SPNEGO Lessons Learned

I was installing IC3011 and integrating it with SP2010.  I needed to lay the foundation of IC3011 + Kerberos auth, then turned on SPNEGO SSO to allow pass-through auth for browser clients, like SP2010 offers.  While setting up SPNEGO, I encountered a few issues and wanted to capture them so I remember them the next time I need to do this.

Issue 1: Remember to Patch!

IC 3.0.1.1 supports WAS 7.0.0.11 through 7.0.0.21.

http://www-01.ibm.com/support/docview.wss?uid=swg27021342

Be sure to at least reach WAS 7.0.0.15 as there are critical Kerberos fixes that will make your life easier.

Issue 2: Double Check Security

Applying a FixPack after the initial installation / configuration may revert your security to disabled.  Make sure to turn it back on right after the upgrade.

Issue 3: Mind Your User IDs

My initial strategy was to use the same ID for all security-related things.  When establishing the SPN for the server, that ID needs to be a separate ID from the one set up as the administrative ID within the app server and for the individual features.

http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Mapping_an_Active_Directory_account_to_administrative_roles_ic301 – THIS ID IS SEPARATE FROM

http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Creating_a_service_principal_name_and_keytab_file_ic301 – THIS ID

Issue 4: Sync the Node(s)

Somewhere during all of the installation and patching activities to take a base 3.0.1 installation up to patched 3.0.1.1, the Node fell out of sync with the DM.  I had to manually force the sync for the ISC to report the state of applications and node agents properly.  The sync issue was also causing some of my configurations to not make their way to the running app server.  Periodically run a syncNode from the command line to course correct your node agent.
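
A post-FixPack check covering Issues 2 and 4, as an added example that is not from the original post: it reads the global security flag from the deployment manager's security.xml and compares that file with the node's copy. The function names, the sample XML and the two file-path arguments are assumptions; on a typical install both files sit under each profile's config/cells/<cell>/ directory.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). File locations are assumptions.

# Print the enabled="..." value of the root <security:Security> element only.
# Nested elements such as singleSignon carry their own enabled attribute, so
# isolate the root tag first (it may span several lines in the file).
global_security_state() {
  tr '\n' ' ' < "$1" |
    sed -n 's/.*<security:Security[[:space:]]\([^>]*\)>.*/ \1/p' |
    sed -n 's/.*[[:space:]]enabled="\([^"]*\)".*/\1/p'
}

# Compare the deployment manager's master security.xml with a node's copy.
# Prints: ok | security-disabled | node-out-of-sync | missing-file
check_cell_security() {
  local dmgr_xml=$1 node_xml=$2
  [ -r "$dmgr_xml" ] && [ -r "$node_xml" ] || { echo missing-file; return 2; }
  if [ "$(global_security_state "$dmgr_xml")" != "true" ]; then
    echo security-disabled; return 1   # security is off, e.g. after a FixPack (Issue 2)
  fi
  if ! cmp -s "$dmgr_xml" "$node_xml"; then
    echo node-out-of-sync; return 1    # node copy differs from the master (Issue 4)
  fi
  echo ok
}

# Constructed sample: a cut-down security.xml whose root enabled value is $1.
write_sample() {
  cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<security:Security xmi:version="2.0"
    useDomainQualifiedUserNames="false" enabled="$1" appEnabled="true">
  <authMechanisms xmi:type="security:LTPA">
    <singleSignon requiresSSL="false" enabled="true"/>
  </authMechanisms>
</security:Security>
EOF
}

# Usage: script <dmgr security.xml> <node security.xml>; with no arguments it
# runs against constructed samples and prints node-out-of-sync.
if [ "$#" -eq 2 ]; then
  check_cell_security "$1" "$2"
else
  d=$(mktemp -d); write_sample true "$d/dmgr.xml"; write_sample false "$d/node.xml"
  check_cell_security "$d/dmgr.xml" "$d/node.xml" || true; rm -rf "$d"
fi
```

If the result is node-out-of-sync, stop the node agent, run syncNode against the deployment manager, and start the node agent again; syncNode expects the node agent to be stopped.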



---------------------
http://feedproxy.google.com/~r/Socialaboration/~3/oOlEvlU7MsY/spnego-lessons-learned.html
Aug 02, 2012