Dec 14, 2016, 11:02 PM
36 Posts

IMSMO - how to force login via AD

  • Category: Mail
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: IMSMO
  • Replies: 5

We have IMSMO running v2.0.1.0 server and 2.0.1.1 client with Outlook 2010. It seems that Outlook is using the native Domino directory and the HTTP password for login credentials.

We'd like to force the IMSMO server / client to use AD for the credentials in Outlook (we have set up DA to access our AD server). This is because we have Symantec Enterprise Vault archiving, and the links in emails to retrieve the archived content require authentication. We wanted to use SAML for this; however, it doesn't work, as we suspect the credentials passed to ADFS from the Domino EV server contain the Domino HTTP password, not the AD password, and therefore it fails. Users get presented with a login dialogue box to ADFS. SAML is correctly configured on the server.

So, is there a way to force the Domino server to ignore the Domino Directory and only use the directory listed in DA? I suspect not but it never hurts to ask. 


Dec 15, 2016, 8:24 AM
105 Posts
Should work

I've not tried it with IMSMO yet but I have used AD to authenticate Traveler devices.


First, get DA configured to use AD (which you've done; this is for others): http://www-01.ibm.com/support/docview.wss?uid=swg21293255. Choose an AD attribute to contain the Domino CN and populate it.

Second, fill in the person document fields LTPA user name (this is the AD CN) and Active Directory (Kerberos) logon name (this is in LogonName@DOMAIN.NAME format).

Third, create Web SSO config doc and enable Windows single sign-on integration and enable Map names in LTPA tokens.

Fourth, add the SSO config to your website doc and set the session authentication to Multiple Servers (SSO).


Dec 15, 2016, 5:23 PM
36 Posts
Looks like it's not supported

IMSMO uses the email address as the username, which in our case is already in AD; it's also the attribute used by SAML / ADFS.

I did a test by removing my person doc from the directory on the IMSMO server, thereby forcing it to look to DA for login. Login in Outlook failed.

The IBM Mail Sync error dialogue box says "Configuration error. An unsupported authentication method was detected on your server".

So I'd say it won't work. Anyone from IBM lurking? 


Dec 22, 2016, 12:28 AM
36 Posts
Blanking out the password didn't work

I should have said I also tried blanking out the HTTP password at the same time as I tried removing my person doc, as I'd read that document. Didn't work.

Dec 22, 2016, 6:17 PM
36 Posts
Issue with EV resolved using SAML

So enabling SAML on all the mail servers has meant that when a user clicks on the link to an archived email in Outlook, it now opens a browser and displays the email along with the normal operation buttons like reply, forward etc. Problem solved.