Domino domain names of the Domino LDAP server and the Sametime server must be different. Crazy.

Otto Foerg, 2003-07-02

I've configured Sametime 3.0 Directory Assistance to point to an LDAP server for authentication. It seems to work correctly for Sametime Meeting components (e.g. I can "log on" to "schedule a meeting") but not for Sametime Connect components (i.e. the "login" times out after a minute when I try to start the web-based Sametime Connect client).

Help!!!

Mark

Mark Laff, 2003-07-23

Hi,

Below is a problem scenario which I'm facing. Can anyone help in resolving this?

Problem Scenario: Authentication/Authorization by the LDAP server is not happening.

Description: I configured the WebSphere Application Server which comes with WSAD with Netscape Directory Server version 4.2. I created 2 groups, ADMIN and USER, and a few people under each group. I created two entity beans and a session facade bean. The facade bean will be talking to the entity beans. I gave certain role-based permissions to the methods in the session facade bean. Only admin has permission for all the methods, whereas user is limited to certain methods. To test this functionality WSAD provides a Universal Test Client, where I can give the required parameters like SECURITY_PRINCIPAL and SECURITY_CREDENTIAL. With this Universal Test Client it is working fine as expected. Whereas when I am accessing the same with my web-based Struts client by passing the same parameters as above it is not working as expected. The exception says the user is UNAUTHENTICATED. Here I am giving the trace:

Exception data: com.ibm.websphere.csi.CSIException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)ejb/itrm/AdminFacadeHome getAllRoles:1 securityName: /UNAUTHENTICATED;accessID: null is not granted any of the required roles: ADMIN USER
Thanks,
Dinesh

Dinesh, 2003-12-23

Has anyone successfully configured Sametime 6.51 with Active Directory as LDAP ... I can't get authentication to work in Sametime client, but can login to Meeting room using the Active Directory credentials.

Robert Nestar, 2005-06-14

Found this thread and realize that it is really old BUT...I'm having this exact problem and I'm not finding a resolution quickly. I'm running iNotes 8.0.2, ST 8.0.2, getting my LTPA token from TAM/Portal. If I get my LTPA token from a Domino server STLinks works fine. If I get my LTPA token from Portal STLinks doesn't work. If I navigate to the ST server via HTTP with the token from the Portal it works fine. Likewise I can go to a Quickr server with the token from the Portal and the only thing that doesn't work is the ST awareness.

The big difference between the token when you get it from a Domino server and Portal is that Portal authenticates against the user's AD credentials on the back end and contains the AD distinguished name in it. The person doc also contains the AD DN.

Rob Axelrod, 2010-01-25

Never mind (maybe) I think I found a technote that describes the problem. I will try it and let you know if it works.
http://www-01.ibm.com/support/docview.wss?rs=899&uid=swg21231292

Rob Axelrod, 2010-01-25

To Rob:
One year passed, how about your problem?
Now it's my turn to meet with the same problem. #_#

Van Vesee, 2011-03-10
