Comments
Posted by Mark G Brew on 11/29/2005 05:34:33 AM: redirect bouncing, only getting anon
Even though this code is picking up the ltpatoken cookie, it's still only recognising me as anon. The security.xml seems fine when I login and change the URL, but the security.asp doesn't seem to be receiving the details.
Using domino 654 and iis on win 2000
Posted by Mark G Brew on 11/29/2005 10:25:29 AM: some log messages from the above
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Retrieved global static cache memory for config [LtpaToken].
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Decoding Websphere style Single Sign-On token (LTPA).
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Decrypt Websphere style Single Sign-On token (LTPA). Token length invalid <54>.
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> ERROR: when decoding token [Single Sign-On token is invalid].
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> *** Retrieving Extra Token Info (SECTokenValidateAndGetTokenInfo) ***
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> ConfigName specified [LtpaToken].
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Retrieved global static cache memory for config [LtpaToken].
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Decoding Websphere style Single Sign-On token (LTPA).
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> Decrypt Websphere style Single Sign-On token (LTPA). Token length invalid <54>.
29/11/2005 16:20:41.15 [0B04:000D-0A3C] SSO API> ERROR: when decoding token [Single Sign-On token is invalid].
Posted by Steve Duncan on 11/29/2005 10:04:58 PM: Hello
I never really updated this as I have made changes, because no one really showed any interest. This may be an encoding issue with the cookie value. Are you using asp or asp.net? I will pull the latest version I am using if you let me know.
Steve
Posted by Mark G Brew on 11/30/2005 03:11:32 AM: Hi
Thanks for the reply, wasn't expecting it to be honest!!
Would really like the latest version if there is one. It's a really neat trick and I'm surprised there has been no interest!!
Thanks for your work, and I look forward to seeing a new version. Meanwhile I am suspecting that the ltpaToken is getting chopped somewhere, so I am investigating that. Using standard .asp at the moment on a win2k server, but will more than likely be using it in an asp.net environment eventually.
thanks again.
Mark
Posted by Mark G Brew on 11/30/2005 03:53:42 AM: did this:
Steve,
added a line of code to the asp ( domToken=Replace(domtoken, " ", "+") ) to reconvert the spaces back to '+' for domino, and it suddenly started working!!! It seems Domino 6 was only reading the cookie up to the first space.
anyway, would love to see your new code, what have you changed ?
Posted by Ferdinand Vroom on 03/07/2006 06:30:50 AM: domToken=Replace(domtoken, " ", "+")
Mark,
Where in the security.asp should I insert, domToken=Replace(domtoken, " ", "+")?
I guess line 50?!
Is it possible to replace the source in the Code Bin?
Greetings,
Ferdinand
Posted by Jeff Chatelain on 05/30/2006 06:57:42 PM: Error 500
Hi there,
this is great.
Unfortunately when I provide a valid username and password I get a 500 error code.
I use domino 5.0.1 & IIS 5.0
Can someone help.
Thanks
Posted by Jeff Chatelain on 05/30/2006 06:58:23 PM: Oupss...
Sorry, made a typo. I use Domino 6.0.x
Thanks
Posted by Steve Duncan on 05/31/2006 04:53:23 PM: Oupss
Hello Jeff
I think your issue is probably what Mark pointed out, I added the line of code to the source. So download the zip file or update the URLDecode function at the bottom of the includes\security.asp file.
S
Function URLDecode(inString)
    ' URL decode Function
    ' 2001 Antonin Foller, PSTRUH Software, http://www.pstruh.cz
    Dim Pos, What
    What = inString
    ' Replace + with space: deliberately disabled here, because the LtpaToken is
    ' base64 and a '+' inside it is token data, not an encoded space.
    ' What = Replace(What, "+", " ")
    ' Do not use this loop for data length over 100k
    Pos = InStr(1, What, "%")
    Do While Pos > 0
        ' Replace each %XX escape with the character it encodes
        What = Left(What, Pos - 1) & _
               Chr(CLng("&H" & Mid(What, Pos + 1, 2))) & _
               Mid(What, Pos + 3)
        Pos = InStr(Pos + 1, What, "%")
    Loop
    ' Mark G Brew 11/30/2005
    ' Convert spaces back to + (Domino 6 only read the cookie up to the first space)
    What = Replace(What, " ", "+")
    URLDecode = What
End Function
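An added example, not code from the original page or from Steve's project, showing in Python why Mark's fix works: the LtpaToken is base64, so it can contain '+', which form-style URL decoding turns into a space, after which Domino sees a truncated token with an invalid length, exactly the "Token length invalid" line in the log above. The secret, username and timestamp are constructed for this example, and the LTPA v1 token layout and the latin-1 username encoding are assumptions of the example, not taken from the page.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import unquote, unquote_plus

# Constructed values for this example only; a real secret is the base64 string in
# the Domino Web SSO Configuration document and is never handed to the IIS side.
SAMPLE_SECRET = b"sample-sso-secret-not-real"
SAMPLE_USER = "CN=Noël Dupont/O=Example"  # the bytes 'o','ë' guarantee a '+' in base64
SAMPLE_CREATED = 1278000000               # seconds since the epoch, constructed
HEADER = b"\x00\x01\x02\x03"              # LTPA v1 version prefix

def build_ltpa_v1_token(user, created, lifetime, secret):
    """Build a constructed token in the LTPA v1 layout this example assumes:
    header | 8 hex chars created | 8 hex chars expiry | username | SHA-1(body + secret)."""
    body = HEADER + ("%08X%08X" % (created, created + lifetime)).encode("ascii")
    body += user.encode("latin-1")        # username encoding is an assumption here
    return base64.b64encode(body + hashlib.sha1(body + secret).digest()).decode("ascii")

def form_style_decode(raw):
    """What a form-style URL decoder does to the cookie value: every '+' becomes ' '."""
    return unquote_plus(raw)

def decode_cookie_value(raw):
    """Recover the LtpaToken as the ASP page should see it: decode %XX escapes but
    keep '+', then map any spaces that crept in upstream back to '+' (Mark's fix)."""
    return unquote(raw).replace(" ", "+")

def parse_ltpa_v1_token(token, secret=None, now=None):
    """Parse a token; errors use the wording of the SSO API log lines in this thread."""
    if len(token) % 4:
        raise ValueError("Token length invalid <%d>" % len(token))
    raw = base64.b64decode(token, validate=True)   # rejects spaces and other junk
    if len(raw) < len(HEADER) + 16 + 20 or not raw.startswith(HEADER):
        raise ValueError("Single Sign-On token is invalid")
    body, digest = raw[:-20], raw[-20:]
    created, expires = int(body[4:12], 16), int(body[12:20], 16)
    now = int(time.time()) if now is None else now
    info = {"user": body[20:].decode("latin-1"), "created": created,
            "expires": expires, "expired": now >= expires}
    if secret is not None:   # only the Domino side holds the secret
        info["digest_ok"] = hmac.compare_digest(hashlib.sha1(body + secret).digest(), digest)
    return info

if __name__ == "__main__":
    token = build_ltpa_v1_token(SAMPLE_USER, SAMPLE_CREATED, 1800, SAMPLE_SECRET)
    mangled = form_style_decode(token)            # '+' is now ' ', as Mark observed
    truncated = mangled.split(" ")[0]             # Domino 6 read only up to the first space
    try:
        parse_ltpa_v1_token(truncated)
    except ValueError as err:
        print("SSO API> ERROR:", err)
    print(parse_ltpa_v1_token(decode_cookie_value(mangled), SAMPLE_SECRET, SAMPLE_CREATED + 60))
```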
Posted by mu bull on 07/31/2006 10:38:57 PM: IIS6
Can this code work on IIS? With single sign-on to Domino DWA7 mail?
Posted by Steve Duncan on 08/03/2006 07:22:21 AM: IIS6
This code sample is meant to work with ASP. I have a vb.net class that I am using in production in a number of places, but I have not had time to put it into a demo that you can have, if that is what you are looking for. If your notes environment is using session based auth it should work.
Steve
Posted by Brent Hawthorne on 11/15/2006 09:15:30 AM: vb.net class
Even w/o a demo, I'd love to get a copy of your vb.net code. Would get me that much closer to convincing mgmt of project viability.
Posted by Steve Duncan on 11/15/2006 11:37:23 AM: vb.net class
Hey Brent
Post your email and I will send you something
Steve
Posted by Brent Hawthorne on 11/15/2006 12:43:55 PM: vb.net class
Thanks Steve. I can be reached at bhawthorne@centexhomes.com
Posted by leaoner zy on 12/07/2006 01:01:43 AM: i beg your pardon!
How do I set it up so that the IIS server will be able to see the Notes Domino cookie (ltpatoken cookie)? Waiting for your response!
Posted by Steve Duncan on 12/14/2006 10:17:57 PM: token
Hello Leaoner
In the address book, under configuration, web, web configuration, you will see a Web SSO Configurations document. Under the basics tab, there is a field DNS Domain. So if your
notes server: notes.company.com
IIS server: iis.company.com
set that field to .company.com.
Browsers will then submit the token on requests to your iis server.
Posted by leaoner zy on 12/19/2006 08:16:07 PM: ^_^
3KS Steve, I'll try it following your guidance. Thanks again!
Posted by Steve Duncan on 12/19/2006 11:08:15 PM: Dot.NET
Hey Leaoner
If you are using dot.net and not asp classic, post your email and I will send you the dot.net version.
s
Posted by leaoner zy on 12/20/2006 11:52:48 PM: ^_^
Thank you again, Steve, you're so kind,
Posted by Brian W Wiggins on 03/23/2007 09:20:48 AM: vb.net
would it be possible for you to send me the vb.net code as well? It would be greatly appreciated.
e-mail is Brian_Wiggins@hotmail.com
Posted by Steve Duncan on 03/23/2007 08:12:24 PM: Asp.Net Code Available
The asp.net code is in the code bin now
Posted by Eric DURAND on 11/13/2007 11:26:59 AM: problem with extended chars in notes username
Hello There,
I'm trying the .NET version and I thank you for this great feature.
But I got some troubles because of extended chars (such as , , , etc ...) inside domino usernames. This makes the resolution of the username inside the iis part respond with errors (Beno�t_DE_BALINCOURT in place of Benoît_DE_BALINCOURT for example). Do you know a way to solve it?
Thanks a lot
Eric
Posted by ravi Mr Kumar on 09/25/2008 02:42:46 PM: Problem in getting authorization xml in code
Hi there,
I am able to validate the login credentials, but during the call to get user authorization details I am not able to get the right xml. It is returning me the html code rather than user details. Please, someone help in this regard; I think there is something wrong in the url where I am posting the http request. I am able to get the ltpa token. Please help me, it is reaaaaaaaaaaalllllllllllly urgent.
Posted by ravi Mr Kumar on 09/25/2008 02:45:57 PM: Problem in getting authorization xml in code
<add key="AuthXMLCredentialsURL" value="http:/<<domino servername>>/names.nsf/credentials.xml?readform>
When I am using this url it says http 404, page cannot be found. As much as I know there should be a credentials.xml, but I am afraid it is not there on my domino server.
Thanks a lot in advance
Posted by Steven Duncan on 01/29/2009 12:18:26 AM: Problem in getting authorization xml in code
Ravi
<add key="AuthXMLCredentialsURL" value="http://domino.yourdomain.com/sso.nsf/credentials.xml?readform"/> is in the sso database not in the names.nsf.
Steve
Posted by Sagun Chadda on 07/20/2009 06:12:59 AM: Blank Page
Hi Steven,
How are you doing. Well I came across the posting, however, I am not able to make it work at all in my setup. Not sure what is set wrong at my end and would really appreciate your valuable time to help me out.
I had used both asp and vb versions but always stumble on a blank page.
When using asp I am not able to capture the current session or token, and the VB version ends up with a blank page.
I am running IIS V6 and Domino 6 and also tested on Domino 7. I am using Windows login (Security) of the IIS server.
Will really appreciate if you can guide me step by step to set up either of the solutions using VB or asp.
Once again thanks for all the help and time..
Looking forward to hearing from you
SC
Posted by Steve W Duncan on 07/23/2009 08:01:13 PM: Re: blank page
Hi Sagun
You have to turn off the windows login and use form based authentication.
Steve
Posted by Godfrey George on 02/22/2010 10:32:44 AM: Hi Steve
I am using ADFS login and want to do SSO with Domino notes 6.5.
Can you send me the .NET or C# code please.
my email address is goddy_g@hotmail.com
Thanks
GG
Posted by Emerson G Claridad on 03/09/2010 09:51:07 PM: Need Help
I found your project and this website last week when I was searching for an SSO solution for our company. This is probably the simplest solution ( and the preferred solution) that I have found so far.
We already tested it on our test servers in the office and for the first time, we were able to demonstrate a working model of Web SSO.
Our programmers will probably need help on their projects in the days to come.
Posted by Emerson G Claridad on 03/10/2010 03:32:25 AM: Your Email Address
Our company is really interested in your SSO project. How can we get more information?
We are also willing to help you continue and improve the project.
My e-mail address is emergc@gmail.com. Thank you.
Posted by Aurelio Suerte Felipe on 03/10/2010 08:26:57 PM: Single Sign-on using Domino Web SSO
Hi Steve,
Greetings!
We are currently evaluating different kinds of SSO solutions. We found that your SSO solution is not so hard to implement. However, we have some problems with regard to implementation. We don't know how to extract the openntf.dll so we can fit it in our web portal project. We are currently integrating applications on IIS and Domino servers. Please help us to understand the openntf.dll file and its functionalities.
I hope to hear from you soon.
Thanks
Au
Posted by Olivier Voutat on 07/07/2010 08:39:11 AM: Hello Steve
I've been testing your code cause at my company we want to move from Domino to Asp.NET.
But we don't want to change everything immediately, so we would like the customers to be able to authenticate on the Asp.NET server and still go to the already existing Domino Forms (attached to domino user accounts).
I'm an Asp.NET developer so I don't know very much about Domino. Basically, I asked my colleagues to install your sso.nsf Lotus Base on one of our test Domino Servers (version 8.5.1) and added a user to the ACL as "Manager".
In debug I can see that the requests work fine since I get the LtpaToken cookie, with the cookieValue and all the other parameters.
What I cannot see is, where do you use the AuthorizationCookie? I see that you use the Cookie value for the authorization but that's all. It returns me Fullname as anonymous but the Manager role is there.
And after the FormsAuthorizationTicket is encrypted in the cookie, I try to go to a lotus form on the domino web server but it doesn't recognize me as an authenticated user.
What am I missing? Help me please.
Olivier Voutat
Posted by S Duncan on 07/07/2010 09:05:58 AM: Hello
The ACL on the notes database should be set to have "Anonymous" access set to No Access.
In the web config,
- the authorization node says to allow only authenticated users.
- the authentication node sets the mode to forms based auth and allows non authenticated users to the userLogin.aspx page.
While debugging userLogin.aspx.vb, do you reach the call to the function GenerateAuthTicket? Does objUser.FullName have a value?
Steve
Posted by Olivier Voutat on 07/08/2010 12:49:19 AM: More info
Hi Steve,
Thank you for responding so quickly. Here is my authentication and authorization web.config part.
<authentication mode="Forms">
<forms name=".ESPACE" loginUrl="~/Account/Login.aspx" protection="All" timeout="30">
</forms>
</authentication>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
I do reach the GenerateAuthTicket part, but the Fullname has only the name Anonymous. But the roles get the Manager role.
Posted by S Duncan on 07/09/2010 09:50:11 AM: Contact
Hi Olivier
Post your email and we can talk about it over IM.
Steve
Posted by Olivier Voutat on 07/09/2010 10:16:22 AM: Servers
I read in some places that if I want this to work, the Domino Server and the Asp.NET server should be on the same machine?!
http://www.proposion.com/n2nhelp.nsf/769e1b028f863f84852566c100358467/9ed72ebf77225e0f85256c67007c3c8f!OpenDocument&AutoFramed
Posted by Olivier Voutat on 07/09/2010 10:18:12 AM: IM
I'm sorry, we can't. All IM are blocked at my company
Posted by S Duncan on 07/09/2010 01:12:36 PM
So after you login to notes you are redirected back to userlogin.aspx. At the line
securityCookieValue = Request.Cookies(auth.CookieName).Value
does securityCookieValue have a value?
If so in the function
Public Function Authorize(ByVal securityCookie As String) As Boolean
look at the code
authResponse = authRequest.GetResponse()
streamReader = New System.IO.StreamReader(authResponse.GetResponseStream())
' Read The Results into an xml document
Dim document As New XmlDocument
document.Load(streamReader)
streamReader.Close()
authResponse.Close()
Inspect the document variable and see what the content is. Does it look like your notes login page, or is there valid xml in there?
Posted by Olivier Voutat on 07/12/2010 12:57:22 AM: Xml Content
Hi Steve,
Yes, it has a value {LtpaToken=AAECAzRDM0FBREJCNEMzQUI0QzMxMDAwMTA5iE8HbM9AEp9yL7sXco7BbRVC58U=}
and I get an xml
<?xml version=\"1.0\"?><security><acl>2</acl><fullname>Anonymous</fullname><commonname>Anonymous</commonname><groups><group>*</group></groups><roles><role>Manager</role></roles></security>
I read in some places that the Asp.NET server should be on the same server but on a different port. Is that true? Or should I install it on a server that has the same domain as the authenticating domino server? Example: http://domino.myserver.com & http://aspnet.myserver.com
Posted by S Duncan on 07/12/2010 07:24:56 AM: Xml Content
You do not have to have IIS and Domino installed on the same server as long as the realm of the domino cookie will allow for the browser to submit the ticket when making requests to the IIS server. So if the ticket realm is myserver.com and your IIS server is aspnet.myserver.com, the browser will submit the cookie when making requests.
With a browser, go to the value specified in "AuthXMLLoginURL" in the web config, it should ask you to login. Login, then go to the url specified in "AuthXMLCredentialsURL", do you get xml for a non anonymous user then?
Posted by Olivier Voutat on 07/12/2010 09:12:31 AM: XML Content
I sincerely don't know how they set up these Domino Servers (gladly they are Test Servers). Using the AuthXMLLoginURL to authenticate, the XML works. It is not Anonymous.
I will try to explain a little bit how the Domino Servers are configured:
The AuthXMLAuthenticateURL is, for example:
http://mytestserver.company.ch/names.nsf?Login
The AuthXMLCredentialsURL is like
http://othertestserver.company.ch/tests/rochat/sso.nsf/credentials.xml?readform
but mytestserver is a mapping for othertestserver.
But if I type
http://othertestserver.company.ch/names.nsf?Login
I don't get any page.
I will look with our Domino Administrator to see if that can interfere and how.
Posted by Olivier Voutat on 07/13/2010 12:48:28 AM: XML Content
Extra info: using the AuthXMLLoginURL to authenticate, the XML returns the user's data, but the AuthXMLAuthenticateURL shows me the login page, as if I was not authenticated.
Posted by Olivier Voutat on 07/13/2010 01:00:13 AM: Lol, I'm going nutz :)
The xml was returning me the non anonymous data. I still got it once this morning. But now, I only get anonymous xml's.
Posted by Olivier Voutat on 08/09/2010 04:58:23 AM: Credentials XML
Sorry, I have a lot of different stuff to do so I put this on hold for some time.
Was checking one thing and I got a little surprised.
After logging in at (using Internet Explorer)
http://testserver/tests/rochat/sso.nsf/web?openagent&login&redirectto=http://myothersite.com
if I try to get the xml in the same tab
http://testserver/tests/rochat/sso.nsf/credentials.xml?readform
I get the client data. But if I do it in another tab of the same browser, it returns me anonymous.
In Firefox, no problem, I can log in in one tab and get the XML information in another one.
Have you ever seen this?
Posted by Olivier Voutat on 08/09/2010 06:01:59 AM: Login page
But if I login using the login page in one tab, and I open it in another tab again, I'm recognized as logged in.
Posted by Olivier Voutat on 08/09/2010 06:18:16 AM: Servers
Just confirming some information about your last message:
If my domino server is
http://mydomino.mydomain.com
my IIS server should be
http://iiserver.mydomain.com
so my cookie can be used?
Ok, that's already a partial answer to why it will not work, after I discover why the login page doesn't work for the credentials XML, because actually I have this:
My domino server is
http://mydomino.mydomain.com
my IIS server is
http://iiserver.otherdomain.com
Posted by Steve W Duncan on 08/09/2010 10:29:06 PM: Response
The browser will resubmit the token regardless of you being in a separate tab. The thing you have to realize is that during authentication the IIS server will reach out to your Notes servers using the token, so the IIS server needs to have access to it, but it won't if the browser does not see it in the same domain. To verify you have everything working and can understand it, run Visual Studio on your desktop. Put a hostname entry in your localhost file pointing to iisserver.otherdomain.com. Now the browser will see it in the same domain as the notes server and submit the token.
From there you would have a couple of options if you are not going to change machine domain names:
1. Something like http://www.15seconds.com/issue/971108.htm
2. Pass the token in the query string from your notes login.
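An added example, not code from the original page or from Steve's project, that turns the two checks this thread keeps coming back to into Python: Steve's DNS Domain advice (12/14/2006) and his last post on whether the browser will present the LtpaToken to the IIS host at all, and his earlier question of whether credentials.xml returns the Notes login page, an anonymous answer or real user data. The XML and HTML bodies are constructed samples modelled on the output Olivier posted; the host and domain names are the placeholders used in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies, modelled on what this thread reports coming back from
# credentials.xml: an anonymous answer, a real one, and the Notes login form (HTML).
ANON_XML = ('<?xml version="1.0"?><security><acl>2</acl><fullname>Anonymous</fullname>'
            '<commonname>Anonymous</commonname><groups><group>*</group></groups>'
            '<roles><role>Manager</role></roles></security>')
USER_XML = ('<?xml version="1.0"?><security><acl>6</acl><fullname>CN=Test User/O=Example'
            '</fullname><commonname>Test User</commonname><groups><group>*</group></groups>'
            '<roles><role>Manager</role></roles></security>')
LOGIN_HTML = ('<html><body><form method="post" action="/names.nsf?Login">'
              '<input name="Username"><input name="Password" type="password">'
              '</form></body></html>')

def browser_sends_cookie(cookie_domain, request_host):
    """Domain-match as browsers do (RFC 6265 section 5.1.3): the cookie's Domain,
    leading dot ignored, must equal the request host or be a dot-preceded suffix of it.
    cookie_domain is the DNS Domain field of the Web SSO Configuration document."""
    domain = cookie_domain.lower().lstrip(".")
    host = request_host.lower()
    return host == domain or host.endswith("." + domain)

def classify_credentials_response(body):
    """Say what a credentials.xml body means: the login page, an anonymous answer,
    or an authenticated user with the roles Domino reports."""
    try:
        root = ET.fromstring(body.lstrip())
    except ET.ParseError:
        return {"outcome": "login-page"}   # real HTML is rarely well-formed XML
    if root.tag != "security":
        return {"outcome": "login-page"}   # well-formed HTML, but not the security document
    fullname = root.findtext("fullname", "")
    roles = [r.text for r in root.findall("roles/role")]
    if fullname.lower() == "anonymous":
        return {"outcome": "anonymous", "roles": roles}
    return {"outcome": "authenticated", "fullname": fullname, "roles": roles}

def diagnose(cookie_domain, iis_host, credentials_body):
    """One verdict for a given cookie scope, IIS host and Domino reply:
    cookie-not-sent, login-page, anonymous, or ok."""
    if not browser_sends_cookie(cookie_domain, iis_host):
        return "cookie-not-sent"   # the browser never presents LtpaToken to this host
    outcome = classify_credentials_response(credentials_body)["outcome"]
    return "ok" if outcome == "authenticated" else outcome

if __name__ == "__main__":
    for host in ("iiserver.mydomain.com", "iiserver.otherdomain.com"):
        print(host, "->", diagnose(".mydomain.com", host, USER_XML))
    print("anonymous reply ->", diagnose(".mydomain.com", "iiserver.mydomain.com", ANON_XML))
```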