What would cause the server to send DomAuthSessId cookie to the browser when I expect to see LtpaToken?
Some background now.
I have single Domino domain 7.0.2FP2 server with multiple Web Internet Site documents for various domains, three of which are enabled for session authentication, two for multi-server using different Web SSO config docs, one for single server. Single Server sends DomAuthSessId as expected, one of the SSOs sends DomAuthSessId, the third one sends the LtpaToken cookie.
If I disable session authentication for the Single Server one, the multi-server site which was sending DomAuthSessId (as opposed to the LtpaToken the way I had expected) now ignores its session authentication setting altogether and causes browser to use OS username/password dialog. The other multi-server site still behaves as expected.
The well-behaved multi-server (along with a bunch of other sites which do not use session authentication) is on a separate IP from the other two which are on the same on their own.
The well-behaved site has the CA certificate applied to it, the other two do not.
It sounds just as if the non-well-behaved “multi-server” is actually controlled by the web site document for the “single server” site. I would try starting to verify if this is generally the case (change other settings like html directory and see if it affects the multi-server site as well).
If so, some slight misconfiguration might have slipped through in one web site document.
Managing different sites using the same IP address should definitely work, and I’ve done it in the past, though not on iSeries.
That was a good pointer, thank you. It led me to finally being able to correct the problem and all is working now as expected (a purist might say here that things were working as expected before as well, but not as desired, since the set-up was erroneous :-). Here’s what the problem was.
Both the “ill-behaved” site’s and the single-server site’s documents were bound to an IP address rather than to their respective host names. Since both domains resolve to the same IP, that was the connection between the two Internet site documents.
So, I replaced the IP with the host name in the single-server document and now all works fine. Of course, I do not get the SSL protocol on the host-name-bound site, but that is okay since Domino does not allow more than one SSL connection on one IP address.
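An added example, not part of the thread: a small check that classifies each site's login response by the cookie it sets (DomAuthSessId, LtpaToken, or a Basic challenge) and reports sites whose observed mode differs from the configured one. The host names, the `EXPECTED` table and the response headers are constructed for illustration.

```python
from email.parser import Parser
from http.cookies import SimpleCookie

# Cookie name -> session authentication mode, as described in the thread.
COOKIE_MODES = {"DomAuthSessId": "single-server", "LtpaToken": "multi-server"}

def observed_mode(raw_response):
    """Classify one HTTP response (status line + headers) by the auth scheme it shows."""
    status_line, _, header_block = raw_response.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    for value in headers.get_all("Set-Cookie", []):
        for name in SimpleCookie(value):
            if name in COOKIE_MODES:
                return COOKIE_MODES[name]
    challenge = headers.get("WWW-Authenticate", "")
    if status_line.split()[1:2] == ["401"] and challenge.lower().startswith("basic"):
        return "basic"  # browser shows its own username/password dialog
    return "unknown"

def audit(expected, responses):
    """Return {host: (expected_mode, observed_mode)} for every mismatching site."""
    findings = {}
    for host, want in expected.items():
        got = observed_mode(responses[host])
        if got != want:
            findings[host] = (want, got)
    return findings

# Constructed configuration: what each Internet Site document is meant to do.
EXPECTED = {
    "single.example.test": "single-server",
    "sso-a.example.test": "multi-server",
    "sso-b.example.test": "multi-server",
}

# Constructed login responses, one per virtual host (cookie values are dummies).
RESPONSES = {
    "single.example.test": "HTTP/1.1 302 Found\nSet-Cookie: DomAuthSessId=0123ABCD; path=/\n",
    "sso-a.example.test": "HTTP/1.1 302 Found\nSet-Cookie: DomAuthSessId=4567EF01; path=/\n",
    "sso-b.example.test": "HTTP/1.1 302 Found\nSet-Cookie: LtpaToken=AAECAzQ1; domain=.example.test; path=/\n",
}

if __name__ == "__main__":
    for host, (want, got) in audit(EXPECTED, RESPONSES).items():
        print(f"{host}: configured {want}, observed {got}")
```

A mismatch such as the one reported for `sso-a.example.test` is the symptom from the thread: the site is being served under another site document's settings, so the binding (IP address versus host name) of both documents is the first thing to compare.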