December 14, 2012

Connections, Sametime, Domino, AD, and SSO

Filed under: Collaboration,Lotus,Social Networking — Mike Burford @ 1:09 pm

The Connections project I’m currently working on is somewhat complex: Connections 4, Domino for mail, iNotes, Traveler, and Sametime Community server (not all on the same server), Sametime Standard, FileNet, and MS Active Directory 2008 for LDAP and authentication across the environment.

Since I’m still a relative ‘newbie’ as far as WebSphere Application Server (WAS) is concerned, having only really used it for the setup and maintenance of the IBM/Lotus products sitting on top of it, I approached the SSO implementation with a degree of uncertainty and slight concern. We have yet to extend SSO to FileNet (that’s happening in the next week or two), so this was specifically for Connections, iNotes, Sametime awareness, Sametime Chat, and Sametime Meetings.

Sametime Standard is installed on a single WAS, Connections is on a separate server, and there are currently two Domino servers. So I generated the LTPA token in the Connections WAS, ensured that the LTPA domain was the same across all environments, and imported the token into the Sametime Standard WAS and the Domino servers. And it worked, almost. Connections, iNotes, chat, awareness, and the Sametime Proxy server web chat client all worked when logging in with AD credentials. Sametime Meeting Server didn’t, and as soon as anyone logged into Meeting Server they were disconnected from everything else. The confusing aspect for me was that the Sametime Proxy and Sametime Meeting servers are both installed on the same WAS – with different IP addresses and DNS aliases so that they will play nicely together – so since the LTPA token is imported at the WAS level, I would have expected the Proxy and Meeting servers to either both work with SSO, or both not.

What I’d missed was the Federated Repository Realm Name on the Sametime Standard WAS server. I’d changed it on the Connections server, but Sametime was still using the default realm name. This was what was breaking SSO for the Meeting Server, and a quick rename and reboot sorted the problem.



  1. I am running into the same problem but my realm names are the same. They are actually the default realm name for both Sametime and Connections, I exported and imported the LTPA token from Websphere to Websphere and I experience the same thing where the other session gets logged out. Do I have to change the Realm name to something other than the default name?
    Realm = defaultWIMFileBasedRealm
    What else did you do to get this working?

    Comment by Brian Wert — February 28, 2013 @ 12:30 pm

  2. Brian, sorry for the delayed response. I’ve got the Realm name on both servers pointing to the AD LDAP server (servername.domain.local:389). The other key thing is to have the SSO Domain Name identical. Since I posted the above we tried to incorporate FileNet into the SSO configuration and ended up breaking everything. What it turned out to be was that the SSO Domain Name on the FileNet server was in upper case, so I reset the field on the other two WebSphere servers to match. However, users don’t connect to the server with the server name in upper case, so SSO was only working partially – which made it really hard to troubleshoot. Setting it back to lower case (.domain.local – preceding dot for Domino compatibility) sorted things out.

    Comment by Mike Burford — March 5, 2013 @ 9:24 am
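The post and the follow-up comment above between them list every setting that has to agree before an LTPA token issued by one server is accepted by the others: the same LTPA key imported everywhere, an SSO domain name that is identical character for character (the upper-case/lower-case mismatch and the leading dot for Domino), every server's user-facing hostname actually inside that domain so the browser sends the cookie, and a federated repository realm name that is no longer the WAS default. The script below is an added example, not code from this post or from IBM: it runs the checks over a hand-maintained inventory (the server list, the `ltpa_key_id` label and the host names are constructed for the example; the realm value `servername.domain.local:389` and the default `defaultWIMFileBasedRealm` are taken from the comments) and prints one finding per mismatch, so the kind of partial-SSO problem the comment describes shows up in a report instead of through trial and error.

```python
"""Consistency check for LTPA single sign-on settings shared across
WebSphere (Connections, Sametime, FileNet) and Domino servers.

Added example; the inventory below is constructed, not taken from any
real environment. Values are copied by hand from each admin console."""
from dataclasses import dataclass

# WAS ships with this federated repository realm name; the post traces the
# broken Meeting Server SSO to one server still using it.
DEFAULT_WAS_REALM = "defaultWIMFileBasedRealm"


@dataclass(frozen=True)
class Server:
    name: str         # DNS alias users type into the browser (constructed)
    product: str      # "WAS" or "Domino"
    ltpa_key_id: str  # label for the LTPA key file imported here (assumed field)
    sso_domain: str   # SSO / LTPA domain name exactly as configured
    realm: str = ""   # federated repository realm name (WAS only)


def normalize_domain(domain: str) -> str:
    """Canonical form, used only to tell a cosmetic mismatch from a real one."""
    return domain.strip().lower().lstrip(".")


def host_in_domain(host: str, sso_domain: str) -> bool:
    """Cookie domain match: the LtpaToken cookie is only sent to hosts that
    equal the configured domain or end with '.' + domain."""
    h = host.strip().lower()
    d = normalize_domain(sso_domain)
    return h == d or h.endswith("." + d)


def check_sso(servers: list[Server]) -> list[str]:
    findings: list[str] = []

    # 1. Every participant must have imported the same LTPA key.
    keys = sorted({s.ltpa_key_id for s in servers})
    if len(keys) > 1:
        findings.append(f"ltpa-key: more than one LTPA key in use: {keys}")

    # 2. The SSO domain name must be identical on every server, byte for byte.
    raw_domains = sorted({s.sso_domain for s in servers})
    if len(raw_domains) > 1:
        if len({normalize_domain(d) for d in raw_domains}) == 1:
            findings.append(
                f"sso-domain: same domain spelled differently (case/leading dot): {raw_domains}")
        else:
            findings.append(f"sso-domain: servers are in different SSO domains: {raw_domains}")
    for s in servers:
        if s.product == "Domino" and not s.sso_domain.startswith("."):
            findings.append(
                f"sso-domain: {s.name}: Domino expects a leading dot, got {s.sso_domain!r}")
        if not host_in_domain(s.name, s.sso_domain):
            findings.append(
                f"sso-domain: {s.name}: host lies outside {s.sso_domain!r}; cookie will not be sent")

    # 3. All WAS servers must use one non-default realm name.
    was = [s for s in servers if s.product == "WAS"]
    realms = sorted({s.realm for s in was})
    if len(realms) > 1:
        findings.append(f"realm: WAS servers disagree on the realm name: {realms}")
    for s in was:
        if s.realm == DEFAULT_WAS_REALM:
            findings.append(f"realm: {s.name} still uses {DEFAULT_WAS_REALM}")
    return findings


# Constructed inventory reproducing the two problems described on the page:
# Sametime left on the default realm, FileNet with an upper-case SSO domain.
BROKEN = [
    Server("connections.domain.local", "WAS", "ltpa-2012-12", ".domain.local",
           "servername.domain.local:389"),
    Server("sametime.domain.local", "WAS", "ltpa-2012-12", ".domain.local",
           DEFAULT_WAS_REALM),
    Server("mail1.domain.local", "Domino", "ltpa-2012-12", ".domain.local"),
    Server("filenet.domain.local", "WAS", "ltpa-2012-12", ".DOMAIN.LOCAL",
           "servername.domain.local:389"),
]

# Same inventory after the fixes from the post and the comment.
FIXED = [
    Server("connections.domain.local", "WAS", "ltpa-2012-12", ".domain.local",
           "servername.domain.local:389"),
    Server("sametime.domain.local", "WAS", "ltpa-2012-12", ".domain.local",
           "servername.domain.local:389"),
    Server("mail1.domain.local", "Domino", "ltpa-2012-12", ".domain.local"),
    Server("filenet.domain.local", "WAS", "ltpa-2012-12", ".domain.local",
           "servername.domain.local:389"),
]

if __name__ == "__main__":
    for label, inventory in (("broken", BROKEN), ("fixed", FIXED)):
        print(f"[{label}]")
        for line in check_sso(inventory) or ["no findings"]:
            print("  " + line)
```

The check compares the raw domain strings first and only uses the normalised form to describe the mismatch, so a case or leading-dot difference is still reported as an error rather than silently accepted; that matches the partial-SSO behaviour described in the comment, where the configuration looked equivalent but the servers disagreed.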

  3. Thanks for the reply, my LDAP servers are different. Novell and Domino so I am guessing this is why I can’t get SSO working. I can get SSO from Sametime to Domino and from Connections to Domino just not Sametime to Connections.

    Comment by Brian Wert — March 6, 2013 @ 9:49 am

  4. I haven’t tried it with those servers for LDAP sorry, I hope you’re able to find something that helps.

    Comment by Mike Burford — March 7, 2013 @ 8:10 pm
