AD and SSO
Bill Buchan - HADSL

Tuesday, 20 September 11

Who am I?

• Bill Buchan
• http://www.hadsl.com
• A developer - be gentle with me
• Been in Notes/Domino for too long
• SSO was used in a customer site

Who are you?

• Lotus Domino Administrators
• Working for/with companies with Active Directory
• You want to make the users’ lives easier
• No, really

So what is this about?

• Single Sign-on allows someone who is authenticated on one system to authenticate with another.
• We all deal with multiple authentication directories
• We talk about using AD authentication to connect to Lotus Domino web-based applications

How does it work?

• It relies on your browser sending some information on your current AD session to the server
    • This is based on Kerberos session information
    • The Web server then checks this against a Domain Controller

Authentication

• We’re using ‘Windows Integrated Authentication’ - used to be called NTLM (NT Lan Manager)
• A very good article is at: http://www.inter-weavers.com/0/robsblog.nsf/dx/DominoIISConfig.htm
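Added example, written for this page rather than taken from the slides: the two slides above describe the browser handing the web server its current AD session. On the wire that is the Authorization: Negotiate header, and its base64 token may be a SPNEGO wrapper that lists the mechanisms the client offers (Kerberos first, NTLM as the fallback), a bare Kerberos GSS-API token, or a raw NTLMSSP message with no Kerberos at all. The Python below decodes the token just far enough to say which it is, so that during testing you can confirm Kerberos is really in use rather than an NTLM fallback. The OIDs and DER framing are the standard ones from RFC 2743 and RFC 4178; the sample headers are constructed and carry no real ticket.

```python
"""Classify the token a browser sends in 'Authorization: Negotiate <base64>'.

Added example, not from the slides: the header carries a SPNEGO wrapper
(RFC 4178) listing the offered mechanisms, a bare Kerberos GSS-API token,
or a raw NTLMSSP message.
"""
import base64

# Mechanism OIDs in DER form (standard values; none of them appear on the slides).
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MSKRB5_OID = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIG = b"NTLMSSP\x00"
OID_NAMES = {SPNEGO_OID: "spnego", KRB5_OID: "kerberos", MSKRB5_OID: "ms-kerberos", NTLMSSP_OID: "ntlm"}


def _read_tlv(buf, pos=0):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits give the length-of-length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def _spnego_mechs(neg_token):
    """Mechanism names listed in a NegTokenInit, in the client's preference order."""
    node = neg_token
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF
        tag, node, _ = _read_tlv(node)
        if tag != expected:
            return []
    mechs, pos = [], 0
    while pos < len(node):
        tag, oid, pos = _read_tlv(node, pos)
        if tag == 0x06:
            mechs.append(OID_NAMES.get(bytes(oid), "oid:" + oid.hex()))
    return mechs


def classify_negotiate(header_value):
    """Describe the mechanism behind an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mech": "not-negotiate"}
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return {"mech": "invalid-base64"}
    if token.startswith(NTLMSSP_SIG):          # raw NTLM without any GSS-API framing
        msg_type = int.from_bytes(token[8:12], "little") if len(token) >= 12 else None
        return {"mech": "ntlm", "ntlm_message_type": msg_type}
    if not token or token[0] != 0x60:          # GSS-API InitialContextToken is [APPLICATION 0]
        return {"mech": "unknown"}
    try:
        _, body, _ = _read_tlv(token)
        tag, oid, rest = _read_tlv(body)
        if tag != 0x06:
            return {"mech": "malformed"}
        name = OID_NAMES.get(bytes(oid), "unknown-oid")
        if name != "spnego":
            return {"mech": name}
        return {"mech": "spnego", "offered": _spnego_mechs(body[rest:])}
    except ValueError:
        return {"mech": "malformed"}


def uses_kerberos(info):
    """True if Kerberos was sent, or SPNEGO with Kerberos as the first (preferred) mechanism."""
    if info["mech"] in ("kerberos", "ms-kerberos"):
        return True
    offered = info.get("offered") or []
    return info["mech"] == "spnego" and bool(offered) and offered[0] in ("kerberos", "ms-kerberos")


def _der(tag, value):
    """Encode one DER TLV; lengths up to 65535 are enough for these samples."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def build_spnego_init(mech_oids):
    """Constructed NegTokenInit offering mech_oids (framing only, no real ticket inside)."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list))
    return _der(0x60, _der(0x06, SPNEGO_OID) + _der(0xA0, neg_init))


# Constructed sample tokens; not captured from any real browser or server.
_SAMPLE_TOKENS = {
    "kerberos-first": build_spnego_init([MSKRB5_OID, KRB5_OID, NTLMSSP_OID]),
    "ntlm-only": build_spnego_init([NTLMSSP_OID]),
    "raw-ntlm": NTLMSSP_SIG + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2",
}
SAMPLE_HEADERS = {k: "Negotiate " + base64.b64encode(v).decode("ascii") for k, v in _SAMPLE_TOKENS.items()}
```

Feed it a header copied from the web server's request log or the browser's developer tools. Seeing `ntlm`, or `offered: ['ntlm']`, where you expected Kerberos usually points at the SPN problems the SPNEGO section's setspn step exists to prevent.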



So this means...

• The user has to be logged into an AD based environment
• Use a browser which supports this protocol
• Connects to a web server which supports this

Is this difficult?

• No, but it is time consuming.
• You should put aside some time and a test environment to make sure you understand how it works in your environment
• I’m a developer - and I got this to work

So how do we do this?

• There are two techniques to achieve SSO with Domino web applications:
    • Websphere plug-in
        • Older. Works right back to 6.x
    • SPNEGO
        • New in 8.5.x.

So which one is best?

• I can’t tell you - I don’t know what’s best for your environment.
• What I shall do is talk through the installation, security and operation of each
• You can then decide which fits best

Websphere Plug In

• It’s old
• The best instructions for installation are at Warren Elsmore’s site:
    http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf

How does this work?

• We set up MS IIS as a ‘front-end’ for Domino hosted information
• IIS can then consume the Kerberos information, check against a domain controller, and if successful, pass this to Domino
    • Kerberos: http://en.wikipedia.org/wiki/Kerberos_(protocol)

How does this work 2

• The Domino server then relies on all information coming from the IIS server as being authenticated
• The user’s AD login name is passed to the Domino server
• We insert the user’s AD name in a ‘Person’ document

How does this work 3

• And as if by magic, the user is then associated with Domino
• The Domino session sees the user using their Domino name.

Person document

• In this example, I have AD login name: HADSL\BuchanB
• Once IIS has done its magic, Domino sees me as CN=Bill Buchan/O=HADSL

Spot the Security Hole?

• The two accounts are linked in the Person document
• If you go down this route, MAKE SURE your Domino Directory is secure!

Installation

• I wanted to re-write Warren’s document here.
• But there is no need. Just follow it:
    http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf
• And: Keep an old 7.0.x kit around to get the plug-ins from....
• Or download from: http://www-01.ibm.com/support/docview.wss?uid=swg27009661

WAS Plugin v7

• It requires an additional registry key:
• But does contain a 64-bit version too

Demo

• Let’s quickly run through the installation....

Test

• We shall test this by
    • Amending an existing Person document in the Domino Directory
        • We shall add this person’s AD login name to the person field
    • Using IE to connect to Domino

Demo!

• So what does this look like?

Pros and Cons

• It’s a bitch to set up
• It’s very old. Is it supported?
• It works on old Notes versions

• IIS is used as a front-end.
• You can use IIS to manage SSL.
• You can run IIS on another server if your Domino is non-Windows

SPNEGO

• Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
• It’s supported on 8.5.1 and above
• It requires your AD Administrator to make a change to the directory
• At least one Domino server has to be on Windows

1. Install

• Ensure that your web servers are running multi-site SSO with an SSO Key
    • Enable ‘Windows Single Sign-on’ on the SSO document
    • In each Internet site document, select this SSO document

Install (2)

Install (3)

• Your Domino Server(s) must log into Active Directory using named accounts - not as Local Services
• Remember to update NSD too!

Install (4)

• We now add the Domino Server DNS Address(es) to Active Directory using the ‘setspn’ command
    • setspn -a HTTP/<dns> <username>

    C:\Program Files\Support Tools> setspn -a HTTP/linded1.linde-test.local DominoServer

    Registering ServicePrincipalNames for CN=Domino Server,CN=Users,DC=linde-test,DC=local
        HTTP/linded1.linde-test.local
    Updated object
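Added example, not from the slides: a consistency check for the SPN registration this slide creates. Kerberos only works when exactly one AD account holds HTTP/<host> for the name the browser actually asks for, and browsers build that name from what the user typed, so both the FQDN and the short host name are checked. The registration table is constructed for the example (modelled on the slide's host linded1.linde-test.local and account DominoServer); in practice you would fill it from `setspn -Q` / `setspn -X` output or an LDAP query for servicePrincipalName. setspn's -Q and -X switches are real; everything else here is the example's own code.

```python
"""Sanity-check the HTTP/<dns> SPN that the setspn step on this slide registers.

Added example, not from the slides. Kerberos only works when exactly one AD
account holds the SPN for the host name the browser uses; a missing or
duplicated SPN makes the browser fall back to NTLM or fail outright.
"""


def expected_spns(dns_name):
    """SPNs a browser may ask for: the FQDN and, if different, the short host name."""
    dns_name = dns_name.lower().rstrip(".")
    short = dns_name.split(".")[0]
    spns = [f"HTTP/{dns_name}"]
    if short != dns_name:
        spns.append(f"HTTP/{short}")
    return spns


def check_spn_registration(dns_name, service_account, registrations):
    """Return (kind, spn, detail) findings for one Domino web host.

    registrations maps an AD account name to the SPNs it holds, as collected
    from 'setspn -Q' / 'setspn -X' output or an LDAP query for
    servicePrincipalName. Comparison is case-insensitive, as in AD.
    """
    holders = {}                                    # spn (lower-cased) -> accounts holding it
    for account, spns in registrations.items():
        for spn in spns:
            holders.setdefault(spn.lower(), []).append(account)
    findings = []
    for spn in expected_spns(dns_name):
        owners = holders.get(spn.lower(), [])
        if not owners:
            findings.append(("missing", spn, f"register it: setspn -a {spn} {service_account}"))
        elif len(owners) > 1:
            findings.append(("duplicate", spn, "held by " + ", ".join(sorted(owners))
                             + "; Kerberos authentication fails for an ambiguous SPN"))
        elif owners[0].lower() != service_account.lower():
            findings.append(("wrong-account", spn,
                             f"held by {owners[0]}, but Domino HTTP runs as {service_account}"))
    return findings


# Constructed sample modelled on the slide's host and service account; a stale
# registration of the short name on an old account is the planted defect.
SAMPLE_REGISTRATIONS = {
    "DominoServer": ["HTTP/linded1.linde-test.local"],
    "svc-old-domino": ["HTTP/linded1"],
}

if __name__ == "__main__":
    for kind, spn, detail in check_spn_registration("linded1.linde-test.local", "DominoServer",
                                                     SAMPLE_REGISTRATIONS):
        print(f"[{kind}] {spn}: {detail}")
```

A `wrong-account` finding is the case the previous slide warns about: the SPN must sit on the named account the Domino service logs in as, not on whatever account an earlier attempt left it on.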


2. Configure AD Users

• Users must be saved with ‘Store password using reversible encryption’
• Note the user login name

3. Configure Person Documents

• Add the user’s AD login name to the FULLNAME field in Domino. This links the Domino user and the AD user accounts
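Added example, not from the slides, covering this step and the earlier "Spot the Security Hole?" slide: with both the IIS plug-in and SPNEGO, the web server hands Domino an AD login name and Domino resolves it through whichever Person document carries that value in FullName. Anyone who can edit Person documents can therefore bind any AD login to any Domino identity, so the mapping itself needs auditing. The Python below models the lookup and flags two things a reviewer wants to see: one AD login bound to several Domino users, and an AD login bound to a privileged Domino identity. The Person documents and the privileged-name set are constructed for the example (real ones come from names.nsf), and the resolution is a simplified model of Domino's lookup, not its actual implementation.

```python
"""Audit the AD-login to Domino-name link that slides 28 and 41 describe.

Added example, not from the slides. Domino resolves the AD login it receives
through the Person document whose FullName field contains that value, so the
FullName aliases are the trust boundary. The documents below are constructed;
the resolution is a simplified model of the lookup.
"""
from collections import defaultdict

# Constructed Person documents; FullName holds the hierarchical name first,
# then aliases, including the DOMAIN\login added for SSO.
PERSON_DOCS = [
    {"FullName": ["CN=Bill Buchan/O=HADSL", "Bill Buchan", r"HADSL\BuchanB"]},
    {"FullName": ["CN=Jane Doe/O=HADSL", r"HADSL\DoeJ"]},
    {"FullName": ["CN=Help Desk/O=HADSL", r"HADSL\DoeJ"]},   # same AD login bound twice
    {"FullName": ["CN=Temp User/O=HADSL", "tempuser"]},      # no AD login at all
]
# Constructed; in practice take this from the Server document's administrator fields.
PRIVILEGED = frozenset({"CN=Help Desk/O=HADSL"})


def ad_logins(doc):
    """FullName aliases in DOMAIN\\login form, i.e. the values SSO will match on."""
    return [v for v in doc["FullName"] if "\\" in v and not v.startswith("CN=")]


def resolve(ad_login, docs):
    """Simplified model of the lookup: every document whose FullName holds ad_login."""
    needle = ad_login.lower()
    return [d["FullName"][0] for d in docs if any(v.lower() == needle for v in d["FullName"])]


def audit_person_docs(docs, privileged=frozenset()):
    """Findings: 'ambiguous' (one AD login, several Domino users) and
    'privileged-link' (an AD login that resolves to a privileged Domino identity)."""
    by_login = defaultdict(list)
    for doc in docs:
        for login in ad_logins(doc):
            by_login[login.lower()].append(doc["FullName"][0])
    findings = []
    for login, names in sorted(by_login.items()):
        if len(names) > 1:
            findings.append(("ambiguous", login, names))
        for name in names:
            if name in privileged:
                findings.append(("privileged-link", login, [name]))
    return findings


if __name__ == "__main__":
    for kind, login, names in audit_person_docs(PERSON_DOCS, PRIVILEGED):
        print(f"[{kind}] {login} -> {', '.join(names)}")
```

An `ambiguous` finding means the web server's assertion no longer identifies one person; a `privileged-link` finding means the AD account's security now gates a Domino administrator, which is worth knowing before the AD team applies step 2's ‘Store password using reversible encryption’ setting to it, since that setting leaves the AD password recoverable by anyone with sufficient directory rights.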




4. Test

• We shall test this by opening a mailbox

SPNEGO Resources

• Wiki: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Deploying_SPNEGO
• SetSPN Technote: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

Pros and Cons

• It’s easy-ish to set up
• It’s very new and supported
• IIS is NOT used as a front-end

• Change to AD
• Uses Username login to services - other things may break

But - what if I hate IE

• Join the club. IE has to be the worst browser experience ever
• But guess what - we don’t get to choose
• IE has NTLM authentication built in.
• But you can switch it on in Firefox...

Enable Kerberos in Firefox

Conclusion

• Neither approach is ‘easy’
• Neither approach is ‘nice’
• Both approaches can be used
• Which approach fits you best?
