Configuring SPNEGO for the IBM Connections Mail Plug-in

You can use SPNEGO to create a secure environment between Connections and your Microsoft Exchange or IBM® Domino® mail servers. For Domino servers, it is better to use LTPA.

Procedure

  1. Complete the following task: Mapping an Active Directory account to administrative roles.
  2. Complete the following task: Creating a service principal name and keytab file.
  3. Set up service delegation.
    1. In the Active Directory Users and Computers settings, locate the user account for the IBM Connections server that you created in steps 4-8 of the previous procedure, Creating a service principal name and keytab file.
    2. Double-click the user account to open the Properties window.
    3. On the Delegation tab, select Trust this user for delegation to any service (Kerberos only) or Trust this user for delegation to specified services only and select either option under that.
      Tip: The more secure option is Trust this user for delegation to specified services only.
    4. If you choose Trust this user for delegation to specified services only, click the Add button for the Services to which this account can present delegated credentials field, and add the information for Exchange Web Services.
  4. Complete the following task: Configuring SPNEGO on WebSphere® Application Server.
    Important: In step 11, instead of selecting LTPA, select Kerberos and LTPA authentication.
  5. Complete the following steps:
    1. In the WAS-root/AppServer/profiles/Dmgr01/config/cells/cell-name/LotusConnections-config directory, open the LotusConnections-config.xml file.
    2. After the versionStamp element, add the following code:
      <properties>
        <genericProperty name="shindig.properties.override.cre.makeRequest.passCookies">true</genericProperty>
        <genericProperty name="shindig.config.container.overrides">
          {
            "gadgets.sso" : {
              "spnegoDomain" : "exchange1.example.com,exchange2.example.com",
              "cookieDomain" : "domino.example.com",
              "cookieNames" : "LtpaToken,LtpaToken2"
            }
          }
        </genericProperty>
      </properties>
    3. For the spnegoDomain property, enter all domains of mail servers that are secured with SPNEGO. Separate multiple domains with commas (,) and no spaces.
    4. Do one of the following:
      • If your environment includes Domino mail servers, for the cookieDomain property, enter all domains for Domino mail servers. Separate multiple domains with commas (,) and no spaces.
      • If your environment does not include Domino mail servers, remove the cookieDomain and cookieNames properties and values.
    5. Save and close the LotusConnections-config.xml file.
  6. If you are using Domino servers, complete the following steps:
    1. Open the Domino administrator console.
    2. Open the server document for servers, and click Edit Server.
    3. In the Timeouts section, click Internet Protocols - HTTP.
    4. Clear the HTTP persistent connection field.
    5. Save and close the document.
  7. Restart your Connections servers.
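
A pre-restart check for the gadgets.sso override from step 5, as an added example that is not part of the IBM documentation. The function names and the sample fragment are constructed for illustration; the pairing rule for cookieDomain and cookieNames is a reading of step 5.4.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the step 5 fragment, with a stray space after the comma.
SAMPLE = """<properties>
  <genericProperty name="shindig.config.container.overrides">
    {"gadgets.sso": {"spnegoDomain": "exchange1.example.com, exchange2.example.com",
                     "cookieDomain": "domino.example.com",
                     "cookieNames": "LtpaToken,LtpaToken2"}}
  </genericProperty>
</properties>"""

OVERRIDES = "shindig.config.container.overrides"


def list_problems(name, value):
    """Flag whitespace or empty entries in one comma-separated domain list."""
    problems = []
    if any(ch.isspace() for ch in value):
        problems.append(f"{name}: contains whitespace; use commas only")
    if "" in value.split(","):
        problems.append(f"{name}: empty entry")
    return problems


def check_sso(xml_text):
    """Validate the gadgets.sso override inside a <properties> fragment."""
    root = ET.fromstring(xml_text)
    # Match on the local tag name so a namespaced config file also works.
    props = {e.get("name"): (e.text or "") for e in root.iter()
             if e.tag.rsplit("}", 1)[-1] == "genericProperty"}
    if OVERRIDES not in props:
        return [f"{OVERRIDES}: property not found"]
    try:
        sso = json.loads(props[OVERRIDES]).get("gadgets.sso", {})
    except json.JSONDecodeError as exc:
        return [f"{OVERRIDES}: invalid JSON ({exc.msg})"]
    problems = []
    for key in ("spnegoDomain", "cookieDomain"):
        if key in sso:
            problems += list_problems(key, sso[key])
    # Step 5.4 (as read here): keep both cookie properties or remove both.
    if ("cookieDomain" in sso) != ("cookieNames" in sso):
        problems.append("cookieDomain and cookieNames must both be present or both removed")
    return problems


if __name__ == "__main__":
    print(check_sso(SAMPLE) or "gadgets.sso override looks consistent")
```

An empty list means the fragment satisfies the separator and pairing rules; it does not confirm that the listed hosts are the right mail servers.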