Support Flash Alert: iOS 12 native Mail app authentication issue with session based authentication
Daniel Nashed – 19 September 2018 05:54:50
There is a support flash for an issue with iOS 12 with the native mail app.
Before this change in iOS 12, a wrong configuration did not impact the user during normal operations; there were only issues when the password was changed.
Mobile devices cannot handle forms-based authentication. If you configure session based authentication or multi-server session based authentication, the server will not use the basic authentication headers.
On the other hand, the recommended authentication for a Domino HTTP server, and also for a Traveler server, is multi-server session based authentication with LTPA cookies (from a security and performance point of view).
For mobile devices connecting to Traveler you have to ensure basic authentication headers are used because mobile devices do not understand the forms-based authentication for sync requests (they do in the web browsers).
Enabling basic authentication headers in combination with multi-server session based authentication is only possible if you use the more modern HTTP configuration leveraging "Internet Sites".
Using an Internet Site you can override session based authentication for the /traveler URL by configuring an Authentication override rule.
If the server has auto configuration enabled, the required documents will be created automatically if Internet Sites are used for the server.
So the right configuration is either no Internet Sites with basic authentication,
or multi-server session based authentication with Internet Sites and the Override Authentication rule -- which is the recommended configuration even on a stand-alone Traveler server!
This isn't a new requirement, and the wrong configuration already caused issues when a user's HTTP password changed. In that case the mobile device wasn't able to figure out that the password was wrong.
The server sent the login form with a 200 status code instead of the authentication challenge with a 401. That wasn't understood by the mobile device.
It worked by coincidence because the client sent the basic authentication header anyway.
Here is an example of how your Internet Site should look.
There is one
Site name: Web Site: Nash!Com Traveler Website (domino.acme.de; 1.2.3.4)
Rule (Override Session authentication): /traveler*
Rule (substitution): /Microsoft-Server-ActiveSync* --> /traveler/Microsoft-Server-ActiveSync*
Rule (substitution): /servlet/traveler* --> /traveler*
There is one additional setting that is required.
In the Internet Site you have to ensure that once the user is authenticated with basic authentication for the Traveler URL, the user still gets an LTPA cookie:
When overriding session authentication, generate session cookie: Yes
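A quick way to verify both behaviours described above on your own server (the 401 Basic challenge on /traveler for an unauthenticated request, and the LTPA cookie after a successful Basic-authenticated request). This is an added example, not code from the original post: it parses raw HTTP responses as you would capture them with `curl -i`, and the sample responses, cookie domain and form action are constructed, not recorded from a real server.

```python
"""Classify Domino/Traveler HTTP responses for the mobile-device auth problem described above."""
import re

# Constructed sample responses (not captured from a real server).
GOOD_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Basic realm=\"/traveler\"\r\n"
    "Content-Length: 0\r\n\r\n"
)
BAD_200_FORM = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><form method=\"post\" action=\"/login\">"
    "<input name=\"Username\"><input name=\"Password\"></form></body></html>"
)
AUTH_OK_WITH_LTPA = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: LtpaToken=<opaque-token>; Path=/; Domain=.acme.de\r\n"
    "Content-Type: text/html\r\n\r\n<html>...</html>"
)

def parse_response(raw: str):
    """Split a raw HTTP response into (status code, headers keyed by lower-case name, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain colons
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def classify_unauthenticated(raw: str) -> str:
    """Expected for a sync request without credentials: 401 plus a Basic challenge.
    A 200 carrying the session login form is the misconfiguration the post describes."""
    status, headers, body = parse_response(raw)
    challenges = headers.get("www-authenticate", [])
    if status == 401 and any(c.lower().startswith("basic") for c in challenges):
        return "ok: 401 with Basic challenge"
    if status == 200 and re.search(r"<form[^>]*>", body, re.I):
        return "misconfigured: 200 with session login form instead of 401"
    return "unexpected: status %d" % status

def ltpa_cookie_issued(raw: str) -> bool:
    """After a successful Basic-authenticated request the Internet Site should still
    set an LtpaToken cookie ("generate session cookie: Yes")."""
    _, headers, _ = parse_response(raw)
    return any(c.startswith("LtpaToken=") for c in headers.get("set-cookie", []))
```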
Here is the link to the new technote:
https://www.ibm.com/support/docview.wss?uid=ibm10731987
It also contains a link to the documentation on how to properly configure the Domino HTTP task on your Traveler server:
https://www.ibm.com/support/knowledgecenter/SSYRPW_9.0.1/httpauthentication.html
-- Daniel