Hi,

Now that I've got pound up and running (and I assume configured properly), I am having an issue with the authentication and login process on a Lotus Domino server using Single Sign On (SSO).

In a nutshell, the problem is that when I enter https://camproxy01.camsys.com/mail/btest.nsf (mail/btest.nsf is the location of a user's mail file), enter my username and password into the web authentication form that appears, and click "Login", I am warned that my connection is about to move from secure to non-secure, and I get an IE error page.

For some reason, after I click the "Login" button to send my username and password, the Domino server seems to be returning the path to the mail file as HTTP and not HTTPS. I can actually see this in my web browser as the URL displayed changes from https://camproxy01.camsys.com/mail/btest.nsf to http://camproxy01.camsys.com/mail/btest.nsf. If I subsequently add the HTTPS back in, I am logged in immediately and everything works fine.

The following is the HTTP server debug log:
*** New Request -- Parse and Check Request: Session 0, Thread 5b4, Clock 21625
*** Process Request: Session 0, Thread 5b4, Clock 21640
GET /mail/btest.nsf HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: camproxy01.camsys.com
Connection: Keep-Alive
X-Forwarded-For: 192.152.136.45

HTTP/1.1 200 OK
Server: Lotus-Domino
Date: Mon, 30 Jan 2006 22:46:46 GMT
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1290
Cache-control: no-cache
**I believe this POST is me submitting my username/password**

POST /names.nsf?Login HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://camproxy01.camsys.com/mail/btest.nsf
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: camproxy01.camsys.com
Content-Length: 69
Connection: Keep-Alive
Cache-Control: no-cache
X-Forwarded-For: 192.152.136.45
**I also believe the following 302 is where the problem lies. As you can see, the Location value is the non-SSL URL for the mail database. Shouldn't pound be catching this and reformatting it?**

HTTP/1.1 302 Found
Server: Lotus-Domino
Date: Mon, 30 Jan 2006 22:48:21 GMT
Connection: close
Location: http://camproxy01.camsys.com/mail/btest.nsf
Set-Cookie: DomAuthSessId=C12F6DAD97D65123CFF6BEFCB1FA9352; path=/
Finally, my config file is as follows:

User "pound"
Group "pound"
Daemon 0
LogLevel 2
Alive 30

ListenHTTPS
    Address 192.152.136.217
    Port 443
    xHTTP 0
    WebDAV 0
    Client 10
    Change30x 1
    Cert "/usr/local/etc/poundcert/newcert.pem"
    CAList "/usr/local/etc/poundcert/caroots.pem"
    VerifyList "/usr/local/etc/poundcert/cacert.pem"
End

Service
    URL ".*"
    HeadRequire "Host:.*camproxy01.camsys.com.*"
    BackEnd
        Address r6dev.int.camsys.com
        Port 80
        Priority 1
    End
    Session
        Type IP
        TTL 300
    End
End    # closes the Service block
If I turn off SSO on the Domino server, everything works. Doing this, however, prevents me from timing out sessions, querying actively logged in users, switching between databases without being re-prompted to log in, etc. - all things that I need to be able to do. Turning off SSO also changes the login process somewhat, in that instead of a web-based authentication form, I get a typical browser pop-up window for the username and password.

Again, thanks all for any advice that you can provide.

--jeff
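For readers following the thread, here is an added example (not Pound's code and not from the poster) of the rewrite a TLS-terminating proxy has to apply to the 302 above: an absolute http:// Location naming the proxy's own virtual host (or, beyond this post, the back end's internal name) is rebuilt as https:// on the public host so the browser never leaves the secure listener. It also reports the other hazard visible in that response: the DomAuthSessId session cookie is set without the Secure attribute. The host names and the response are taken from the post; the parsing helpers are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

# The back end's 302 as captured in the post, reassembled from the wrapped log.
BACKEND_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Lotus-Domino\r\n"
    "Date: Mon, 30 Jan 2006 22:48:21 GMT\r\n"
    "Connection: close\r\n"
    "Location: http://camproxy01.camsys.com/mail/btest.nsf\r\n"
    "Set-Cookie: DomAuthSessId=C12F6DAD97D65123CFF6BEFCB1FA9352; path=/\r\n"
    "\r\n"
)

PUBLIC_HOST = "camproxy01.camsys.com"    # the ListenHTTPS virtual host
BACKEND_HOST = "r6dev.int.camsys.com"    # the BackEnd address (plain HTTP)


def parse_response(raw):
    """Split a raw HTTP response head into (status line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status, headers


def rewrite_location(headers, public_host=PUBLIC_HOST, backend_host=BACKEND_HOST):
    """Return a copy of headers with http:// Location / Content-Location
    rewritten to https:// on the public host when the redirect points at the
    proxy's own virtual host or at the back end. Redirects to any other host
    are left alone: the proxy must not claim to serve names it does not own."""
    out = []
    for name, value in headers:
        if name.lower() in ("location", "content-location"):
            parts = urlsplit(value)
            if parts.scheme == "http" and parts.hostname in (public_host.lower(), backend_host.lower()):
                value = urlunsplit(("https", public_host, parts.path, parts.query, parts.fragment))
        out.append((name, value))
    return out


def insecure_session_cookies(headers):
    """Names of cookies set without the Secure attribute. Such a cookie is sent
    in clear text as soon as the browser follows an http:// link to the host,
    which is exactly what the unrewritten 302 above makes it do."""
    bad = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in value.split(";")]
            if "secure" not in attrs:
                bad.append(value.split("=", 1)[0].strip())
    return bad
```

Even with the Location fixed at the proxy, the cookie check is worth keeping: the back end should be told it sits behind TLS (or the proxy should add Secure) so the session id is never usable over plain HTTP.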