Special Weapons!

View All Entries
Clicking the button causes a full page refresh. The user could go to the "Entry list" region to view the new content.) Entry list

Setting up the Connections accounts in Lotus Notes to use SPNEGO

MJLee 270005B4B4 | Tags: connections notes lotus spnego | 13,699 Views
Having a SPNEGO configuration with your Connections account in Lotus Notes can make using and administering Connections widgets so much easier. But right now, setting it up is not a simple proposition. Unfortunately I learned the hard way that there are some issues that make this configuration difficult or impossible to implement until they are fixed in future code. That is, unless you know some tricks to get around those problems.
 
Let's start out by going over how you would expect to implement the configuration in Lotus Notes. If you are going to set up SPNEGO in your Connections account for an individual user, you might go to your preferences and click on the Connections entry in the list. Then you would check the "Enable IBM Connections Features" checkbox. Next you would enter the URL into the "Server URL" field. Then click on the "Advanced" button and choose the "OS Credential" option. That sounds like it should be pretty simple, and someday that may be all you need to do. But for now let's go over some of the things that you will need to do to get this working.
 
The first thing to take care of is the krb5.ini. This is the Kerberos configuration file that Lotus Notes needs in order to initialize SPNEGO in your Windows environment. It must be placed in the <Lotus Notes>/framework/rcp/deploy/extras directory. Below is an example of how this file needs to be configured.
 
 
[libdefaults]
default_realm = <change to something like IBM.COM/Should be the AD Domain>
default_tkt_enctypes = des-cbc-md5 rc4-hmac
default_tgs_enctypes = des-cbc-md5 rc4-hmac
[realms]
# This line should not be changed
SERVER.IBM.COM = {
# Change to the value of your logonserver. You can get this by typing echo %logonserver%
kdc = logonserver.ibm.com:88
# Change to the value of your logonserver. You can get this by typing echo %logonserver%
admin_server = logonserver.ibm.com:88
default_domain = <change to something like ibm.com>
}
[domain_realm]
.ibm.com = <change to the realm value to be used, i.e. IBM.COM>
ibm.com = <change to the realm value to be used, i.e. IBM.COM>
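
A pre-deployment check for this file, as an added example that is not part of the original post: it parses a krb5.ini and reports "<change to ...>" placeholders that were never replaced, explanatory text left after a kdc or admin_server value, and the single-DES and RC4 enctypes, which RFC 6649 and RFC 8429 deprecate. The function names, the realm EXAMPLE.COM and the host dc01.example.com are assumptions made for illustration.

```python
import re
# Single-DES and RC4 enctypes, deprecated by RFC 6649 and RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac", "arcfour-hmac"}
PLACEHOLDER = re.compile(r"<[^>]*>")                    # unfilled "<change to ...>"
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")  # e.g. dc01.example.com:88

def parse_krb5(text):
    """Return {section: [(key, value)]}; keys in a realm stanza become 'REALM/key'."""
    sections, current, realm = {}, None, None
    lines = (raw.strip() for raw in text.splitlines())
    for line in (ln for ln in lines if ln and ln[0] not in "#;"):  # skip blanks, comments
        if line.startswith("[") and line.endswith("]"):
            current, realm = line[1:-1].strip().lower(), None
            sections.setdefault(current, [])
        elif line.startswith("}"):
            realm = None
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value.startswith("{"):
                realm = key  # start of a realm stanza
            else:
                sections[current].append((f"{realm}/{key}" if realm else key, value))
    return sections

def check_krb5(text):
    """Return findings for a krb5.ini that is about to be deployed to clients."""
    findings = []
    for section, entries in parse_krb5(text).items():
        for key, value in entries:
            name = key.rsplit("/", 1)[-1]
            if PLACEHOLDER.search(value):
                findings.append(f"[{section}] {key}: placeholder not replaced")
            elif name.endswith("_enctypes"):
                weak = sorted(WEAK_ENCTYPES.intersection(re.split(r"[\s,]+", value.lower())))
                if weak:
                    findings.append(f"[{section}] {key}: legacy enctypes {', '.join(weak)}")
            elif name in ("kdc", "admin_server") and not HOST_PORT.match(value):
                findings.append(f"[{section}] {key}: expected host[:port], got {value!r}")
    return findings

# Constructed sample (made-up names): one placeholder and one pasted annotation left in.
SAMPLE = """[libdefaults]
default_realm = <change to the AD domain>
default_tkt_enctypes = des-cbc-md5 rc4-hmac
[realms]
EXAMPLE.COM = {
kdc = dc01.example.com:88   (change to your logonserver)
}"""

print(*check_krb5(SAMPLE), sep="\n")
```

Running the check against the exact file attached to the policy catches template text before it reaches every client's rcp/deploy/extras folder.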
 
 
A couple of relatively minor gotchas: when you set up your Connections preferences you need to specify an "https://" address as the server URL. And you will want to use "https://<hostname>/activities/service/authredirect.jsp" for the Authentication URL field. (NOTE: Greenhouse doesn't support SPNEGO. I'm just using this as an example.)
 
 
After making these changes you may still find that SPNEGO doesn't work as you would expect. One reason may be that you are an administrator on a Windows 7 PC. This is a quirk of the UAC in Windows. In order to get SPNEGO to work you can right-click the Notes icon when you start and choose "Run as Administrator".
 
This should get your Activities widget working. But many times you'll want to use another widget as well. For example, the "Status Updates" widget is very popular. But if you're using SPNEGO you'll notice that the thumbnail pictures of users may not be coming down. This is a known issue that you can address by adding a line to your plugin_customization.ini file, which is located in your <Lotus Notes>/framework/rcp/ directory. This changes the behavior of the plug-in to pull the images via a feed mechanism.
 
com.ibm.lconn.statusupdates/download.image.enabled = true
 
 
PUSHING IT OUT
So after making all those changes you should now have a working SPNEGO-enabled Connections account on your Lotus Notes client. What you usually end up wanting to do from this point forward is to push these changes out to a large group of users. The way to do that is through Policies. In your Name and Address book, go to your Policies folder and click on the Accounts view. Click on the Add Account button and start filling out the form. The key fields will be the "Account type", which should be Connections; the "Connections service URL"; and the "Authentication URL" on the Advanced tab. Also on the Advanced tab, you need to choose the Authentication type and set that as OS-CRED.
 
The most important trick to pushing this policy out is to place the krb5.ini in the Account file field. This will place that file in the rcp/deploy/extras folder. Note: You can only place one file in this field.  So this will be problematic if you need to create a custom icon.
 
For the UAC issue that causes authentication failures when using SPNEGO, there are a couple of options. One, you can create a VBS script that starts the Notes program with elevated privileges. Or you can modify the shortcut: right-click on the icon and select Properties. You will see a Compatibility tab, and on it you can check the "Run this program as an administrator" option. Both of these options have the negative side effect of creating a pop-up that alerts you to the fact that the program will need to run with elevated privileges. If you want to bypass that pop-up, you can create a scheduled task that will run with elevated privileges and then start that task via a shortcut.
 
Note: You need to be an administrator for these.  Regular users will not need to implement these options to get SPNEGO to work.


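' Relaunch this script elevated unless it was already started with /elevated
Dim oShell,oExec
If WScript.Arguments.Named.Exists("elevated") = False Then
    ' The "runas" verb requests elevation; the unelevated copy then exits
    CreateObject("Shell.Application").ShellExecute "wscript.exe", """" & WScript.ScriptFullName & """ /elevated", "", "runas", 1
    WScript.Quit
Else
    Set oShell = CreateObject("WScript.Shell")
    ' Set the working directory to the folder that holds this script
    oShell.CurrentDirectory = CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName)
End If
' Start the Notes client from the elevated instance
Set oExec = oShell.Exec("notes.exe")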

 
 
 
Start taskschd.msc
In the left-hand pane, go to the Task Scheduler Library
In the right-hand pane, click Create Task
 General Tab: 1) Give the task a name; 2) Check "Run with highest privileges"; 3) Configure for Windows 7
 Actions Tab: 1) New - Start a program; 2) Start in <Notes data directory>
 Conditions Tab: 1) Uncheck "Stop if the computer switches to battery power"; 2) Uncheck "Start the task only if the computer is on AC power"
 Settings Tab: Uncheck "Stop the task if it runs longer than"

The task you created will now show up in the middle pane.
 
Create a shortcut
 Right click on the desktop and choose New -> Shortcut
 For the location -> schtasks /run /tn <taskname>
 click Next
 Type what you want to call the shortcut and Finish