This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jan 13, 2014, 11:03 AM
4 Posts
Resolved

How to bring Notes Client federated Login to work?

  • Category: Administration
  • Platform: IBM i
  • Release: 9.0.1
  • Role: Administrator
  • Tags: SAML notes client federated login
  • Replies: 5

Hello,

We want to integrate NotesFederatedLogin (NFL) in our new XENAPP 6.5 infrastructure.

We have a R2008R2 ADFS 2.0 Server and a Microsoft CA.

We have 2 clustered Domino V9.0.1 GERMAN hub servers on iSeries.

On every Domino hub there is the VAULTID, the idpcat.nsf and the server configuration/policies.

No problem to run SAML with HTTPS to the hub server :-) :-)

But we have no idea how to get the Notes client 9.0.1 GERMAN started. :-(

The client contains the internet cross-certificate from the Microsoft CA via policy,

but DEBUG_SAML=31 on the Domino hub only gives us: GenerateTEKey : Vec0 : size=32 ptext=0 ... and the same for Vec1 ???

when we try to roll out our first NFS-Client.

It seems that the SAML process does not start?

Are there other conditions for the client rollout?

The reference in our ID vault points to our primary Domino hub.

We worked with the Single Login document from AdminCamp 2013 from 24.09.2013.

Has anybody an idea where we have to search?

Hope I'm not the first one and somebody can help!

Frank Monien

P.S.: Just found in the client log during rollout:

[14E0:0002-14CC] 13.01.2014 16:28:03,92 CheckForNFLEnablementFromMediaKit> ignoring NFL setup since deploy.nsf is not installed
[14E0:0002-14CC] 13.01.2014 16:28:03,99 BCaseInitialize>  ENTER

before the user password is requested

Jan 13, 2014, 3:34 PM
18 Posts
Use client side debugging as shown in AdminCamp 2013 presentation and post logs <EOM>
Jan 14, 2014, 3:11 PM
4 Posts
SAML NFL MULTIUSER-Installation CITRIX=1

Hello,

I'm working with the client DEBUG parameter from AdminCamp 2013 from 24.09.2013.

New situation: in a normal single-user installation NFL works fine!!

In the XENAPP multi-user environment I have an extra: integrating the SAML certificates into the deploy.nsf before setup.

Now the client log looks a little bit nicer:

[0FDC:0002-0E7C] 14.01.2014 16:02:01,73 CheckForNFLEnablementFromMediaKit> Enabled NFL for client setup
[0FDC:0002-0E7C] 14.01.2014 16:02:03,09 CTrustMgmt::CopyCertsFromMediaKit> Enabled NFL on client
[0FDC:0002-0E7C] 14.01.2014 16:02:03,09 CTrustMgmt::CopyCerts> Running CopyCerts
[0FDC:0002-0E7C] 14.01.2014 16:02:03,09 CTrustMgmt::BuildCache> Building cache
[0FDC:0002-0E7C] 14.01.2014 16:02:03,36 CTrustMgmt::ProcessOneCert> Copied cert or cross cert doc with source note id 0x9CE
[0FDC:0002-0E7C] 14.01.2014 16:02:03,36 CTrustMgmt::ProcessOneCert> Copied cert or cross cert doc with source note id 0x9D2
[0FDC:0002-0E7C] 14.01.2014 16:02:03,36 CTrustMgmt::ProcessOneCert> Cross Certificate is not in the hierarchy for this user: 0x9D6
[0FDC:0002-0E7C] 14.01.2014 16:02:03,53 DeskManageNFLState> Client not launched in NFL supported mode

Has anybody done this before?

Best regards

Frank Monien

Jan 15, 2014, 2:57 PM
18 Posts
I can't see a benefit of deploying the inet cross cert using deploy.nsf, because NFL has to be activated by using a security policy.
This said, for first-time setup you have to use the Notes ID password, pull the security policy and activate NFL.

Furthermore, you have to deploy not only the INet cross cert, but the Notes certs, too.

So, what is the behavior when deploying the INet Cross cert using a security policy?
Jan 15, 2014, 2:56 PM
4 Posts
XENAPP 6.5

Starting NotesClient with "notes.exe" ... and not with "nlnotes.exe" brings success!

NFL works!

Jan 15, 2014, 6:03 PM
18 Posts
Sorry, but starting Notes with nlnotes.exe is ancient, no one should use this and of course...
