SSO Not Working: WebSphere and Domino Server

Technote (FAQ)
Problem
Customer has WebSphere running with a Lotus Domino Server and single sign-on (SSO) enabled, with LTPA used for authentication. The customer logs into WebSphere and is prompted to log in again when accessing Domino. The same thing happens in the other direction: after logging into Domino first, WebSphere prompts for a login when it should not. The following error message appears in the trace file:

fb7dbcc9 RegistryEntry X Error finding registry entry for privilege id user: ssss\CN=xxx, O=yyyy
com.ibm.ejs.security.registry.RegistryErrorException
at com.ibm.ejs.security.registry.WSRegistryImpl.getRelativeName(WSRegistryImpl.java:778)
at com.ibm.ejs.security.registry.WSRegistryImpl.getSecurityName(WSRegistryImpl.java:525)

The "ssss" in the error message above represents the customer's SSO domain name.
The "xxx" and "yyyy" represent the CN and O values for the user in the registry.
Solution
The RegistryEntry error indicates that the Domino server is passing WebSphere a domain or realm name that WebSphere does not recognize; in the message above that unrecognized domain is "ssss". With LTPA SSO, authentication is carried by the LTPA token: the token contains the domain name the user was authenticated in, and that is what lets the user move from server to server without re-authenticating. Domino learns this name from the LTPA key file it imports, so if the SSO domain is changed in WebSphere the key file Domino holds is stale. If a customer changes the SSO domain in WebSphere, they must

1. Regenerate the LTPA keys.

2. Export the LTPA keys to a file.

For version 3.5.x, the two steps above are performed on the Authentication Mechanism tab of the "Set Global Security Wizard".

For version 4.0.x, the two steps above are performed on the Authentication tab of the Security Center.

3. Import the key file into the Domino Server.

Bring up the Domino Administrator client. On the "Configuration" page, select "All Server Documents" under the "Server" node. Highlight the server, select "Web", then select "Create Web SSO Configuration".

Ensure that the Token Domain is the same name that is specified as the SSO Domain in WebSphere.

Select "Keys", then "Import WebSphere LTPA Keys". Enter the location of the exported key file and the password used when the keys were exported.

Click OK.

The LTPA key file contains the SSO domain name from WebSphere. This is the domain/realm that Domino will use in the tokens it issues, so after the import the name Domino places in the token matches what WebSphere expects and the RegistryEntry error no longer occurs.
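The following script is an added example, not IBM code and not part of this technote. It shows the check a practitioner would run before opening a ticket: take the privilege id from the trace (the technote shows the shape "ssss\CN=xxx, O=yyyy"), split it into the realm the token carries and the user's DN, and compare that realm with the one WebSphere is configured for and with the realm named in the exported LTPA key file. Two things are assumed rather than taken from this page: that the exported key file is a Java .properties file carrying a com.ibm.websphere.ltpa.Realm entry (true of later WebSphere releases; the 3.5/4.0 layout is not documented here), and that the logged privilege id is always REALM\DN. The key file in the script is constructed, with key material replaced by a placeholder.

```python
"""Diagnose the LTPA realm mismatch behind the WSRegistryImpl
"Error finding registry entry for privilege id" trace.

Added example, not IBM code. Assumptions (not stated on the technote page):
- the exported LTPA key file is a Java .properties file with a
  com.ibm.websphere.ltpa.Realm entry;
- the privilege id logged by WSRegistryImpl has the shape REALM\\DN.
"""

# Constructed sample of an exported LTPA key file. Not a real export: the
# 3DES key is a placeholder, and ':' characters are escaped as Java's
# Properties.store() writes them.
SAMPLE_KEY_FILE = """\
#IBM WebSphere Application Server key file
#Mon Sep 06 12\\:00\\:00 EDT 2004
com.ibm.websphere.CreationDate=Mon Sep 06 12\\:00\\:00 EDT 2004
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER_BASE64_KEY_MATERIAL
com.ibm.websphere.ltpa.Realm=ldap.example.com\\:389
com.ibm.websphere.CreationHost=was01
"""

_JAVA_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(s):
    """Undo Java .properties backslash escapes (\\:, \\=, \\\\, \\t ...)."""
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            i += 1
            c = _JAVA_ESCAPES.get(s[i], s[i])
        out.append(c)
        i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal Java .properties reader: comments, key/value separated by
    an unescaped '=', ':' or whitespace. Continuation lines (trailing
    backslash) are not handled; an exported LTPA file does not use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):
            if line[i] == "\\":      # skip an escaped character in the key
                i += 2
                continue
            if line[i] in "=: \t":
                break
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props[key] = _unescape(rest)
    return props


def parse_privilege_id(pid):
    """Split the logged privilege id into (realm, dn).

    The realm is an LDAP host:port or SSO domain and never contains a
    backslash, so the first backslash separates it from the DN. Returns
    (None, pid) when no realm prefix is present."""
    realm, sep, dn = pid.partition("\\")
    if not sep:
        return None, pid
    return realm, dn


def diagnose(privilege_id, key_file_text, websphere_realm):
    """Return a list of findings; an empty list means the realms agree."""
    token_realm, dn = parse_privilege_id(privilege_id)
    key_realm = parse_properties(key_file_text).get("com.ibm.websphere.ltpa.Realm")
    findings = []
    if token_realm != websphere_realm:
        findings.append(
            "token realm %r for user %r does not match WebSphere realm %r: "
            "Domino is issuing tokens for a stale domain; regenerate and "
            "re-import the LTPA keys" % (token_realm, dn, websphere_realm))
    if key_realm != websphere_realm:
        findings.append(
            "exported key file names realm %r, WebSphere is configured for %r: "
            "export the keys again after changing the SSO domain"
            % (key_realm, websphere_realm))
    return findings


if __name__ == "__main__":
    # The privilege id exactly as the technote's trace shows it.
    for f in diagnose("ssss\\CN=xxx, O=yyyy", SAMPLE_KEY_FILE, "ldap.example.com:389"):
        print("FINDING:", f)
```

Run it with the privilege id copied from your own trace and the realm WebSphere reports; an empty result means the stale-key explanation does not apply and the problem lies elsewhere (for example the Token Domain in the Domino Web SSO Configuration document).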

For information pertaining to WebSphere and Domino LDAP Server configuration, see Hint and Tip #1005863.
Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.5, 4.0
Software edition: Advanced, Enterprise
Reference #: 1054556
IBM Group: Software Group
Modified date: 2004-09-06