SPNEGO across 2 DNS domains

Hi!

I want to configure SPNEGO in Domino 9.0.1.

I’ve tried this config and SPNEGO works:

Windows DNS-Domain: rz.company.org
Domino Server Hostname: server.rz.company.org

But in this example SPNEGO fails:

Windows DNS-Domain: rz.company.org
Domino Server Hostname: server.rz.product.org

Is it possible to get SPNEGO working with another DNS domain?

Subject: consider SAML instead

The Windows single sign-on for Web clients feature can operate across Windows domains, see here:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_SETTING_UP_WINDOWS_SINGLE_SIGN_ON_FOR_WEB_CLIENTS_FOR_MULTIPLE_ACTIVE_DIRECTORY_DOMAINS_STEPS.html
However, it should be noted that there are limitations related to your scenario. In particular, there is a browser session cookie which is set for performance reasons (otherwise SPNEGO negotiation might take place on every HTTP request); the browser session cookie is scoped to a particular DNS domain and cannot cross DNS boundaries such as company.org and product.org.

Rather than use the Windows single sign-on for Web clients feature, I recommend that you investigate using Domino 9.01 SAML web authentication. This feature can leverage a Microsoft ADFS identity provider that is integrated with Active Directory, and provide transparent user authentication by SPNEGO/Kerberos. There are a variety of options for achieving single sign-on across DNS boundaries.

best regards,
Jane Marcus

Subject: found it

Hi Jane,

Thanks, I found my mistake. The Domain field of the LTPA token must be the DNS domain (product.org) and not the Windows DNS domain company.org.

I'll try playing with SAML, sounds interesting.

Thanks

Bernd
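Jane's point that the session cookie is scoped to one DNS domain, and Bernd's fix of setting the LTPA token Domain to product.org, can both be checked against the RFC 6265 domain-matching rule a browser applies before sending a cookie. This is an added example, not code from the thread or from Domino; the hostnames are the ones from the thread and the two LTPA Domain values are the ones that were tried.

```python
import ipaddress


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-matching.

    True if a browser would send a cookie carrying Domain=cookie_domain
    on a request to `host`: the strings are identical, or `host` ends
    with "." + cookie_domain and is not an IP literal.
    """
    host = host.lower().rstrip(".")
    # Browsers ignore a leading dot in the Domain attribute.
    cookie_domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not cookie_domain:
        return False
    if host == cookie_domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP address never suffix-matches a domain
    except ValueError:
        pass
    return host.endswith("." + cookie_domain)


def cookie_sent_to(hosts, cookie_domain: str):
    """Subset of `hosts` whose requests would carry the cookie."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def ltpa_domain_ok(domino_host: str, ltpa_domain: str) -> bool:
    """The LTPA Domain field must cover the Domino server's own hostname,
    otherwise the browser never returns the token and SPNEGO appears to
    fail on every request (the thread's misconfiguration)."""
    return domain_matches(domino_host, ltpa_domain)


if __name__ == "__main__":
    # Hostnames and Domain values taken from the thread.
    hosts = ["server.rz.company.org", "server.rz.product.org"]
    for ltpa in ("company.org", "product.org"):
        print(f"LTPA Domain={ltpa}: cookie reaches {cookie_sent_to(hosts, ltpa)}")
    # Bernd's first attempt vs. his fix for the product.org Domino server.
    print(ltpa_domain_ok("server.rz.product.org", "company.org"))  # False
    print(ltpa_domain_ok("server.rz.product.org", "product.org"))  # True
```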