I had a customer get in touch with me about a problem they were having when trying to start Sametime Classic meetings from IBM WebSphere Portal. They have a link in Portal to a load balancer which then directed HTTP traffic to one of two Sametime Classic Meeting servers.
When logging into Portal and selecting the link a browser would launch and the user would be logged into STCenter.nsf via SSO. When scheduling a meeting the Meeting Room Client (MRC) would load but as soon as the MRC tries to connect to Sametime Community services (chat) an error appears on the user’s screen.
I took this into a development environment and replicated the behaviour. After enabling debugging on the Sametime server I saw the following output in the stusers*.txt
101117_095933.869,INF,Users ,VpUsrAuthenticate::handleCheckUser: authenticating user with loginName=CN=Ben Williams/O=ACME by a single token
101117_095933.869,FTL,LDAP Aut,authenticating user by tokens
101117_095933.869,INF,LDAP Aut,Starting auth by tokens for [CN=Ben Williams/O=ACME] in org
101117_095933.869,FTL,LDAP Aut,checking LDAP format….
101117_095933.884,FTL,LDAP Aut,token verification failed. 
101117_095933.884,INF,LDAP Aut,AuthTokenContext::authenticateBeforeDirSearch verifyTokenAndExtractUserId failed with reason 4098
101117_095933.884,FTL,LDAP Aut,AuthContext::start: authenticateBeforeDirSearch failed with reason 4098
101117_095933.884,INF,Users ,VpUsrAuthenticate::checkedUser: VpUsrAuthenticate: bad login
I added debug_sso_trace_level=7 and Websess_verbose_Trace=1 to the Notes.ini but again nothing showed apart from when the browser opened STCenter.nsf, so on the Domino side of things SSO is working as expected.
Looking at the Java console output in the web browser when the MRC loaded I noticed “reverse proxy support disabled and detected” appear a few times. I observed this in the customer’s production environment and not in development so I ignored it which turned out to be a red herring.
It got me thinking about a problem I had with Sametime 8.0.2 and an LTPA parsing issue which produced similar errors although not exactly the same. That problem was fixed with a Sametime hot fix and was included in later versions of Sametime so it couldn’t be the same but must be along the same lines.
I exported the LTPAToken from the Portal deployment manager (DM) and imported it back into the Domino web SSO configuration document and restarted but this didn’t resolve the problem.
I then took more time looking at the Portal DM and noticed that Interoperability Mode was enabled which means that LTPAToken and LTPAToken2 are created.
Looking at the web SSO configuration document it was set to LTPAToken only.
After changing it to LTPAToken and LTPAToken2 and restarting things started working and users could now schedule and start meetings.
Leavers showing as off line through the Sametime Gateway
Thu, Aug 8th 2013 6:18a Ben Williams An internal user described a problem where as a leaver was showing as on line to IBM colleagues via their Sametime client, further more chats sent to the leaver was being received by the leaver’s manager. Our Gateway is federated with IBM’s so I can chat with them. I was a bit sceptical at first but after reproducing it I took a peek.
The manager had added the leaver’s email address to their person document so that email sent to the leaver was routed to them. Running a query fo [read] Keywords: ibm
IBM Connections SSO not working with Metrics
Thu, Aug 1st 2013 6:17a Ben Williams The one problem I had out the back of the Metrics install which was post-Connections 4.0 was the when users clicked on the Metrics tab they were not signed into Metrics automatically. Users were faced with the following screen.
The User ID field was pre-populated with the users userPrincipalName (firstname.lastname@example.org) which was not accepted. To log in to metrics the @acme.com needed to be removed leaving the users sAMAccountName which did work.
I changed the following fields in Cognos BI which w [read] Keywords: connections
Populating Profiles – long search filter error
Wed, Jul 17th 2013 9:15a Ben Williams A customer wanted to use a series of nested groups to populate Profiles. The theory is that the parent group has a number of child groups which are controlled by various location specific administrators.
Initially I hoped to be able to achieve this by using a special query (LDAP_MATCHING_RULE_IN_CHAIN) which would walk to the root and thus include all members of the nested groups.
“(&(objectClass=user)(member:1.2.840.1135188.8.131.521:(=CN=IBM Connections Users,DC=acme,DC=com)))”
I [read] Keywords: connections
Cannot share folders with a community
Mon, Jul 15th 2013 10:14a Ben Williams A customer notified me of a problem a user faced when trying to share a folder to a community. Quickly we found the problem was with the community and not the folder as the folder could be shared with other communities and various folders could not be shared with this specific community. This was a community that was created in Connections 3.0.1.
The user saw different errors in the web browser compared with the Windows connector.
I found a forum entry but it did not provide any resolution o [read] Keywords: connections
Android Sametime client not connecting when SSL is enabled
Mon, Jun 24th 2013 12:16p Ben Williams A customer has exposed their Sametime Proxy to the internet so that they can access it using the Sametime client on mobile devices. One step is to import SSL certificates which the customer did using the very good Zero to Hero presentations.
I queried the application of the intermediary and root Certificate Authority (CA) certificates. The Zero to Hero and all other IBM documentation tells you to import the root and intermediary certificates into the CellDefaultTrustStore. I have for the STProxy [read] Keywords: ibm
Active users showing as inactive in All Connections search
Fri, Apr 26th 2013 10:21a Ben Williams A customer was seeing some users marked as inactive when using the All Connections search but when clicking through to the user’s profile they were active and active in communities and all over areas of Connections.
Looking into the database tables I found that the “state” of these users were correct, for example, in the EMPINST.GIVEN_NAME a particular user had a PROF_USRSTATE equalling 0 which means he’s active. In the EMPINST.EMPLOYEE table affected users had their emai [read] Keywords: connections