
Admin Shared Login 

  • 1 Best Practices for enabling Notes Shared Login
    • 1.1 Have an ID backup system or procedure in place to recover ID files
    • 1.2 Disable Notes server based password checking
    • 1.3 Carefully review limitations that might be applicable to your environment
    • 1.4 Do not install Client Single Logon component
    • 1.5 Unsupported configurations with Notes Shared Login
  • 2 Security


In order to understand the best practices of implementing Notes Shared Login, you need to know how it works.

Notes Shared Login relies on the Windows credentials used to authenticate on the workstation. These credentials are used to unlock the Notes ID file, so when the user signs on to Windows and then launches the Notes client, there is no password prompt and no need to synchronize passwords. Once the Notes ID is unlocked, it still authenticates against Domino using the client/server certificate-based authentication, just as before. The Notes ID file itself is not altered, only better protected. To protect ID files that are Notes Shared Login-enabled, the Windows Data Protection API (DPAPI) is used.

When an ID file is configured for Notes Shared Login, a complex "secret" is generated to protect it. Then, it is encrypted with DPAPI using additional application-specific entropy. The encrypted "secret" is then saved in the Windows user’s profile directory. The Notes ID file is encrypted with a bulk key which is derived from the "secret", then saved.
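The protection layers described above (random secret, DPAPI protection with application-specific entropy, secret stored under the user profile, bulk key derived from the secret, ID file encrypted with the bulk key), modelled as an added PowerShell illustration that is not Lotus Notes or IBM code. It calls the real Windows DPAPI, but the entropy value, file locations, the PBKDF2 key derivation and the stand-in ID file contents are assumptions; the product's actual entropy and KDF are not documented on this page. The last step shows why the Security section below says an OS copy of the files to another computer cannot be unlocked: DPAPI only unprotects the secret for the same Windows user on the same machine with the same entropy.

```powershell
# Added illustration (not IBM/Lotus code). Names, paths and entropy are assumptions.
Add-Type -AssemblyName System.Security

$entropy    = [Text.Encoding]::UTF8.GetBytes('example-app-specific-entropy')   # assumption
$secretPath = Join-Path $env:APPDATA 'nsl-demo\secret.dpapi'                   # assumption: stand-in for the profile location
$idPath     = Join-Path $env:APPDATA 'nsl-demo\user.id'                        # assumption: stand-in for the protected ID file
New-Item -ItemType Directory -Force -Path (Split-Path $secretPath) | Out-Null

# 1. Generate a random "secret" and protect it with DPAPI (CurrentUser scope) plus extra entropy.
$secret = New-Object byte[] 32
[Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secret)
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
[IO.File]::WriteAllBytes($secretPath, $blob)          # encrypted secret lives in the user's profile

# 2. Derive a bulk key from the secret (assumption: PBKDF2; the product's KDF is not documented here).
$kdf = New-Object Security.Cryptography.Rfc2898DeriveBytes(
    $secret, [Text.Encoding]::UTF8.GetBytes('nsl-demo-salt'), 10000)
$bulkKey = $kdf.GetBytes(32)

# 3. Encrypt the ID file contents with the bulk key (constructed stand-in bytes, not a real ID file).
$aes = [Security.Cryptography.Aes]::Create()
$aes.Key = $bulkKey
$aes.GenerateIV()
$plain = [Text.Encoding]::UTF8.GetBytes('constructed stand-in for Notes ID file bytes')
$enc = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
[IO.File]::WriteAllBytes($idPath, [byte[]]($aes.IV + $enc))

# 4. Unlock path: Unprotect succeeds only for the same Windows user, same machine, same entropy.
try {
    $recovered = [Security.Cryptography.ProtectedData]::Unprotect(
        [IO.File]::ReadAllBytes($secretPath), $entropy,
        [Security.Cryptography.DataProtectionScope]::CurrentUser)
    'Secret recovered on this user/machine: {0}' -f (
        [Convert]::ToBase64String($recovered) -eq [Convert]::ToBase64String($secret))
} catch [System.Security.Cryptography.CryptographicException] {
    'Unprotect failed (different user, machine or entropy): ' + $_.Exception.Message
}

# Same blob, different entropy: fails, just as the copied files would fail on another computer.
try {
    [Security.Cryptography.ProtectedData]::Unprotect(
        $blob, [Text.Encoding]::UTF8.GetBytes('other-entropy'),
        [Security.Cryptography.DataProtectionScope]::CurrentUser) | Out-Null
    'Unexpected: unprotect with wrong entropy succeeded'
} catch [System.Security.Cryptography.CryptographicException] {
    'Unprotect with different entropy failed as expected'
}
```

Running the script a second time as a different Windows user on the same machine (or as the same user on another machine) reproduces the failure in step 4, which is the behaviour the ID Vault or a "Copy ID" password-protected copy is meant to work around.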

Once Notes Shared Login is functional, all password management tasks are now controlled via Windows policies, and all Domino passwords policies in place are ignored.

Notes Shared Login is configured using Security policy settings, specifically under the Password Management tab, in the Notes Shared Login tab. There are four (4) combinations of configuration when you deploy Notes Shared Login:

Notes Shared Login is

  • Disabled and users cannot change the Notes Shared Login state
  • Enabled and users cannot change the Notes Shared Login state
  • Initially disabled and users can change the Notes Shared Login state via User Security preferences
  • Initially enabled and users can change the Notes Shared Login state via User Security preferences


Best Practices for enabling Notes Shared Login


Here are some best practices to consider if you choose to deploy Notes Shared Login.

Have an ID backup system or procedure in place to recover ID files


Because the ID file is closely integrated with the Windows credentials and the workstation used, it is strongly recommended to back up these Notes Shared Login-enabled ID files. Here are some suggestions:
  • Notes ID Vault (recommended)
    • It is designed to work together with Notes Shared Login
    • It allows the provisioning of ID files and the recovery of lost/damaged ID files
    • Free - part of the Domino server product
  • ID Recovery database
    • This feature has existed since Domino R5 and is still present in 8.5
    • No enhancements are planned for future releases
    • ID Recovery must be configured in every certifier (OUs, O) in order to send updated IDs to the recovery database
  • Third-party or custom system
    • Use of third-party solutions
    • Scripts that copy the local ID file to a network share
    • User maintenance process (manual)

Disable Notes server based password checking


For further details, please see IBM Technote 1367070

Carefully review limitations that might be applicable to your environment


Before you deploy Notes Shared Login, it is very important to review the conditions under which it will work, and also the ones under which it will not work.

Notes Shared Login is not supported if you have Notes IDs that are:
  • Used on Mac or Linux clients
  • Protected by smartcards
  • Protected by multiple passwords
  • Used by roaming users - roaming users who roam their IDs cannot use Notes Shared Login.
  • Used with Notes on a USB drive
  • Used in a Citrix environment
  • With Windows mandatory profiles
  • Stored on network shares - the IDs can be used only from the computers on which shared login is activated.
  • Enabled for password checking/expiration (unless all servers are 8.5+) - the "Check password on Notes ID file" security setting is not supported. Domino servers ignore this setting for IDs enabled for shared login. If you use pre-8.5 Domino servers, the setting should be disabled for users with these IDs.
  • Used with Notes to Internet password synchronization - If Notes users were synchronizing Internet passwords with Notes passwords in an earlier release, they must now begin managing their Internet passwords.
  • Imported into a mail file for DWA/Blackberry access - a Notes Shared Login-enabled ID cannot be imported; create a password-protected copy of the ID to import instead.


Do not install Client Single Logon component


If you plan to use Notes Shared Login, you must not select "Client Single Logon Feature" during the installation. If it's already installed, it must be uninstalled first during the upgrade process to 8.5 before enabling Notes Shared Login.

Unsupported configurations with Notes Shared Login

The following configurations are unsupported when used with Notes Shared Login:

  • Using Windows Roaming Profiles and logging into an Active Directory Domain from more than one system at the same time, which is a limitation of Microsoft DPAPI
  • Using Windows Roaming Profiles and logging into an Active Directory Domain from both Windows XP/2003 systems and Windows 2000 systems, which is a limitation of Microsoft DPAPI
  • Using Windows NT 4.0 Domains
  • Using Windows XP in a Windows Workgroup environment and resetting the user's Windows password
  • Joining or leaving a Windows Domain after enabling Notes Shared Login

Security

Enabling Notes Shared Login alters the ID file so that Shared Login will only work on the computer on which the feature was activated. You cannot do an OS copy or move of the ID file between machines.

The feature relies on a Windows security infrastructure specific to that machine. If you wanted to roam to different machines, you would need to use an unaltered ID file.

Notes Shared Login-enabled IDs that are stored in a Notes ID vault can be used from more than one Microsoft Windows computer without requiring users to make copies of the ID file, because the ID files stored in the ID Vault are intact. To use an ID on more than one computer when a Notes ID vault is not used, a user clicks "Copy ID" in the User Security dialog box to make a new, Notes-password-protected copy of the ID file. When the user runs Notes using the copied ID on another computer, the user's effective policy determines whether the ID will be enabled for Notes Shared Login.




Category:
IBM Redbooks: Lotus Notes and Domino version 8.5 Deployment Guide
This Version: Version 6 November 1, 2009 6:05:57 PM by Bart Jacob  IBMer