Setting up session-based name-and-password authentication
Setting up session-based name-and-password authentication is a multi-step process.
To set up single-server session-based name-and-password authentication for Web clients, you must complete three procedures.
- Create a Web site document and enable it for session-based name-and-password authentication, or edit the Server document to require session authentication for Web clients.
- Create a Person document for each user in the Domino® Directory on the Domino® server and assign an Internet password to each user. Users can instead be located in an external LDAP directory that is accessible to Domino® through Directory Assistance.
- Edit the database ACLs to give users access.
To enable single-server session-based authentication for Web Site documents
- From the Domino® Administrator, click .
- In the Internet Sites view, select the Web Site document for which you want to enable session authentication.
- In the Web Site document, click Domino Web Engine and complete the following fields in the HTTP Sessions section of the tab.
Table 1. HTTP Sessions fields (Field: Action)
- Session authentication: Select single server. This is disabled by default.
- Idle session timeout: Enter the period of inactivity after which Domino® logs the Web client off the server. Default is 30 minutes.
- Maximum active sessions: Enter the maximum number of user sessions allowed on the server at the same time. Default is 1000.
- Click Security, and enable name-and-password authentication for the TCP/IP port and for the TLS port (if using TLS). Over the plain TCP/IP port the name, password and session cookie are sent in cleartext, so use the TLS port wherever the site is reachable from outside a trusted network.
- Save the document.
To edit the Server document for single-server session-based name-and-password authentication
- From the Domino® Administrator, click Configuration, and open the Server document.
- Click .
- Complete the following fields in the HTTP Sessions section of the tab:
Table 2. HTTP Sessions fields (Field: Action)
- Session authentication: Select single server. This is disabled by default.
- Idle session timeout: The period of inactivity after which Domino® logs the Web client off the server. Default is 30 minutes.
- Maximum active sessions: The maximum number of user sessions allowed on the server at the same time. Default is 1000.
- Click , and enable name-and-password authentication for the TCP/IP port and for the TLS port (if using TLS).
- Save and close the Server document.
To create Person documents for Web users
- In the Domino® Directory, create a Person document for each Web user who needs to access the server. (You can also edit the Person document of an existing user.)
- In each Person document, complete these fields, and then save the document:
Table 3. Person document fields (Field: Action)
- First name, Middle initial, Last name: Enter the user's first name, middle initial, and last name. The user's last name is required.
- User name (required): Enter the user's full name. This is the name the user enters when trying to access a server.
This field can contain multiple names. Because Domino® uses the first entry in this field to validate a user in database ACLs, design access lists, groups, and File Protection documents, the first entry should be the user's Domino® distinguished name (DN). The second entry should be the common name (CN) portion of the DN.
For example, this field can contain these names:
- Alan Jones/Sales/Renovations
- Alan Jones
- Al Jones
- AJ
When prompted for his name and password, the user can enter Al Jones as his name. However, Domino® uses Alan Jones/Sales/Renovations to validate him in database ACLs and design access lists. Therefore, Alan Jones/Sales/Renovations, not one of the shorter aliases, is the name that must appear in ACLs and design access lists. Keep in mind that every name listed in this field is accepted at login, so list only names you intend to grant access under.
Note: Always use the user's hierarchical name -- for example, Alan Jones/Renovations/US -- to help eliminate ambiguous or duplicate user names.
- Internet password (required): Specify the user's Internet password.
Making single-server session-based authentication cookies cluster-safe and sprayable
By default, single-server session-based authentication state is retained through a browser cookie named "DomAuthSessId". That cookie can be processed only by the individual Domino server that issued it, and a browser stores cookies by site and cookie name, not by the server that set them. So when multiple Domino servers serve a single Web site behind a sprayer (load balancer) or round-robin DNS, they can replace each other's stored cookies: a DomAuthSessId cookie issued by one server is overwritten by the next server the client reaches, and the first session is lost.
Starting in Domino 14.0, administrators can instruct their servers to generate unique DomAuthSessId cookie names by setting the new notes.ini setting DominoSessionCookieUniqueNames=1. Domino servers that all serve the same Internet site then choose unique cookie names starting with "DomAuthSessId" instead of overwriting each other's cookies. This only prevents the overwriting: a session cookie is still accepted only by the server that issued it, so the sprayer must continue to direct each client to that server.
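The following shell script is an added example; it is not part of the HCL documentation or of the Domino product. It checks the outcome of the procedures above from the client side: that a login through the Domino login form yields a cookie whose name starts with DomAuthSessId, and that header captures taken from each server behind a sprayer carry distinct cookie names once DominoSessionCookieUniqueNames=1 is in effect. It assumes that the default Domino login form posts the fields Username and Password to <database>?Login; the host name, database, user name and password are placeholders supplied through the environment, and because the page does not document the suffix Domino appends to unique cookie names, the check matches only the DomAuthSessId prefix.

```shell
#!/bin/sh
# Added example (not HCL documentation or product code): verify from outside
# that a Domino server issues single-server session cookies, and that servers
# behind a sprayer do not share one cookie name.
#
# Assumptions not stated on the page: the default Domino login form posts the
# fields "Username" and "Password" to <database>?Login; DOMINO_BASE, DOMINO_DB,
# DOMINO_USER and DOMINO_PASS are hypothetical placeholders.

# Print the name of the Domino session cookie found in a file of raw response
# headers (as written by `curl -D`), or nothing if no such cookie is present.
# Domino names the cookie DomAuthSessId; with DominoSessionCookieUniqueNames=1
# the name still begins with DomAuthSessId, so match on that prefix only.
session_cookie_name() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        tolower($1) == "set-cookie:" {
            split($2, kv, "=")                   # "Name=value;" -> kv[1] is Name
            if (index(kv[1], "DomAuthSessId") == 1) { print kv[1]; exit }
        }' "$1"
}

# Count distinct session-cookie names across several header captures,
# one capture per back-end server.
distinct_session_cookie_names() {
    for f in "$@"; do session_cookie_name "$f"; done | sort -u | awk 'END { print NR }'
}

# Succeed only if every capture carries a different cookie name, i.e. the
# servers will not overwrite each other's cookie in the browser.
cookie_names_unique() {
    [ "$(distinct_session_cookie_names "$@")" -eq "$#" ]
}

# Log in through the ?Login form and print the session cookie name Domino set.
# $1 base URL, $2 database, $3 user name (any name listed in the Person
# document's User name field), $4 password, $5 file to receive the headers.
domino_login() {
    curl -sS -o /dev/null -D "$5" \
        --data-urlencode "Username=$3" \
        --data-urlencode "Password=$4" \
        "$1/$2?Login"
    session_cookie_name "$5"
}

# Usage (hypothetical values):
#   DOMINO_BASE=https://domino.example.com DOMINO_DB=names.nsf \
#   DOMINO_USER='Al Jones' DOMINO_PASS='...' sh check-session.sh
if [ -n "${DOMINO_BASE:-}" ]; then
    case "$DOMINO_BASE" in
        https://*) ;;
        *) echo "warning: not TLS; name, password and cookie travel in cleartext" >&2 ;;
    esac
    hdr=$(mktemp)
    name=$(domino_login "$DOMINO_BASE" "${DOMINO_DB:-names.nsf}" "$DOMINO_USER" "$DOMINO_PASS" "$hdr")
    if [ -n "$name" ]; then
        echo "session cookie issued: $name"
    else
        echo "no session cookie issued: session authentication is not enabled, or the login failed" >&2
    fi
    rm -f "$hdr"
fi
```

Run the script once against each back-end server directly, rather than through the sprayer, keep the header files, and pass them to cookie_names_unique. A distinct cookie name per server removes the overwriting described above; it does not make a session issued by one server valid on another, so the sprayer must still pin each client to the server that issued its cookie.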