Archive: WebSphere Application Server, May 2004
Problem with LTPA and WAS 5.0 / 5.02
Ole Eirik Dalbye, 2004-05-21, 5:39 pm

I have set up WebSphere 5.02 on a W2K adv. server. Security was
successfully configured against an Active Directory LDAP tree. My
problem occurs when I try to enable LTPA as the authentication
mechanism.
I go to LTPA settings and provide a password to encrypt/decrypt the
LTPA keys. Then I click Single Signon(SSO), check that it is enabled
and provide my domain for where the single signon shall apply. After
that I change from SWAM to LTPA under Global Security.
After server restart I am not able to login to the WAS Administrative
Console. And I DO use a fully qualified name (FQDN) in my URL. If I
try to login with a valid username/password it just bounces back to
the Login screen. An invalid login attempt will return with a "wrong
username or password" message. I have had this error before on
previous installations if I did not use a FQDN in my URL when
accessing the administrative console after enabling LTPA.
The only thing different this time is that the servers are registered
in my customer's Active Directory domain controller. All involved
servers are registered in the domain (mil.no). When I do nslookup they
all respond to [hostname].mil.no. For the other installations I just
modified the server host files with FQDN.
When frustration hit me I tried to change the LTPA/SSO domain from
mil.no to the WAS server hostname.mil.no. That would let me log into
both the Administrative Console and my web application. I guess that
is the same as leaving the domain field empty. SSO will only work for
that host, and not across several hosts in my domain - which I need it
to do.
I know there is a setting during WAS installation where it asks for
the WAS hostname and a fully qualified name/IP. I guess wrong input at
that point can create this kind of error? Any idea in what XML file
those data are stored so I can verify that?
Any good suggestions? ...... thanks for reading this
Ole Eirik Dalbye
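The "valid login bounces straight back to the login page" symptom above is what an SSO cookie that the browser never returns looks like. As an added illustration (not part of the original thread), the Python below models the RFC 2109 domain-matching rule that browsers of the WAS 5.x era applied to the LTPA cookie (LtpaToken) and runs the poster's situations through it: FQDN versus bare hostname in the URL, and an SSO domain of mil.no versus the single host. The hostnames wasserver.mil.no, other.mil.no and 10.0.0.5 are constructed for the example; only the domain mil.no comes from the post.

```python
"""Added example (not from the thread): does the browser ever return the
LTPA SSO cookie?

WebSphere's LTPA single sign-on issues a cookie (LtpaToken) scoped to the
configured SSO domain.  Browsers of the WAS 5.x era applied the RFC 2109
domain-matching rules to it: the Set-Cookie is accepted only if the
issuing host domain-matches the Domain attribute, and it is sent back only
to hosts that domain-match it.  A cookie that is set but never returned
means every valid login just bounces back to the login page.

Hostnames wasserver.mil.no, other.mil.no and 10.0.0.5 are constructed for
this example; only the domain mil.no comes from the thread.
"""


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 2109 domain-match.

    True if host equals cookie_domain, or host ends with "." + cookie_domain,
    the remaining prefix contains no dot, the cookie domain itself has an
    embedded dot, and the host is not a dotted-quad IP address.
    """
    host = host.strip().lower().rstrip(".")
    dom = cookie_domain.strip().lower().lstrip(".").rstrip(".")
    if not dom:
        return False
    if host == dom:
        return True
    if host.replace(".", "").isdigit():       # IP address: the suffix rule never applies
        return False
    if "." not in dom:                        # "no" alone would be a TLD-wide cookie
        return False
    if not host.endswith("." + dom):
        return False
    prefix = host[: -(len(dom) + 1)]
    return "." not in prefix                  # a.b.mil.no does not match mil.no (RFC 2109)


def ltpa_cookie_returned(login_host: str, sso_domain: str, request_host: str) -> bool:
    """Model one SSO round trip.

    login_host    host in the URL used for the form login (where Set-Cookie arrives)
    sso_domain    value of the WAS "Single Signon (SSO)" domain field ("" = empty)
    request_host  host in the URL of the next request, which must carry the cookie
    """
    login_host = login_host.strip().lower()
    request_host = request_host.strip().lower()
    if not sso_domain.strip():
        # Empty domain field: host-only cookie, valid for the issuing host alone.
        return login_host == request_host
    # The browser silently drops a Set-Cookie whose Domain the issuing host
    # does not match, so nothing is ever stored, let alone returned.
    if not domain_matches(login_host, sso_domain):
        return False
    return domain_matches(request_host, sso_domain)


def thread_scenarios() -> dict:
    """The situations described in the post, expressed as round trips."""
    return {
        # FQDN in the URL, SSO domain set to the AD domain: the cookie flows normally.
        "fqdn url, domain mil.no": ltpa_cookie_returned("wasserver.mil.no", "mil.no", "wasserver.mil.no"),
        # Bare hostname in the URL: the cookie is rejected and login bounces back.
        "short url, domain mil.no": ltpa_cookie_returned("wasserver", "mil.no", "wasserver"),
        # IP address in the URL: same outcome, a suffix domain never matches an IP.
        "ip url, domain mil.no": ltpa_cookie_returned("10.0.0.5", "mil.no", "10.0.0.5"),
        # Domain field narrowed to the one host, as the poster tried: works locally...
        "domain = own fqdn, same host": ltpa_cookie_returned("wasserver.mil.no", "wasserver.mil.no", "wasserver.mil.no"),
        # ...but the cookie is not sent to any other host in mil.no, so no SSO.
        "domain = own fqdn, other host": ltpa_cookie_returned("wasserver.mil.no", "wasserver.mil.no", "other.mil.no"),
        # Empty domain field behaves the same as the previous case.
        "empty domain, other host": ltpa_cookie_returned("wasserver.mil.no", "", "other.mil.no"),
    }


if __name__ == "__main__":
    for name, ok in thread_scenarios().items():
        print(f"{name:32s} cookie returned: {ok}")
```

The model confirms the poster's own observations: with the URL on the FQDN and the domain field set to mil.no the cookie is scoped correctly, a bare hostname or IP in the URL makes the browser discard it, and narrowing the field to one host (or leaving it empty) restricts SSO to that host alone.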
Dexthor, 2004-05-24, 7:30 am

Did you set up 'LDAP settings' in Security->User Registry? The Global Security
page automatically redirects you to the LDAP User registry page, where you
could set the 'Server Admin ID' settings that help you to bind to LDAP and
base DN etc.
You can disable security by changing 'securityenabled=true' to false in
security.xml (I guess.. ) in the $WAS_HOME/config/cells/ folder and
restarting WAS.
Pay attention to the LDAP settings page. When you set the Server Security ID,
it gets validated and you should see 'successfully validated/green message
on top'; if you see an error or warning, you must resolve it before you
proceed to bounce WAS.
HTH
Dexthor.
"Ole Eirik Dalbye" <dalbye@no.ibm.com> wrote in message
news:a3b941bb.0405210610.4f3a69f8@posting.google.com...