Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?

Feeds

Archives

April 2025 (1)
January 2025 (1)
December 2024 (1)
November 2024 (2)
October 2024 (2)
September 2024 (1)
July 2024 (1)
May 2024 (2)
April 2024 (3)
March 2024 (1)
February 2024 (2)
January 2024 (5)
December 2023 (3)
November 2023 (2)
October 2023 (1)
September 2023 (4)
June 2023 (1)
April 2023 (3)
March 2023 (1)
February 2023 (1)
July 2022 (1)
September 2021 (1)
August 2021 (2)
May 2021 (1)
February 2021 (3)
January 2021 (1)
November 2020 (1)
October 2020 (2)
September 2020 (2)
March 2020 (1)
November 2019 (1)
August 2019 (1)
July 2019 (1)
March 2019 (1)
December 2018 (1)
November 2018 (1)
October 2018 (1)
September 2018 (1)
May 2018 (1)
January 2018 (1)
December 2017 (1)
November 2017 (1)
September 2017 (1)
March 2017 (2)
February 2017 (5)
November 2016 (1)
September 2016 (4)
April 2016 (1)
March 2016 (7)
January 2016 (1)
December 2015 (1)
November 2015 (3)
August 2015 (1)
July 2015 (2)
June 2015 (5)
May 2015 (5)
March 2015 (3)
February 2015 (2)
January 2015 (4)
December 2014 (3)
November 2014 (1)
September 2014 (4)
August 2014 (1)
May 2014 (4)
April 2014 (1)
March 2014 (2)
February 2014 (3)
January 2014 (2)
October 2013 (1)
September 2013 (1)
August 2013 (2)
July 2013 (2)
March 2013 (2)
February 2013 (4)
January 2013 (3)
December 2012 (2)
November 2012 (1)
October 2012 (2)
September 2012 (4)
August 2012 (3)
July 2012 (1)
June 2012 (6)
May 2012 (1)
February 2012 (2)
January 2012 (1)
December 2011 (4)
November 2011 (2)
September 2011 (1)
May 2011 (2)
March 2011 (1)
January 2011 (1)
November 2010 (5)
October 2010 (2)
September 2010 (2)
August 2010 (1)
July 2010 (3)
June 2010 (1)
Query results for : SSO

Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO- 15 February 2017 - (0) Comments

Thomas Hampel
 15 February 2017

This is the third post our of a series of blog posts describing how to move from password based to seamless authentication.
In level one and two I explained how to configure Domino for LDAP / Active Directory authentication. Although there is no need to remember the Domino HTTP password anymore, users still have to provide username/password when they log into (e.g.) iNotes. The next level is to automatically authenticate users - this is what I am going to describe in this article.

Level 3 - SPNEGO

At first, some basic information:
SPNEGO is a standard specification defined in RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism, allowing authentication of browser clients.
It can be used for seamless browser authentication aka Windows Integrated Authentication (WIA). It can not be used for Notes clients, Traveler or Sametime.

Pros and Cons

+ Seamless authentication for browser clients on Windows
- It's Windows only
- Does'nt work for Traveler and Sametime
- You can not really log off or switch users anymore.

Warning:
  • SPNEGO will only work for clients and Domino servers running on Windows and are member of a Windows Domain
  • Each URL must have exactly ONE ActiveDirectory object to match the Service Principle Name.
  • If you plan to run multiple internet sites on the same Domino server, you MUST run the Domino server task using a Domain user account. Image:Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO
  • For clustered internet sites, you MUST run the Domino server task using THE VERY SAME user account.
  • Running Domino with credentials other than the local system account will make your server fully dependent on this user account.
    If its locked out, has expired, or is removed by accident, your Domino servers wont run. All of them... at once!

Prerequisites
How to...
Remarks:
  • Using SPNEGO you can not really log off anymore, nor switch to another user other than by logging off/on at OS level.
    However there is a trick using a custom login form to get this done which I will describe in the next level.
  • Although highly recommended SPNEGO does not require SSL, it works with plain HTTP as well this might be useful for debugging purposes.

Frequently Asked Questions

What to do in a mixed environment?

You can use one machine on Windows as your authentication server and configure Domino Multi-Server-SSO.
Experienced admins will take a look at this OpenNTF project : SSO for Web for non Windows Servers

What to do in Non-Windows environment like Linux, AIX, or what if there is no Windows Domain?

Set up a Domino server on Windows (who wants that?) or skip this level and wait for my blog post desribing SAML authentication.

References and further reading

Domino SingleSignOn - Level 2 - Self Service Password Reset Application - 14 February 2017 - (0) Comments

Thomas Hampel
 14 February 2017

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the second post our of a series of blog posts describing how to move from password based to seamless authentication.
Once you have established LDAP Authentication you can approach the next stage:

Level 2 - Self Service Password Reset Application

Combined with a Self Service Password Request HTTP application (or this fancy one ) users can reset Notes password without the help of an administrator just by using a web browser.
Users must be authenticated in order to reset their own password, but due to the configuration done in level 1 they can use Active Directory credentials to log in.
Once authenitcated a user can just define a new password which is applied immediately in the IDVault. And just seconds later the password can be used to log into the Notes Client.
Image:Domino SingleSignOn - Level 2 - Self Service Password Reset Application

Pros and Cons

+ Lost/forgotten passwords on a monday morning are no longer your problem. Users can handle this problem alone.
+ You don't need to distribute NotesID passwords for newly created users.
- There still is a NotesID password to remember
- There still is a password prompt every time you start the Notes client and/or every time you open an encrypted mail in iNotes
- The Self Service Password Request HTTP application does not apply any feedback on password quality or strength.

Prerequisites:
  • Notes ID Vault has been established and contains the NotesID’s of all users
  • User must be authenticated, preferably using Active Directory authentication as described in the previous post level 1
  • Custom Password Reset application template,
    Please note the template provided by IBM as part of the Domino server is not officially supported and is provided as example only. See Technote 1330905

Configuration

Setup instructions have already been provided by IBM, so I'm not describing those steps again.
Once completed you should have a functioning PW reset application. However, I would like to highlight a few important details
  • The agent and the form needs to be signed with an ID which has IDVault Password Reset authority
  • The ACL of this database must have an Administration server defined, the Admin server specified there must be the one that hosts the IDVault.

For improved usability I do recommend a little tuning:
  • Create a URL which users can remember, e.g. by creating a web redirect rule
    http://yourserver.domain.com/passwordreset ==> /pwreset.nsf
  • Modify the form “fmPasswordReset” to display your corporate password rules, e.g.
    “The new password must have a minimum of 8 characters. It must contain a mixture of lowercase alphabetic, uppercase alphabetic, numbers and special characters. Three of these four conditions must be met.”
  • Modify the source code to confirm the password change request has been submitted and to verify if password rules have been followed.
    Without this modification users will not get any feedback if the new password has been applied or not.
    so update the source code of the Form “Password Change” , Sub “OnSubmit” as follows:
var i = 0;
var k = 0;
var h = 0;
var have = [0, 0, 0, 0];
var characters = ["abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "0123456789"];
var minLen = 8;
var minDif = 3;
var pw1 = document.forms[0].pw1.value;
var pw2 = document.forms[0].pw2.value;
for (i=0; i {
       h = 3;
       for (k=0; k        {
               if(characters[k].indexOf(pw1.substr(i,1)) >= 0)
               {
                       h = k;
               }
       }
       have[h] = 1;
}

if ( pw1.length < minLen )
{
       alert("You must enter a password with at least " + minLen + " characters");
       return false
}
else if( pw1 != pw2 )
{
       alert("Entered password don't match");
       return false
}
else if( have[0] + have[1] + have[2] + have[3] < minDif )
{
       alert("Password must be more complex,  use Numbers, Lower-, Upper-, Special-Characters");
       return false
}
else
{
       alert("Thank you, your request has been submitted. The new password can be used now.");
       return true
}
  • In order to support clustered environments the source code of the agent “User Password Reset” needs to be updated as follows:
Set Doc = Session.DocumentContext
Call
Session.ResetUserPassword( session.Currentdatabase.Acl .Administrationserver,"",Doc.GetItemValue("pw1")(0))


Conclusion

Self Service Password Reset application combined with LDAP authentication will eliminate the need to distribute Notes ID passwords to end users.
Administrators can register new NotesID's with completely random passwords that they do not need to remember nor need to distribute to end users.
Notes client setup instructions can be simplified so that end users have to define the password themselfes before they can start Notes for the first time.

References:

Thomas Hampel, All rights reserved.