Problem during SPNEGO/Kerberos configuration for Domino

I love this feature and encourage all of my customers to implement SPNEGO/Kerberos authentication for iNotes and other Domino HTTP Services.

At one customer, I got the following error message on the Domino console (after enabling some debug parameters):

Accepting the security context (AcceptSecurityContext) requires continuation

I didn’t find anything Domino related, only some API documentation.

The problem was related to the fact that Kerberos authentication doesn’t really work with DNS alias names (at least in this environment).

In our environment, we used the Domino URL to configure the SPN as described in the documentation.

setspn -a HTTP/domino1.acme.com SERVICEACCOUNT

But the Domino server name was only a DNS alias, not the real machine name. So we just had to register another SPN with the “real” Windows machine name and now it worked.

setspn -a HTTP/real-windows-name.acme.com SERVICEACCOUNT

You can still use the Domino URL to access the server, no need to use the machine name!
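
An added example (not from the original post): a small Python check, run on constructed DNS and `setspn -L` data, that follows the alias to the real machine name and lists the SPNs still missing from the service account. It assumes the client builds the SPN from the canonical DNS name, as seen in this environment; the function names are hypothetical.

```python
import re

# Constructed DNS view: alias -> CNAME target; names not listed own an A record.
CNAMES = {"domino1.acme.com": "real-windows-name.acme.com"}

# Constructed `setspn -L SERVICEACCOUNT` output as it looked before the fix.
SETSPN_L = (
    "Registered ServicePrincipalNames for CN=SERVICEACCOUNT,CN=Users,DC=acme,DC=com:\n"
    "\tHTTP/domino1.acme.com\n"
)

def canonical_name(host, cnames, max_hops=8):
    """Follow the CNAME chain to the name that owns the A record."""
    host = host.lower().rstrip(".")
    seen = set()
    while host in cnames:
        if host in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {host}")
        seen.add(host)
        host = cnames[host].lower().rstrip(".")
    return host

def registered_spns(setspn_output):
    """Parse the indented SPN lines of `setspn -L` output, lower-cased."""
    pattern = r"^[ \t]+(\S+/\S+)[ \t\r]*$"
    return {m.group(1).lower() for m in re.finditer(pattern, setspn_output, re.M)}

def missing_spns(url_host, cnames, setspn_output, service="HTTP"):
    """SPNs for the URL host and its canonical name not yet on the account."""
    have = registered_spns(setspn_output)
    wanted = []
    for name in (url_host.lower().rstrip("."), canonical_name(url_host, cnames)):
        spn = f"{service}/{name}"
        if spn.lower() not in have and spn not in wanted:
            wanted.append(spn)
    return wanted

if __name__ == "__main__":
    # Print the registration command for every SPN that is still missing.
    for spn in missing_spns("domino1.acme.com", CNAMES, SETSPN_L):
        print(f"setspn -a {spn} SERVICEACCOUNT")
```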

Now it is working and all users can just open a browser URL to access their nice iNotes 9 webmail interface. This sounds like a “nice to have” feature, but if users are no longer forced to enter a login (which they may not know because the HTTP password is not synchronized or for other reasons), it is a tremendous increase in user satisfaction.


4 Responses to Problem during SPNEGO/Kerberos configuration for Domino

  1. seancullfocul says:

    Are you just using IE or do you use other browsers? Tks, Sean

  2. Garry says:

    Could I confirm with you that you now have two SPNs set for Domino,
    setspn -a HTTP/domino1.acme.com SERVICEACCOUNT
    AND
    setspn -a HTTP/real-windows-name.acme.com SERVICEACCOUNT
