IBM Support

Idle timeout for LTPA token not working

Technote (troubleshooting)


Problem

A Lotus® Domino® Web Server is set up for single sign-on (SSO) using Domino-generated keys and has an idle timeout enabled. The server fails to renew the token. As a result, the Web user's session expires, and the user is required to log in again.

Note: An idle timeout with WebSphere-imported keys is not supported.


Diagnosing the problem

If you work with IBM Support to collect SSO debug output, you can see in the output that a token is being set, as shown below:


    [025C:000A-0CD8] 08/07/2008 07:21:01.94 AM SSO API> Encoding Domino style Single Sign-On token.
    [025C:000A-0CD8] 08/07/2008 07:21:01.94 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:21:01.94 AM SSO API> -Expiration Ticks = 489AEFB5 [08/07/2008 07:51:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:21:01.95 AM SSO API> -Username = CN=web admin/O=LTSwebserver
    [025C:000A-0CD8] 08/07/2008 07:21:01.95 AM SSO API> Dumping memory of constructed token [67 bytes].
    [025C:000A-0CD8] 00000000: 0100 0302 3834 4139 3845 4441 3834 4139 '....489AE8AD489A'
    [025C:000A-0CD8] 00000010: 4645 3542 4E43 773D 6265 6120 6D64 6E69 'EFB5CN=web admin'
    [025C:000A-0CD8] 00000020: 4F2F 4C3D 5354 6577 7362 7265 6576 ED72 '/O=LTSwebserverm'
    [025C:000A-0CD8] 00000030: 3FCA AE68 F45E D8C1 EDB9 AA1D 961C A08A 'J?h.^tAX9m.*... '
    [025C:000A-0CD8] 00000040: 07D2 A2 'R."'
    [025C:000A-0CD8] 08/07/2008 07:21:01.97 AM SSO API> Dumping memory of encoded token [92 bytes].
    [025C:000A-0CD8] 00000000: 4141 4345 7A41 3451 554F 4646 454F 4546 'AAECAzQ4OUFFOEFE'
    [025C:000A-0CD8] 00000010: 444E 3567 5551 4756 6A51 4456 6A54 3331 'NDg5QUVGQjVDTj13'
    [025C:000A-0CD8] 00000020: 575A 6749 5759 7452 5761 7634 7A54 4D31 'ZWIgYWRtaW4vTz1M'
    [025C:000A-0CD8] 00000030: 4656 334E 575A 7A4A 585A 324A 585A 744C 'VFN3ZWJzZXJ2ZXLt'
    [025C:000A-0CD8] 00000040: 6A79 6F39 6C72 3037 6477 3569 5237 7132 'yj9orl70wdi57R2q'
    [025C:000A-0CD8] 00000050: 4A48 4B61 4E6F 4849 676F 3D3D 'HJaKoNIHog=='
    [025C:000A-0CD8] 08/07/2008 07:21:01.98 AM SSO API> -Next Renewal = 08/07/2008 07:26:01 AM.
    [025C:000A-0CD8] 08/07/2008 07:21:01.98 AM SSO API> -Max Idle Time = 08/07/2008 07:31:01 AM.

The idle timeout in this example is 5 minutes, so the token should be renewed before 7:36 AM (the interval is basically double the idle timeout; for more information, refer to Technote #1160458).

Because it has been longer than 5 minutes, you expect the SSO debug to show that the token should be renewed, but it returns an error:

    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> Dumping memory of encoded token [92 bytes].
    [025C:000A-0CD8] 00000000: 4141 4345 7A41 3451 554F 4646 454F 4546 'AAECAzQ4OUFFOEFE'
    [025C:000A-0CD8] 00000010: 444E 3567 5551 4756 6A51 4456 6A54 3331 'NDg5QUVGQjVDTj13'
    [025C:000A-0CD8] 00000020: 575A 6749 5759 7452 5761 7634 7A54 4D31 'ZWIgYWRtaW4vTz1M'
    [025C:000A-0CD8] 00000030: 4656 334E 575A 7A4A 585A 324A 585A 744C 'VFN3ZWJzZXJ2ZXLt'
    [025C:000A-0CD8] 00000040: 6A79 6F39 6C72 3037 6477 3569 5237 7132 'yj9orl70wdi57R2q'
    [025C:000A-0CD8] 00000050: 4A48 4B61 4E6F 4849 676F 3D3D 'HJaKoNIHog=='
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> Dumping memory of decoded token [67 bytes].
    [025C:000A-0CD8] 00000000: 0100 0302 3834 4139 3845 4441 3834 4139 '....489AE8AD489A'
    [025C:000A-0CD8] 00000010: 4645 3542 4E43 773D 6265 6120 6D64 6E69 'EFB5CN=web admin'
    [025C:000A-0CD8] 00000020: 4F2F 4C3D 5354 6577 7362 7265 6576 ED72 '/O=LTSwebserverm'
    [025C:000A-0CD8] 00000030: 3FCA AE68 F45E D8C1 EDB9 AA1D 961C A08A 'J?h.^tAX9m.*... '
    [025C:000A-0CD8] 00000040: 07D2 A2 'R."'
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Expiration Ticks = 489AEFB5 [08/07/2008 07:51:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Username = CN=web admin/O=LTSwebserver
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> ERROR: token should be renewed.
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Next Renewal = 08/07/2008 07:26:01 AM.
    [025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Max Idle Time = 08/07/2008 07:31:01 AM.

Lastly, the SSO debug shows the session is expired:

    [025C:000A-0CD8] 08/07/2008 07:31:18.20 AM SSO API> Decoding Domino style Single Sign-On token.
    [025C:000A-0CD8] 08/07/2008 07:31:18.20 AM SSO API> Dumping memory of encoded token [92 bytes].
    [025C:000A-0CD8] 00000000: 4141 4345 7A41 3451 554F 4646 454F 4546 'AAECAzQ4OUFFOEFE'
    [025C:000A-0CD8] 00000010: 444E 3567 5551 4756 6A51 4456 6A54 3331 'NDg5QUVGQjVDTj13'
    [025C:000A-0CD8] 00000020: 575A 6749 5759 7452 5761 7634 7A54 4D31 'ZWIgYWRtaW4vTz1M'
    [025C:000A-0CD8] 00000030: 4656 334E 575A 7A4A 585A 324A 585A 744C 'VFN3ZWJzZXJ2ZXLt'
    [025C:000A-0CD8] 00000040: 6A79 6F39 6C72 3037 6477 3569 5237 7132 'yj9orl70wdi57R2q'
    [025C:000A-0CD8] 00000050: 4A48 4B61 4E6F 4849 676F 3D3D 'HJaKoNIHog=='
    [025C:000A-0CD8] 08/07/2008 07:31:18.20 AM SSO API> Dumping memory of decoded token [67 bytes].
    [025C:000A-0CD8] 00000000: 0100 0302 3834 4139 3845 4441 3834 4139 '....489AE8AD489A'
    [025C:000A-0CD8] 00000010: 4645 3542 4E43 773D 6265 6120 6D64 6E69 'EFB5CN=web admin'
    [025C:000A-0CD8] 00000020: 4F2F 4C3D 5354 6577 7362 7265 6576 ED72 '/O=LTSwebserverm'
    [025C:000A-0CD8] 00000030: 3FCA AE68 F45E D8C1 EDB9 AA1D 961C A08A 'J?h.^tAX9m.*... '
    [025C:000A-0CD8] 00000040: 07D2 A2 'R."'
    [025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> -Expiration Ticks = 489AEFB5 [08/07/2008 07:51:01 AM].
    [025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> -Username = CN=web admin/O=LTSwebserver
    [025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> ERROR: token is expired due to idle timeout.
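
To check a larger SSO debug capture for the same signature (a "token should be renewed" error followed by an idle-timeout expiry on a token whose Creation Ticks never changed), the correlation can be scripted. This is an added example, not IBM code: the function names are hypothetical, the sample lines are abridged from the excerpts above with the hex dumps omitted, and the dates are assumed to be month/day/year.

```python
import re
from datetime import datetime

# Abridged from the debug excerpts on this page (hex dump lines omitted).
SAMPLE_LOG = """\
[025C:000A-0CD8] 08/07/2008 07:21:01.94 AM SSO API> Encoding Domino style Single Sign-On token.
[025C:000A-0CD8] 08/07/2008 07:21:01.94 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
[025C:000A-0CD8] 08/07/2008 07:21:01.98 AM SSO API> -Next Renewal = 08/07/2008 07:26:01 AM.
[025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
[025C:000A-0CD8] 08/07/2008 07:27:20.69 AM SSO API> ERROR: token should be renewed.
[025C:000A-0CD8] 08/07/2008 07:31:18.20 AM SSO API> Decoding Domino style Single Sign-On token.
[025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> -Creation Ticks = 489AE8AD [08/07/2008 07:21:01 AM].
[025C:000A-0CD8] 08/07/2008 07:31:18.22 AM SSO API> ERROR: token is expired due to idle timeout.
"""

# [process:thread] date time.fraction AM|PM SSO API> message
LINE = re.compile(
    r"^\[([^\]]+)\] (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\.\d+ ([AP]M) SSO API> (.*)$")

def parse(log):
    """Yield (thread, timestamp, message); untimestamped dump lines are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{m.group(2)} {m.group(3)}",
                                   "%m/%d/%Y %I:%M:%S %p")
            yield m.group(1), ts, m.group(4)

def find_failed_renewals(log):
    """Return tokens that logged the renewal error and later idle-expired
    with the same Creation Ticks, i.e. no renewed token was ever presented."""
    current = {}    # thread id -> Creation Ticks of the token being processed
    pending = {}    # Creation Ticks -> time of first renewal error
    findings = []
    for thread, ts, msg in parse(log):
        if msg.startswith("-Creation Ticks = "):
            current[thread] = msg.split()[3]
        elif msg == "ERROR: token should be renewed.":
            if thread in current:
                pending.setdefault(current[thread], ts)
        elif msg == "ERROR: token is expired due to idle timeout.":
            ticks = current.get(thread)
            if ticks in pending:
                findings.append({"ticks": ticks, "expired": ts,
                                 "renewal_error": pending.pop(ticks)})
    return findings
```

On the sample lines this reports one token, `489AE8AD`, with the renewal error at 07:27:20 and the idle-timeout expiry at 07:31:18.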

Resolving the problem


This issue is now fixed in Lotus Notes and Domino 8.0.2 FP5.

Fix details: SPR# MKIN7HFUSE

Refer to the Upgrade Central site for details on upgrading Notes/Domino.

A workaround is to discontinue use of the idle timeout.

Document information

More support for: IBM Domino
Web Server

Software version: 8.0, 8.5, 9.0, 9.0.1

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1316245

Modified date: 26 April 2010