Last week we discovered an SSO problem with WFL (SAML over Domino and ADFS for web applications). No user could log on via SSO to HCL Verse and the web applications anymore. Notes Federated Login (NFL) kept working fine; there was no problem there.

At that point we had no clue that the ADFS SSL certificate had expired, because NFL kept working. But looking closer at the logs, we found that webmail could not get a SAMLRequest response because the ADFS SSL certificate had expired.

NFL kept working fine, while WFL stopped, as it should, because the ADFS SSL certificate had expired.

I opened a case and got a response back this week. In the meantime we created a new SSL certificate for the ADFS server, and we are up and running again.

///////////////// response from HCL Support ///////////////
I have successfully reproduced the issue in the lab environment where I set the ADFS SSL certificate to expire, post which the WFL stopped working but NFL continued to work fine.  

I thus went ahead and collaborated with the product development team to check the same. Product development also had a quick look at the NFL code and found the issue in one piece of the code:

– Client code is calling “SECIsCertChainTrusted” in this case, which apparently allows for expired certs:

    if (err = searchAndCheckTrust ( myOrg,
                                    myOrgLen,
                                    subjectNameDesc.pText,
                                    subjectNameDesc.wSize,
                                    pCertChain,
                                    1,
                                    myName,
                                    myNameLen,
                                    TRUE,   /* bAllowExpired: an expired certificate still passes the trust check */
                                    bTrusted,
                                    NULL, NULL, NULL) )
        goto Done;

– Thus the NFL allows the expired ADFS SSL certificate and continues to work.
– I have gone ahead and created a Software Problem Report (SPR# SMOYBLPMR3) documenting this product defect/bug with the product development team.
– The product development team confirmed they have started working on this SPR and would correct the code in a future release.

Great support from HCL
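To make the difference between the two trust checks concrete, here is an added example in Go (not code from this post, from HCL Domino, or from the support response). It builds a constructed test root CA and an ADFS-style TLS leaf certificate that expired yesterday, then runs the same chain-trust check once with an allowExpired switch that mirrors the TRUE passed for bAllowExpired in the quoted code, and once with the real clock. The hostname adfs.example.test and all key material are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// sign issues tpl signed by parent/parentKey (self-signed when parent is nil).
func sign(tpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MakeExpiredChain builds a constructed test root CA and an ADFS-style TLS leaf whose
// validity ended a day ago. Nothing here is real ADFS material; it is all generated.
func MakeExpiredChain() (leaf *x509.Certificate, roots *x509.CertPool) {
	now := time.Now()
	ca, caKey := sign(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "Test Root CA (constructed)"},
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-48 * time.Hour), NotAfter: now.Add(24 * time.Hour)}, nil, nil)
	leaf, _ = sign(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "adfs.example.test"}, DNSNames: []string{"adfs.example.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: now.Add(-48 * time.Hour), NotAfter: now.Add(-24 * time.Hour)}, ca, caKey) // expired yesterday
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots
}

// CheckTrust mirrors a chain-trust call that takes an allowExpired switch. With allowExpired
// true the chain is evaluated as of a moment inside the leaf's validity window, so the expired
// IdP certificate passes (the NFL behaviour); with false the real clock is used (what WFL did).
func CheckTrust(leaf *x509.Certificate, roots *x509.CertPool, allowExpired bool) (trusted, expired bool) {
	opts := x509.VerifyOptions{Roots: roots, DNSName: "adfs.example.test"}
	if allowExpired { opts.CurrentTime = leaf.NotAfter.Add(-time.Second) }
	_, err := leaf.Verify(opts)
	var inv x509.CertificateInvalidError
	return err == nil, errors.As(err, &inv) && inv.Reason == x509.Expired
}
```

Calling CheckTrust(leaf, roots, true) reports the expired leaf as trusted, while CheckTrust(leaf, roots, false) rejects it with the expiry reason, which is the same split the post observed between NFL and WFL.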




By angioni
