Lotus Notes Eclipse Composite Application debugging

This post is a follow-up to “The Activities side-bar in Lotus Notes and SPNEGO”.

In this post I describe the test setup used to look into SPNEGO and Eclipse Composite Applications
and how you can enable finer debugging.

The test set-up.

The Domino Policy as configured on our Windows Lotus Domino 8.5.2 server.

The Connections preferences tab after the Policy has been pushed to our client ( LN Windows 8.5.1 client Vanilla )

( I'm not really sure what the rules are before a Policy is pushed to a client, but I got from my colleague and Lotus
Domino adept Arjan Vermeulen that running ndyncfg.exe will do this; re-opening your mail file from the
mail server where the policy is active should also force pushing the policy. )

As can be seen on the screenshot the User name is filled in automatically ( MEN is my Windows AD username ).

All the required extra Accounts are created automatically as well.

The details of the Connections accounts have been set correctly.

With the SPNEGO config the Connections search functionality works OK, and adding RSS feeds into the internal
Feeds reader of LN works OK as well.

When I then click the link “Retry using existing options” I see the following messages in my LN
Trace. ( Help -> Support -> View Trace )

Unable to respond to any of these challenges: {negotiate=Negotiate}

In the SystemOut.log of the Activities servers we don’t see any errors.

Only the following information that a SPNEGO token is created for my account.

[12/13/10 11:03:58:603 CET] 0000008d SpnegoHandler I com.ibm.ws.security.spnego.SpnegoHandler handleRequest CWSPN0023I:
Username MEn@INTRA.E-OFFICE.COM Token size 1966.

To get some more info I searched how I could enable finer logging traces for Eclipse Composite applications
deployed in the Lotus Notes client.

After a lot of searching I found the following two to be helpful.

In the file \Lotus\Notes\framework\rcp\rcplauncher.properties add the following two options.

config.notes.8=-debug
config.notes.7=-console


This will bring up a terminal window when starting Lotus Notes and show all messages that
at least have the level WARNING. This is the same info as you can find under the View Trace
option in your Lotus Notes client.

To specify Java classes for which you want finer trace logging you can use the following.

In the file \Lotus\Notes\Data\workspace\.config\rcpinstall.properties add the Java classes
for which you want finer logging and to which level. For my investigation I used the following two.

org.apache.commons.httpclient.level=FINEST
com.ibm.rcp.internal.security.auth.module.level=FINEST

This gave me a little bit more info:

2010-12-19T15:15:41.109+01:00 FINE Authorization required
org.apache.commons.httpclient.HttpMethodDirector org.apache.commons.httpclient.HttpMethodDirector .isAuthenticationNeeded 2
2010-12-19T15:15:41.109+01:00 FINEST enter HttpMethodBase.processAuthenticationResponse(HttpState, HttpConnection)
org.apache.commons.httpclient.HttpMethodDirector org.apache.commons.httpclient.HttpMethodDirector .processAuthenticationResponse 2
2010-12-19T15:15:41.109+01:00 FINE Supported authentication schemes in the order of preference: [ntlm, digest, basic]
org.apache.commons.httpclient.auth.AuthChallengeProcessor org.apache.commons.httpclient.auth.AuthChallengeProcessor .selectAuthScheme 2
2010-12-19T15:15:41.125+01:00 FINE Challenge for ntlm authentication scheme not available
org.apache.commons.httpclient.auth.AuthChallengeProcessor org.apache.commons.httpclient.auth.AuthChallengeProcessor .selectAuthScheme 2
2010-12-19T15:15:41.125+01:00 FINE Challenge for digest authentication scheme not available
org.apache.commons.httpclient.auth.AuthChallengeProcessor org.apache.commons.httpclient.auth.AuthChallengeProcessor .selectAuthScheme 2
2010-12-19T15:15:41.125+01:00 FINE Challenge for basic authentication scheme not available
org.apache.commons.httpclient.auth.AuthChallengeProcessor org.apache.commons.httpclient.auth.AuthChallengeProcessor .selectAuthScheme 2
2010-12-19T15:15:41.125+01:00 WARNING Unable to respond to any of these challenges: {negotiate=Negotiate}

It seems that the org.apache.commons.httpclient Java object instantiated by the Activities side-bar
isn’t capable of working with the negotiate authentication scheme and only works with ntlm, digest and basic.

I also picked Wireshark out of my admin toolbox to dive into the HTTP traffic going out from my LN client
when using Lotus Connections functionality.
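
An added example, not part of the original post: a small Python script that replays the trace excerpt above and reports which scheme the server offered that is missing from the client's preference list. The function names are hypothetical, and how the challenge map prints is an assumption based on the single WARNING line shown here.

```python
import re

# Trace lines copied from this post (logger and method columns dropped).
TRACE = """\
2010-12-19T15:15:41.109+01:00 FINE Authorization required
2010-12-19T15:15:41.109+01:00 FINE Supported authentication schemes in the order of preference: [ntlm, digest, basic]
2010-12-19T15:15:41.125+01:00 FINE Challenge for ntlm authentication scheme not available
2010-12-19T15:15:41.125+01:00 FINE Challenge for digest authentication scheme not available
2010-12-19T15:15:41.125+01:00 FINE Challenge for basic authentication scheme not available
2010-12-19T15:15:41.125+01:00 WARNING Unable to respond to any of these challenges: {negotiate=Negotiate}
"""

SUPPORTED = re.compile(r"Supported authentication schemes in the order of preference: \[([^\]]*)\]")
NOT_OFFERED = re.compile(r"Challenge for (\S+) authentication scheme not available")
UNANSWERED = re.compile(r"Unable to respond to any of these challenges: \{(.*)\}\s*$")
# Assumption: the map prints as scheme=<challenge>, and the challenge starts with
# the scheme name. Matching on that keeps commas and '=' inside a challenge
# (for example Digest parameters) from being read as extra schemes.
SCHEME_KEY = re.compile(r"(?:^|, )(\w+)=(?=\1\b)", re.IGNORECASE)


def offered_schemes(map_text):
    """Scheme names from the text between the braces of the WARNING line."""
    return [m.group(1).lower() for m in SCHEME_KEY.finditer(map_text)]


def analyse(trace):
    """Return one finding per authentication round the client could not answer."""
    findings, supported, not_offered = [], [], []
    for line in trace.splitlines():
        if m := SUPPORTED.search(line):        # a new round starts here
            supported = [s.strip().lower() for s in m.group(1).split(",") if s.strip()]
            not_offered = []
        elif m := NOT_OFFERED.search(line):
            not_offered.append(m.group(1).lower())
        elif m := UNANSWERED.search(line):
            offered = offered_schemes(m.group(1))
            findings.append({
                "client_supports": supported,
                "server_offered": offered,
                "offered_but_unsupported": [s for s in offered if s not in supported],
                "supported_but_not_offered": not_offered,
            })
            supported, not_offered = [], []
    return findings


if __name__ == "__main__":
    for finding in analyse(TRACE):
        print(finding)
```

Run against a full trace file, each finding shows at a glance whether a failed login is a scheme mismatch like this one or something else.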

When working in Wireshark I saw that the first request when using the Lotus Connections search functionality
already had an LTPAtoken set, so login was not required; the response from the server was directly the HTML
page with the result.

Looking at the first request from the Activities side-bar, I didn’t see an LTPAtoken set; in the HTTP traffic
following on this I saw that it ended at the login page from Activities.

Concluding: this ain’t going to fly. On the positive side, I learned a lot about Lotus Notes debugging and Accounts settings.

All in all this leaves me a bit frustrated: how is it possible that some Connections parts in the Lotus Notes client
can work with SPNEGO and some just won’t? These kinds of plug-ins in your Lotus Notes client are great to
improve the adoption of Lotus Connections, users can access Connections from within their mail client
where they stay most of the time, but that advantage soon shrinks if users get all kinds of
authentication problems.

If Big Blue is using the Activities side-bar themselves they probably have bumped into the same problems
we are currently facing. I guess they also have password change policies active and account lock-out restrictions.
But maybe there is some logical technical explanation why the Activities side-bar isn’t capable
of working with SPNEGO?
