Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

 
alt

Daniel Nashed

 

    Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    Daniel Nashed  23 October 2009 17:09:21

    If you use ST in the client there is a very convenient setting for SSO. You just specify the ST server and enable SSO

    (the Notes client uses the Notes Certificate and a NRPC session to the ST Sever to get a LTPA token to authenticate via ST afterwards).

    There are separate policy settings for the basic client and the standard client.

    The settings (see screen print) for the basic client work fine in 8.5.1 but the settings for the standard client do not work yet.

    This was a known issue which should have been fixed in 8.5.1.


    I have opened a PMR for this issue and got a new SPR
    "SPR SWSN7VCBB8 - Desktop policy: Instant Messaging using SSO setting didn't work"

    Because other PMRs are referring to earlier SPRs that should have been fixed according to support I am the first customer reporting this issue.
    That means the SPR has a low weight and might not get on the list for 8.5.2 or a fixpack.

    In my customer case this is almost a deployment blocker for their CTI and ST environment. (because they have to configure every client manually).

    So if this policy setting is important for you or your customers, you might want to open a PMR referencing the SPR and my PMR 65444,SGC,724.

    If you open a PMR feel free to send me a mail offline. I am currently trying to build a work-around with support using Lotus Script to set the right plugin properties.
    Once I got it working I am happy to share it offline.

    -- Daniel


    Comments

    1Patrick Picard  23.10.2009 18:31:20  Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    Hi Daniel

    I think you might need to add the server name in the Desktop Policy

    Basics --> "Server options" --> IBM lotus Instant messaging server

    Also, if you are packaging Notes to be deployed to the desktops, you can add the settings in plugin_customization.ini

    See my blog entry from yesterday

    { Link }

    Settings of interest:

    com.ibm.collaboration.realtime.community/defaultAuthType=ST-DOMINO-SSO #sets the type of token auth

    com.ibm.collaboration.realtime.community/loginByToken=True #checks the box "Use Token based single sign on"

    com.ibm.collaboration.realtime.community/tokenLoginOnly=True #forces token based auth

    com.ibm.collaboration.realtime.community/host=abc.yahoo.com #use your server FQDN

    However, you must make sure that the user doesnt have an xml file in

    data\workspace\.metadata\.plugins\com.ibm.collaboration.realtime.login\CANONICAL_NAME.xml

    otherwise the plugin_customization.ini won't apply

    2Pierre  24.10.2009 23:51:09  Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    The only problem left I have is to log people in automatically. Sametime settings were deployed by plugin_customization.ini like Patrick said and the SSO piece was so annoying that we took a server approach to it. We changed the LDAP search string on the Sametime server so that it recognizes both CN and non-CN users. That way I do not care if the box is ticked or not.

    3Daniel Nashed  25.10.2009 9:46:03  Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    here is what I got from support. there is also a setting for auto login. works fine for me in 8.5.1

    -- Daniel

    com.ibm.collaboration.realtime.community/defaultAuthType=ST-DOMINO-SSO

    com.ibm.collaboration.realtime.community/host=nsh-st.nashcom.de

    com.ibm.collaboration.realtime.community/loginByToken=true

    com.ibm.collaboration.realtime.community/name=nsh

    com.ibm.collaboration.realtime.community/loginAtStartup=true

    com.ibm.collaboration.realtime.login/autologin=true

    4Marzel Laning  08.11.2009 11:13:25  Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    Should "ST-DOMINO-SSO" not be "LtpaToken" to aviod problems with the still hard coded name van the LtpaToken name in some STlinks and other Sametime features.

    5Chris McEwan  17.03.2010 17:29:39  Policy to Push ST Server and SSO still broken in 8.5.1 for Standard Client

    Hi,

    Just a quick message to everyone that provided info on this page.

    Very helpful in my efforts to deploy 8.5.1 to 1200 clients !!

    Links

      Archives


      • [IBM Lotus Domino]
      • [Domino on Linux]
      • [Nash!Com]
      • [Daniel Nashed]