
Thursday, December 1, 2011

Streamlining passwords and achieving SSO for users on Windows platforms

This article provides in-depth configuration settings for leveraging Active Directory to authenticate users, so that Domino Internet passwords can be eliminated for users on the Windows platform. This configuration is useful for Web-only users as well as for users who also access Domino with Notes. These settings can be used in combination with the 8.5.1 Notes shared login feature, which eliminates the user's Notes password.

Single sign-on (SSO) can mean many things, but in general the goal is to reduce the number of password prompts that users must respond to. From an administrative standpoint, the goal also includes reducing the number of passwords users must remember, since fewer password problems result in fewer help desk calls and lower administrative cost. IBM Lotus Notes and Domino offer a variety of features that can be used together to reduce administration cost. Customers on Microsoft® Windows® platforms can take advantage of SSO features including Notes shared login and Windows single sign-on for Web clients. For users who are both Notes users and Domino Web users, you can achieve SSO and reduce administrative cost by eliminating both Notes passwords and Domino Internet passwords. For any authentication scenario that still requires password verification, you can rely on the Microsoft Windows Active Directory passwords already in place for all Windows users.



Eliminating Notes passwords vs. synchronizing passwords


When using Notes on Windows, the Notes shared login feature in release 8.5.1 allows users to start Notes without having to provide a Notes password. Users only need to log in to Windows using their Windows password. In this scenario, the important password for the user to remember and manage is the Windows password.

Many customers want their users to deal with the Windows password only, and historically may have deployed the old Notes 'single logon' feature, which synchronized the Windows password with the Notes password and optionally also with the Domino Internet password (if configured in the user's security policy). While it previously made sense to keep the three passwords (Windows, Notes, and Domino Internet) in sync, the 8.5.1 Notes shared login feature effectively eliminates the Notes password, so there is no longer a Notes password to keep synchronized with the Windows password. This is good news: you no longer need password synchronization, which is often an administrative headache.

If your goal is to streamline the number of passwords, we recommend the Notes shared login feature that eliminates Notes passwords. Additionally you can eliminate Domino Internet passwords, so that there is no further need to synchronize any password with Windows. You can set up Web users to be authenticated directly against the Windows password managed in Microsoft Active Directory, which is described below.

This article does not cover the Notes shared login configuration itself, or Notes ID vault which can conveniently be used in conjunction to manage id synchronization and id backup. If you are deploying Notes shared login to eliminate Notes passwords, see instructions here: Using Notes shared login to eliminate Notes password prompts at the IBM Lotus Notes and Domino Information Center.



Eliminating Domino Internet passwords


The Domino 8.5.1 release included Windows single sign-on for Web clients. This feature allows a Web user to access Domino resources without providing an Internet password. The underlying technology does not use the Windows password itself; it leverages the user's Windows operating system login credentials (Kerberos). The result is that a logged-in Windows user is not challenged for a password when browsing to Domino on the Web. Windows single sign-on for Web clients applies to Domino servers running on the Windows platform. Where Windows single sign-on is operational, the Domino Internet password is unused.

Independent of whether you deploy Windows single sign-on for Web clients (or any other Domino Multi-server session authentication SSO feature), it is important to note that passwords are still needed in some Web scenarios. The Windows single sign-on for Web clients feature eliminates the need for a Domino password only for intranet access. In order to leverage the user's Windows Kerberos credentials, the feature requires that the user's Windows machine can communicate directly with the Windows domain controller. Windows single sign-on therefore cannot be used in Internet scenarios (for example, a user logging in to Domino across a firewall), nor where a Domino server does not offer the feature, so in some scenarios a Web user must still supply a password. If you prefer that the user supply the Windows password rather than a Domino Internet password, you can set up Web users to be authenticated directly against the Windows password managed in Active Directory (see below).

This article does not cover all instructions to configure Web SSO for Domino, or the Windows single sign-on for Web clients feature. See instructions here in the Notes/Domino Information Center: Setting up Windows single sign-on for Web clients



Leveraging Active Directory to authenticate users


If you prefer a Web user to supply the Windows password rather than a Domino Internet password, you can set up Web users to be authenticated directly against the Windows password managed in Microsoft Active Directory. This configuration requires setting up Directory Assistance to Active Directory, as well as an appropriate supporting directory configuration.

The configuration ensures that the user's directory record is found in Active Directory, so that the Active Directory password can be used to authenticate the user. The configuration must also associate the user's Active Directory record with any corresponding Person document in the Domino Directory. The user is authenticated against the Active Directory password, but the association between Active Directory and the Domino Directory is what allows the user's name to be mapped to the Notes name that appears in Domino database ACLs (Access Control Lists). For authorization to succeed, the Domino server must recognize the user by the Notes name contained in the Domino ACL.

Usually the Domino server would be configured for Multi-server session authentication SSO, but SSO is not strictly required.

Follow the steps below to manage Web user authentication in Active Directory and eliminate Domino Internet passwords. This configuration requires you to add users' Notes distinguished names to Active Directory user accounts.

Step 1
The Domino server must be configured to use a directory assistance database. In the directory assistance database, create an LDAP directory assistance document to use to connect to the Active Directory server. The following table describes some of the most important fields to configure in the LDAP directory assistance document.
| Tab | Field | Value | Comment |
|---|---|---|---|
| Basics | Make this domain available to | Notes Clients and Internet Authentication/Authorization | Required. LDAP Clients is optional. |
| Basics | Group Authorization | Yes or No | Select Yes if you want to use Active Directory groups in database ACLs. |
| Naming Contexts (Rules) | Trusted for Credentials | Yes | -- |
| LDAP | Attribute to be used as Notes Distinguished Name | Attribute in Active Directory that stores users' Notes distinguished names | A directory administrator may need to extend the Active Directory schema to add an attribute for this name if no existing attribute already contains the Notes distinguished name. Alternatively it may be feasible to use the altSecurityIdentities attribute, if it is not already in use for another purpose. A directory synchronization tool such as IBM Tivoli Directory Integrator can be used to populate the attribute with the Notes names. The value stored in the attribute must adhere to valid distinguished name syntax: in Active Directory use LDAP comma (,) separators in the Notes names rather than the Notes forward slash (/) separators, for example `cn=Betty Zechman,ou=Marketing,o=Renovations` rather than `cn=Betty Zechman/ou=Marketing/o=Renovations`. This attribute links the Active Directory record to a Notes distinguished name for determining user access to Domino resources. |
| LDAP | Type of search filter to use | Active Directory | -- |

If Multi-server session authentication (SSO) is deployed for Web access to your Domino server, you will also need to consider the following item in the LDAP directory assistance document:

| Tab | Field | Value | Comment |
|---|---|---|---|
| Basics | Attribute to be used as name in an SSO token | $DN | Required only if there is an IBM SSO server authenticating users against Active Directory, so that users' LTPA tokens contain their Active Directory names. Requires "Map names in LTPA token" to be enabled in the Web SSO Configuration document. |

For use within the intranet, if Windows single sign-on for Web clients is being deployed as a Multi-server session authentication (SSO) option on your Domino Web server, the following items in the LDAP directory assistance document should also be configured:

| Tab | Field | Value | Comment |
|---|---|---|---|
| Basics - SSO configuration | Windows single sign-on for Web clients | Enabled | Enables efficient name lookups based on users' Active Directory logon (Kerberos) names. In combination with "Attribute to be used as Notes Distinguished Name", allows the user's Kerberos identity to be associated with the Domino name. |
| Basics - SSO configuration | Kerberos realm | Active Directory domain | Specify in upper case characters, for example, AD.ACME.COM. |


Step 2
If a user has a Person document in the Domino Directory, make the following edits to the Person document so that the user is authenticated for Internet access with the Active Directory password. Person documents are optional for Web users who are not Lotus Notes users.

| Tab | Field | Value | Comment |
|---|---|---|---|
| Basics | Internet Address | Value of the mail attribute in the user's Active Directory account | Used to link the Web user's Person document to the Active Directory user account. |
| Basics | Internet Password (HTTPPassword) | None | Remove the password so that the user's Active Directory password is used for Internet access that requires password verification. Once the password is removed, set directory access so that users cannot add a Domino Internet password themselves. Once the password is removed, Domino verifies user passwords in Active Directory whenever Windows single sign-on is not available. |
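The two linkage requirements above (Step 1's Notes distinguished name attribute in LDAP comma syntax, and Step 2's Internet Address matching the AD mail attribute with the HTTPPassword cleared) are easy to get subtly wrong when populating Active Directory with a sync tool. The following is an added example, not code from the original article or from any IBM product: it converts a canonical Notes name into RFC 4514 DN syntax (escaping a comma inside a component, which a naive slash-to-comma replacement would break) and audits a constructed AD account against a constructed Person document. The dict keys stand in for AD attributes and Person document fields; the default attribute name altSecurityIdentities is the option the article mentions, and the sample users are constructed.

```python
# Added example: Notes-name to LDAP-DN conversion plus a linkage audit for
# the Step 1 / Step 2 settings. Sample records below are constructed.

# Characters RFC 4514 requires escaping inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape specials, a leading '#', and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def notes_name_to_ldap_dn(notes_name: str) -> str:
    """Convert a canonical Notes name (CN=.../OU=.../O=...) to LDAP DN syntax.

    Notes separates components with '/', LDAP separates RDNs with ','.
    Attribute types are lower-cased to match the article's example. Values are
    escaped so that a comma inside a CN is not parsed as an RDN boundary.
    Abbreviated Notes names (no CN=/OU=/O= types) are rejected.
    """
    rdns = []
    for component in notes_name.split("/"):
        if "=" not in component:
            raise ValueError(f"component without attribute type: {component!r}")
        attr, val = component.split("=", 1)
        rdns.append(f"{attr.strip().lower()}={escape_rdn_value(val.strip())}")
    return ",".join(rdns)


def audit_linkage(ad_account: dict, person_doc: dict,
                  notes_dn_attr: str = "altSecurityIdentities") -> list:
    """Return a list of findings; an empty list means the pair satisfies Steps 1 and 2.

    ad_account: dict of AD attributes (mail, plus the configured Notes DN attribute).
    person_doc: dict of Domino Person fields (FullName, InternetAddress, HTTPPassword).
    """
    findings = []
    expected_dn = notes_name_to_ldap_dn(person_doc["FullName"])

    stored = ad_account.get(notes_dn_attr) or ""
    if not stored:
        findings.append(f"AD {notes_dn_attr} is empty: user cannot be mapped to a Notes name")
    elif "/" in stored:
        findings.append(f"AD {notes_dn_attr} uses Notes '/' separators; store {expected_dn!r}")
    elif stored.lower() != expected_dn.lower():
        findings.append(f"AD {notes_dn_attr} {stored!r} does not match Person FullName {expected_dn!r}")

    ad_mail = (ad_account.get("mail") or "").lower()
    if ad_mail != (person_doc.get("InternetAddress") or "").lower():
        findings.append("Person InternetAddress does not equal AD mail: the Step 2 link fails")

    if person_doc.get("HTTPPassword"):
        findings.append("Person still has an Internet password (HTTPPassword); clear it so AD verifies passwords")
    return findings


# Constructed sample records (not real accounts).
AD_OK = {"sAMAccountName": "bzechman", "mail": "bzechman@renovations.com",
         "altSecurityIdentities": "cn=Betty Zechman,ou=Marketing,o=Renovations"}
PERSON_OK = {"FullName": "CN=Betty Zechman/OU=Marketing/O=Renovations",
             "InternetAddress": "bzechman@renovations.com", "HTTPPassword": ""}

AD_BAD = {"sAMAccountName": "bzechman", "mail": "betty.zechman@renovations.com",
          "altSecurityIdentities": "cn=Betty Zechman/ou=Marketing/o=Renovations"}
PERSON_BAD = {"FullName": "CN=Betty Zechman/OU=Marketing/O=Renovations",
              "InternetAddress": "bzechman@renovations.com", "HTTPPassword": "(hash present)"}

if __name__ == "__main__":
    print(notes_name_to_ldap_dn("CN=Betty Zechman/OU=Marketing/O=Renovations"))
    for label, ad, person in (("ok", AD_OK, PERSON_OK), ("bad", AD_BAD, PERSON_BAD)):
        print(label, audit_linkage(ad, person) or "consistent")
```

Run the audit over an export of AD accounts and Person documents before removing Internet passwords: a user whose mail and InternetAddress differ, or whose attribute still carries slash separators, is a user who will be locked out once the HTTPPassword is gone.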


Step 3
If a user has a Domino Person document but you have removed the Domino Internet password, disable the following Internet password settings in users' effective Security Settings policy document:
| Tab | Field | Value | Comment |
|---|---|---|---|
| Password Management Basics | Allow Users to Change Internet Password over HTTP | No | The default behavior is Yes. If no Security Settings policy document is specified for users, create one in order to change the default behavior. |
| Password Management Basics | Update Internet Password When Notes client Password Changes | No | -- |
| Password Management Basics | Enforce Password Expiration | Disabled (or Notes Only) | The Notes Only setting is enforceable for Windows users only if you are not deploying Notes shared login, which eliminates Notes passwords. |


Step 4
Specify the following setting in the Server documents of participating Domino servers:
| Tab | Field | Value | Comment |
|---|---|---|---|
| Security - Internet Access | Internet authentication | Fewer name variations with higher security | -- |


Step 5
If Multi-server session authentication (SSO) is deployed for Web access, additional configuration is needed in the Domino Directory Web SSO Configuration document. If the SSO servers are authenticating users against Active Directory, specify the following setting in the Web SSO Configuration document:
| Tab | Field | Value | Comment |
|---|---|---|---|
| Basics - Token Configuration | Map names in LTPA tokens | Enabled | Used to map Active Directory distinguished names in SSO LTPA tokens to Notes distinguished names for determining user access to Domino resources. Also ensures that SSO functions at servers that authenticate the user against Active Directory. |
