IBM Support

Open Mic Webcast replay: Sametime authentication setup and troubleshooting: LDAP, Wimconfig, SSO - 15 November 2011



The recording and summary is available for the event held 15 November 2011 on the topic of "Sametime authentication setup and troubleshooting: LDAP, Wimconfig, SSO."


Advanced questions and other discussions for this Webcast can be found in this Sametime forum post.



Format: MP3 file, size of 6.51 MB (6,833,616 bytes)

Duration: 56:56

Click the link to play the recording. Right-click and select Save As to save to your local system for later playback.


Audio approximate time index:

Time Question & answer summary
0:00 Introduction & overview
02:30 Presentation
45:45 How do you use attributes other than mail, uid, or cn to authenticate? Is that altering wimconfig to use other LDAP attributes?

Within the presentation for this event (attached), the section "Tweaking wimconfig.xml" describes step-by-step how to add an additional LDAP attribute and how to map it. In the web chat, you asked about changing the LDAP realm for LTPA. It is something you can change, but I recommend being very methodical. For example, you have to remap the WAS admin user to the roles after you make such a change, and synchronizing is often needed manually from the node itself. The steps to do that are covered in the slides. It is critical that all of the servers are in the same LTPA realm.
47:35 For single sign-on (SSO), are there any plans to support multiple domains over SSO, such as and

That's not something that is possible simply because the way SSO works is as much on the browser as it is on the server. The browser and the server decide what realm or what domain the cookie is allowed to be shared with, as part of that negotiation. The industry specification says I can only share cookies out to the domain level of; an entity like doesn't have access to them. So at this time, no plans.
48:50 Can you discuss SSO behavior with other IBM technologies, like when using IBM Connections, Lotus Quickr for WebSphere Portal, or WebSphere Portal? I noticed that the order in the configuration of the LDAP repository, where you put the BindID and define the LoginID attributes, seems to matter. For SSO to work properly against the Sametime Meeting server, mail has to be listed first. What's happening there?

The order of those attributes sets what property is going to be set in the remote user header. The Sametime Meeting components specifically look for mail to be there because when they do their searches for users within the code, they have to know where to start. The configuration order doesn't actually affect what it is in the LTPA token itself - that's always the user DN. It is up to the application to decide, and the Sametime Meeting requirement is about looking things up from the remote user header, and not from the LTPA token. To clarify, it's not as much about the SSO as it is about the Sametime Meeting requirement for looking up the user after they are logged in, using what is in the remote user header.
51:15 We are having A/V issues with Sametime when we tie into our production Sun ONE LDAP environment, specifically A/V drops and in the logs, it looks like the user is coming in as NULL. When running against Domino LDAP, A/V works perfectly. Any tips or where to check the configuration?

The place I'm going to look in that scenario is the Business Card configuration. It could be that the Business Card is not returning a mail address, and that's why you are seeing NULL. To check, hover over the user to bring up the Business Card and check the value. If not correct, follow the Troubleshooting references for business cards in the presentation for this event. Client logs will be useful to review as well.
54:50 After upgrading to Sametime 8.5.2, we are not seeing presence awareness for names in the Notes mail inbox (we use Sametime integrated in Notes). Is that a configuration problem?

Most likely, it could be a configuration problem. To troubleshoot, you can walk through the process of authentication, review logs and debug. If you need assistance in that troubleshooting, you can open a service request with IBM Support.

Web conference chat consolidation:
1 Can you provide a list of IBM courses needed to get up to speed with Sametime 8.5 (WebSphere, Sametime, etc.)?

Refer to these learning resources:
2 Can you talk about using the SSO Domain Name format of "" vs. using ""? I typically use the former in order to support sub-domains within the given DNS Domain.

"" or "" are equally valid.
3 When enabling SSO between multiple Cells such as Portal, Connections, etc., does the Realm name need to change from defaultwimfilebasedrealm to for example? I have had to do this a number of times, otherwise SSO will not work correctly or in both directions.

The realm must match across all WebSphere Application servers (WAS) and Domino servers.
The LDAP Realm will change to "" when either integrating SSO with Domino or a J2EE system using a "stand-alone LDAP" configuration.
Usually we've seen it as the LDAP name for the realm when pulling the LTPA from an earlier WAS (Portal typically).
Also, make this realm change before you extract the LTPA Key that will be exchanged with either Domino or stand-alone LDAP J2EE, because the realm name with the LDAP DNS:389 will now be in that LTPA Key.
4 Can we use secured LDAP here?


Will there be any need to import the LDAP's certificate into the WebSphere?

Yes, in 8.5.2 you have the option to import the SSL certificate into the cell's trusted keystore in the guided activity. The prior version required you to import the SSL certificate via the ISC (or ikeyman).
5 Can Sametime 8.5.2 browser meetings work over https..??

Yes, can use https://<server>/stmeetings. By default, the SSL certificate will be the WAS default certificate. And note, by default, that would be https://<server>:9443/stmeetings.
A good article on changing the SSL certificate is Configuring Sametime 8.5.2 WebSphere servers to support HTTPS and SIPS encryption.
6 Are multiple federated repositories supported in Sametime?

Yes you can have multiple LDAP repositories. Keep in mind though the more you have the longer LDAP related operations (such as authentication) will take.
7 Are there any issues using LTPA for SSO with Sametime on Active Directory (AD), and Quickr using Domino authentication?

Ideally you want to use the same repository across all instances. You can set up name mapping within Domino/DA, but that can be tricky. You will want to use same LDAP as the nature of SSO requires all participating servers to use the same user repository.
8 Are there any roles to take care of relative to Sametime activities (access to log, changing settings, ...)?

Most of the settings in ISC are a part of WebSphere (not Sametime) and require the Administrator role. The Sametime System Console section is the only part that belongs to Sametime and requires the "All Authenticated Users" role.
9 Can we allow external users with temporary accounts to login?

It can be guest users. Otherwise user have to be present in LDAP.
10 I'm new to this, what is a cell?

A "cell" is the logical container that all nodes will belong to that will share the same configuration and security model - all managed by the deployment manager. See this course for a good starting point: 1 hour course to demystify WebSphere Application Server for Lotus.
11 We are on Sametime 8.5 with SSO enabled for iNotes. I am having issues with configuring instant messaging on iNotes. I am not able to authenticate using the SSO authentication

There can be various reasons - you must have it configured, restart server, access via a proper hostname. First, check that SSO is working between the servers, for example, logging in to names.nsf. For troubleshooting tips, refer to "Configuring and Troubleshooting iNotes with Sametime Awareness."
12 The slides mention SPNEGO authentication for the Sametime Connect client. This is also now available for the integrated client within Notes, correct?

Yes, you can use SPNEGO with UIM or the Notes integrated client
13 Is it possible to put Sametime servers based on Internet web sites?

Internet Sites is fine, but see Can Sametime work with Internet Sites enabled? (technote 1157740). If your org is "IBM", then you need to set the parameter ST_ORG_NAME=IBM.
14 If I am logged into Sametime through Lotus Notes and simultaneously if I have Sametime Meeting Center open in a browser, then all chat messages come to me via browser chat by default. It completely ignores that I am available on the client. Why does this happen.?

Look in the Sametime product documentation for the sametime.ini setting VPS_PREFERRED_LOGIN_TYPES. The last client you logged in with is where your messages go, unless at least one of the client types is listed in VPS_PREFERRED_LOGIN_TYPES.
Client types are found in this technote:
15 Is there a way to set the web browser as last (non-preferred)? We find we need to modify the sametime.ini file on all servers and set the preferred login types every time there is a Sametime update.

I don't believe so; you have to update servers each time IBM releases a new client.
16 Where should the WebSphere debug variables be added?

WebSphere variables are under the Troubleshooting section in the integrated system console (ISC). Then select Logs and trace. And then the component you want to debug (such as the app server or dmgr).
17 With regard to nested group membership, how many levels are supported within WebSphere?

WebSphere by default has no limit. The Sametime applications, though, by default limit to 4 for policy lookup. This is configurable in the policy settings. Having a very high nesting level can impact performance though.
18 I am using Sametime 8.5.2 with my users/groups in the Domino Directory. My users log into Active Directory (AD). Can I use AD for SSO and Domino for the LDAP?

No, the nature of SSO requires all participating servers to use the same user repository.
19 Is there one site that houses all the Open Mic prior events?

We post all Open Mic events on our Technical Exchange page. Search for "Lotus Technical Exchange" and it'll come right up.
20 Can we have users from public IM's like MSN or Google Talk come into our Sametime buddy list?

Yes, this usage is a feature of the Sametime Gateway. If you want your Sametime Community to have awareness / chat functionality with external communities, Sametime Gateway allows this whereby you have a Sametime Gateway server to connect to Google Talk or Microsoft Office Communications Server communities. Refer to the Sametime Gateway product documentation.

Document information

More support for: Lotus End of Support Products
IBM Sametime

Software version: 8.5.2

Operating system(s): IBM i, Linux, Solaris, Windows

Reference #: 7023223

Modified date: 18 November 2011