To understand the best practices for implementing Notes Shared Login, you first need to know how it works.
Notes Shared Login relies on the Windows credentials used to authenticate to the workstation. These credentials are used to unlock the Notes ID file, so when the user signs on to Windows and then launches the Notes client, there is no password prompt and no need to synchronize passwords. Once the Notes ID is unlocked, the client still authenticates to Domino using certificate-based client/server authentication, exactly as before. The keys and certificates inside the Notes ID file are not changed; only the protection of the file changes. Notes Shared Login-enabled ID files are protected with the Windows Data Protection API (DPAPI).
When an ID file is configured for Notes Shared Login, a complex "secret" is generated to protect it. This secret is encrypted with DPAPI using additional application-specific entropy, and the encrypted secret is saved in the Windows user's profile directory. The Notes ID file is then encrypted with a bulk key derived from the secret and saved. Because DPAPI ties the encrypted secret to that Windows user on that machine, the protected ID file can only be unlocked there.
Once Notes Shared Login is functional, all password management tasks are controlled by Windows policies, and any Domino password policies in place are ignored.
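The key hierarchy described above (DPAPI-wrapped secret in the profile, bulk key derived from the secret, ID file encrypted with the bulk key) can be reproduced with the real Windows DPAPI from PowerShell. The following is an added illustration, not IBM code and not the Notes client's actual file formats: the file names, the HMAC-based key derivation and the entropy string are assumptions chosen for the demo. It also shows the property that matters operationally: the wrapped secret only unwraps for the same Windows user on the same machine and with the same entropy, which is why a plain OS copy of an enabled ID file is useless elsewhere.

```powershell
# Added example (not IBM/HCL code). Demonstrates the Notes Shared Login key
# hierarchy with the real Windows DPAPI (.NET ProtectedData). Layout, names
# and KDF are illustrative assumptions, not the Notes client's real format.
Add-Type -AssemblyName System.Security

$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Application-specific entropy: DPAPI alone binds the blob to the Windows
# user; the entropy additionally stops other code running as that user from
# unwrapping the secret without knowing it. Placeholder value.
$Entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy')

function New-RandomBytes([int]$Length) {
    $buf = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return $buf
}

function Get-BulkKey([byte[]]$Secret) {
    # Derive the bulk key from the secret (HMAC-SHA256 as a simple KDF stand-in).
    $hmac = New-Object System.Security.Cryptography.HMACSHA256(,$Secret)
    return $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes('notes-id-bulk-key'))
}

function Protect-IdFile {
    param([string]$IdPath, [string]$SecretPath)
    # 1. Generate the "secret" that guards the ID file.
    $secret = New-RandomBytes 32
    # 2. Wrap it with DPAPI (CurrentUser scope) plus app entropy and store
    #    the wrapped blob in the user's profile.
    $wrapped = [System.Security.Cryptography.ProtectedData]::Protect($secret, $Entropy, $Scope)
    [System.IO.File]::WriteAllBytes($SecretPath, $wrapped)
    # 3. Encrypt the ID file with a bulk key derived from the secret
    #    (AES-256-CBC, PKCS7 padding, random IV prepended to the ciphertext).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Get-BulkKey $secret
    $aes.GenerateIV()
    $plain = [System.IO.File]::ReadAllBytes($IdPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [System.IO.File]::WriteAllBytes($IdPath, [byte[]]($aes.IV + $cipher))
}

function Unprotect-IdFile {
    param([string]$IdPath, [string]$SecretPath)
    # Unwrapping succeeds only for the same Windows user on the same machine
    # (DPAPI master key) AND with the same entropy; anywhere else Unprotect
    # throws, so the bulk key can never be derived and the ID stays sealed.
    $wrapped = [System.IO.File]::ReadAllBytes($SecretPath)
    $secret = [System.Security.Cryptography.ProtectedData]::Unprotect($wrapped, $Entropy, $Scope)
    $blob = [System.IO.File]::ReadAllBytes($IdPath)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = Get-BulkKey $secret
    $aes.IV = [byte[]]$blob[0..15]
    return $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
}

# Demo on a constructed stand-in for user.id (not a real Notes ID file).
$idPath = Join-Path $env:TEMP 'demo-user.id'
$secretPath = Join-Path $env:USERPROFILE 'demo-nsl-secret.bin'
[System.IO.File]::WriteAllBytes($idPath, [System.Text.Encoding]::UTF8.GetBytes('fake ID file contents'))
Protect-IdFile -IdPath $idPath -SecretPath $secretPath
$recovered = [System.Text.Encoding]::UTF8.GetString((Unprotect-IdFile -IdPath $idPath -SecretPath $secretPath))
"Recovered: $recovered"

# Another process running as the same user but without the entropy cannot
# unwrap the secret, let alone open the ID file.
try {
    $Entropy = [System.Text.Encoding]::UTF8.GetBytes('wrong-entropy')
    [void](Unprotect-IdFile -IdPath $idPath -SecretPath $secretPath)
    "Unexpected: unprotect succeeded"
} catch {
    "Unprotect with wrong entropy failed as expected: $($_.Exception.Message)"
}
```

Run it as the interactive user (DPAPI CurrentUser scope needs a loaded user profile). Copying both demo files to another machine or another account and calling Unprotect-IdFile there fails at the DPAPI step, which mirrors the page's statement that an enabled ID only works on the computer where the feature was activated.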
Notes Shared Login is configured through Security policy settings, under the Password Management tab, on the Notes Shared Login tab. There are four (4) possible configurations when you deploy Notes Shared Login:
Notes Shared Login is
- Disabled, and users cannot change the Notes Shared Login state
- Enabled, and users cannot change the Notes Shared Login state
- Initially disabled, and users can change the Notes Shared Login state via User Security preferences
- Initially enabled, and users can change the Notes Shared Login state via User Security preferences.
Best Practices for enabling Notes Shared Login
Here are some best practices to consider if you choose to deploy Notes Shared Login.
Have an ID backup system or procedure in place to recover ID files
Because the ID file is tightly bound to the Windows credentials and the workstation on which it was enabled, it is strongly recommended to back up Notes Shared Login-enabled ID files. Here are some suggestions:
- Notes ID Vault (recommended)
  It is designed to work together with Notes Shared Login
  It allows provisioning of ID files and recovery of lost or damaged ID files
  Free: part of the Domino server product
- ID Recovery database
  This feature has existed since Domino R5 and is still present in 8.5
  No enhancements are planned for future releases
  ID Recovery must be configured in every certifier (O, OUs) so that updated IDs are sent to the recovery database
- Third-party or custom system
  Third-party solutions
  Scripts that copy the local ID file to a network share
  Manual user maintenance process
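For the "scripts that copy the local ID file to a network share" option, the following is an added example of such a logon script; it is not part of the original technote. The ID path and the share name are assumptions to adapt. It verifies the copy with a hash, skips runs where the ID has not changed, and keeps a bounded history. Keep in mind the caveat the page itself states: a backup of a Shared Login-enabled ID is only usable by the same Windows user on the same computer, so for a portable copy users must still create a Notes-password-protected copy with "Copy ID" in User Security.

```powershell
# Added example (not part of the IBM technote): back up a user's local Notes ID
# to a per-user folder on a network share. $IdPath and $ShareRoot are assumed
# values; change them for your environment.
function Backup-NotesId {
    param(
        [Parameter(Mandatory)][string]$IdPath,      # e.g. the user's Notes data directory user.id
        [Parameter(Mandatory)][string]$ShareRoot,   # e.g. \\fileserver\notesid$ (hypothetical)
        [int]$KeepVersions = 5
    )
    if (-not (Test-Path -LiteralPath $IdPath)) { throw "ID file not found: $IdPath" }

    $userDir = Join-Path $ShareRoot $env:USERNAME
    New-Item -ItemType Directory -Path $userDir -Force | Out-Null

    $hash = (Get-FileHash -LiteralPath $IdPath -Algorithm SHA256).Hash

    # Skip the copy when the newest backup already has identical content.
    $existing = @(Get-ChildItem -LiteralPath $userDir -Filter '*.id' | Sort-Object LastWriteTime -Descending)
    if ($existing.Count -gt 0 -and
        (Get-FileHash -LiteralPath $existing[0].FullName -Algorithm SHA256).Hash -eq $hash) {
        return $existing[0].FullName
    }

    # Name the copy by machine, time and content hash prefix so restores can
    # be matched to the computer on which the ID was enabled.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest = Join-Path $userDir ('{0}-{1}-{2}.id' -f $env:COMPUTERNAME, $stamp, $hash.Substring(0, 8))
    Copy-Item -LiteralPath $IdPath -Destination $dest

    # Never trust an unverified copy: compare hashes and discard on mismatch.
    if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -ne $hash) {
        Remove-Item -LiteralPath $dest -Force
        throw "Backup verification failed for $dest"
    }

    # Prune older versions beyond the retention count.
    Get-ChildItem -LiteralPath $userDir -Filter '*.id' |
        Sort-Object LastWriteTime -Descending |
        Select-Object -Skip $KeepVersions |
        Remove-Item -Force

    return $dest
}

# Usage (assumed paths): run at Windows logon, before or after Notes starts.
Backup-NotesId -IdPath (Join-Path $env:USERPROFILE 'AppData\Local\IBM\Notes\Data\user.id') `
               -ShareRoot '\\fileserver\notesid$' -KeepVersions 5
```

Restrict the share so each user can only write to their own folder; the ID file remains encrypted at rest, but it is still the user's credential and should not be readable by other users.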
Disable Notes server-based password checking
For further details, see IBM Technote 1367070
Carefully review limitations that might apply to your environment
Before you deploy Notes Shared Login, it is very important to review the conditions under which it will work, and also the ones under which it will not.
Notes Shared Login is not supported if you have Notes IDs that are:
- Used on Mac or Linux clients
- Protected by smartcards
- Protected by multiple passwords
- Used by roaming users - roaming users who roam their IDs cannot use Notes Shared Login.
- Used with Notes on a USB drive
- Used in a Citrix environment
- With Windows mandatory profiles
- Stored on network shares - the IDs can be used only from the computers on which shared login is activated.
- Enabled for password checking/expiration (unless all servers are 8.5+): the "Check password on Notes ID file" security setting is not supported. Domino 8.5 servers ignore this setting for IDs enabled for Shared Login. If you still have pre-8.5 Domino servers, disable the setting for users with these IDs.
- Used with Notes-to-Internet password synchronization: if Notes users were synchronizing their Internet passwords with their Notes passwords in an earlier release, they must now manage their Internet passwords separately.
- A Notes Shared Login-enabled ID cannot be imported into the mail file for DWA/BlackBerry access (create a Notes-password-protected copy to import instead)
Do not install the Client Single Logon component
If you plan to use Notes Shared Login, do not select the "Client Single Logon Feature" during installation. If it is already installed, it must be uninstalled during the upgrade to 8.5, before Notes Shared Login is enabled.
Unsupported configurations with Notes Shared Login
The following configurations are unsupported when used with Notes Shared Login:
- Using Windows Roaming Profiles and logging into an Active Directory Domain from more than one system at the same time, which is a limitation of Microsoft DPAPI
- Using Windows Roaming Profiles and logging into an Active Directory Domain from both Windows XP/2003 systems and Windows 2000 systems, which is a limitation of Microsoft DPAPI
- Using Windows NT 4.0 Domains
- Using Windows XP in a Windows Workgroup environment and resetting the user's Windows password
- Joining or leaving a Windows Domain after enabling Notes Shared Login
Enabling Shared Login alters the ID file so that Shared Login only works on the computer on which the feature was activated. You cannot do an OS-level copy or move of the ID file between machines.
The feature relies on a Windows security infrastructure specific to that machine. To roam between machines, you need an unaltered ID file.
Notes Shared Login-enabled IDs that are stored in a Notes ID vault can be used from more than one Microsoft Windows computer without requiring users to make copies of the ID file, because the ID files stored in the ID vault are intact. To use an ID on more than one computer when a Notes ID vault is not used, the user clicks "Copy ID" in the User Security dialog box to make a new, Notes-password-protected copy of the ID file. When the user runs Notes with the copied ID on another computer, the user's effective policy determines whether the ID will be enabled for Notes Shared Login there.