Error loading Web SSO Configuration document

Technote (FAQ)


Question

You enable a Lotus Domino server for multi-server session authentication, also called Single Sign-On (SSO), and create the Web SSO Configuration document. When you load the HTTP task, however, you notice the following error:


    "HTTP Server: Error loading Web SSO Configuration 'LtpaToken' (Single Sign-On configuration is invalid)" (for Domino 6.x)

or
    "HTTP: Error loading Web SSO configuration Reverting to single-server session authentication" (for Domino 5.x)

To troubleshoot the issue, you try the following steps:

- Recreate the SSO document.
- Create the SSO document with the Server ID instead of an Administrator ID.
- Verify that the server you are testing with is listed in the "Participating Servers" section of the SSO document.
- Verify that the public keys from the Server or Administrator ID match those from the Server or Person document.
- Recreate the SSO document with only one participating server (the entry in the "Domino Server Names" field).

While the error remains after trying the first four steps, SSO loads successfully after you list only one participating server. Why would removing certain servers from the "Domino Server Names" field allow SSO to load successfully?

Answer

In one particular case, the error occurred because the Domino server's name was present as an alternate name in a Person document. When the Web SSO Configuration document is saved, it is encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field. To find the public key for each of these names, the Domino server performs a lookup in the $Users view before moving on to the $Servers view. Therefore, if the Domino server's name is listed as an alternate name in the "User Name" field of any Person document, the SSO document is encrypted with the public key from that Person document instead of the public key from the Server document. The server's own private key does not match that public key, so the server cannot decrypt the document when the HTTP task loads it.


To avoid the error, remove the server name entry from the Person document, rebuild the views in the Domino Directory, then recreate the Web SSO Configuration document.

Example:

    You have a Domino server named Acme/ABC. In your Domino Directory, you create a Person document that contains the following entries in the User Name field:
      User Mailin/ABC
      Joe Admin/ABC
      User Mailin
      Acme/ABC

    In order to prevent the SSO error, you must remove the "Acme/ABC" entry from the Person document.

Searching the $Users view in the Domino Directory is the quickest method of determining whether you have the server name in the User Name field of a Person document.
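The same check can be run offline over a directory export, as in this added example, which is not part of the original technote. The record layout, the `user_names` key and every sample entry other than those from the example above are constructed, and matching is assumed to be case-insensitive and to treat canonical (CN=Acme/O=ABC) and abbreviated (Acme/ABC) names as equal.

```python
import re

# Constructed sample directory export (not real data): each Person record
# carries the entries of its "User Name" field; servers are listed by name.
PERSONS = [
    {"doc": "Person: Joe Admin",
     "user_names": ["User Mailin/ABC", "Joe Admin/ABC", "User Mailin", "Acme/ABC"]},
    {"doc": "Person: Ann Ops",
     "user_names": ["CN=Ann Ops/O=ABC", "Ann Ops"]},
    {"doc": "Person: Old Service",
     "user_names": ["CN=Hub01/OU=East/O=ABC"]},
]
SERVERS = ["CN=Acme/O=ABC", "Hub01/East/ABC", "Mail02/ABC"]

# Component labels used in canonical hierarchical names.
_LABEL = re.compile(r"^\s*(CN|OU|O|C)\s*=\s*", re.IGNORECASE)

def normalize(name):
    """Reduce canonical and abbreviated forms to one lowercase key
    (assumption: names compare case-insensitively)."""
    parts = [_LABEL.sub("", p).strip().lower() for p in name.split("/")]
    return "/".join(p for p in parts if p)

def find_collisions(persons, servers):
    """Return (server, person doc, matching entry) for every Person record
    whose User Name entries include a server's name."""
    wanted = {normalize(s): s for s in servers}
    hits = []
    for person in persons:
        for entry in person["user_names"]:
            server = wanted.get(normalize(entry))
            if server is not None:
                hits.append((server, person["doc"], entry))
    return hits

def safe_servers(persons, servers):
    """Servers whose name appears in no Person record."""
    shadowed = {s for s, _, _ in find_collisions(persons, servers)}
    return [s for s in servers if s not in shadowed]

if __name__ == "__main__":
    for server, doc, entry in find_collisions(PERSONS, SERVERS):
        print(f"{server}: shadowed by entry {entry!r} in {doc}")
    print("No collision:", ", ".join(safe_servers(PERSONS, SERVERS)))
```

Each reported entry is one to remove from the Person document before rebuilding the views and recreating the Web SSO Configuration document.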


    Historical Number

    196606


Document information


More support for:

IBM Domino
Web Server

Software version:

6.5, 7.0, 8.0, 8.5

Operating system(s):

AIX, Linux, OS/400, Solaris, Windows, i5/OS, z/OS

Reference #:

1100774

Modified date:

2009-11-24
