Problem

SSO throws the login challenge multiple times when accessing protected resources on WebSphere. Users must be defined using the hierarchical naming convention when configuring the user registry on both the WebSphere and Domino ends while configuring SSO/Security.

Solution

SSO fails when accessing protected resources

If the Web user is prompted each time they access a resource, SSO is not configured correctly. The following are some of the possible problems and solutions.

1. WebSphere Application Server and Domino must both be configured to use the same LDAP directory. The HTTP cookie used for SSO stores the full Distinguished Name (DN) of the user, for example, cn=John Doe, ou=Rochester, o=IBM, c=US, and the DNS domain.

2. If the Domino Directory is being used, Web users must be defined using hierarchical names. For example, update the User name field in the Person document to include John Doe/Rochester/IBM as the first value.

3. URLs issued to Domino and WebSphere application servers configured for SSO must specify the full DNS server name, not just the host name or a TCP/IP address. For browsers to be able to send cookies to a group of servers, the DNS domain must be included in the cookie, and the DNS domain in the cookie must match the URL. This is why cookies cannot be used across TCP/IP domains.

4. Domino and WebSphere Application Server must be configured to use the same DNS domain. Verify that the DNS domain value is exactly the same (including casing). The DNS domain value can be found in the Configure Global Security Settings of each WebSphere administrative domain and in the Domino Web SSO Configuration document. If you make a change to the Domino Web SSO Configuration document, replicate the document to all Domino servers participating in SSO.

5. Clustered servers must have the TCP/IP host name populated with the full DNS server name in the Server document for Domino ICM (Internet Cluster Manager) to redirect to cluster members using SSO. If this field is not populated, ICM will by default redirect URLs to clustered web servers with only the TCP/IP host name, and the browser will not be able to send the cookie because the DNS domain is not included in the URL. To correct the problem:
- Edit the Server document
- Select the Internet Protocols tab, then select the HTTP tab
- Enter the server's full DNS name in the Host name(s) field.

6. If an LDAP server port value was specified for the WebSphere administrative domain, the Domino Web SSO Configuration document must be edited and a \ must be added to the LDAP Realm field for WebSphere servers. For example, replace mymachine.mydomain.ibm.com:389 with mymachine.mydomain.ibm.com\:389.
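The six items above are each a consistency condition that can be checked before a user ever sees a repeated login prompt. The following Python script is an added example, not code from the IBM technote; it encodes the checks for items 1 to 6 over a small configuration dictionary. All sample values (the LDAP host, the 10.0.0.5 address, the sample users and URLs) are constructed for illustration; the domain mydomain.ibm.com, the port 389 and the backslash escaping come from the page.

```python
"""Consistency checks for the WebSphere/Domino SSO settings discussed above.
Added example; every sample value is constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit


def dns_domains_match(websphere_domain: str, domino_domain: str) -> bool:
    # Item 4: the DNS domain value must be identical in both places, casing included.
    return websphere_domain == domino_domain


def url_is_cookie_eligible(url: str, dns_domain: str) -> bool:
    # Item 3: the URL must use the full DNS name inside the SSO domain. A bare
    # host name or an IP literal gives the browser no domain to match, so the
    # SSO cookie is never sent with the request.
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: there is no DNS domain to match
    except ValueError:
        pass  # not an IP literal, carry on with the domain check
    suffix = dns_domain.lstrip(".").lower()  # cookie domains are often written ".example.com"
    host = host.lower()  # DNS names themselves are case-insensitive
    return host == suffix or host.endswith("." + suffix)


def is_hierarchical_name(user_name: str) -> bool:
    # Item 2: a Domino Web user needs a hierarchical name such as
    # John Doe/Rochester/IBM, i.e. at least two non-empty "/" components.
    parts = user_name.split("/")
    return len(parts) >= 2 and all(p.strip() for p in parts)


def escape_ldap_realm(realm: str) -> str:
    # Item 6: with an explicit LDAP port on the WebSphere side, the Domino
    # LDAP Realm field needs the colon escaped: host:389 -> host\:389.
    # Normalising first keeps already-escaped input unchanged.
    return realm.replace("\\:", ":").replace(":", "\\:")


def diagnose(cfg: dict) -> list:
    """Return human-readable findings; an empty list means cfg satisfies items 1 to 6."""
    findings = []
    if cfg["websphere_ldap"] != cfg["domino_ldap"]:
        findings.append("item 1: WebSphere and Domino point at different LDAP directories")
    for name in cfg["sample_users"]:
        if not is_hierarchical_name(name):
            findings.append(f"item 2: user {name!r} is not a hierarchical name")
    for url in cfg["sample_urls"]:
        if not url_is_cookie_eligible(url, cfg["websphere_dns_domain"]):
            findings.append(f"item 3: {url} lacks the full DNS name; the cookie will not be sent")
    if not dns_domains_match(cfg["websphere_dns_domain"], cfg["domino_dns_domain"]):
        findings.append("item 4: DNS domain values differ (check casing)")
    # Item 5: the Server document host name is what ICM puts into redirect URLs.
    if not url_is_cookie_eligible("http://" + cfg["server_doc_host_name"] + "/",
                                  cfg["websphere_dns_domain"]):
        findings.append("item 5: Server document host name is not the full DNS name; "
                        "ICM redirects will drop the cookie")
    realm = cfg["domino_ldap_realm"]
    if cfg["websphere_ldap_port_specified"] and realm != escape_ldap_realm(realm):
        findings.append("item 6: LDAP Realm field needs '\\:' before the port")
    return findings


# Constructed sample: a deployment showing the symptoms described in the technote.
BROKEN = {
    "websphere_ldap": "ldap.example.test",
    "domino_ldap": "ldap.example.test",
    "sample_users": ["John Doe"],
    "sample_urls": ["http://mymachine/webapp", "http://10.0.0.5/webapp"],
    "websphere_dns_domain": ".mydomain.ibm.com",
    "domino_dns_domain": ".MyDomain.ibm.com",
    "server_doc_host_name": "mymachine",
    "websphere_ldap_port_specified": True,
    "domino_ldap_realm": "mymachine.mydomain.ibm.com:389",
}

# Constructed sample: the same deployment after applying items 2 to 6.
FIXED = dict(
    BROKEN,
    sample_users=["John Doe/Rochester/IBM"],
    sample_urls=["http://mymachine.mydomain.ibm.com/webapp"],
    domino_dns_domain=".mydomain.ibm.com",
    server_doc_host_name="mymachine.mydomain.ibm.com",
    domino_ldap_realm="mymachine.mydomain.ibm.com\\:389",
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, diagnose(cfg) or ["no findings"])
```

Running the script lists one finding per violated item for the broken configuration and none for the corrected one. The URL check is deliberately the same function used for item 5, because the redirect ICM issues is subject to exactly the cookie-domain rule stated in item 3.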