Home
IBM® Domino 10.0.1 Documentation
Welcome to the IBM® Domino 10.0.1 Administrator Help.
Securing
This section describes IBM® Domino® security features, including execution control lists, IDs, and SSL.
Multi-server session-based authentication (single sign-on)
Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino® or WebSphere® server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.
Setting up Windows™ single sign-on for Web clients
You can set up a Domino® Web server to honor Microsoft™ Windows™ users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.

IBM® Domino 10.0.1 Documentation
Welcome to the IBM® Domino 10.0.1 Administrator Help.
- What's new in IBM® Domino® 10?
  Learn about all of the new features for administrators in IBM® Domino® 10.
- Overview
  Welcome to IBM® Domino® Administrator Help.
- Installing
  Use this documentation to install the IBM® Domino® server and subsequently deploy the IBM Notes® client.
- Planning
  Use this topic as an overview of planning task.
- Configuring
  Use this information to configure an IBM® Domino® network, users, servers (including Web servers), directory services, security, messaging, widgets and live text, and server clusters. Also use this information to set up IBM iNotes® on a server using Domino Off-Line Services (DOLS).
- Securing
  This section describes IBM® Domino® security features, including execution control lists, IDs, and SSL.
  - Overview of Domino security
    Setting up security for your organization is a critical task. Your security infrastructure is critical for protecting your organization's IT resources and assets. As an administrator, you need to give careful consideration to your organization's security requirements before you set up any servers or users. Up-front planning pays off later in minimizing the risks of compromised security.
  - Server access for Notes® users, Internet users, and Domino® servers
    To control user and server access to other servers, Domino® uses the settings you specify on the Security tab in the Server document as well as the rules of validation and authentication. If a server validates and authenticates the Notes® user, Internet user, or server, and the settings in the Server document allow access, the user or server is allowed access to the server.
  - The database access control list
    Every .NSF database has an access control list (ACL) that specifies the level of access that users and servers have to that database. Although the names of access levels are the same for users and servers, those assigned to users determine the tasks that they can perform in a database, while those assigned to servers determine what information within the database the servers can replicate. Only someone with Manager access can create or modify the ACL.
  - Domino® server and Notes® user IDs
    Domino® uses ID files to identify users and to control access to servers. Every Domino server, Notes® certifier, and Notes user must have an ID.
  - The execution control list
    You use an execution control list (ECL) to configure workstation data security. An ECL protects user workstations against active content from unknown or suspect sources, and can be configured to limit the action of any active content that does run on workstations.
  - Domino® server-based certification authority
    You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
  - SSL security
    Secure Sockets Layer (SSL) is a security protocol that provides communications privacy and authentication for Domino® server tasks that operate over TCP/IP.
  - SSL and S/MIME for clients
    Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure SSL and S/MIME communication.
  - Encryption
    Encryption protects data from unauthorized access.
  - Name-and-password authentication for Internet/intranet clients
    Name-and-password authentication, also known as basic password authentication, uses a basic challenge/response protocol to ask users for their names and passwords and then verifies the accuracy of the passwords by checking them against a secure hash of the password stored in Person documents in the Domino® Directory.
  - Multi-server session-based authentication (single sign-on)
    Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino® or WebSphere® server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.
    - Creating a Web SSO configuration document
      The Web SSO configuration document is a domain-wide configuration document stored in the IBM® Domino® Directory. This document, which should be replicated to all Domino servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for verifying user credentials.
    - Enabling single sign-on and basic authentication
      This procedure ensures that a server can participate in single sign-on (SSO). An SSO-enabled server creates single sign-on cookies for users, allowing them to log in to the server and then be able to access other participating servers without having to log in again.
    - Setting up the Web SSO Configuration document for more than one Domino® domain
      You can enable servers in your current Domino® domain for single-sign on (SSO) with servers in another Domino domain, by setting up both domains to use the same key information.
    - Configuring user name mapping in the SSO LTPA token
      The LTPA token that is created to authenticate users for single sign-on includes the name of the user who has been authenticated. When IBM® Domino® creates an LTPA token, it places the Domino distinguished name in the token by default. If a IBM WebSphere® Application Server server obtains the token from a user trying to access the server, the Websphere server must be able to recognize this name format. If it does not, the token is ignored, single sign-on fails, and the user is prompted to log in again.
    - Caching Internet password changes for SSO
      When Web users change their Internet passwords, the IBM® Domino® HTTP server remembers the new Internet password in its cache. Caching is required because it can take some time for the password change to take effect, as the change must be processed by the Domino administration server and replicated throughout the Domino environment.
    - Setting up Windows™ single sign-on for Web clients
      You can set up a Domino® Web server to honor Microsoft™ Windows™ users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.
      - Windows™ single sign-on for Web clients across multiple Active Directory domains
        If your Windows™ environment includes multiple Active Directory domains, you can set up Windows single sign-on for Web clients to function across the domains. There are additional requirements and recommendations for this configuration.
      - Considerations if you deploy a DSAPI filter in a Windows™ single sign-on environment
        Windows™ single sign-on for Web clients can be used in conjunction with IBM® Domino® Web server customizations. DSAPI (Domino web server application programming interface) is a C API you can use to write your own extensions to the Domino Web server, whereby these extensions (for example filters) allow you to customize the behavior of the Web server.
      - Preparing a Domino® server for Windows™ single sign-on for Web clients
        You must prepare a Domino® server for Windows™ single sign-on for Web clients.
      - Setting up the Windows™ service for Domino®
        To enable a Domino® server to participate in Windows™ single sign-on for Web clients, an Active Directory administrator must use the Active Directory setspn utility to assign at least one service principal name (SPN) for the server to an Active Directory account. SPNs correspond to DNS names in server URLs (for example, www.renovations.com) that Web clients use to connect to the Domino server.
      - Configuring user name mapping in a Windows™ single sign-on for Web clients environment
        Web users that participate in Windows™ single sign-on for Web clients have accounts in Active Directory. They usually have Person documents in the Domino® Directory too. You configure user name mapping to enable a IBM® Domino server to reconcile user names found in both directories.
      - Configuring Web client browsers for Windows™ single sign-on
        To set up Windows™ single sign-on for Web clients, you must set up browsers to authenticate to theIBM® Domino® server using SPNEGO.
      - Enabling integrated Windows™ authentication (IWA) for Eclipse-based clients
        Integrated Windows™ authentication (IWA) is available for supplied and third-party Eclipse-based client applications, enabling SPNEGO authentication for Eclipse-based features and applications within Notes® client. Examples include Widgets and Live Text and Feeds, IBM® Connections, Composite Applications, embedded IBM Sametime®, and embedded Symphony®. IWA also works with products that are based on Eclipse but not embedded within Notes, such as IBM WebSphere® Portal with SiteMinder and stand-alone Connections 3.0 with SiteMinder.
  - Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
    Federated identity is a means of achieving single sign-on, providing user convenience and helping to reduce administrative cost. In Domino® and Notes®, federated identity for user authentication uses the Security Assertion Markup Language (SAML) standard from OASIS.
  - Using a credential store to share credentials
    In this release, the on-premises Domino® server can use a credential store application (credstore.nsf). The credential store is a secure repository for document encryption keys and other tokens necessary for Notes® client users to grant access to applications that use the OAuth (open authorization) protocol. OAuth allows user credentials to be shared with compliant applications so that users avoid extra password prompts.
- Administering
  This documentation provides information about the administration tools for managing and monitoring IBM Domino® servers and databases.
- Tuning
  Use this information to improve IBM® Domino® server, Domino Web server, and messaging performance through the use of resource balancing and activity trends, Server.Load commands, advanced database properties, cluster statistics, and the Server Health Monitor.
- Troubleshooting
  This section describes how to find and solve problems with IBM® Domino® server and Administrator client.
- Glossary

Setting up Windows™ single sign-on for Web clients

You can set up a Domino® Web server to honor Microsoft™ Windows™ users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.

About this task

The Domino® Web server uses Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the underlying Kerberos network authentication security that is provided by Active Directory to negotiate the authentication with a browser client.

Restriction: Windows single sign-on for Web clients is incompatible with SAML deployment. If the Domino Web server is configured for SAML session authentication, Windows single sign-on for Web clients must be disabled in any SSO configuration document used by the SAML-enabled Web server.

Requirements:

Microsoft™ Windows™ Server Active Directory Domain Controller.
The functional level of an Active Directory domain (or forest in the case of multiple domains) must be set to Windows™ Server 2003 or higher. Backwards compatible modes for Windows™ Server 2003 cannot be used. For example, you cannot set Windows™ Server 2003 to use Windows™ 2000 mixed mode. To check the domain and forest functional level, from the Active Directory Users and Computers snap-in utility, right-click the domain, click Properties, and look at the General tab.
Domino® server running on a Windows™ computer that is a member of an Active Directory domain.
Domino® server configured for multi-server session-based authentication (single sign-on).
Browsers that are supported by Domino® running on Windows™ clients that are logged on to the Active Directory domain and that have network access to the Active Directory server.
Web users with accounts in Active Directory.

Procedure