Setting up Single Sign-On (SSO) for a Lotus Domino server requires the use of a Web SSO Configuration document. There are two ways of creating a Web SSO Configuration document:
1. Using the "Web Server Configurations" view (compatible with Domino R5 servers)
2. Using the "Internet Sites" view of Domino 6 (available for Domino 6 and Domino 7 servers)
You create a Web SSO Configuration document using Internet Sites, including creating the Web Site document and enabling the use of Internet Site documents on the Basics tab of the Server document.
When you restart the HTTP task after these changes, however, you see the following error:
"HTTP Server: Error loading Web SSO configuration 'LtpaToken' (Single Sign-On configuration is invalid)."
As a result, SSO does not function.
Alternatively, you may find that even though the error appears on the server console, users can authenticate as expected.
This issue has been reported to Quality Engineering as SPR# DMEA5E2RBA; there are no plans to address the issue in the current release. The error occurs if you previously configured SSO in the Server document and Domino applies this setting, instead of ignoring this hidden field once Internet Sites is enabled.
To work around the issue, take the following steps to reset the field in the Server document:
1. On the Basics tab of the Server document, for the "Load Internet Configurations from Server\Internet Sites document" field, select Disabled.
2. Now go to the Internet Protocols -> Domino Web Engine tab. The field "Session Authentication" should now be visible. Make sure this is set to Disabled.
3. Save the Server document.
4. Return to the Basics tab, and switch "Load Internet Configurations from Server\Internet Sites document" to Enabled.
5. Save and close the Server document. Start the HTTP task.
This procedure ensures that the Domino server uses the Web SSO Configuration in the Internet Sites view, instead of looking in the Web Configurations view.
When you use Internet Sites for SSO, the Domino server takes the configuration settings for session authentication from the Web Site document in the Internet Sites view. The settings for session authentication in the Server document no longer apply, so those fields are hidden when you enable Internet Sites.
As noted above, the problem is that the server does not disregard the hidden fields in the Server document. If you had previously set session authentication to "Multiple Servers (SSO)," Domino tries to find the Web SSO Configuration document in the Web Configurations view. Since that document does not exist in that view, the error occurs.
This behavior is not limited to SSO. It can occur for LDAP when the "SSL key file name" field on the Ports -> Internet Ports tab of the Server document contains a previous entry, and Domino reads that setting from the Server document instead of from Internet Sites.
To make sure that Domino reads the SSL key file name from Internet Sites, use the same procedure as above to display the "SSL key file name" field in the Server document and clear it.