
Getting IIS/Domino SSO Working

I would like to formally revoke my statement from Monday's blog where I confessed my love of Lotus Notes. I hate the damn product!

Without going into too much detail I just want you to know I am having a nightmare trying to get IIS/Domino Single Sign-On to work with Directory Assistance. Let's just say I've spent the last two days clutching at some pretty big straws in my attempt to get them to cooperate and it's becoming a bit of a joke.

I've tried it all. Reboot, reinstall, lowercase, uppercase, canonical, not canonical, restart without looking, restart while talking nicely to the monitor. None of it works. I've even trawled the forum!

At this point the rational thought process would be to assume I was attempting the impossible. But that can't be. I know this because I already have it set up and working on one server in one domain. Try it in the other domain and it's just not playing. Hence I have dropped my big straws and picked up the fine-toothed comb in an attempt to make the differences between the two setups more obvious. Nothing yet. I just wish things like this made more sense and the help files were more useful.

PS: If anybody dares to suggest calling Lotus "Support" I will track you down and savagely beat you with all the big straws I've been clutching at ;o)

Update [Thu 27th March, 12:33PM]: The solution has been found. Turns out it's a bug in the Domino 5.0.12 incremental. I know it shouldn't have taken the fine-tooth comb to realise that the working server setup was at 5.0.11 and the broken one at 5.0.12 but this was low down on my list of reasons that it might not work. The hard part was actually getting IIS to let go of the nnotes.dll so that we could downgrade to 5.0.11. This requires using net stop "service" at the command prompt as simply stopping it in the list of Windows' Services didn't seem to work.

So, there you go. If you use Domino 5.0.12 and IIS and SSO and Directory Assistance, users in anything other than the primary directory can't authenticate!

I guess the thing to do now is report it to Lotus. Well I would but we don't even know if we've got a support agreement here or not... somebody was talking about digging out the passport. I know how they feel ;o)

Comments

  1. Thought about re-installing the operating system... if all else fails !

    • Jake
    • Wed 26 Mar 2003 09:11

    Friday's my last day. If it's not working by then I may well suggest it on my way out of the door. Wry smile included ;o)

    Good to see you still reading Mr Neal.

  2. But Jake, the support is *SO* helpful! How can you not call this one in?!? At the very least, your current employer will have a ticket opened which will sit at the call-center level for 6 months before they call them back and ask them if they can close it out "since it's been opened an awfully long time now".

    • Joe
    • Wed 26 Mar 2003 09:36

    Yeah, Lotus (un)Technical Support.... Now I know what happened to the PG Tips monkeys.

    • Richard Shergold
    • Wed 26 Mar 2003 09:39

    Jake, if you phoned them they'd probably refer you to codestore.net anyway.

  3. If this is a Windows server then check the permissions on the folders. I had a similar problem to yours. IIS/SSO worked on one server but not the other. It turned out to be a folder permissions thing (and I don't think it was even on a folder in \lotus\domino, perhaps the winnt folder or subfolder, of one of the IIS folders).

    Good luck

    • AB
    • Wed 26 Mar 2003 12:58

    Maybe IIS/SSO doesn't work, Domino/WebSphere sometimes doesn't work either. What frustrates me at the moment is the fact that WebSphere, another great product of IBM, doesn't support nested groups.

  4. Jake,

    I may have missed something in your blog but I have helped an organization install IIS/SSO. Not getting into the whole scenario and the Why's, the company has a separate R5 Domain running Domino and IIS with an R4 2nd address book housing 2000 users. I have 3 servers clustered and one of them is still running Domino HTTP for troubleshooting. 6 months no problems with SSO. But a slew of issues when using URLScan.

    Let me know if I can lend a hand.

    • dave
    • Wed 26 Mar 2003 13:04

    safe to assume the itch is back? ;-)

    • scott
    • Wed 26 Mar 2003 13:08

    What do you need IIS for?

    IIS is so full of security leaks, wouldn't you rather put up Apache? After all, that's the basis for the Domino HTTP engine.

    If you're having operating system problems, then you could move to Linux...Oh fooey, IIS won't run on anything other than winders ;-?

    * Bill Gates smiles to himself *

    • John Vaughan
    • Wed 26 Mar 2003 13:24

    tony higham seems to be big on domino / iis combo. you might find some info on searchdomino about that. he did at least one streaming slideshow thing over there and talked about architecting it. i don't remember how much technical detail was there, but who knows you might find a clue there.

    • Kurt Higley
    • Wed 26 Mar 2003 14:50

    Ah, SSO. The ultimate holy grail!

    It's a good thing my hair grows fast or I'd be bald.

    My apologies.

    Kurt

  5. I think you need a trunk monkey.

  6. We use this all the time...

    Please email me if you want some advice.

    One hint: the secondary address book must be in the root (yes, I know the book says it does not have to be, but I have had problems if it is not in the root).

    • Jake
    • Wed 26 Mar 2003 16:54

    Thanks to all for the offers of help. However, I think this is going to be one of those times where it's just too mysterious a problem to find the solution by any other means than trial and error.

    It does work on one server/domain setup, just not on the other. I've followed the book and know how it should be setup. It just *doesn't* work! Oh well, it's all fun and games ;o)

  7. Jake - you ever thought of trying Lotus Technical Support? ;)

    Or maybe posting a question on notes.net (remembering to blame IRIS for the bug, shouting in capital letters, and demanding someone answers else you will shoot them)!!

    At least come Friday - you can leave the telephone number for Lotus Technical Support - and a wry smile!!

    I love it!

    • prawnFresh
    • Thu 27 Mar 2003 04:04

    Have you ever thought about becoming a waster, and do what I do. Give up!

    Hell man, you've got like two days left! This time should be spent drunk, hitting up on any sexy female employees, because you're never gonna see them again.

    ...and may I suggest trying to get into your boss's knickers.. that is if she's female, and quite hot. That one always looks good on a resume.

    • Jake
    • Thu 27 Mar 2003 04:13

    Leaving a piece of work unfinished is always an option when you have one day left. However, anything I leave, I leave with Mike "Notetips" Golding to sort out. I'd rather not do that to him as he's a nice chap. I also don't want their last memory of me to be that I couldn't work something as simple as this out. There's a smidgen of professionalism in me somewhere ;o)

  8. Know what you mean - I feel the same way - takes years to build reputation - 5 minutes to destroy it!

    Years ago contractors got away with not being pro's - I think with the market how it is those people will get 'found out'!

  9. ps - Mike's a nice guy - so I will email 'Lotus Technical Support' number to him if you like - always pleased to help!

    ;)

    • mark
    • Thu 27 Mar 2003 05:12

    Just to check, you have made sure that the application security settings on the web site you want this to work on are set to low (this is assuming IIS5)

    Mark


About This Page

Written by Jake Howlett on Wed 26 Mar 2003
