IBM Support

LO39209: IDLE SESSION TIMEOUT ON WEB SSO CONFIGURATION DOES NOT WORK WELL WITH DEBUG_SSO_TRACE_LEVEL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as Permanent restriction.

Error description

  • Step to reproduce:
1. Configure the Web SSO with following setting:
Server document:
 - Session authentication: Multiple Servers (SSO)
 - Web SSO Configuration: Ltpa Token
Web SSO configuration document:
 - Configuration Name: Ltpa Token
 - DNS Domain: <Input your server's Internet Domain>
 - Domino Server Names: <Choose your server>
 - Expiration (minutes): 30
 - Idle Session Timeout: Enabled
 - Minimum Timeout (minutes): 1

2. Execute "set config debug_sso_trace_level=1" to set the
notes.ini parameter.
3. Execute "tell http restart"
4. Access a database on the server with Web Browser.
Following messages are printed:
[0EF8:000A-0BD0] 2009/04/01 19:31:50.82 SSO API> Setting token
name parameter [LtpaToken]
[0EF8:000A-0BD0] 2009/04/01 19:31:50.82 SSO API> Encoding Domino
style Single Sign-On token.
[0EF8:000A-0BD0] 2009/04/01 19:31:50.82 SSO API> -Creation Ticks
  = 49D34296 [2009/04/01 19:31:50].
[0EF8:000A-0BD0] 2009/04/01 19:31:50.82 SSO API> -Expiration
Ticks = 49D3499E [2009/04/01 20:01:50].
[0EF8:000A-0BD0] 2009/04/01 19:31:50.82 SSO API> -Username
  = CN=Notes Admin/O=802ja
[0EF8:000A-0BD0] 2009/04/01 19:31:50.83 SSO API> -Next Renewal =
2009/04/01 19:32:50.
[0EF8:000A-0BD0] 2009/04/01 19:31:50.83 SSO API> -Max Idle Time
= 2009/04/01 19:33:50.

5. Wait 35 seconds, then reload Web Browser again.

6. Wait 30 seconds, then reload Web Browser again.
Following messages are printed:
[0EF8:000C-0DDC] 2009/04/01 19:32:55.93 SSO API> *** Validating
Token List (SECTokenListValidateAndGetInfo) ***
[0EF8:000C-0DDC] 2009/04/01 19:32:55.93 SSO API> ConfigName
specified [LtpaToken].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.93 SSO API> Retrieved
global static cache memory for config [LtpaToken].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> *** Retrieving
Extra Token Info (SECTokenValidateAndGetTokenInfo2) ***
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> ConfigName
specified [LtpaToken].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> Retrieved
global static cache memory for config [LtpaToken].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> Decoding Domino
style Single Sign-On token.
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> -Creation Ticks
  = 49D34296 [2009/04/01 19:31:50].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.94 SSO API> -Expiration
Ticks = 49D3499E [2009/04/01 20:01:50].
[0EF8:000C-0DDC] 2009/04/01 19:32:55.96 SSO API> -Username
  = CN=Notes Admin/O=802ja
[0EF8:000C-0DDC] 2009/04/01 19:32:55.96 SSO API> ERROR: token
should be renewed.
[0EF8:000C-0DDC] 2009/04/01 19:32:55.96 SSO API> -Next Renewal =
2009/04/01 19:32:50.
[0EF8:000C-0DDC] 2009/04/01 19:32:55.96 SSO API> -Max Idle Time
= 2009/04/01 19:33:50.

7. Wait 30 minute, then reload Web Browser again.
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> *** Validating
Token List (SECTokenListValidateAndGetInfo) ***
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> ConfigName
specified [LtpaToken].
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> Retrieved
global static cache memory for config [LtpaToken].
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> *** Retrieving
Extra Token Info (SECTokenValidateAndGetTokenInfo2) ***
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> ConfigName
specified [LtpaToken].
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> Retrieved
global static cache memory for config [LtpaToken].
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> Decoding Domino
style Single Sign-On token.
[0EF8:000F-091C] 2009/04/01 19:33:36.57 SSO API> -Creation Ticks
  = 49D34296 [2009/04/01 19:31:50].
[0EF8:000F-091C] 2009/04/01 19:33:36.58 SSO API> -Expiration
Ticks = 49D3499E [2009/04/01 20:01:50].
[0EF8:000F-091C] 2009/04/01 19:33:36.58 SSO API> -Username
  = CN=Notes Admin/O=802ja
[0EF8:000F-091C] 2009/04/01 19:33:36.58 SSO API> ERROR: token
should be renewed.
[0EF8:000F-091C] 2009/04/01 19:33:36.58 SSO API> -Next Renewal =
2009/04/01 19:32:50.
[0EF8:000F-091C] 2009/04/01 19:33:36.58 SSO API> -Max Idle Time
= 2009/04/01 19:33:50.

8. Wait 30 minute, then reload Web Browser again.
Following messages are printed:
[0EF8:0010-0D54] 2009/04/01 19:33:52.58 SSO API> *** Retrieving
Extra Token Info (SECTokenValidateAndGetTokenInfo2) ***
[0EF8:0010-0D54] 2009/04/01 19:33:52.58 SSO API> ConfigName
specified [LtpaToken].
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> Retrieved
global static cache memory for config [LtpaToken].
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> Decoding Domino
style Single Sign-On token.
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> -Creation Ticks
  = 49D34296 [2009/04/01 19:31:50].
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> -Expiration
Ticks = 49D3499E [2009/04/01 20:01:50].
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> -Username
  = CN=Notes Admin/O=802ja
[0EF8:0010-0D54] 2009/04/01 19:33:52.60 SSO API> ERROR: token is
expired due to idle timeout.

Problem:
The login form is appeard in the Web Browser with the error
message "Your session with the server has expired or is invalid.
 The current operation was not executed."

This problem occurred even if you access the database at more
frequent intervals.
It seems the LTPA token is not renewed even if the message
"ERROR: token should be renewed" is printed.

Local fix

  • Execute "set config debug_sso_trace_level=" to unset the
parameter.

Problem summary

  • This problem was resolved as: No Plans to Fix Ever

Problem conclusion

  • This problem was resolved as: No Plans to Fix Ever

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    LO39209
    • 

  • Reported component name
    NOTES/DOMINO 7X
    • 

  • Reported component ID
    5724E6200
    • 

  • Reported release
    801
    • 

  • Status
    CLOSED  PRS
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2009-04-01
    • 

  • Closed date
    2009-05-07
    • 

  • Last modified date
    2009-05-07
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Modules/Macros


    

  • NA

    



Fix information


    



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SSKTMJ","label":"Lotus Domino"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.1","Edition":"","Line of Business":{"code":"","label":""}}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 May 2009
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback