sso works one way (domino -> portal) but not portal -> domino - Websphere
-
sso works one way (domino -> portal) but not portal -> domino
Hi,
My SSO is working if I log into the domino site (domino.company.com) then go to the portal site (portal.company.com), but if I start at portal then go to domino, it prompts me for a login. I get the ltpatoken + jsessionid cookies when I first login to portal.
Any ideas on why it isn't working?
I am using Portal 6.1.0.19, federated LDAP to domino 7 server, and I followed the steps in the article http://www.ibm.com/developerworks/we...ortal-domino2/
thanks, wing
-
Re: sso works one way (domino -> portal) but not portal -> domino
It sounds like there is a problem with Domino's configuration. Did you export the LTPA key from the Portal and import it into Domino's Web Doc? Can you show us the LTPA key file? Also check the realm between Portal and Domino.
-FF
The postings on this site are my own and do not necessarily represent the positions, strategies or opinions of IBM.
-
Re: sso works one way (domino -> portal) but not portal -> domino
Thanks for replying. I figured out that some users in domino don't have a uid (only cn). So when a user logs into the domino site, the LTPAToken has CN=user, etc., and when they go to the portal site, portal maps CN to uid, so the token works. If they go to the portal site first, the LTPAToken has uid=USER, etc., but then some users don't have uid in Domino, so they have to re-login at the domino site.
I found this link: http://www.ibm.com/support/docview.w...id=swg21205905
that has an agent that can copy all the cn values to the shortname (uid).
So I guess all the domino users need to have shortnames? Or, could I have portal authenticate against cn instead of uid? If I did that, for the portal admin user, who's not in the domino directory, I would need to add a cn attribute?
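The mismatch described above can be checked before users hit it. The script below is an added example (not from this thread or IBM) that parses a constructed LDIF export of the Domino directory and lists every dominoPerson entry that has no uid/short name; a Portal-minted LTPA token names those users as uid=<user>, which Domino cannot map, so they are prompted to log in again. The sample LDIF and the attribute names are assumptions for illustration.

```python
"""Audit a Domino directory export (LDIF) for users without a uid/short name.

Added example, not from the thread. The LDIF below is constructed; a real
export would come from the Domino LDAP service.
"""
import re

# Constructed sample: two dominoPerson entries, one without a uid (short name).
SAMPLE_LDIF = """\
dn: cn=Wing Lee,o=abc
objectclass: dominoPerson
cn: Wing Lee
uid: wlee
mail: wlee@company.com

dn: cn=Jane Roe,o=abc
objectclass: dominoPerson
cn: Jane Roe
mail: jroe@company.com
"""


def parse_ldif(text):
    """Return one dict {attribute: [values]} per LDIF record.
    Attribute names are lowercased; line folding and base64 (::) values are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def users_without_uid(entries):
    """DNs of dominoPerson entries that lack a uid. A Portal-issued LTPA token
    (uid=<user>) cannot be matched to these users, so Domino re-prompts them."""
    missing = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "dominoperson" in classes and not e.get("uid"):
            missing.append(e["dn"][0])
    return missing


if __name__ == "__main__":
    for dn in users_without_uid(parse_ldif(SAMPLE_LDIF)):
        print("no uid/short name:", dn)
```

Run it against a real export of your directory to get the list of accounts that need a short name before Portal-first SSO will work for them.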
-
Re: sso works one way (domino -> portal) but not portal -> domino
In Domino, user DNs are always of the form "cn=user,o=someorg"; they can't be "uid=user,o=someorg". "CN" is required for objectclasses like dominoPerson, groupOfNames, and groupOfUniqueNames. So CN should always be available.
LTPA SSO really doesn't care what you used to log in. Since it normally requires the same LDAP on both servers, as long as they are the same DN, the user should be OK.
I suspect what you described is not the reason for the SSO failure.
-FF
-
Re: sso works one way (domino -> portal) but not portal -> domino
portal) but not the other way. That means the problem is probably with the portal SSO config?
Thanks for your help.
-
Re: sso works one way (domino -> portal) but not portal -> domino
Can you attach the following files?
- /config/cells/ /security.xml
- /config/cells//wim/config/wimconfig.xml
- the LTPA key you imported into Domino
- the LDIF of your domino user or the screenshot of the Basic tab of the Person Doc in Domino
-FF
-
Re: sso works one way (domino -> portal) but not portal -> domino
Attached is wimconfig.xml, and here's what the LTPA key looks like:
#IBM WebSphere Application Server key file
#Wed Jun 24 16:04:27 HST 2009
com.ibm.websphere.CreationDate=Wed Jun 24 16\:04\:27 HST 2009
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=xxxxxxx
com.ibm.websphere.CreationHost=BLAHportal01
com.ibm.websphere.ltpa.PrivateKey=xxxxxxx
com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
com.ibm.websphere.ltpa.PublicKey=xxxxxxxx
-
Re: sso works one way (domino -> portal) but not portal -> domino
Not sure where to find the LDIF, and in our directory there's no "Basics" tab.
OK, it works if in Domino I add the short name "cn=BLAH" for user BLAH. I know the Domino directory we are using has a custom setup. Looks like the DN is just the straight username, not cn=username, etc. So, is there a way to work around it? Or I guess we will have to add cn=username for every user?
-
Re: sso works one way (domino -> portal) but not portal -> domino
Domino groups should not have the suffix, by default. In your wimconfig.xml, I see you have set "o=abc" as the base entry and search base for groups. My suggestion is to make them both null, like
cn
and
groupOfNames
Notice that I also changed the login property from uid to cn, such that you can log in with CN on portal.
By the way, you should be able to open a Person Document in the Notes client and see the "Basics" tab. This is the panel where we can see CN and UserID/Short Name.
-FF