ShowTable of Contents
|Num||Details in this example|
|Quickr Domino server||Windows 2003||Domino 8.5.1 FP5 and Lotus Quickr 22.214.171.124||2||Host name of these 2 machines are:|
|Network Dispatcher||Windows 2003||Edge Components 7.0||2||Host name of these 2 machines are :|
2 virtual hosts are:
also the Domain controller
|Windows 2003||Active Directory 2003 ||1||Hose name of AD server is:|
qdad.cn.ibm.comDomain name is cn.ibm.com
|Client||Windows XP||IE 8 and FireFox 3.X||1|
Setup a Domino cluster and install Quickr 126.96.36.199 on it
1) Install and setup Lotus Domino 8.5.1 and FP5 on both Quickr servers, details please refer to Lotus Domino Information Center
2) Add both nodes to a domino cluster
Open the server document of both nodes, configuration > server > All Server Documents , expand the nodes in "ibm", select the nodes you want to add to a cluster, click "Add to Cluster", create a cluster as you like.
3) Install Lotus Quickr 188.8.131.52 on both Quickr servers, details please refer to Quickr Domino 8.5.1 server installation and basic configuration
and Best Practices for setting up Quickr Clustering
4) Configure LDAP for Quickr
This need to be configured for both quickr servers according to this guide
, please check "Disallow new users
" option because local user can't log in the Quickr server any more after SPNEGO is enabled.
Then I recommend granting a couple of AD LDAP users as Quickr Administer because local user have no chance to log in Quickr server anymore after SPNEGO is enabled. If you are admin, you can grant Administer role to you. I also recommend granting Administrator role to a specific AD LDAP group. Then you can maintain the LDAP group instead of granting Administrator role in Quickr.
Use Load Balancer to create 2 virtual hosts
According to the topology, we need to use Load balancer to create 2 virtual hosts, for inside and outside access separately, here is an example for creating the first virtual host, the second one is the same to the second one.
First of all, make sure that the 2 virtual hosts have IP registered in common DNS.
Start Load Balancer by typing "lbadmin" in the command line:
add one server to this cluster:
Click next and add another node to this cluster
now you have added both nodes added to this port:
Have a look now:
Change the stick time for port:80 to 600
Now we have virtual host: " virtualhost1.cn.ibm.com" prepared, visiting it will redirect request to both Quickr servers, and you can create another virtual host virtualhost2.cn.ibm.com the same way
Then add loopback adapters to both Quicker servers:
Open "Control Panel" , "Add new hardware",
then you will see a newly created loopback adapter in "Network Connections"
Add the IP of the two virtual hosts to this loopback adapter, and point the "Preferred DNS server" to the IP of this Quickr server, reminder that the loopback adapter should be created on both Quickr servers
Configure SPNEGO access for Quickr
Create a new user in the domain controller: "virtualhost1"
Map http request for virtualhost1.cn.ibm.com (inside domain access) to the newly created user by running the following commands in AD server:
ktpass -princ HTTPfirstname.lastname@example.org -mapuser virtualhost1 -mapOp set -pass
Quickr Domino server joins AD domain
Firstly, point the "preferred DNS server"of the Quickr server to AD server,
Then, join this server to AD domain: click Start -> My Computer, then right click, select Properties to open System Properties Window, lick Change on Computer Name tab.
Check Domain in "Member of" section, input the Domain name. It should refer to your environment. The Domain name is "cn.ibm.com" in my test environment.
Input LDAP user name and password existed on AD directory, then click OK
Confirm your computer join the domain successfully, then click OK.
Click OK on the change, then click OK again on System Properties Window.
Click Yes on System Setting Change Window to restart server
After join the domain, you should log in by domain user, here we login to both Quickr Server using the newly created user: email@example.com, after logged in to the server, "virtualhost1" will showup at the top of Windows start menu
Enable SPNEGO for Domino servers
the following steps need to be applied on both Quickr servers, take qd01 for example:
Create a directory assistance database. I usually name it as "da.nsf"
Add Directory Assistance on the database. Here is my setting on "Basics" tab. Please pay more attention on setting on red rectangle.
My settings on "LDAP" tab, please fill in all files in red rectangle. I didn't enable SSL in this case.
Please click Verify button to make sure your settings are correct.
Once settings on DA works. Fill in the Directory assistance database name on Domino configuration document as below:
Enable SPNEGO for Quickr
After SPNEGO works on Domino, then it's time to enable SPNEGO on Quickr, the following steps need to be applied to both Quickr servers
add "Anonymous" on LotusQuickr/lotusquickr/main.nsf
Before Domino Administrator has access to edit ACL. You should create a group named as "QuickPlaceAdministratorsSUGroup
" in "People&Group" and add Domino Administrator into the group( in this example, Domino Administrator is admin/ibm ).
Because there is the group in all Quickr places database. After joining the group, users have Administrator access on these database. Restart Domino server to take it effect.
Then open ACL of LotusQuickr/lotusquickr/main.nsf. Add "Anonymous", then check User type as "Unspecified" and Access as "No Access". Otherwise, SPNEGO doesn't work on Quickr because web user will log in as an anonymous user, not the domain user.
Setting on Notes.ini
Add "QuickPlaceSPNEGO=1" in notes.ini, then restart to take it effect. This parameter will disable prompt user name and password when end user create a place from browser.
This action should be applied to both Quickr nodes.
On section, please pay more attention bold text. Modify them to meet your environment settings.
user_directory on qpconfig.xml
( enter last name, first name)
Create Internet site documents for inside and outside domain access
We suggest that both inside and outside domain share the same LTPA key, so first of all, prepare a LTPA key , which can be exported from a Websphere Application Server
Then we start to create internet site documents
create Web SSO file for outside domain access
Click "Create Web SSO Configuration"
Pay attention to the red rectangle contents, you can pick a name for this SSO file, here I named it as "Outside", notice that the Organization and DNS Domain need to be consistent with your Domino cluster
Import LTPA keys you just exported from WAS to Domino:
use the password you set when exporting LTPA keys from WAS:
This part will show up once importing succeeded:
Create internet site document for outside access
"Descriptive name for this site" can be anything, but "Host names or addresses mapped to this" should be the second virtual host: vritualhost2.cn.ibm.com
Choose Multiple Servers(SSO), and pick up the SSO file just created for outside access, here it is named as "Outside"
now the internet site document for outside domain access is created
Create Web SSO file for inside domain access
it is the same as outside Web SSO file, the only difference is that inside access need to authenticated with SPNEGO, so "Windows Single Sgn-on integration" should be enabled, also remember to import the same LTPA key to this SSO configuration file:
Create internet site document for inside access
Enable internet site document for both Quickr servere
The following steps should be applied to both server documents,take qd01 for example:
after enabling this:
you will see the following message in "Domino Web Engine" tab
replicate server configuration files between two nodes
enable "log in" and " log out" link in qpconfig.xml on both nodes
Config hostname and hosturl_notification in "cluster" stanza in qpconfig.xml on both nodes, here outside domain host is used
Enable "use_relative_path" in qpconfig.xml
Restart both the Quickr servers to take effect
For outside domain client
then we can visit via outside domain virtual host:
there is a login page, and everything act as a normal quickr server
For inside domain client
Make sure the machine has joined AD domain and log in as domain user. ( the same step as step 4-(2))
SPNEGO support both IE and FireFox browser.
Enable settings for firefox
Launch Firefox, and input "about:config" on address box. Click "I'll be careful, I promise!" on warning dialog. Then input "network.negotiate-auth.trusted-uris" in Filter field.
Double click the item, then fill in your Quickr Domino server URL: http://virtualhost1.cn.ibm.com
. It also supports wildcard character. You can just fill in http://cn.ibm.com
. Click OK, then restart Firefox
Enable settings for IE
SPNEGO on Quickr Domino supports IE and Connector as well.
Now Let's get IE browser works. Here is my IE version:
Launch IE browser and click Tools > Internet Options, click the Security tab, select "Local intranet" and click Sites.
Ensure that the “Include all sites that bypass the proxy server” is checked. Then click Advanced button.
Add the URL for the Domino server, and click OK twice. For example, here my Domino server name is virtualhost1.cn.ibm.com, specify:
Or use a wildcard to provide the ability to connect to more than one SPNEGO-enabled Domino server in the domain, for example:
Click Custom Level, scroll to the User Authentication section, select "Automatic logon only in Intranet zone," and click OK.
Click the Advanced tab, scroll to the Security section, verify the option “Enable Integrated Windows Authentication” is selected.
If your proxy server configuration is done manually rather than via automatic configuration script:
* Click the Connections tab.
* Click LAN Settings
* Click Advanced.
* Add the Domino server URL to the list “Do not use proxy server for addresses beginning with," and click OK.
Click OK and restart the browser.
Now, IE browser should access Quickr Domino by SPNEGO.
To make Connector work for Quickr Domino SPNEGO
- Enable Enable Integrated Windows Authentication o IE browser. It has been done in above steps.
- Add registry string HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Lotus Quickr\Desktop Integration\Settings\EnableSSO
0 – disable
1 – enable
- Restart the machine, then launch Connector Explorer. Now the Authentication type is changed, and no need input User ID and password. See following snapshot:
Then domain user can access Quickr Domino through SPNEGO.
There are 3 ways to get the host for requests:
might be inside or outside virtual host, depends on the first url that user used to visit Quickr
configured in qpconfig.xml , cluster stanza
in our example, it is outside domain virtual host that used in qpconfig.xml
configured in qpconfig.xml, cluster stanza (see above, the second one)
By default, all requests will use (a) - relative path, except for the following conditions:
1) Web Service
All xml:base in response will use (b)
2) Placecatalog.nsf and Placestatistics.nsf
In our example, Placecatalog.nsf and Placestatistics.nsf will register with (b)
- Place Administration
In the summary page of a place, place URL will use (b)
- Send Link/Notification
All actions related to "Send Link/Notification" in the web page will use (c)
The subscribe link will use (a), but the link in the feed will use (b)
qptool newsletter command will use (b) in the link of newsletters
The following 4 operations will use the (b) as request host:
- Copy Link,
- Send Link,
- Open in Browser,
- Search in Browser
Can't visit inside virtual host from outside of the domain, unless user have logged in from outside domain
End user will get an error page when visiting inside virtual host from a client which is outside of domain
If a user visit from inside domain, "log out" link will not take effect
Log out link is enabled for outside domain user to log themselves out, but this will not take effect if the user is visiting Quickr from inside domain, users can always see themselves logged in.