Internet Explorer – Edge Mode without SPNEGO SSO

Created:
Last Update:

Author: Christoph Stoettner
Read in about 2 min · 268 words

Fountain pen and a notebook

Photo by Aaron Burden | Unsplash

Last week I had an issue that some Domino Server didn’t provide SSO through SPNEGO any longer (environment worked for over 2 years now). This environment uses the customized domcfg.nsf template of Andreas Artner , maybe it’s related, but I don’t think so, on Windows 7 with latest Internet Explorer 11 and Domino Servers 9.0.1 with latest fix pack.

So what happened? The Domino servers are placed in the “Local Intranet Zone” of IE through Group Policy from beginning. The Windows administrators started to enable “Enterprise Mode” for better handling of compatibility mode and one of the steps is to deactivate the “Display intranet sites in compatibility View” option.

After this, all sites which are not explicitly configured in “Enterprise Mode” are loading in “Edge Mode” and not longer in quirks mode.

Nearly everything worked fine, XPages load every HTML5 Element, the sites seem to deliver content faster and so on.

BUT:

The configured SPNEGO authentication does not load any longer. The domcfg.nsf loads directly the fallback login form. I analyzed with Fiddler 4 , but nothing suspicious was in the trace. So we configured one Domino Url to load in Quirks Mode (IE Level 5) and Desktop SSO worked immediately. So we played with the different levels and it showed that only the “Edge Mode” in IE11 made problems, when we went a step back and used the IE 10 compatibility mode everything worked: XPages, HTML5 and Desktop Single Sign-On.

I hope this saves you some time during troubleshooting, I think the Enterprise Mode is a trending thing and removing the Quirks Mode is an important step.

Author
Add a comment
Error
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Aaron Burden: Fountain pen and a notebook
Since years i think that the Internet Lockout Feature of IBM Domino is not enough. The function is documented here: IBM Domino Administrator Help Cite of this document: There are some usage restrictions for Internet password lockout: You can only use Internet password lockout with Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus® Quickr®, and IBM Sametime® are not currently supported. However, Internet password lockout can be used for Web access if the password that is used for authentication is stored on an LDAP server So documentation tells us, that only HTTP can be secured through inetlockout.
Created:
Last Update:
Read in about 3 min
Aaron Burden: Fountain pen and a notebook
You can use policy setting document “Mail settings” to deploy a standard message disclaimer for your users. First you have to configure your domino server which makes the smtp conversion of internet mails. For this server open the “configuration document” and check if “Message disclaimers” is enabled. Now we need a policy for all traveler users, or if you want to deploy personalized signatures, for each traveler user. I created a dynamic policy (explicit policy document and set of group/user in “policy assignment”) for my traveler user and made a mail setting document for the disclaimer: “Notes client can add disclaimer” to disabled: So the server will append/prepend the disclaimer text.
Created:
Last Update:
Read in about 1 min
Aaron Burden: Fountain pen and a notebook
In only two weeks starts LCTY Edcom Nachlese 2012 in Munich. I prepare a session on Single Sign On in Notes / Domino environments. So i had time to check some settings in Lotus Notes. Since 8.5.3 we have a new option Domino-SSO for Connections Plugin. I made several tests with my installed Notes Client on Mac OS, but i had no success. I tested with several settings in the preferences dialog and with different settings in plugin_customization.ini . I had one configuration where i can use Sametime Tokenbased Login and leave “Domino Single Sign-On Server” empty in connections preferences, but this works only with running Notes Client and i had to apply the setting again after restart the client.
Created:
Last Update:
Read in about 1 min