Portal to Sametime – SSO & LTPAToken issue
collaborationben    

I had a customer get in touch with me about a problem they were having when trying to start Sametime Classic meetings from IBM WebSphere Portal. They have a link in Portal to a load balancer which then directed HTTP traffic to one of two Sametime Classic Meeting servers.

When logging into Portal and selecting the link, a browser would launch and the user would be logged into STCenter.nsf via SSO. When scheduling a meeting, the Meeting Room Client (MRC) would load, but as soon as the MRC tried to connect to Sametime Community services (chat) an error appeared on the user’s screen.

I took this into a development environment and replicated the behaviour. After enabling debugging on the Sametime server I saw the following output in the stusers*.txt:

101117_095933.869,INF,Users   ,VpUsrAuthenticate::handleCheckUser: authenticating user with loginName=CN=Ben Williams/O=ACME by a single token
101117_095933.869,FTL,LDAP Aut,authenticating user by tokens
101117_095933.869,INF,LDAP Aut,Starting auth by tokens for [CN=Ben Williams/O=ACME] in org[]
101117_095933.869,FTL,LDAP Aut,checking LDAP format….
101117_095933.884,FTL,LDAP Aut,token verification failed. [4098]
101117_095933.884,INF,LDAP Aut,AuthTokenContext::authenticateBeforeDirSearch verifyTokenAndExtractUserId failed with reason 4098
101117_095933.884,FTL,LDAP Aut,AuthContext::start: authenticateBeforeDirSearch failed with reason 4098
101117_095933.884,INF,Users   ,VpUsrAuthenticate::checkedUser: VpUsrAuthenticate: bad login

I added debug_sso_trace_level=7 and Websess_verbose_Trace=1 to the Notes.ini but again nothing showed apart from when the browser opened STCenter.nsf, so on the Domino side of things SSO is working as expected.

Looking at the Java console output in the web browser when the MRC loaded, I noticed “reverse proxy support disabled and detected” appear a few times. I observed this in the customer’s production environment and not in development, so I ignored it, which turned out to be a red herring.

It got me thinking about a problem I had with Sametime 8.0.2 and an LTPA parsing issue which produced similar errors, although not exactly the same. That problem was fixed with a Sametime hot fix and was included in later versions of Sametime, so it couldn’t be the same but must be along the same lines.

I exported the LTPAToken from the Portal deployment manager (DM) and imported it back into the Domino web SSO configuration document and restarted but this didn’t resolve the problem.

I then took more time looking at the Portal DM and noticed that Interoperability Mode was enabled, which means that LTPAToken and LTPAToken2 are created.

Looking at the web SSO configuration document, it was set to LTPAToken only.

After changing it to LTPAToken and LTPAToken2 and restarting, things started working and users could now schedule and start meetings.
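
A small parser for the stusers*.txt lines quoted above, added here as an example (it is not from the original post or from IBM): it attributes each "token verification failed" line to the user named in the preceding "Starting auth by tokens" line, which makes it quick to see which logins hit the 4098 failure. The YYMMDD_HHMMSS.mmm timestamp reading is an assumption inferred from the sample, and the Jane Doe and truncated lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# First four lines are quoted from the post; the last two are constructed for this example.
SAMPLE = """\
101117_095933.869,INF,LDAP Aut,Starting auth by tokens for [CN=Ben Williams/O=ACME] in org[]
101117_095933.884,FTL,LDAP Aut,token verification failed. [4098]
101117_095933.884,INF,LDAP Aut,AuthTokenContext::authenticateBeforeDirSearch verifyTokenAndExtractUserId failed with reason 4098
101117_095933.884,INF,Users   ,VpUsrAuthenticate::checkedUser: VpUsrAuthenticate: bad login
101117_100102.120,INF,LDAP Aut,Starting auth by tokens for [CN=Jane Doe/O=ACME] in org[]
this line is truncated and has no fields
"""

START = re.compile(r"Starting auth by tokens for \[(.+?)\]")
FAIL = re.compile(r"token verification failed\. \[(\d+)\]")

def token_failures(text):
    """Return {user: [(timestamp, reason_code), ...]} for token verification failures."""
    failures = defaultdict(list)
    current_user = None
    for line in text.splitlines():
        # timestamp,level,component,message -- the message itself may contain commas
        parts = line.split(",", 3)
        if len(parts) != 4:
            continue  # skip truncated or foreign lines
        ts, _level, component, msg = parts
        try:
            when = datetime.strptime(ts, "%y%m%d_%H%M%S.%f")  # assumed YYMMDD_HHMMSS.mmm
        except ValueError:
            continue
        if component.strip() != "LDAP Aut":
            continue
        started = START.search(msg)
        if started:
            current_user = started.group(1)
            continue
        failed = FAIL.search(msg)
        if failed:
            # Heuristic: the quoted lines carry no thread id, so concurrent logins
            # can interleave and the attribution may be wrong on a busy server.
            failures[current_user or "<unknown>"].append((when, int(failed.group(1))))
    return dict(failures)

def summarize(text):
    """Return {user: sorted distinct reason codes} for a quick overview."""
    return {u: sorted({code for _, code in hits}) for u, hits in token_failures(text).items()}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
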




---------------------
http://collaborationben.com/2010/12/06/portal-to-sametime-sso-ltpatoken2-issue/
Dec 06, 2010