This is an archive of the Maximo Yahoo Community. The content of these pages may sometimes be obsolete, so please check post dates.
Thanks to the community owner Christopher Wanko for providing the content.
Maximo 7118
WebSphere 6.1.0.37
I am attempting to set up SSO with AD. I am roughly following the instructions in http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101065 (WebSphere with a side of SPNEGO). Our Active Directory implementation is set up in a forest, with a parent domain A and two child domains, B and C. Our application server and most of our users are in B. I can get it working perfectly for users in B, but it will not do SSO for the users in C, and presents them with a login box. I CAN get the VMMSYNC job working for users in C, so there is some level of visibility present.
Has anyone out there set up AD/SSO in a similar environment? If so, could you provide any tips and/or tricks for getting it to work for users in a domain other than the one the application server resides in?
Thanks!
Chris A Hanna, CTR
Application Programmer
Digital Management Inc.
US Coast Guard Operations Systems Center
christopher.a.hanna@uscg.mil 
(304)433-3234 
Have you checked out the steps listed here?
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_SPNEGO_tai.html
Dinesh
Yep, I have that document; it has basically the same steps as outlined in the white paper.
We also discovered yesterday, while mapping the existing users to their AD accounts, that the sAMAccountName is not unique across the two domains. So now I also need to get the AD/SSO process to use the UserPrincipalName instead, or something else that is globally unique. I tried checking the box in WebSphere for using domain-qualified user names, but that just prepends the realm name of the federated repository, rather than the actual domain. I also tried modifying the WIMConfig.xml to map UID to UserPrincipalName instead of sAMAccountName; however, that completely broke everything, and I couldn't even log into the WebSphere console.
Any thoughts from anyone who's been through a similar implementation would be greatly appreciated.
Thanks!
-Chris H
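The sAMAccountName collision described in the post above can be checked offline before the login attribute is changed. The following is an added example, not from the thread or from IBM's documentation: it audits a directory export for attribute values shared across domains and shows that a lookup by short name alone is ambiguous, while a lookup that keeps the Kerberos realm is not. The records, the domain names and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real accounts); domain names are placeholders.
# Assumption: the Kerberos realm of a user equals the name of the user's AD domain.
USERS = [
    {"domain": "B.A.EXAMPLE", "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@b.a.example"},
    {"domain": "C.A.EXAMPLE", "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@c.a.example"},
    {"domain": "B.A.EXAMPLE", "sAMAccountName": "mlee", "userPrincipalName": "mlee@b.a.example"},
    {"domain": "C.A.EXAMPLE", "sAMAccountName": "rpatel", "userPrincipalName": "rpatel@c.a.example"},
]


def collisions(users, attr):
    """Return {value: [domains]} for every attribute value held by more than one account."""
    seen = defaultdict(list)
    for u in users:
        seen[u[attr].lower()].append(u["domain"])
    return {value: sorted(domains) for value, domains in seen.items() if len(domains) > 1}


def resolve(users, principal, keep_realm):
    """Find the accounts a Kerberos principal (name@REALM) could map to.

    keep_realm=False models a lookup on the short name only;
    keep_realm=True also requires the account's domain to match the realm.
    """
    name, _, realm = principal.partition("@")
    return [u for u in users
            if u["sAMAccountName"].lower() == name.lower()
            and (not keep_realm or u["domain"].lower() == realm.lower())]


def resolve_one(users, principal, keep_realm):
    """Return the single matching account, refusing to guess when the match is ambiguous."""
    matches = resolve(users, principal, keep_realm)
    if len(matches) != 1:
        raise LookupError(f"{principal}: {len(matches)} candidate accounts")
    return matches[0]


if __name__ == "__main__":
    print("sAMAccountName collisions:", collisions(USERS, "sAMAccountName"))
    print("userPrincipalName collisions:", collisions(USERS, "userPrincipalName"))
    print("with realm:", resolve_one(USERS, "jsmith@C.A.EXAMPLE", keep_realm=True))
```
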
-----Original Message-----
From: MAXIMO@yahoogroups.com [mailto:MAXIMO@yahoogroups.com] On Behalf Of dinesh_t_shenoy
Sent: Tuesday, August 16, 2011 4:14 PM
To: MAXIMO@yahoogroups.com
Subject: [MAXIMO List] Re: SSO with an AD forest
  
Have you checked out the steps listed here ?
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_SPNEGO_tai.html
Dinesh