IBM Connections with Exchange Back-end – Chrome and Kerberos Delegation


First of all, thanks to my newfound friend Michele Buccarello, who had shared this document earlier last month with some very good pointers about how to integrate Exchange with IBM Connections. With that document and some guesswork as to encryption settings between WAS and Exchange I was able to solve the problem – 90% of the way. We got it to work with IE and Firefox but Chrome was balking and getting into a log-out cycle. I used Fireshark to take a look and noticed it was an auth.redirect action by the HOMEPAGE app that was followed by a REST API call to Opensocial calendar settings for my account – and then right back to the auth.redirect … a classic redirect loop.
As things were working in FF and IE I knew it was not a system issue but rather a problem localized to Chrome so I looked up some technotes and knowledge base articles and here is how I solved it:
Chrome can be taught to work with Kerberos delegation just as IE and FF. For “normal” SPNEGO it takes its settings from IE and will accept them, but with Exchange there is delegation going on (if you look at the Connections documentation it has you change two settings for both IE and FF, one of them refers to delegation) and Chrome needs to get a whitelist of which website it accepts delegation tickets from:
Option 1: Command line
Change the command line that starts Chrome to include a command switch:
chrome.exe --auth-negotiate-delegate-whitelist=*
Set the value to either [*] (make sure there are NO QUOTES surrounding the [*], even though some articles will have you enter it that way) or any combination of the actual URL you are connecting to, i.e.: [*.domain.com] to limit it to anything inside the intranet domain or [connections.domain.com] for only the Connections website itself. Apparently this can also be a comma-separated list of entries if that works for you.
Option 2: Create Windows Registry entry
Create this key: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
In it create a string entry: [AuthNegotiateDelegateWhitelist]
Any of the values used in the above command line example will work in this registry entry, so I suggest trying it on the command line first.
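Option 2 as a script, with a check on what is already configured (an added example, not part of the original post). A value of * lets Chrome delegate to any server it negotiates Kerberos with, so the script flags wildcard entries and writes only the single host. Assumptions: connections.domain.com is the placeholder hostname from the text above, and the function name Get-BroadDelegationEntry is made up for this example.

```powershell
# Added example: audit and set Chrome's Kerberos delegation policy.
# Key and value name are the ones given in the post. Newer Chrome releases
# call this policy AuthNegotiateDelegateAllowlist.
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$PolicyName = 'AuthNegotiateDelegateWhitelist'
$Wanted     = 'connections.domain.com'   # placeholder host, replace with your own

function Get-BroadDelegationEntry {
    # Hypothetical helper: returns the entries of a comma-separated list
    # that contain a wildcard, i.e. cover more than one named host.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
    $Value -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_.Contains('*') }
}

# Read the current value; a missing key or value yields $null.
$current = (Get-ItemProperty -Path $PolicyKey -Name $PolicyName `
                -ErrorAction SilentlyContinue).$PolicyName

if ($null -eq $current) {
    Write-Output "$PolicyName is not set"
} else {
    Write-Output "$PolicyName = $current"
    foreach ($entry in (Get-BroadDelegationEntry -Value $current)) {
        Write-Warning "Wildcard entry '$entry' allows delegation to every matching server"
    }
}

# Create the policy key if it is missing, then write the narrow value.
if (-not (Test-Path -Path $PolicyKey)) {
    New-Item -Path $PolicyKey -Force | Out-Null
}
New-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $Wanted `
    -PropertyType String -Force | Out-Null

Write-Output "$PolicyName now set to $Wanted"
```

Run it from an elevated PowerShell prompt, restart Chrome, and check chrome://policy to confirm the value was picked up.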
Enjoy – you’re welcome!

Rebranding of Notes Mail / Connections Mail and Consequences – #RebrandingFail


I received this marketing/sales email earlier today and reading it made me a bit confused and also concerned. Not because I think that IBM and email is going away, but because of the way that IBM has initialized its latest round of rebranding Notes (aka Connections Mail) there is confusion in the marketplace and this is a great example of what clients are going to be bombarded with:

Dear Victor,

IBM is ending the “Lotus” brand, and has been building more functionality into “IBM Connections”, suggesting that they may be trying to get rid of email as a single platform. Notes users have had no choice but to look for alternatives and make plans to switch over to another system.

Unfortunately, migration away from Notes is tricky and companies need 3rd party assistance to make the switch. For companies who plan to consolidate control over legacy data, the most important consideration in selecting a 3rd party is the subsequent accessibility of historical Notes data.

ZL Technologies has years of experience successfully migrating our customers off of Domino systems and specializes in providing them with a Unified system of information governance. To find out how ZL is able to accurately migrate all your legacy data while drastically reducing storage footprint and minimizing resulting operational costs, read our complimentary datasheet.

To learn more about us, please visit our website at http://www.zlti.com, or reach out to ZL experts directly at zl_info@zlti.com.

 

I have worked with ZL previously and they have a very kick-ass product. However, I can’t see the necessity for my clients to now suddenly “run for the hills” and look for another mail system. Again, I don’t really blame ZL that much as they are simply taking advantage of IBM’s efforts to sell their products. Rather, I lay the blame for this squarely at IBM. I don’t feel that the whole rebranding thing was well explained (at all!) at Connect2014 nor did I as a business partner get any follow-up and additional info. I am not sure if and how much effort IBM has extended to the follow-up of their (for me very confusing) announcement at Connect, but clearly it ain’t enough. In the absence of a clear and resounding message, messages by third parties like this are all that clients will be hearing.

I assume more companies will be using this as an opening to try and sell their services and products to make sure that those poor IBM customers that will be abandoned by IBM can safely migrate to another – hopefully much safer – platform with all their data intact and enjoy another 100 years of email longevity …

Should I tweet it … #rebrandingfail ??