Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

Traveler 8.5.3.2 released -- Isuses with older companion app

Daniel Nashed  1 March 2012 13:18:20

Traveler 8.5.3.2 ( aka FP2) has been released.

A couple of issues have been fixed in this FP. See details here http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_APAR_listing#8532

This fixpack is also needed to use the new companion app version 2.0.5.
A couple of customer updated their companion app to 2.0.5 could not read encrypted email any more.
The new Traveler version did solve this problem. IBM is still investigating.

Also there is some new functionality in the new companion app in combination with the new Traveler release.
You can now control if the user can export the message and if the companion app only works with trusted certs.

See details here -> http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_Companion_security_settings_LNT853

Probably when introducing this new functionality some compatibility issue with earlier releases has been introduced.
The documentation says that if you use this new functionality you need to update your companion app.
But it looks like something went wrong in this area.

Updating the companion app to 2.0.5 should solve the issue.

I had also some issues with intermittent sync problems after the update but that might be related to my installation -- still testing.


--- Update 06.02.2012 ---

my sync issues are solved. it turned out that my Android device needed a full sync and that the full sync blocked sync for my iPhone and iPad with the same user.
this works as designed and if I would not have stopped the Android device syncing, the problem would have gone away earlier.

the second update is that it turned out that the customers reporting companion app problems had turned on session based authentication.
smartphones and the companion app cannot handle forms based authentication properly and need basic authorization headers!
you have to setup basic authenication for all Traveler servers that do not use secure reverse proxy.
in the case of a reverse proxy the proxy handles the authentication and uses basic authentication.
that authentication is forwarded to the Traveler server and depending on the proxy it makes sense to use multi server authentication to reduce the overhead for the session.

when switching to basic authentication the companion app worked again.


-- Daniel


Here is the documentation page for the update.

http://www.lotus.com/ldd/dominowiki.nsf/dx/Lotus_Notes_Traveler_8.5.3.2
Comments

1Stefan Tessmann  02.03.2012 14:48:01  Traveler 8.5.3.2 released -- Isuses with older company app

On our installation the upgrade to 8532 does not fix the problem. Decrypting of mails is still not possible on iOS devices.

2Harald Gaerttner  05.03.2012 13:43:29  Traveler 8.5.3.2 released -- Isuses with older company app

Same here ... update to 8.5.3.2. didn't solve the decrypting problem on iOS!

3Daniel Nashed  06.03.2012 10:11:59  Traveler 8.5.3.2 released -- Isuses with older company app

The Taveler update does not solve the problem in all cases.

In my Traveler environment it still works with the 2.0.4 and 2.0.5 companion version and Traveler 8.5.3.2.

You should open a PMR and check with IBM what goes wrong in your environment.

I will post an update as soon there is feedback from IBM.

-- Daniel

4Daniel Nashed  06.03.2012 19:18:15  Traveler 8.5.3.2 released -- Isuses with older company app

problem solved. I updated the post. the companion app problem is solved switching to basic authentication which is the recommended configuration for Traveler servers directly serving devices thru HTTPS.

-- Daniel

5Harald Gaerttner  07.03.2012 10:12:13  Traveler 8.5.3.2 released -- Isuses with older company app

Thanks for the great help!

6Simon  09.03.2012 16:37:58  Traveler 8.5.3.2 released -- Isuses with older company app

Can you tell me how you switched basic authentication?

7Daniel Nashed  09.03.2012 17:34:41  Traveler 8.5.3.2 released -- Isuses with older company app

@Simon, basic authentication is used when no session authentication is configured.

You find it in the server doc "Internet Protocols / Domino Web Engine" Session authentication: Disabled.

If you use Internet Site documents you find the setting in the Internet Settings document.

-- Daniel

8Simon  13.03.2012 16:09:41  Traveler 8.5.3.2 released -- Isuses with older company app

Thanks Daniel, I'm hoping that IBM will sort this out rather than us having to change our configuration... and update all of our documentation.

9Daniel Nashed  14.03.2012 1:05:02  Traveler 8.5.3.2 released -- Isuses with older company app

@Simon, it's documented that the recommended configuration is basic authentication.

And this is what mobile devices need. forms based authentication does not work completely as said before.

There are configurations in proxy environments where multi-server authentication makes sense.

But those a special cases that depend on what the proxy does.

-- Daniel

10Simon  14.03.2012 9:41:35  Traveler 8.5.3.2 released -- Isuses with older company app

Daniel, thanks again. As both methods worked before the 2.05 update and now only one does then I was sure that IBM would sort this out.

We contacted IBM about this and this is what we go t back.

---

This a known problem with Companion 2.0.5 when using a server set up for session-based authentication. We have submitted a fix to the App Store, however it may take up to two weeks for a new version to appear there. In the meantime, you can work around the problem by temporarily disabling session authentication on the server, or creating an Internet site document with an Override Session Authentication rule in place for "/servlet/traveler*", both of which will allow Companion to work using basic authentication.

We apologize for the inconvenience and hope to have a new version of the app available shortly.

IBM Lotus Notes Traveler Team

---

They got back to us in a matter of hours! I was very impressed.

Simon

11Daniel Nashed  14.03.2012 21:18:54  Traveler 8.5.3.2 released -- Isuses with older company app

@Simon, the Traveler team rocks! And that includes the support for Traveler.

The point is that you should still stay with Basic Authentication unless you have a very good reason to switch to session based authentication for the reasons I mentioned.

If you stay with the recommended configuration the likelyhood that you run into trouble is lower a lot lower ;-)

-- Daniel

12Hubert Ku  20.03.2012 11:03:09  Traveler 8.5.3.2 released -- Isuses with older company app

Hi Daniel,

Session-based authentication is supported by Traveler, below paragraphs are snipped from the 8.5.3 manual.

Hubert

==========================

Enabling session authentication

Performance can be enhanced by enabling single-server or multi-server session-based name-and-password authentication for web users. This allows the IBM Lotus Notes Traveler client to log in once per session instead of logging in for each device-to-server communication. The session authentication parameter can be found by clicking Internet Protocols > Domino Web Engine in the server document (if not using Internet site documents), or by clicking the Domino Web Engine tab of the Internet site document for Web Protocol (if using Internet site documents).

Before enabling session authentication, make sure that you review the "Session Authentication" topic in the latest version of the Domino Administrator documentation in this information center. Review the session authentication details, and make sure that it is the correct option for your environment.

==============================

13Daniel Nashed  20.03.2012 16:33:51  Traveler 8.5.3.2 released -- Isuses with older companion app

@Hubert, it might be supported by Traveler in general but mobile devices cannot handle forms based authentication correctly.

If you chance your password, the device will not notice the chance and you will be blocked.

As said before this only makes sense in a proxy environment if the proxy handles the authentication.

The cookie can help to avoid that the client needs to authenticate again.

But this really depends on the environment. In general I would not recomment to use session based authentication for Travaler.

It's a matter of context when to use session based and when basic authentication.

If you switch to session based authentication I would always use multi-server session based authentication.

-- Daniel

14Simon  28.03.2012 13:07:59  Traveler 8.5.3.2 released -- Isuses with older companion app

For the records, IBM still haven't fixed this. The problem changed to rejecting the username and password with the Companion 2.06 upgrade. We have just upgraded our Traveler server to 8.5.3.2 but this has not resolved the problem.