Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?


Previous Document Next Document

Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO

Thomas Hampel
 15 February 2017

This is the third post our of a series of blog posts describing how to move from password based to seamless authentication.
In level one and two I explained how to configure Domino for LDAP / Active Directory authentication. Although there is no need to remember the Domino HTTP password anymore, users still have to provide username/password when they log into (e.g.) iNotes. The next level is to automatically authenticate users - this is what I am going to describe in this article.

Level 3 - SPNEGO

At first, some basic information:
SPNEGO is a standard specification defined in RFC 2478 - The Simple and Protected GSS-API Negotiation Mechanism, allowing authentication of browser clients.
It can be used for seamless browser authentication aka Windows Integrated Authentication (WIA). It can not be used for Notes clients, Traveler or Sametime.

Pros and Cons

+ Seamless authentication for browser clients on Windows
- It's Windows only
- Does'nt work for Traveler and Sametime
- You can not really log off or switch users anymore.

  • SPNEGO will only work for clients and Domino servers running on Windows and are member of a Windows Domain
  • Each URL must have exactly ONE ActiveDirectory object to match the Service Principle Name.
  • If you plan to run multiple internet sites on the same Domino server, you MUST run the Domino server task using a Domain user account. Image:Domino SingleSignOn - Level 3 - Seamless Kerberos authentication via SPNEGO
  • For clustered internet sites, you MUST run the Domino server task using THE VERY SAME user account.
  • Running Domino with credentials other than the local system account will make your server fully dependent on this user account.
    If its locked out, has expired, or is removed by accident, your Domino servers wont run. All of them... at once!

How to...
  • Using SPNEGO you can not really log off anymore, nor switch to another user other than by logging off/on at OS level.
    However there is a trick using a custom login form to get this done which I will describe in the next level.
  • Although highly recommended SPNEGO does not require SSL, it works with plain HTTP as well this might be useful for debugging purposes.

Frequently Asked Questions

What to do in a mixed environment?

You can use one machine on Windows as your authentication server and configure Domino Multi-Server-SSO.
Experienced admins will take a look at this OpenNTF project : SSO for Web for non Windows Servers

What to do in Non-Windows environment like Linux, AIX, or what if there is no Windows Domain?

Set up a Domino server on Windows (who wants that?) or skip this level and wait for my blog post desribing SAML authentication.

References and further reading
Tagged with: Administration Best Practice SingleSignOn SSO
No Comments Found
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.