Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Domino SingleSignOn - Level 1 - LDAP Authentication

Thomas Hampel
 13 February 2017

Based on a recent discussion with a customer it seems there still is not enough information on how to simplify authentication for Notes/Domino users.
This is the first post out of a series of blog posts describing how to move from password-based to seamless authentication.

Level 1 – LDAP Authentication

The main goal of this level is to provide users with the ability to authenticate with Domino internet protocols such as HTTP using LDAP (e.g. Active Directory) credentials. The Notes Client authentication remains unchanged.
When using a web browser to access a Domino server, users will be prompted for username and password.
This authentication dialog looks like one of the following examples:
[Image: two browser login dialogs - Domino SingleSignOn - Level 1 - LDAP Authentication]
Credentials entered here will be forwarded to Active Directory for authentication.
During this process the username and password are sent over the network, so it is highly important to secure the transmission using SSL/TLS.

Pros and Cons

+ Lost/forgotten passwords on a Monday morning are no longer your problem. The AD guys have to take care :)
+ No need to manage HTTP passwords and no need to sync HTTP and Notes passwords
- All authentication requests will be forwarded to LDAP/AD, so entering a wrong password multiple times will (depending on your policy) lock out your AD account.

Prerequisites:

In order for Active Directory authentication to work, the Notes user name must be stored within Active Directory (or the AD name must be stored in Domino). This is required to map the Active Directory user name to a Notes user name.
  • Within Active Directory, each user object must have a (custom) attribute storing the Notes user name in DN format. This format is the full canonical user name of the Notes user (e.g. “CN=Firstname Lastname,OU=Department,O=Company”) where every slash (“/”) is replaced by a comma (“,”).
  • The name of this (custom) attribute of the user object in Active Directory can be any name of your choice. I will be using “mailNickname”, but you can use any other attribute you like.
    It is recommended to include this attribute in the AD index for performance reasons. For details on how to do this, please refer to this article, which relates to an older version of AD but is still valid.
  • Synchronization from the Domino Directory to Active Directory is done on a regular basis, e.g. by using TDI (which is free for Domino customers) with some AssemblyLines for Domino.
  • A non-expiring Active Directory user account is required that will be used by Domino for Single SignOn purposes.
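The name mapping described above is the part that most often goes wrong during synchronization: the value written into the AD attribute must be the Notes canonical name with slashes turned into commas, and a comma inside a component would otherwise be read by LDAP as an RDN separator. The following is an added example (not code from this post, and not part of TDI or Domino) that converts a Notes hierarchical name into the DN-style attribute value and back, escaping RFC 4514 special characters. For abbreviated Notes names (without CN=/OU=/O= labels) it assumes that the first component is the CN, the last is the O and everything in between is an OU; a country component (C=) is only handled when it is given explicitly.

```python
# Added example: Notes hierarchical name <-> LDAP-style DN attribute value.
# Assumption: abbreviated names are expanded as first=CN, last=O, middle=OU.

# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value
_DN_SPECIALS = ',+"\\<>;'


def _escape_rdn_value(value: str) -> str:
    """Escape one RDN value so that e.g. 'Smith, John' is not split into two RDNs."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def notes_to_ldap_dn(notes_name: str) -> str:
    """Convert a Notes name ('CN=John Smith/OU=Sales/O=Acme' or 'John Smith/Sales/Acme')
    into the comma-separated DN form stored in the AD attribute (e.g. mailNickname)."""
    parts = [p.strip() for p in notes_name.split('/')]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError(f"not a hierarchical Notes name: {notes_name!r}")
    typed = []
    for idx, part in enumerate(parts):
        if '=' in part:
            # canonical component with an explicit type label
            attr, _, val = part.partition('=')
            typed.append((attr.strip().upper(), val.strip()))
        else:
            # abbreviated component: position decides the type (assumption, see lead-in)
            attr = 'CN' if idx == 0 else ('O' if idx == len(parts) - 1 else 'OU')
            typed.append((attr, part))
    if typed[0][0] != 'CN' or typed[-1][0] not in ('O', 'C'):
        raise ValueError(f"unexpected name structure: {notes_name!r}")
    return ','.join(f"{attr}={_escape_rdn_value(val)}" for attr, val in typed)


def _split_dn(dn: str) -> list:
    """Split a DN on unescaped commas and remove the escaping backslashes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i + 1])   # keep the escaped character literally
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur))
    return rdns


def ldap_dn_to_notes(dn: str) -> str:
    """Reverse mapping: AD attribute value -> Notes canonical name with slashes.
    Validates that the value starts with a CN component, as Domino expects."""
    typed = []
    for rdn in _split_dn(dn):
        attr, sep, val = rdn.partition('=')
        if not sep or not attr.strip() or not val.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        typed.append((attr.strip().upper(), val.strip()))
    if typed[0][0] != 'CN':
        raise ValueError(f"attribute value does not start with CN=: {dn!r}")
    return '/'.join(f"{attr}={val}" for attr, val in typed)


if __name__ == "__main__":
    # Constructed sample names; these are not real users.
    for name in ("CN=John Smith/OU=Sales/O=Acme", "Jane Doe/Acme", "CN=Smith, John/O=Acme"):
        value = notes_to_ldap_dn(name)
        print(f"{name!r:40} -> {value!r:40} -> {ldap_dn_to_notes(value)!r}")
```

Running the round trip over the names you intend to synchronize is a cheap pre-check before the TDI AssemblyLine writes anything into AD: a value that does not convert back to the original Notes name will not be matched by Directory Assistance later.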
How to reconfigure Domino HTTP authentication to use Active Directory for authentication of browser sessions?
If not already done:
  • Import the trusted root certificate of the LDAP server into the key ring file of the Domino server.
    Please note that Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
  • Create a Directory Assistance (DA) database
  • Add the DA to your Domino server document
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication

Okay, what's next:
  1. Within the Directory Assistance database, add a new document and configure it like shown below:
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
    Of course you are supposed to supply your correct Kerberos realm name. If in doubt, ask your AD admin.
  2. Set "Trusted for Credentials" to Yes
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  3. Configure how to connect to the LDAP server.
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  4. Save & close

Now restart the Domino server and check if LDAP is being shown in the list of directories.
Issue the command "Show xdir" at the server console for details.

Troubleshooting:

Apache LDAP Studio is your friend. Make sure your LDAP credentials are working correctly and that your Base DN is providing the expected results before setting up Directory Assistance towards AD.
Some more hints:
  • You can specify multiple LDAP servers; they will be used one after the other based on the search order you have supplied.
  • The search order in the Directory Assistance document must be unique. You cannot use the same "Search order" twice.
  • Domino will be the client for the LDAP session in this case, so the *.kyr file that is being used is the one in the server document!
    If you are using Internet Sites, then edit the server document, disable Internet Sites (without saving) and specify the *.kyr file there. When done, switch back to the Basics tab and re-enable Internet Sites.
    The file specified will still be used for all outbound connections; the kyr file specified in the Internet Site document is used for inbound connections only!
    Image:Domino SingleSignOn - Level 1 - LDAP Authentication
  • These Notes.ini variables will increase the log level for further debugging:
    debug_directory_assistance=1
    debug_namelookup=1

Result:

When prompted for username/password you can now use your Active Directory username and AD password.
Transitioning from Domino HTTP passwords to AD passwords is seamless, because users can still use the Domino HTTP password even after LDAP authentication has been configured.
Once the transition is completed you should clear the HTTP password field in the person document.
Thomas Hampel, All rights reserved.