~Tony Zekfootexikle
Feb 20, 2014, 3:51 PM
9 Posts

consider SAML instead

The Windows single sign-on for Web clients feature can operate across Windows domains, see here: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=%2Fcom.ibm.help.domino.admin85.doc%2FH_SETTING_UP_WINDOWS_SINGLE_SIGN_ON_FOR_WEB_CLIENTS_FOR_MULTIPLE_ACTIVE_DIRECTORY_DOMAINS_STEPS.html

However, it should be noted that there are limitations related to your scenario. In particular, there is a browser session cookie which is set for performance reasons (otherwise SPNEGO negotiation might take place on every HTTP request); the browser session cookie is scoped to a particular DNS domain and cannot cross DNS boundaries such as company.org and product.org.

Rather than use the Windows single sign-on for Web clients feature, I recommend that you investigate using Domino 9.01 SAML web authentication. This feature can leverage a Microsoft ADFS identity provider that is integrated with Active Directory, and provide transparent user authentication by SPNEGO/Kerberos. There are a variety of options for achieving single sign-on across DNS boundaries.

Best regards,
Jane Marcus
~Wei Feztumilitjip
Feb 21, 2014, 6:57 AM
2 Posts

found it

Hi Jane,

thanks, I found my mistake. The Domain field of the LTPA Token must be the DNS domain (product.org) and not the Windows domain DNS company.org. I'll try playing with SAML, it sounds interesting.

Thanks
Bernd
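
The DNS scoping both posts refer to, as an added example that is not part of the original thread: a Python sketch of the RFC 6265 domain-match rule that browsers apply before sending a cookie, used to check which servers would receive an SSO cookie scoped to a given domain. Only company.org and product.org come from the thread; the hostnames and function names are constructed for illustration.

```python
import ipaddress


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: does a request host match a cookie's Domain?"""
    host = host.lower()
    domain = cookie_domain.lower()
    # A single leading dot in the Domain attribute is ignored (section 5.2.3).
    if domain.startswith("."):
        domain = domain[1:]
    if not domain:
        return False
    if host == domain:
        return True
    # IP-address hosts only ever match exactly, never by suffix.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # Suffix match must fall on a label boundary: "notproduct.org" is not
    # inside "product.org", but "mail.product.org" is.
    return host.endswith("." + domain)


def sso_cookie_coverage(cookie_domain: str, hosts: list[str]) -> dict[str, bool]:
    """Map each server host to whether a browser would send it the cookie."""
    return {h: domain_match(h, cookie_domain) for h in hosts}


# Constructed hostnames for the two DNS domains named in the thread.
HOSTS = ["mail.product.org", "portal.company.org", "notproduct.org"]

if __name__ == "__main__":
    for cookie_domain in ("company.org", "product.org"):
        print(f"SSO cookie Domain={cookie_domain}")
        for host, sent in sso_cookie_coverage(cookie_domain, HOSTS).items():
            print(f"  {host:22} {'sent' if sent else 'NOT sent'}")
```
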