You enable a Lotus Domino server for multi-server session authentication, also called Single Sign-On (SSO), and create the Web SSO Configuration document. When you load the HTTP task, however, you notice the following error:
"HTTP Server: Error loading Web SSO Configuration 'LtpaToken' (Single Sign-On configuration is invalid)" (for Domino 6.x)
"HTTP: Error loading Web SSO configuration Reverting to single-server session authentication" (for Domino 5.x)
To troubleshoot the issue, you try the following steps:
- Recreate the SSO document.
- Create the SSO document with the Server ID instead of an Administrator ID.
- Verify that the server you are testing with is listed in the "Participating Servers" section of the SSO document.
- Verify that the public keys from the Server or Administrator ID match those from the Server or Person document.
- Recreate the SSO document with only one participating server (the entry in the "Domino Server Names" field).
While the error remains after trying the first four steps, SSO loads successfully after you list only one participating server. Why would removing certain servers from the "Domino Server Names" field allow SSO to load successfully?
In one particular case, the error occurred because the Domino server's name was present as an alternate name in a Person document. When the SSO Configuration document is saved, it is encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field. To implement this encryption, the Domino server looks each name up in the $Users view before moving on to the $Servers view. Therefore, if the Domino server's name is listed as an alternate name in the "User Name" field of any Person document, the lookup finds the Person document first, and the SSO document is encrypted with the public key from the Person document instead of the public key from the Server document. The server cannot decrypt a document encrypted for a key it does not hold, so the HTTP task reports the configuration as invalid.
To avoid the error, remove the server name entry from the Person document, rebuild the views in the Domino Directory, then recreate the Web SSO Configuration document.
You have a Domino server named Acme/ABC. In your Domino Directory, you create a Person document that contains the following entries in the User Name field:
In order to prevent the SSO error, you must remove the "Acme/ABC" entry from the Person document.
Searching the $Users view in the Domino Directory is the quickest method of determining whether you have the server name in the User Name field of a Person document.
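As an added example (not part of the technote and not IBM's own code), the following LotusScript agent automates that check: it looks up the server name in the $Users view and reports every Person document whose User Name field contains it. It assumes the agent runs on the server, that the Domino Directory is names.nsf, and that the server to check is Acme/ABC.

```lotusscript
' Added example: find Person documents whose User Name field contains the
' server name, the condition that breaks Web SSO Configuration encryption.
Option Public
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim usersView As NotesView
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim serverName As NotesName
    Dim hits As Long

    ' Assumed values: server name to check and directory filename
    Set serverName = New NotesName("Acme/ABC")
    Set db = session.GetDatabase("", "names.nsf")
    If Not db.IsOpen Then
        Print "Cannot open the Domino Directory (names.nsf)"
        Exit Sub
    End If

    ' $Users is the view the server consults first when encrypting the SSO
    ' document; an exact-match lookup returns every document keyed on the name
    Set usersView = db.GetView("$Users")
    Set dc = usersView.GetAllDocumentsByKey(serverName.Abbreviated, True)

    hits = 0
    Set doc = dc.GetFirstDocument
    Do While Not doc Is Nothing
        ' Only Person documents are a problem; a Server document is expected
        If doc.Form(0) = "Person" Then
            hits = hits + 1
            Print "Person document for " & doc.FullName(0) & _
                " lists " & serverName.Abbreviated & " in its User Name field"
        End If
        Set doc = dc.GetNextDocument(doc)
    Loop

    If hits = 0 Then
        Print "No Person document contains " & serverName.Abbreviated
    Else
        Print CStr(hits) & " Person document(s) found. Remove the entry, " & _
            "rebuild the directory views, then recreate the Web SSO document."
    End If
End Sub
```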