SPNEGO Lessons Learned
I was installing IC3011 and integrating it with SP2010. I needed to lay the foundation of IC3011 + Kerberos auth, then turned on SPNEGO SSO to allow pass-through auth for browser clients like SP2010 offers. While setting up SPNEGO, I encountered a few issues and wanted to capture them so I remember them the next time I need to do this.
Issue 1: Remember to Patch!
IC 22.214.171.124 supports WAS 126.96.36.199 through 188.8.131.52.
Be sure to at least reach WAS 184.108.40.206 as there are critical Kerberos fixes that will make your life easier.
Issue 2: Double Check Security
When applying a FixPack after the initial installation / configuration, it may revert your security to disabled. Make sure to turn it back on right after the upgrade.
Issue 3: Mind Your User IDs
My initial strategy was to use the same ID for all security-related things. When establishing the SPN for the server, that ID needs to be separate from the one set up as the administrative ID within the app server and for the individual features.
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Mapping_an_Active_Directory_account_to_administrative_roles_ic301 – THIS ID IS SEPARATE FROM
http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Creating_a_service_principal_name_and_keytab_file_ic301 – THIS ID
Issue 4: Sync the Node(s)
Somewhere during all of the installation and patching activities to take a base 3.0.1 installation up to patched 220.127.116.11, the Node fell out of sync with the DM. I had to manually force the sync for the ISC to report the state of applications and node agents properly. The sync issue was also keeping some of my configurations from making their way to the running app server. Periodically run a syncNode from the command line to course-correct your node agent.
Aug 02, 2012