With IBM Connections, there are options to utilize different SSO options. One of the easier is using Windows Integrated Authentication, better known as SPNEGO. This uses the AD domain and the user’s Windows credentials to issue a ticket that can be used to authenticate users against other resources, such as an IBM Connections site.

In some cases, this doesn’t work like it should. One example is if the user gets an email with a link to download a file stored in Connections, but hasn’t yet authenticated with the site. By default, the Files download isn’t configured to support this, it relies on getting the LTPA token after authentication to serve requests. The user gets a login page (or just the basic auth pop-up) before getting to the download page. For users that are used to never “logging in” to Connections, this can cause some anxiety and unnecessary Service Desk calls.

Here’s what you can change in IBM Connections 5.5 to get File downloads to “work” as expected. You’ll need to remove the spaces between the < symbol and the following character for the XML to work. That’s just so its readable here.

1 - Backup the web.xml from the <WASRoot>\profiles\dmgr01\config\cells\<cellname>\applications\Files.ear\deployments\Files\files.web.war\WEB-INF folder

2 - Locate the <security-contraints> nodes in the web.xml file and add the following:

    <pre>
<code>
<security-constraint>
<display-name>Forms</display-name>
<web-resource-collection>
<web-resource-name>Form</web-resource-name>
<url-pattern>/form/*</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
<http-method>DELETE</http-method>
</web-resource-collection>
<auth-constraint>
<description>Form</description>
</auth-constraint>
</security-constraint>
</code>
</pre>


3 - Perform a full resynch of all nodes

4 - Restart all clusters

Also check the SPNEGO config to make sure the url /form/anonymous/* isn’t included in the filter criteria. If it’s there, remove it, save the change and resent the nodes. SPNEGO config should be dynamic, so a restart won’t be needed.

We opened a PMR for this and we’re waiting to hear if IBM is going to make this change permanent in a future release.