Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO
Thomas Hampel
15 February 2017
This is the third post of a series of blog posts describing how to move from password-based to seamless authentication.
In levels one and two I explained how to configure Domino for LDAP / Active Directory authentication. Although users no longer need to remember a Domino HTTP password, they still have to type their username and password when they log in to, for example, iNotes. The next level is to authenticate users automatically, and that is what this article describes.
Level 3 - SPNEGO
At first, some basic information:
SPNEGO is a standard specification defined in RFC 2478 (since obsoleted by RFC 4178) - The Simple and Protected GSS-API Negotiation Mechanism. By itself it only negotiates which security mechanism (Kerberos or NTLM) client and server will use; RFC 4559 describes how browsers carry it in the HTTP "Negotiate" authentication scheme, and this post is about the Kerberos case.
It can be used for seamless browser authentication, also known as Windows Integrated Authentication (WIA). It cannot be used for Notes clients, Traveler or Sametime.
Pros and Cons
+ Seamless authentication for browser clients on Windows
- It's Windows only
- Doesn't work for Traveler and Sametime
- You cannot really log off or switch users anymore.
Warning:
- SPNEGO will only work for clients and Domino servers that run on Windows and are members of a Windows domain.
- Each host name users enter in the URL must map to exactly ONE Active Directory object holding the matching Service Principal Name (SPN, of the form HTTP/<fqdn>). A duplicate SPN makes Kerberos authentication fail; setspn -X lists duplicates.
- If you plan to run multiple internet sites on the same Domino server, you MUST run the Domino server task using a domain user account.
- For clustered internet sites, you MUST run the Domino server task on every cluster member using THE VERY SAME user account.
- Running Domino with credentials other than the local system account makes your server fully dependent on this user account.
If it is locked out, has expired, or is removed by accident, your Domino servers won't run. All of them... at once!
Prerequisites
- You have carefully read the warning (above) and accept the consequences.
- You have successfully completed Level 1 - LDAP Authentication
- Follow these instructions: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
- Then configure the browsers as described here: Configuring Web client browsers for Windows single sign-on
Remarks:
- Using SPNEGO you cannot really log off anymore, nor switch to another user, other than by logging off/on at OS level.
However, there is a trick using a custom login form to get this done, which I will describe in the next level.
- Although highly recommended, SSL is not required for SPNEGO; it works with plain HTTP as well, which can be useful for debugging. Keep in mind that the Kerberos token in the Authorization header and the SSO token cookie Domino sets after a successful negotiation then travel in the clear.
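When the seamless login does not happen, the first thing to check is what the browser actually put into the Authorization: Negotiate header: a Kerberos SPNEGO token, or an NTLM fallback, which Windows sends when it cannot obtain a Kerberos ticket (typically because no matching SPN exists) and which will not give you the seamless Kerberos login this post is about. The following Python script is an added example, not code from the original post or from Domino. It decodes just enough of the GSS-API/SPNEGO framing (RFC 2743, RFC 4178) to list the mechanisms the browser offered, recognises raw NTLM, and builds its own constructed sample tokens so that it runs offline. The OID constants are the registered ones; build_sample_token, build_raw_ntlm_sample and the dummy mechToken they embed are assumptions made for illustration and are not real tickets.

```python
"""Classify what a browser sent in 'Authorization: Negotiate <base64>'.

Added example, not Domino code: decodes only the GSS-API InitialContextToken /
SPNEGO NegTokenInit framing (RFC 2743, RFC 4178) far enough to name the offered
mechanisms, and recognises the raw NTLMSSP message Windows sends as a fallback.
"""
import base64

# Registered OIDs (not assumptions).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"      # Microsoft's legacy Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "Kerberos (MS KRB5)", OID_NTLMSSP: "NTLMSSP"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Dotted form of a DER OID value (first arc < 2, which covers every OID used here)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(b64token):
    """Return (kind, mechs): kind is 'ntlm', 'spnego' or 'unknown'; mechs lists the
    offered mechanisms in the browser's preference order (only for 'spnego')."""
    try:
        raw = base64.b64decode(b64token)
        if raw.startswith(b"NTLMSSP\x00"):           # raw NTLMSSP message, no SPNEGO wrapper
            return "ntlm", []
        tag, body, _ = _read_tlv(raw, 0)             # [APPLICATION 0] InitialContextToken
        if tag != 0x60:
            return "unknown", []
        tag, oid, pos = _read_tlv(body, 0)           # thisMech OID must be SPNEGO
        if tag != 0x06 or _decode_oid(oid) != OID_SPNEGO:
            return "unknown", []
        tag, neg_init, _ = _read_tlv(body, pos)      # [0] NegTokenInit
        if tag != 0xA0:
            return "unknown", []
        _, seq, _ = _read_tlv(neg_init, 0)           # NegTokenInit ::= SEQUENCE
        tag, mech_types, _ = _read_tlv(seq, 0)       # [0] mechTypes
        if tag != 0xA0:
            return "spnego", []
        _, oids, _ = _read_tlv(mech_types, 0)        # SEQUENCE OF MechType
        mechs, pos = [], 0
        while pos < len(oids):
            _, oid, pos = _read_tlv(oids, pos)
            dotted = _decode_oid(oid)
            mechs.append(OID_NAMES.get(dotted, dotted))
    except (ValueError, IndexError):
        return "unknown", []
    return "spnego", mechs


def is_seamless_kerberos(b64token):
    """True only if the preferred mechanism (the one mechToken was built for) is Kerberos."""
    kind, mechs = classify_negotiate_token(b64token)
    return kind == "spnego" and bool(mechs) and mechs[0].startswith("Kerberos")


# --- constructed sample tokens (assumption: short-form lengths, dummy mechToken) ---

def _tlv(tag, value):
    """Minimal DER encoder (short-form lengths only) for the samples below."""
    if len(value) >= 128:
        raise ValueError("sample builder supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_token(mech_oids, mech_token=b"\x00"):
    """Constructed NegTokenInit offering mech_oids; mech_token is a dummy, not a real ticket."""
    mech_list = b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)
    neg_init = _tlv(0x30, _tlv(0xA0, _tlv(0x30, mech_list)) + _tlv(0xA2, _tlv(0x04, mech_token)))
    body = _tlv(0x06, _encode_oid(OID_SPNEGO)) + _tlv(0xA0, neg_init)
    return base64.b64encode(_tlv(0x60, body)).decode()


def build_raw_ntlm_sample():
    """Constructed NTLMSSP Type 1 prefix, as a browser sends it when it falls back to NTLM."""
    return base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()


if __name__ == "__main__":
    for label, tok in [("windows browser", build_sample_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])),
                       ("ntlm-only spnego", build_sample_token([OID_NTLMSSP])),
                       ("raw ntlm", build_raw_ntlm_sample())]:
        print(label, classify_negotiate_token(tok), "seamless:", is_seamless_kerberos(tok))
```

Copy the header value from the browser's developer tools or from a packet capture on the plain-HTTP debugging setup described above. Real Kerberos tokens are several hundred bytes long, so their base64 starts with "YII" (long-form DER lengths), whereas a value starting with "TlRMTVNTUAAB" is a raw NTLM Type 1 message; the script makes the same distinction without guessing from the prefix.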
Frequently Asked Questions
What to do in a mixed environment?
You can use one machine on Windows as your authentication server and configure Domino Multi-Server-SSO.
Experienced admins will take a look at this OpenNTF project : SSO for Web for non Windows Servers
What to do in Non-Windows environment like Linux, AIX, or what if there is no Windows Domain?
Set up a Domino server on Windows (who wants that?) or skip this level and wait for my blog post describing SAML authentication.
References and further reading
- Technote 1394592 - Troubleshooting Windows single sign-on for Web clients (SPNEGO)
- Domino and Active Directory integration (using Domino to store AD user names; this is the opposite of Level 1 - LDAP Authentication)