May 13, 2016, 11:35 AM
6 Posts

Notes Shared Logon

  • Category: Security
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: NSL,Vault,shared logon
  • Replies: 3

Hi,

We are in the process of implementing SSO for our Notes clients. Up until now we have used the Notes client logon service, which synchronizes the Notes password with the Windows password. This fails frequently when the new Windows password fails (not complex enough, etc.) or an admin has to reset the Windows password. Also, it appears that it will not be supported on Windows 10. We are now testing Notes Shared Logon. We have some questions:

1.  Are the private/secret keys copied regularly to the global vault?  

2.  If a user was to have his/her laptop destroyed (run-over, stolen, submerged, etc) will the ID in the vault be sufficient to allow the user to see all encrypted emails on a new laptop?

3.  Does re-certification work the same way as before - can an admin re-certify everyone without user interaction?

Thank you in advance for any reply:-) 

May 13, 2016, 12:04 PM
94 Posts
The Notes ID vault and Notes Shared Login were designed concurrently to work well together...
Assuming that the user is configured for and synchronizing successfully with a Notes ID vault:

1.  Are the private/secret keys copied regularly to the global vault?  Yes

2.  If a user was to have his/her laptop destroyed (run-over, stolen, submerged, etc) will the ID in the vault be sufficient to allow the user to see all encrypted emails on a new laptop?  Yes

3.  Does re-certification work the same way as before - can an admin re-certify everyone without user interaction?  Yes

See the Notes/Domino wiki for more details and helpful hints:

https://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Notes%20Shared%20Login
https://www-10.lotus.com/ldd/dominowiki.nsf/xpViewTags.xsp?categoryFilter=Notes%20ID%20Vault

May 13, 2016, 12:12 PM
122 Posts
Re: Notes Shared Logon
Hello John!

The documents below contain some key information that can help you:

> Notes Shared Login FAQ
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes_Shared_Login_FAQ

> Comparison between Notes Single Logon and Notes Shared Login
http://www-01.ibm.com/support/docview.wss?uid=swg21437726

> Using Notes Shared Login (NSL) to suppress password prompts
https://www.ibm.com/support/knowledgecenter/#!/SSKTMJ_9.0.1/admin/conf_usingnotessharedlogintosuppresspasswordprompts_c.dita

> ID vault and Notes shared login FAQ
https://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-and-notes-shared-login-faq

I hope it helps!

Best Regards!

Rodrigo San Vicente
IBM

Sep 9, 2016, 4:56 PM
196 Posts
Something to keep in mind regarding the ID vault

Even when a user is vaulted, it is possible that their current public key is not the same as the one stored in the Domino Directory. Since mail sent to Jane Doe/ACME is encrypted using the public key stored in the Domino Directory, Jane Doe will only be able to read an encrypted email if the public key contained in her Notes ID is the same as the public key stored for her in her Person Record. If you grep your server's console.log and find "Your public key does not match the one that is stored in the Address Book," then you won't be able to read encrypted mail.
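
The console.log check described in the last post, as an added example that is not part of the original thread and not IBM's code: it finds the quoted message case-insensitively and keeps the lines just before each hit so the entry can be correlated with nearby activity. The function names, the timestamp pattern and the sample log lines are assumptions constructed for illustration, not real Domino output.

```python
import re
from collections import deque

# Message text as quoted in the post above.
MISMATCH = "Your public key does not match the one that is stored in the Address Book"

# Assumed timestamp layout (MM/DD/YYYY HH:MM:SS with optional AM/PM);
# adjust to the date format your server actually writes.
TS = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}(?: [AP]M)?")


def find_key_mismatches(lines, context=2):
    """Return one dict per log line containing the mismatch message.

    Each dict holds the 1-based line number, the timestamp if one was
    recognised (else None), the matching text, and up to `context`
    preceding lines.
    """
    hits = []
    before = deque(maxlen=context)
    needle = MISMATCH.lower()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if needle in line.lower():
            m = TS.search(line)
            hits.append({
                "line": lineno,
                "timestamp": m.group(0) if m else None,
                "text": line,
                "context": list(before),
            })
        before.append(line)
    return hits


def scan_file(path, context=2):
    """Scan a console.log on disk; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_key_mismatches(fh, context)


# Constructed sample lines (hypothetical layout, for demonstration only).
SAMPLE_LOG = [
    "09/09/2016 04:55:58 PM  Opened session for Jane Doe/ACME",
    "09/09/2016 04:56:01 PM  Your public key does not match the one that is stored in the Address Book.",
    "09/09/2016 04:56:03 PM  Closed session for Jane Doe/ACME",
    "09/09/2016 05:10:40 PM  Router: no messages pending",
    "your PUBLIC key does not match the one that is stored in the address book",
]
```

Each hit is a candidate for comparing the public key in the user's Notes ID against the one in the Person Record, which is the mismatch the post describes.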