IBM Support

LO75743: SSO FOR WEB NOT WORKING IF AD PASSWORD & INTERNET PW ARE THE SAME

APAR status

  • Closed as user error.

Error description

  • Domino 8.5.2FP3\Win7

    Windows single sign-on for Web clients doesn't work if the
    Internet password in the Person record in the Domino Directory
    and the Active Directory password are the same. Everything works
    fine if the passwords are not the same.

    This really should work.
    
    - Client password is "password 1" and AD password is "password 2"
      and everything works fine.
    - Then you change the client password to "password 2" to match
      the AD password and it no longer works.

    - Added the following debug parameters to the server notes.ini
      followed by a server restart.
      Then test with both passwords being different so I can see it
      working.
      Then test with both passwords the same so I can see it fail.

    DEBUG_SSO_TRACE_LEVEL=2
    WEBSAUTH_VERBOSE_TRACE=1
    Console_log_enabled=1
    Debug_ThreadID=1
    
    Results on ecurep
    
    Examined the console.log:
    
    The following failure can be seen at 1:44 and even at 1:41 when
    the attempt was successful:
    
    [12648688:00053-10027] 14.05.2013 13:44:51.29 NAMELookup::<NAMEVerifyLDAPPassword>> BIND LDAP host='D00370003.AUTOMOBIL.DEKRA.DE:389' failed for user 'CN=A24766,OU=StandardUser,OU=User,OU=HV,OU=user,DC=company,DC=test,DC=de' error:'Invalid credentials'
    [12648688:00053-10027] 14.05.2013 13:44:51.29 NAMELookup::<NAMEVerifyLDAPPassword>> Informational: Restore LDAP msgid ='6'
    [12648688:00053-10027] 14.05.2013 13:44:51.29 NAMELookup::<NAMEVerifyLDAPPassword>> Restoring LDAP Connection for host='D00370003.company.test.DE:389' w/ user='AUTOMOBIL\C00999'
    [12648688:00053-10027] 14.05.2013 13:44:51.29 NAMELookup::<NAMEVerifyLDAPPassword>> Received error 'Error looking up name on LDAP Server; See server log for further details.' trying to verify LDAP credentials!
    [12648688:00017-10027] 14.05.2013 13:44:51.29 WebAuth> Unsuccessful LDAP BIND for user='CN=A24766/OU=StandardUserHV/OU=UserHV/OU=HV/OU=company /DC=company/DC=dekra/DC=de'
    
    - Also, LTPATOKEN and LTPATOKEN2 exist.

    Can L3 provide some further debug\assistance to determine the
    root cause here?
    

Local fix

  • Do not use the same password
    

Problem summary

Problem conclusion

Temporary fix

Comments

  • This APAR is associated with SPR# PPOR98LKL8.
    The problem was caused by a user error or user misunderstanding.
    

APAR Information

  • APAR number

    LO75743

  • Reported component name

    DOMINO SERVER

  • Reported component ID

    5724E6200

  • Reported release

    852

  • Status

    CLOSED USE

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-06-12

  • Closed date

    2013-06-25

  • Last modified date

    2013-06-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
25 June 2013