How I Got XPiNC Run-On-Server With SSO Working

May 17, 2013 7:24 PM

Tags: xpinc sso miasma

Among the new features in Domino 9 is this little guy, found on the Launch pane of a database's properties when you set it to open an XPage:

If you've ever used an XPiNC application before, you'll know this is a godsend, promising the vast performance benefits of running an app on a server combined with the "the users are stuck using the Notes client" benefits of XPiNC.

I turned this on for a new app on one of my client's servers (let's say the server name is ClientName-2/ClientName) and took it out for a spin. However, I immediately noticed something was amiss: the status bar declared that it was unable to find the server "". With a bit of searching, I found I wasn't alone: Notes assumes that the Domino server is available as its common name in local DNS for some reason, and fails in various ways depending on your network's DNS failover behavior and whether or not is a real web site.

So, okay, as the last comment on that linked question indicates, you can "fix" this behavior by manually adding entries to the "XPages Performance" preferences pane (I have two because it's on two clustered servers, you see):

(Though it's blurred here, I note that the "Server" column stores only the common name of the server, not its full hierarchy. Let's hope all your common names are distinct!)

Alright, now that that is sorted out, Notes should use the URL you typed in rather than its own ludicrously-naïve guess. Open up the app again and bam:

Oh. Okay. Here's where things got fun. At this point, the Notes client is essentially using an embedded web browser to point to and carrying with it no authentication information. The documentation cheekily suggests that this means that your "configuration is not correctly set up" and basically leaves it at that.

I'll spare you the intervening days of frustration and cut to the chase: I needed to create an Account document in the client, set up SSO on the server (I had been using normal session auth), and disable loading Internet configurations from Server\Internet Sites documents (seriously).

Because I wasn't about to have my users use the Preferences -> Accounts pane if I could avoid it, I discovered that you can apply Accounts via policies. I went into the "Accounts" view of the "Configuration" tab of Administrator and created an account like so:

(That bit about "PreferredUsernameField" was because I stole the instructions from something about the social stuff in 9. I don't know if it's required, but I don't dare remove it now.)

Once I had that account document created, I went to the active Desktop policy document, then the "Accounts" tab, clicked "Update Links", and chose "All Supported" (because I only had the one anyway):

So at this point, I had it so that the Notes client was properly picking up the Account document, but it still wasn't signing in via SSO properly. That's when I had flashbacks to setting up a Sametime server, I felt a dread in the pit of my stomach, and I disabled Internet Sites for the server. Once I generated a new SSO configuration (with no "Organization" specified, so it was choosable in the server document) and restarted HTTP, it started to work. Hooray-ish!

Fortunately, in my case, I'm lucky: there's a spare server available that doesn't need to handle normal web requests (at least barring a catastrophe), so I can afford to disable Internet Sites configuration for it. However, long-term, I would be delighted to be wrong in my diagnosis - so if anybody knows a way to get this working while still supporting Internet Sites, please let me know. I would also love to know if there's a way to either avoid using those "run these apps on the server" entries in the client prefs or distribute those via policy as well.

Commenter Photo

Terry Lawson - Oct 3, 2013 10:20 AM


Thanks for this useful information. But i think your described problems are only the tip of the iceberg.

i've been messing around with this topic since days and weeks! IBM helped me a lot with configuring it with policies.. but still some problems are still present:

  1. Login with account document and Session Authentication enabled does not work for me, with basic authentication it works (PMR open)
  2. When setting the Password the first time, Notes crashes (fully reproducable, SPR open)
  3. When reopening the Notes Client, and clicking on a still opened Tab with a "Run-On-Server" XPage in it, then it suddenly opens it locally with XPiNC (SPR open)

Other Problems:

  • Password Changes: The Password in the account documents is not synchronized with the HTTP Password of the person document, so if the user openens the same XPages Application, he will be prompted for password again (-> guess what this leads us to the above problem no. 2...)
  • Multiple Client Installations: If a user has e.g. a Laptop and a desktop PC, the above problems are multiplied by 2.. 

I desperatly hope that IBM will make some improvement here SOON.. The statement ** simply enable the checkbox "run serverbased xpages directly on server" ** is simply a joke!


New Comment