This article describes the Domino authentication options to help you determine which option best suits your environment.
Choosing the Domino Authentication Options
Traditionally, Lotus Notes uses the USER.ID file for authentication. Release 8.5.x added several new authentication options as well as a feature that significantly reduces the time spent on ID management, the ID Vault. Authentication using SmartCards is another option.
The following flowchart helps you understand which Domino authentication option is best suited for your environment.
Each authentication option listed and numbered in the flowchart is described in the following sections.
SmartCards (1)
SmartCards provide high security for Lotus Notes access. Regular Lotus Notes USER.ID files can be stored on SmartCards and protected with a PIN. Every time you log into Lotus Notes, you need to enter the PIN so the SmartCard can unlock the protected USER.ID. You can also protect SERVER.ID files with SmartCards; in that case, every time a server is started you need to enter the PIN to unlock the SERVER.ID.
If you decide to use SmartCards with Lotus Notes IDs, you need to know how to configure Lotus Notes/Domino for SmartCard usage. Keep in mind that SmartCard users may require a separate policy, because periodic password changes and some other options are not applicable to SmartCard-protected USER.ID files.
For more information, see the following articles:
LTPA Single-Sign-On (2)
If you have many Domino Web servers, Single-Sign-On (SSO) based on an LTPAToken can be used. When a user connects and authenticates to the first server, the browser receives a secret ticket (token) that is stored in the browser. When the user connects to another server, the browser passes this ticket to that server (limited to servers inside your domain) and the user is authenticated without an additional password prompt. For example, suppose you have 5 servers (3 mail servers in a cluster and two application servers, one internal and one external). Without SSO, you have to enter your password separately on each server. With SSO using an LTPAToken, you log in only once.
Be cautious when you configure your servers. If you use Internet Sites, one LTPAToken definition is used. If you do not use Internet Sites, a different LTPAToken definition may be used, which is stored in another document. It is recommended that you check the ($WebSSOConfigs) view for duplicated documents and that all servers consistently either use or do not use Internet Sites documents. This can save you time when deploying SSO.
You may also later use LTPA SSO during deployment of an Instant Messaging (Sametime Entry) or Sametime Meeting Server. For example, you can configure the Lotus Notes embedded Sametime client to log into Sametime using the SSO token. Thus, you can eliminate the need for Lotus Notes users to enter an HTTP password to log into Lotus Sametime.
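The flow described above, as an added illustration that is not from the original article: a simplified model of domain-scoped SSO in which every server in the domain shares one secret, so a token minted by the first server is accepted by the others without a password prompt, while servers outside the domain, expired tokens and tampered tokens are rejected. It uses an HMAC-signed token and does not reproduce the real LtpaToken encoding; the secret, user name and lifetime are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values: one secret shared by all servers in the Domino domain.
DOMAIN_SECRET = b"constructed-shared-secret-for-sample-domain"
TOKEN_LIFETIME = 30 * 60  # seconds the token stays valid after login
SIG_LEN = hashlib.sha256().digest_size


def issue_token(user, secret=DOMAIN_SECRET, now=None, lifetime=TOKEN_LIFETIME):
    """First server: after password authentication, mint a token for the browser."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"user": user, "exp": now + lifetime}, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def verify_token(token, secret=DOMAIN_SECRET, now=None):
    """Any other server in the same domain: accept the token instead of a password.
    Returns the user name, or None if the token is forged, foreign or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if len(sig) != SIG_LEN or not hmac.compare_digest(sig, expected):
        return None  # signed with another domain's secret, or tampered
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # token lifetime exceeded; user must log in again
    return claims["user"]


def sso_walkthrough(now=1_700_000_000):
    """Log in once, then present the same token to several servers."""
    token = issue_token("CN=Jane Doe/O=Acme", now=now)
    return {
        "mail2_same_domain": verify_token(token, now=now),
        "external_other_domain": verify_token(token, secret=b"other-domain-secret", now=now),
        "after_expiry": verify_token(token, now=now + TOKEN_LIFETIME + 1),
        "tampered": verify_token(token[:-4] + "AAAA", now=now),
    }
```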
For more information, see the following articles:
Lotus Notes and HTTP Password Synchronization (3)
Lotus Notes provides an option for users to set the HTTP password to be the same as the Lotus Notes password. The advantage is that the user has one less password to remember. If the user uses the same password for both systems (Lotus Notes and HTTP access), there is no need to spend time setting the HTTP password; it happens automatically if it is enabled in the Security Settings and added to a Domino policy. When needed, the user can submit a request to change his or her HTTP password.
Lotus Notes and HTTP password synchronization can be the first step to make authentication easier for the users. This also helps reduce the number of help desk calls.
Lotus Notes and HTTP synchronization is available in Releases 6.x, 6.5, 7.x, 8.x, and 8.5.
For more information, refer to the Security Settings help for enabling Lotus Notes and HTTP password synchronization.
Note: password synchronization does not work with Shared Login.
LDAP (4 and 5)
Lotus Domino users are registered in NAMES.NSF, the Domino directory. If you deploy an additional system, you may need to maintain multiple user accounts for a single user in your environment. User and password management can be a costly task in each system.
You can use the Lotus Domino server to authenticate users of other systems through the LDAP protocol. The benefit of this approach is that when something changes, e.g. a password is changed or a new user is added, all systems that use Domino for authentication automatically see the change. You do not need to register or remove the user in each system separately.
For more information, see IBM Infocenter, Planning LDAP Features.
SPNEGO (6)
Lotus Domino 8.5.1 introduced a new way for users to authenticate: users can authenticate to the Domino Web server with their Windows credentials. The benefit of SPNEGO authentication is that users are not asked to enter passwords. According to research, password management is rather expensive; reducing the number of passwords users need to have helps decrease the number of help desk calls.
SPNEGO stands for Simple and Protected GSSAPI Negotiation Mechanism. The client's browser and the server negotiate, and the server obtains information from Windows Active Directory about which user is trying to access the system. The server then maps the Windows user to the Domino user. If you are considering adding SPNEGO authentication to products such as Microsoft Quickr or Sametime, consult IBM Consultants.
Check the requirements for Windows Active Directory and the Domino version before you decide to deploy this.
For more information, see Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment.
Lotus Notes and Operating System Single-Sign On (7)
Lotus Notes prior to 8.5.x offered an option that allowed users not to enter their Lotus Notes password. The Lotus Notes Single-Sign-On service synchronized the password between Lotus Notes and the Windows operating system.
If you currently use a pre-8.5.x release of Lotus Notes and plan to upgrade, consider migrating from the Single-Sign-On service to Shared Login, because Shared Login does not synchronize passwords and is therefore easier to administer.
For more information, see Does Notes support Single Logon with Novell?
Shared Login (8)
Notes Shared Login (NSL) is a feature introduced in Release 8.5. It allows you to unlock your Lotus Notes ID with your Windows credentials. If the person is logged into the Windows operating system, a special Windows service is responsible for unlocking the Lotus Notes USER.ID, and the user can log into Lotus Notes without a password prompt. If the user forgets his or her password, you need to reset the user's Windows domain password.
The Lotus Notes policy security settings in Release 8.5 have options for notifying users and enabling Shared Login for them. If you have enabled Lotus Notes and HTTP password synchronization and later enable Shared Login, users will then have to manage their HTTP password separately. If needed, for some users you can enable Shared Login in the security preferences of the Lotus Notes client (grayed out by default).

Tips: Do not mix up Shared Login with Single-Sign-On from Releases 6.x-7.x. Single-Sign-On in old versions of Lotus Notes synchronized the Lotus Notes and Windows passwords; Shared Login in 8.5 does not need to synchronize the passwords, because a special Windows service unlocks the user's USER.ID. If you are upgrading from an environment that used operating system Single-Sign-On, it is recommended to move to the Shared Login feature. Operating system Single-Sign-On is maintained for backward compatibility.
For more information, see Using Notes shared log in to eliminate Notes password prompts
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.notes85.help.doc/sec_nsl_desc_t.html
Tivoli Directory Integrator (9)
Users who have purchased Lotus Domino 8.5.x are entitled to use Tivoli Directory Integrator to synchronize data with Domino. For more information, see TDI Entitlement.
If Tivoli Directory Integrator (TDI) is used to synchronize data with Domino, you do not need to buy additional licenses. If TDI is used to synchronize non-Domino data, you need to buy additional licenses.
TDI allows integration of different systems and synchronization of data. For example, it enables you to integrate the Lotus Domino directory with Windows Active Directory, as well as export or import users to and from text files or CSV files. TDI is a very powerful tool; you will need to take some time to learn its architecture before getting started with it.
Additional Resources
For more information, see: