Problem

SSO throws the login challenge multiple times when accessing protected resources on WebSphere. Users must be defined using the hierarchical naming convention when configuring the user registry on both the WebSphere and Domino ends while configuring SSO/security.

Solution

SSO fails when accessing protected resources
If the Web user is prompted each time they access a resource, SSO is not configured correctly. The following are some of the possible problems and solutions.
1. WebSphere Application Server and Domino must both be configured to use the same LDAP directory. The HTTP cookie used for SSO stores the full Distinguished Name (DN) of the user, for example, cn=John Doe, ou=Rochester, o=IBM, c=US, and the DNS domain.
2. If the Domino Directory is being used, Web users must be defined using hierarchical names. For example, update the User name field in the Person document to include John Doe/Rochester/IBM as the first value.
3. URLs issued to Domino and WebSphere application servers configured for SSO must specify the full DNS server name, not just the host name or a TCP/IP address. For browsers to be able to send cookies to a group of servers, the DNS domain must be included in the cookie. The DNS domain in the cookie must match the URL. This is why cookies cannot be used across TCP/IP domains.
4. Domino and WebSphere Application Server must be configured to use the same DNS domain. Verify that the DNS domain value is exactly the same (including casing). The DNS domain value can be found in the Configure Global Security Settings of each WebSphere administrative domain and in the Domino Web SSO Configuration document. If you make a change to the Domino Web SSO Configuration document, replicate the document to all Domino servers participating in SSO.
5. Clustered servers must have the TCP/IP host name populated with the full DNS server name in the Server document for the Domino ICM (Internet Cluster Manager) to redirect to cluster members using SSO. If this field is not populated, ICM will by default redirect URLs to clustered Web servers with only the TCP/IP host name, and the browser will not be able to send the cookie because the DNS domain is not included in the URL. To correct the problem:
   - Edit the Server document
   - Select the Internet Protocols tab, then select the HTTP tab
   - Enter the server's full DNS name in the Host names field
6. If an LDAP server port value was specified for the WebSphere administrative domain, the Domino Web SSO Configuration document must be edited and a backslash (\) must be added before the port separator in the LDAP Realm field for WebSphere servers. For example, replace mymachine.mydomain.ibm.com:389 with mymachine.mydomain.ibm.com\:389.
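The following pre-flight checker for items 1 to 4 and 6 above is an added illustration, not IBM's code. It assumes that the SSO cookie's Domain attribute carries the configured DNS domain, that browsers apply the usual domain-matching rules, and that a trailing two-letter component of a Domino hierarchical name is the country code.

```python
"""Checks for the WebSphere/Domino SSO conditions listed above (added example)."""
import ipaddress
from urllib.parse import urlparse


def domino_to_ldap_dn(abbreviated: str) -> str:
    """Map a Domino abbreviated hierarchical name (John Doe/Rochester/IBM) to the
    LDAP DN form the SSO cookie carries (cn=John Doe, ou=Rochester, o=IBM).
    Assumption: first part is cn, a trailing two-letter part is the country c,
    the part before it is o, and everything in between is ou."""
    parts = [p.strip() for p in abbreviated.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical name: {abbreviated!r}")
    country = None
    if len(parts) > 2 and len(parts[-1]) == 2 and parts[-1].isalpha():
        country = parts.pop()
    rdns = [f"cn={parts[0]}"] + [f"ou={p}" for p in parts[1:-1]] + [f"o={parts[-1]}"]
    if country:
        rdns.append(f"c={country.upper()}")
    return ", ".join(rdns)


def cookie_reaches_host(url: str, sso_dns_domain: str) -> bool:
    """Would a browser send a cookie scoped to sso_dns_domain to this URL?
    Returns False for bare host names, IP literals and mismatched domains
    (items 3 and 4); the comparison is case-insensitive."""
    host = (urlparse(url).hostname or "").lower()
    domain = sso_dns_domain.lower().lstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # a domain-scoped cookie is never sent to an IP literal
    except ValueError:
        pass
    if "." not in host:
        return False  # bare host name: no DNS domain to match against
    return host == domain or host.endswith("." + domain)


def escape_ldap_realm(realm: str) -> str:
    """Escape the port separator in the LDAP Realm field (item 6),
    leaving an already escaped value unchanged."""
    host, sep, port = realm.rpartition(":")
    if sep and port.isdigit() and not host.endswith("\\"):
        return f"{host}\\:{port}"
    return realm
```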
Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.5, 4.0
Software edition: Standard, Advanced
Reference #: 1005863
IBM Group: Software Group
Modified date: 2004-08-03
(C) Copyright IBM Corporation 2000, 2004. All Rights Reserved.