Web SSO woes

We are about to implement a webmail server at a remote site. This site has a newly installed mail server cluster: one server on the LAN and one in the DMZ to serve webmail and Internet replication.

I had previously set up the Web SSO fields in the server document for the machine that is sitting out in the DMZ. I added the server name to the Web SSO Configuration for LtpaToken document. We already have this in place in a couple of locations, so we’ve proved the concept and know it works.

I placed the domlog.nsf database that I wanted on the server.

Once all that was in place, I successfully accessed the server’s URL directly and logged into a test mailbox without problem.

Now time to test the Web SSO.

We have a DNS entry for notes.domain.com with a webmail redirection set up so that the browser is redirected to the home mail server that holds the logging-in user’s mailbox. This is done automatically by a lookup on the person document.

Since we haven’t implemented our two clustered mail servers at many of our sites yet, many of the mailboxes are still on our hub servers in Hong Kong. We play some DNS tricks to make all this work and get the web browser redirected to the user’s home mail server; however, the home mail server is just a CNAME alias of the Hub1 server’s DNS entry.

So today, the web SSO wasn’t working properly.

I had this problem once before, where it seemed to work intermittently. In reality it worked, but only about 10 seconds after I logged in: I was redirected and then told that the login failed on the second server. If I clicked refresh in the browser, it went ahead and logged into the webmail account.

I realized that the token wasn’t yet valid on the second server. It was “too soon”, in other words.

I used the DEBUG_SSO_TRACE_LEVEL=1 Notes.ini parameter to see what was going on during web redirection and authentication. You can also use DEBUG_SSO_TRACE_LEVEL=2 to get even more information.

I was able to see the “ERROR: Token is expired” message along with the token creation and expiration times as compared to the time on the server.

Without the details in those extra logging levels, I wouldn’t have been able to figure out what the problem was.

We have our Windows 2003 servers set to sync their time with an Internet time source (NTP server). I double-checked and made sure that I had previously configured the new server to sync its time with the same NTP server that the notes.domain.com server was using.

In fact it was configured and working properly.

The only thing I could do was manually set the second (redirected-to) server’s time 10 seconds ahead of the notes.domain.com server. This way, when the token is created on the first server and the browser is redirected to the second, the token will already have been valid for at least 8 or 9 seconds, depending on how long the redirection took.
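To make the failure described above (the token created on notes.domain.com being "too soon" on the second server) and the 10-second clock offset workaround concrete, here is an added Python model of the check. It is example code written for this post, not Domino's code: the token layout (hex creation and expiration timestamps followed by the user name and an HMAC-SHA1 over a shared secret) is a simplified assumption, the real LtpaToken format and Domino's validation differ in detail, and the secret, user name, 30-minute lifetime and timestamps are constructed values. The `skew_allowance` parameter is my generalization of the author's fix (tolerating a few seconds of drift rather than deliberately offsetting a clock); the post does not describe a Domino setting for it.

```python
import base64
import hashlib
import hmac

# Constructed shared secret: in a Web SSO configuration every participating
# server holds the same LTPA secret, so the second server can verify a token
# minted by the first.
SECRET = b"constructed-shared-ltpa-secret-for-this-example"
TOKEN_LIFETIME = 30 * 60                   # seconds; constructed 30-minute expiration
DIGEST_LEN = hashlib.sha1().digest_size    # 20 bytes


def mint_token(user: str, issuer_now: int, lifetime: int = TOKEN_LIFETIME) -> str:
    """Issue a token on the first server. Creation and expiration times come
    from the *issuer's* clock and are written as 8-digit hex epoch seconds
    (simplified layout, an assumption of this example, not the real format)."""
    created = f"{issuer_now:08x}"
    expires = f"{issuer_now + lifetime:08x}"
    body = (created + expires + user).encode()
    sig = hmac.new(SECRET, body, hashlib.sha1).digest()
    return base64.b64encode(body + sig).decode()


def validate_token(token: str, receiver_now: int, skew_allowance: int = 0) -> tuple:
    """Check a token on the second (redirected-to) server against *its* clock.
    Returns (accepted, detail): the user name on success, or a reason modelled
    on the trace message the post quotes on failure."""
    raw = base64.b64decode(token)
    body, sig = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hmac.new(SECRET, body, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "ERROR: Token signature invalid"
    created = int(body[:8], 16)
    expires = int(body[8:16], 16)
    user = body[16:].decode()
    # A token minted on a server whose clock is *ahead* of ours appears to come
    # from the future; with no allowance it is rejected even though it is fresh.
    if receiver_now + skew_allowance < created:
        return False, (f"ERROR: Token is expired (not yet valid): created={created} "
                       f"now={receiver_now} skew_allowance={skew_allowance}")
    if receiver_now - skew_allowance >= expires:
        return False, f"ERROR: Token is expired: expires={expires} now={receiver_now}"
    return True, user


def simulate_redirect(receiver_offset: int, redirect_delay: int = 1,
                      skew_allowance: int = 0, issuer_now: int = 1_000_000) -> tuple:
    """Model the login flow: notes.domain.com mints the token at issuer_now,
    the browser takes redirect_delay seconds to reach the home mail server,
    and that server's clock differs from the issuer's by receiver_offset
    seconds (negative means the second server is behind)."""
    token = mint_token("CN=Test User/O=Example", issuer_now)   # constructed user
    receiver_now = issuer_now + redirect_delay + receiver_offset
    return validate_token(token, receiver_now, skew_allowance)


if __name__ == "__main__":
    cases = [
        ("second server 10 s behind, no allowance", -10, 1, 0),
        ("same, but refresh 10 s later", -10, 10, 0),
        ("second server set 10 s ahead (the post's workaround)", 10, 1, 0),
        ("second server 10 s behind, 30 s allowance", -10, 1, 30),
    ]
    for label, offset, delay, allowance in cases:
        print(f"{label}: {simulate_redirect(offset, delay, allowance)}")
```

Running it shows the sequence the post describes: with the second server 10 seconds behind, the token is refused immediately after the redirect but accepted on a refresh 10 seconds later, and setting the second server's clock ahead makes the first attempt succeed. The rejection message carries both timestamps, which is exactly the detail the DEBUG_SSO_TRACE_LEVEL output gave the author and the thing to look for when SSO "sometimes works".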

I’m not sure why the time wasn’t exactly the same on the 2 servers, because they were both syncing properly with the NTP server.

I’m guessing that the time might not be corrected if it is only a few seconds off. Perhaps it needs to be more than 1 minute off to be corrected.

Who knows. It’s working now though. Let’s hope it stays that way.
