For SPNEGO configuration on Quickr Domino, my colleague previously published a developerWorks wiki article: SPNEGO SSO Deployment in Lotus Quickr 8.5 Services for Lotus Domino. Nothing in that document is wrong, but some readers still can't get SPNEGO working in their environment. In this paper I will try to give more explanation and a snapshot for every step, and do my best to make the guide clear.
Quickr Domino SPNEGO is built on Domino SPNEGO. If SPNEGO doesn't work on Domino, it cannot work on Quickr Domino either, so please make sure SPNEGO works on Domino first. I will give a verification point for each stage in the content that follows.
Before setting up the environment
Make sure all products are supported by Quickr Domino 8.5.1; please refer to the requirements here: IBM Lotus Quickr detailed system requirements
- AD directory functional level
The functional level of the Active Directory domain (or of the forest, in the case of multiple domains) must be Windows Server 2003 or higher. Backwards-compatible modes for Windows Server 2003 cannot be used; for example, you cannot set Windows Server 2003 to Windows 2000 mixed mode. To check the domain and forest functional level, open the Active Directory Users and Computers snap-in on the Active Directory server (Start --> All Programs --> Administrative Tools --> Active Directory Users and Computers), right-click the domain, click Properties, and look at the General tab.
- Both the Quickr Domino server and the client must be in the same domain.
If the client is not in the domain, users can't access the Quickr Domino server through SPNEGO. This is a limitation. Domino provides a workaround with the "Internet Site document"; please refer to Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment. Unfortunately, Quickr Domino doesn't support the "Internet Site document" yet; we are still working on it.
- Domain users must access the Quickr Domino server from a client that is in the domain.
My test environment
Quickr Domino server | Windows 2003 | Domino 8.5.1 FP5, Quickr Domino 8.5.1 Gold (I also tried Quickr Domino on Windows 2008)
Client               | Windows XP   | IE 8 and Firefox 3.5.18
AD directory         | Windows 2003 | AD 2003 domain server
1, Quickr Domino server joins the AD domain
2, Install and configure Domino as a domain user
3, Install and configure Quickr as a domain user
4, Enable SPNEGO on Domino
5, Enable SPNEGO on Quickr
6, Enable settings for IE and Connector
The above are the recommended steps; different people may follow a different order, and that's fine. If you had already installed Domino and Quickr before joining the Windows domain, that's not a problem: joining the domain afterwards is acceptable as long as the domain user has the rights to launch the Domino server.
Step 1, Quickr Domino server joins AD domain
On the Quickr server, click Start -> My Computer, right-click and select Properties to open the System Properties window, then click Change on the Computer Name tab.
Select Domain in the "Member of" section and enter the domain name for your environment. The domain name is "cn.ibm.com" in my test environment.
Enter the user name and password of a user that exists in the AD directory, then click OK.
Confirm that your computer has joined the domain successfully, then click OK.
Click OK on the change, then click OK again in the System Properties window.
Click Yes in the System Settings Change window to restart the server.
After joining the domain, you should log in as a domain user.
There are two forms for logging in to the server: username@domain or domain\username.
After you log in to the server, the following window shows the domain user name, which means the Quickr Domino server has joined the AD domain.
Now let's log in to the AD 2003 domain server and set up the servicePrincipalName (SPN) for the Quickr Domino server. For more details, please refer to Setspn Overview.
Here my Quickr Domino server is QDServer.cn.ibm.com, so the command is: setspn -a HTTP/QDServer.cn.ibm.com QDServer
Please make sure the Quickr Domino server is up.
You can use "setspn -l QDServer" to verify that it succeeded.
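The following script, added here as an example and not part of the original article, automates the Step 1 checks: it compares forward and reverse DNS for the server name, confirms that the HTTP SPN is listed on the computer account with the "setspn -l" check above, looks for the same SPN registered on a second account (a duplicate SPN is a frequent reason why SPNEGO quietly falls back to a login prompt), and shows the logon account of the Domino service for Step 2. The host and computer names are the article's test values; "setspn -Q" is assumed to be available (Windows Server 2008 and later), and the "Lotus Domino Server*" service display-name pattern is an assumption about the installation.

```powershell
# Added example, not part of the original article: check the SPN and DNS prerequisites
# of Step 1 for the Quickr Domino server. Needs setspn.exe (Windows Support Tools on
# Windows 2003; built in on Windows Server 2008 and later) and a domain-joined machine.
# The host and computer names are the article's test values; replace them with yours.
param(
    [string]$ServerFqdn   = 'QDServer.cn.ibm.com',   # host name users type in the URL
    [string]$ComputerName = 'QDServer'               # AD computer account of the server
)

$spn = "HTTP/$ServerFqdn"
$ok  = $true

# 1. Forward and reverse DNS should agree. The browser builds the SPN from the host
#    name in the URL, so a mismatch leads to a ticket request for a service that does not exist.
try {
    $addr    = [System.Net.Dns]::GetHostAddresses($ServerFqdn) | Select-Object -First 1
    $reverse = [System.Net.Dns]::GetHostEntry($addr).HostName
    if ($reverse -ieq $ServerFqdn) {
        Write-Host "OK   DNS  $ServerFqdn -> $addr -> $reverse"
    } else {
        Write-Host "WARN DNS  $ServerFqdn -> $addr, but reverse lookup returns $reverse"
    }
} catch {
    Write-Host "WARN DNS  lookup failed for $ServerFqdn : $($_.Exception.Message)"
}

if (-not (Get-Command setspn -ErrorAction SilentlyContinue)) {
    Write-Host 'FAIL setspn.exe not found; install the Windows Support Tools or run this on a 2008+ machine'
    exit 1
}

# 2. The HTTP SPN must be registered on the computer account (this is the
#    "setspn -l QDServer" check the article recommends).
$listed = & setspn -l $ComputerName 2>&1
if ($listed -match [regex]::Escape($spn)) {
    Write-Host "OK   SPN  $spn is registered on $ComputerName"
} else {
    Write-Host "FAIL SPN  $spn is not registered on $ComputerName (expected: setspn -a $spn $ComputerName)"
    $ok = $false
}

# 3. The SPN must be registered on exactly one account. setspn -Q (Windows Server 2008
#    and later) lists every owner as a CN= line; older setspn versions lack the switch.
$query  = & setspn -Q $spn 2>&1
$owners = @($query | Where-Object { "$_" -match '^CN=' })
if ($owners.Count -gt 1) {
    Write-Host "FAIL SPN  $spn is registered on $($owners.Count) accounts:"
    $owners | ForEach-Object { Write-Host "          $_" }
    $ok = $false
} elseif ($owners.Count -eq 1) {
    Write-Host "OK   SPN  single owner: $($owners[0])"
} else {
    Write-Host 'INFO SPN  setspn -Q returned no owner list (older setspn or SPN missing); check for duplicates manually'
}

# 4. Step 2 requires Domino to run as a Windows service started by a domain user.
#    Show the service logon account so it can be compared with the SPN owner above.
#    The display-name pattern "Lotus Domino Server*" is an assumption about the install.
$services = Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like 'Lotus Domino Server*' }
if ($services) {
    $services | ForEach-Object { Write-Host "INFO SVC  '$($_.DisplayName)' state=$($_.State) logon=$($_.StartName)" }
} else {
    Write-Host 'WARN SVC  no Domino service found; SPNEGO requires Domino to run as a Windows service'
}

if ($ok) { exit 0 } else { exit 1 }
```

Run it from a PowerShell prompt on the Quickr Domino server (or any domain member that has setspn.exe) as `.\Check-DominoSpn.ps1 -ServerFqdn your.server.fqdn -ComputerName YOURSERVER`; a non-zero exit code means one of the SPN checks failed.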
Step 2, Install and configure Domino by domain user
For how to install and configure Domino, please refer to the Lotus Domino information center.
Please keep in mind that, to enable SPNEGO, Domino must run as a Windows service, and the Domino server must be launched by a domain user.
My Domino version is 8.5.1 FP5
Step 3, Install and configure Quickr by domain user
Please refer to the Lotus Quickr Wiki for Quickr installation. Please enable Domino Servlets in the Domino configuration document to get Quickr working.
After Quickr is installed, Multi-Server SSO must be enabled in order to set up the Quickr user directory.
Create the "domcfg.nsf" database on the Quickr Domino server.
Add the following mapping in the domcfg.nsf database. This controls the login form.
Create an LtpaToken Web SSO configuration. For now I leave Windows single sign-on integration disabled; after the Quickr user directory is set up, I will enable it.
Enable Multiple Server (SSO) in the configuration document. It must be "Multiple Server (SSO)": Quickr doesn't support "Single Server" SSO, even if there is only one Quickr Domino server.
After finishing the above configuration, restart the Domino server for the settings to take effect.
Then log in to the Quickr Administrator page, http://QDServer.cn.ibm.com/LotusQuickr, as Administrator. The user directory should be enabled on the Quickr User Directory page. Please check the "Disallow new users" option, because local users can't log in to the Quickr server any more after SPNEGO is enabled.
Then click "Next" to make sure the setup is fine.
Then I recommend granting a couple of AD LDAP users the Quickr Administrator role, because local users have no way to log in to the Quickr server any more after SPNEGO is enabled. If you are the admin, you can grant the Administrator role to yourself. I also recommend granting the Administrator role to a specific AD LDAP group; then you can maintain the LDAP group instead of granting the Administrator role in Quickr.
Step 4, Enable SPNEGO on Domino
Once you have Quickr working, let's start enabling SPNEGO on the Domino side. Create a directory assistance database; I usually name it "da.nsf".
Add a Directory Assistance document in the database. Here are my settings on the "Basics" tab; please pay particular attention to the settings in the red rectangle.
Settings on the "Naming Contexts (Rules)" tab
My settings on the "LDAP" tab; please fill in all fields in the red rectangle. I didn't enable SSL in this case.
Please click the Verify button to make sure your settings are correct.
Once the DA settings work, fill in the directory assistance database name in the Domino configuration document as below:
Then go back to the "Web SSO Configuration" and enable "Windows single sign-on".
After that, the Domino server must be restarted for the settings to take effect. From now on, the Domino-side SPNEGO settings are ready.
Enable settings on the client: Firefox
Let's log in to a client machine. Make sure the machine has joined the AD domain, and log in as a domain user. SPNEGO supports both IE and Firefox. Here I recommend starting the configuration with Firefox, because the configuration is simpler in Firefox than in IE.
My Firefox version is 3.5.18
Launch Firefox and enter "about:config" in the address bar. Click "I'll be careful, I promise!" on the warning dialog. Then enter "network.negotiate-auth.trusted-uris" in the Filter field.
Double-click the item and fill in your Quickr Domino server URL: http://QDServer.cn.ibm.com. It also supports a wildcard match, so you can just fill in http://cn.ibm.com. Click OK, then restart Firefox.
To verify that SPNEGO works on Domino, access http://qdserver.cn.ibm.com/names.nsf from Firefox; there should be no login challenge. However, even when the end user is logged in, you may not know who the user is. So I recommend that you grant the Default user "Reader" access to the webadmin.nsf database. Please don't forget to change it back when you finish your verification.
Type the URL http://qdserver.cn.ibm.com/webadmin.nsf in the Firefox address bar. If there is no login challenge and you can see that the user is "test user1", this proves that you have enabled SPNEGO successfully on Domino.
Step 5, Enable SPNEGO on Quickr
After SPNEGO works on Domino, it's time to enable SPNEGO on Quickr.
a) Add "Anonymous" to LotusQuickr/lotusquickr/main.nsf.
Before the Domino Administrator can edit the ACL, you should create a group named "QuickPlaceAdministratorsSUGroup" and add the Domino Administrator to the group, because this group is present in every Quickr place database; after joining the group, users have administrator access to these databases. Restart the Domino server for this to take effect.
Then open the ACL of LotusQuickr/lotusquickr/main.nsf. Add "Anonymous" with User type "Unspecified" and Access "No Access". Otherwise SPNEGO doesn't work on Quickr, because the web user will be logged in as an anonymous user rather than the domain user.
b) Settings in notes.ini
Add "QuickPlaceSPNEGO=1" to notes.ini, then restart for it to take effect. This parameter disables the user name and password prompt when an end user creates a place from the browser.
c) Settings in qpconfig.xml
Once SPNEGO is enabled, logging in and logging out are unnecessary: users are logged in to Quickr Domino automatically when they access the Quickr Domino server. So let's disable sign_in and sign_out.
In the user_directory section of qpconfig.xml, please pay particular attention to the bold text and modify it to match your environment settings.
[Snapshot: user_directory section of qpconfig.xml (enter last name, first name)]
Now SPNEGO should work on Quickr Domino. To verify, access the Quickr home page: http://qdserver.cn.ibm.com/LotusQuickr. If there is no login challenge, SPNEGO works on Quickr Domino; then create a place to do further verification.
Step 6, Enable settings for IE and Connector
SPNEGO on Quickr Domino supports IE and Connector as well.
Now let's get the IE browser working. Here is my IE version:
Launch IE, click Tools > Internet Options, click the Security tab, select "Local intranet" and click Sites.
Ensure that "Include all sites that bypass the proxy server" is checked, then click the Advanced button.
Add the URL of the Domino server and click OK twice. For example, my Domino server name is qdserver.cn.ibm.com, so specify:
Or use a wildcard to allow connecting to more than one SPNEGO-enabled Domino server in the domain, for example:
Click Custom Level, scroll to the User Authentication section, select "Automatic logon only in Intranet zone", and click OK.
Click the Advanced tab, scroll to the Security section, and verify that the option "Enable Integrated Windows Authentication" is selected.
If your proxy server configuration is done manually rather than via automatic configuration script:
* Click the Connections tab.
* Click LAN Settings
* Click Advanced.
* Add the Domino server URL to the list "Do not use proxy server for addresses beginning with", and click OK.
Click OK and restart the browser.
Now the IE browser should access Quickr Domino through SPNEGO.
To make Connector work with Quickr Domino SPNEGO:
a) Enable "Enable Integrated Windows Authentication" in IE. This was already done in the steps above.
b) Add the registry string HKEY_LOCAL_MACHINE\SOFTWARE\IBM\Lotus Quickr\Desktop Integration\Settings\EnableSSO with one of the following values:
0 – disable
1 – enable
Restart the machine, then launch Connector Explorer. The authentication type has now changed, and there is no need to enter a user ID and password. See the following snapshot:
Then the domain user can access Quickr Domino through SPNEGO.
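Because the client settings from the Firefox section, the IE steps and the Connector key live in three different places, it is easy to miss one when a particular workstation does not get single sign-on. The script below is an added example, not part of the original article, that reads them all back into one report so a failing client can be compared with a working one. The Firefox preference name and the Connector registry key are the ones given in this guide; the Internet Explorer registry locations (ZoneMap\Domains, ProxyBypass, EnableNegotiate and the 1A00 logon value of zone 1) are IE's standard locations and are not taken from the article. It assumes it runs as the domain user who uses the browser; Group Policy may place the same IE values under HKLM rather than HKCU, and a 32-bit Connector on a 64-bit Windows stores its key under Wow6432Node.

```powershell
# Added example, not part of the original article: report the client-side SPNEGO settings
# that Steps 4 and 6 configure by hand. The Firefox preference name and the Connector key
# come from the article; the IE registry locations are IE's standard ones (an assumption,
# not values from the article). Run as the domain user who uses the browser.
param([string]$DomainSuffix = 'ibm.com')   # the article's test domain; filters the zone list

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ClientSsoReport {
    $ie = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $report = @{}

    # Firefox: network.negotiate-auth.trusted-uris is persisted in prefs.js of each profile
    $prefs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue
    $uris = foreach ($p in $prefs) {
        $m = Select-String -Path $p.FullName -Pattern '"network\.negotiate-auth\.trusted-uris",\s*"([^"]*)"' |
             Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value }
    }
    $report['Firefox trusted-uris'] = @($uris) -join '; '

    # IE: hosts in the Local intranet zone (zone number 1). Walk all subkeys because IE
    # splits a host into a domain key with sub-domain subkeys and one value per URL scheme.
    $intranet = @()
    $keys = Get-ChildItem "$ie\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 1) {
                $intranet += ($key.Name -replace '^.*\\Domains\\', '') + " [$scheme]"
            }
        }
    }
    $report['IE Local intranet entries'] = @($intranet | Where-Object { $_ -like "*$DomainSuffix*" }) -join '; '
    $report['IE proxy-bypass sites in intranet'] = Get-RegValue "$ie\ZoneMap" 'ProxyBypass'  # 1 = checkbox checked
    $report['IE Integrated Windows Auth']        = Get-RegValue $ie 'EnableNegotiate'         # 1 = enabled
    $logon = Get-RegValue "$ie\Zones\1" '1A00'   # 0x20000 = "Automatic logon only in Intranet zone"
    $logonText = if ($logon -ne $null) { '0x{0:X}' -f $logon } else { $null }
    $report['IE intranet zone logon (1A00)'] = $logonText

    # Quickr Connector: the EnableSSO registry string from Step 6 b) (1 = enable)
    $report['Connector EnableSSO'] = Get-RegValue 'HKLM:\SOFTWARE\IBM\Lotus Quickr\Desktop Integration\Settings' 'EnableSSO'

    return $report
}

$result = Get-ClientSsoReport
foreach ($k in ($result.Keys | Sort-Object)) {
    $v = if ($result[$k] -eq $null -or "$($result[$k])" -eq '') { '<not set>' } else { $result[$k] }
    Write-Host ('{0,-36} {1}' -f $k, $v)
}
```

Every row should show a value on a working client: the Firefox URI list containing the server or domain, at least one Local intranet entry for the domain, ProxyBypass and EnableNegotiate set to 1, the intranet logon value 0x20000, and Connector EnableSSO set to 1. A `<not set>` row points at the step to repeat.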
Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
SPNEGO SSO Deployment in Lotus Quickr 8.5 Services for Lotus Domino
Troubleshooting Windows single sign-on for Web clients (SPNEGO)