Thursday, August 02, 2007

Configuring SSO with LTPA

I just wasted a few hours of my life because of a careless mistake made by our computer engineers.
I was tasked with configuring single sign-on for two servers, a Websphere Application Server v6 and a Websphere Portal Server v6. I configured my application server to use the same LDAP configuration as the portal, exported the LTPA key from Websphere Portal and imported it into WAS.
I thought it would work, but it didn't. I thought I had configured it wrongly, so I tweaked here and there and tried every single thing I could imagine. I was also careless, as I forgot to consult the log files; I just thought the LTPA token was not being propagated properly.
I finally remembered to read the logs and found the following.
[8/2/07 21:55:35:047 PDT] 0000001d LTPAServerObj W SECJ0371W: Validation of the LTPA token failed because the token expired with the following info: Token expiration Date: Thu Aug 02 08:54:41 PDT 2007, current Date: Thu Aug 02 21:55:35 PDT 2007.
Finally I checked the server date and time settings. Guess what I found. The Portal server was just beginning to wake up at 6 in the morning. The WAS had the same time as my machine, 9:55 p.m., but it was somewhere in the US. The engineer who set up the server didn't change the regional settings back to my country, and it was still following the US time zone.
I wonder who I should be screaming at when this type of thing happens. I guess this is what happens when you are not surrounded by geniuses.
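The SECJ0371W line quoted above is enough to estimate the skew between the two clocks without logging into either box. The following Python script is an added example and not part of the original post: it parses a constructed copy of that log line, reports how far past expiry the token was, and, assuming the token was presented to WAS straight after Portal issued it (the normal SSO redirect case) and that the LTPA timeout is the WebSphere default of 120 minutes, derives the implied clock difference between the issuing and validating servers. The function names, the stale-token counter-example and the 5 minute skew threshold are my own.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the SECJ0371W line quoted in the post.
SAMPLE_LINE = (
    "[8/2/07 21:55:35:047 PDT] 0000001d LTPAServerObj W SECJ0371W: "
    "Validation of the LTPA token failed because the token expired with the "
    "following info: Token expiration Date: Thu Aug 02 08:54:41 PDT 2007, "
    "current Date: Thu Aug 02 21:55:35 PDT 2007."
)

# Constructed counter-example: a token that really is stale (user idle past the timeout).
STALE_LINE = (
    "[8/2/07 10:10:00:000 PDT] 0000002a LTPAServerObj W SECJ0371W: "
    "Validation of the LTPA token failed because the token expired with the "
    "following info: Token expiration Date: Thu Aug 02 10:00:00 PDT 2007, "
    "current Date: Thu Aug 02 10:10:00 PDT 2007."
)

# WebSphere's default LTPA timeout is 120 minutes; assumed here, check your security config.
DEFAULT_LTPA_TIMEOUT = timedelta(minutes=120)

# Both dates in the message are printed in the validating server's own zone, so the
# zone abbreviation is dropped and the two values are compared as naive datetimes.
_DATE_RE = re.compile(
    r"Token expiration Date: (?P<exp>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<exp_y>\d{4}), "
    r"current Date: (?P<cur>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) \w+ (?P<cur_y>\d{4})"
)
_FMT = "%a %b %d %H:%M:%S %Y"


def parse_secj0371w(line):
    """Return (expiration, current) from a SECJ0371W message, or None for other lines."""
    if "SECJ0371W" not in line:
        return None
    m = _DATE_RE.search(line)
    if not m:
        return None
    exp = datetime.strptime(f"{m['exp']} {m['exp_y']}", _FMT)
    cur = datetime.strptime(f"{m['cur']} {m['cur_y']}", _FMT)
    return exp, cur


def analyse(line, seconds_since_login=0, ltpa_timeout=DEFAULT_LTPA_TIMEOUT,
            skew_threshold=timedelta(minutes=5)):
    """Explain why a token was rejected.

    past_expiry   how long after expiry the validating server saw the token
    implied_skew  validator clock minus issuer clock, assuming the issuer minted the
                  token ltpa_timeout before its expiry and the user presented it
                  seconds_since_login later (0 = straight after logging in, the SSO case)
    verdict       'clock-skew' if that implied skew exceeds skew_threshold, else 'expired'
    """
    parsed = parse_secj0371w(line)
    if parsed is None:
        return None
    exp, cur = parsed
    issued_on_issuer_clock = exp - ltpa_timeout
    presented_on_issuer_clock = issued_on_issuer_clock + timedelta(seconds=seconds_since_login)
    past_expiry = cur - exp
    implied_skew = cur - presented_on_issuer_clock
    verdict = "clock-skew" if abs(implied_skew) > skew_threshold else "expired"
    return {"expiration": exp, "current": cur, "past_expiry": past_expiry,
            "implied_skew": implied_skew, "verdict": verdict}


if __name__ == "__main__":
    for label, line, since_login in (("post", SAMPLE_LINE, 0), ("stale", STALE_LINE, 130 * 60)):
        r = analyse(line, seconds_since_login=since_login)
        print(f"{label}: {r['verdict']}, {r['past_expiry']} past expiry, "
              f"implied skew {r['implied_skew']}")
```

For the line in the post this reports 13:00:54 past expiry and an implied skew of 15:00:54, which fits one server sitting in the early morning and the other in the evening. The skew estimate only means something when you know how long after login the token was presented; for a user who was idle past the timeout, pass that idle time as seconds_since_login and the verdict comes back as a plain expiry.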


  1. Come, let's go for some karaoke so that you can scream your throat out...hehehehhe...anyway I didn't know you can export the LTPA from the portal side...what I did was export the key from WAS and pass it to the Domino engineers...they import the key into their side and SSO works between portal and Domino...

  2. Erm...I don't know how to term it correctly. I exported the LTPA key from the WAS profile that is used by the portal server. I am still new to Portal :P

  3. Can you please illustrate the steps to configure SSO using LTPA between your portal server and WAS?

    How did the target app (WAS) interpret the LTPA token?


  4. In summary,

    1. Ensure both servers' date and time are correct :P
    2. Ensure both servers are configured to use a common user repository.
    3. Ensure both servers share the same domain.
    4. Configure LTPA on either server, then export the LTPA key to the other server.

    For more information, try to get some IBM redbooks. :)

    Interpretation of the LTPA token on the target app should be done by Websphere and be transparent to your application. Your app won't even know the difference between LTPA-authenticated and normally authenticated users.
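Steps 2 and 4 of the summary are linked: an exported LTPA key file carries the realm name of the user registry it was generated under, and the importing server needs to be on a matching registry or the token will not identify the same users. The following Python script is an added example, not the page's or IBM's code: it reads two exported key files in Java .properties format (constructed samples with placeholder strings in place of real key material), checks that each has the properties an export should contain, and flags a realm or version mismatch before you import. The property names are the ones I know from WebSphere LTPA key exports (com.ibm.websphere.ltpa.Realm, com.ibm.websphere.ltpa.3DESKey, com.ibm.websphere.ltpa.PrivateKey, com.ibm.websphere.ltpa.PublicKey, com.ibm.websphere.ltpa.version); treat them as an assumption and compare against your own export.

```python
import re

# Property names as found in WebSphere LTPA key exports (assumption: check your own export).
REQUIRED_KEYS = (
    "com.ibm.websphere.ltpa.version",
    "com.ibm.websphere.ltpa.Realm",
    "com.ibm.websphere.ltpa.3DESKey",
    "com.ibm.websphere.ltpa.PrivateKey",
    "com.ibm.websphere.ltpa.PublicKey",
)
# Properties that must agree between the exporting and the importing server.
MUST_MATCH = ("com.ibm.websphere.ltpa.version", "com.ibm.websphere.ltpa.Realm")

# Constructed sample export from the portal side. Key values are placeholders, not real keys.
PORTAL_EXPORT = """\
#IBM WebSphere Application Server key file
#Thu Aug 02 06:54:41 GMT 2007
com.ibm.websphere.CreationDate=Thu Aug 02 06\\:54\\:41 GMT 2007
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER3DESKEY==
com.ibm.websphere.CreationHost=portal01
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDERPRIVATEKEY==
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDERPUBLICKEY==
com.ibm.websphere.ltpa.Realm=ldap.example.com\\:389
"""

# Constructed export from a WAS that points at the same LDAP (only the host differs).
WAS_EXPORT_OK = PORTAL_EXPORT.replace("portal01", "was01")

# Constructed export from a WAS still pointed at a different LDAP: the realm differs.
WAS_EXPORT_WRONG_REALM = WAS_EXPORT_OK.replace(
    "ldap.example.com\\:389", "ldap-old.example.com\\:389")


def parse_properties(text):
    """Minimal Java .properties reader: comments, key=value / key:value, backslash escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Key runs up to the first unescaped '=' or ':'; the rest is the value.
        m = re.match(r"((?:\\.|[^=:\\])+)\s*[=:]\s*(.*)", line)
        if not m:
            continue
        key = re.sub(r"\\(.)", r"\1", m.group(1).strip())
        value = re.sub(r"\\(.)", r"\1", m.group(2))
        props[key] = value
    return props


def check_export(props):
    """Return the required properties that are missing or empty in an export."""
    return [k for k in REQUIRED_KEYS if not props.get(k)]


def import_mismatches(source_props, target_props):
    """Properties that differ between the exporting (source) and importing (target) server.
    A realm mismatch means the two are not on a common user registry."""
    return {
        k: (source_props.get(k), target_props.get(k))
        for k in MUST_MATCH
        if source_props.get(k) != target_props.get(k)
    }


def preflight(source_text, target_text):
    """Run all checks on two export files; returns (ok, details)."""
    src, dst = parse_properties(source_text), parse_properties(target_text)
    details = {
        "missing_in_source": check_export(src),
        "missing_in_target": check_export(dst),
        "mismatches": import_mismatches(src, dst),
    }
    return not any(details.values()), details


if __name__ == "__main__":
    for name, target in (("was01", WAS_EXPORT_OK), ("was01-old-ldap", WAS_EXPORT_WRONG_REALM)):
        ok, details = preflight(PORTAL_EXPORT, target)
        print(name, "OK" if ok else "NOT OK", details)
```

Matching realm names only show that both servers were configured against the same registry; they do not prove the two LDAP servers hold the same user entries, and the shared SSO domain (step 3) lives in each server's security settings rather than in the key file, so those still need checking by hand.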

  5. This may help those who are asking how to configure it or want the configuration steps


  7. Need some help on LTPA. How does Websphere know to redirect to my specific login page if there is no LTPA token? Do we need to build that logic into our application?

    Also, how can I allow some pages to be open for anonymous access?

    Thanks in advance.