HCL Notes and Domino wiki: Domino security: How to configure the Windows single sign-on (SSO) in existing Domino environment with SPNEGO technologies (Tutorial)

How to configure the Windows single sign-on (SSO) in existing Domino environment with SPNEGO technologies (Tutorial)

Added by ~Lorraine Eknibergings | Edited by ~Mario Xanniverikle on November 26, 2012 | Version 15

Actions ▼

Abstract

Abstract

A few simple steps to get single sign-on between Windows and Domino

Tags: SPNEGO, Kerberos, NTLM, SSO, Windows

From release 8.5.1 is available with Windows Integrated Authentication via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism)
This configuration allows users to connect to Web applications without having to enter their credentials, may at this point to ensure the safety and identification of the user.
The authentication process takes place without passing credentials in the network, prevents this to ensure that even if sniffing the network, there is nothing to "sniff".
The following diagram illustrates the authentication process.

Operational Diagram

The steps necessary to configure are few and simple, in a few minutes we can enable SSO between Windows and Domino.
if I run the configuration described by using the "Internet Sites", by defining a virtual host environment, specific to the SSO.
Aim to have two separate domains of SSO, so as not to adversely affect existing configurations.
Domains

In the example, the "domain" net2action admits the SSO with Windows, but not the domain shamrock
to do this you need to create their documents WebSSO Configuration.

LTPAWin

LTPANoWin

Create your Domino SSO key or importing the WebSphere LTPA Key
WebSSO

Now you must create an AD user to use to start the Domino server and to map the host of the SSO.
In the AD server with the Support Tools installed to run the command
SETSPN-a HTTP /
use the FQDN that users will use to reach the web server.

In our case
SETSPN-to HTTP/mail.net2action.com DomioStart
them with the command-SETSPN verify the correctness of the configuration, if needed, you can configure multiple-FQDN

SPN

you must now add the FullName field of your user id documet person Windows format

  <user>@<domain>

in our case p.rossi@SHAMEROCK.COM
Person Document

of course it is not difficult to create an agent that provides the mapping, but is more functional to use an assembly line of IBM Directory Integrator,

so that this configuration is dynamic and driven by changes in AD.

The configuration is complete. To verify it is sufficient to connect to a PC in the domain, open a browser and call our domino server, in the example:

Demos

There are some flags that help us in the Notes.ini configuration testing, let's see:

CONSOLE_LOG_ENABLED=1 ---> Enables logging of all console output \ \ \ \ IBM_Technical_Support \ \ console.log
Debug_SSO_Trace_Level=2 --->allows debugging of the SSO token - after a reboot of the HTTP ("restart task http")

DEBUG_HTTP_SERVER_SPNEGO=5 ---> allows debugging of SPNEGO tokens - after a reboot of the HTTP ("restart task http")

Webauth_verbose_trace=1 ---> Enable debugging for the authentication web-resolution mapping of names and DA to external LDAP - with immediate effect
Debug_outfile=c:\tmp\Spnegonotes.log --->enables the SPNEGO trace in a file

Supported browsers are:
IE 6,7,8
FF 4.5
Chrome not so explicit, but working quite, with UltraLite configuration, for mail only

Chrome

A Sample of trace of the connection is as follows:

12:13:54 AM NOTES.INI contains the following *DEBUG* parameters:

08/25/2011 12:13:54 AM DEBUG_HTTP_SERVER_SPNEGO=5

08/25/2011 12:13:54 AM DEBUG_OUTFILE=c:\tmp\Spnegonotes.log

08/25/2011 12:13:54 AM DEBUG_SSO_TRACE_LEVEL=2

08/25/2011 12:13:54 AM Warning: Debug parameters could impact operation or performance.

08/25/2011 12:13:55 AM Contact your appropriate support vendor.

08/25/2011 12:13:55 AM The Console file is c:\tmp\Spnegonotes.log

08/25/2011 12:13:55 AM Console Logging is ENABLED

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine AcquireCredentialsHandleW

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Security token format received is SPNEGO NegTokenInit

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine AcceptSecurityContext

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> SSPI security attributes received 0x803, but requested 0x20014

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> User p.rossi@SHAMROCK.COM authenticated by Kerberos service HTTP/mail.net2action.com@SHAMROCK.COM

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Authenticated user is p.rossi@SHAMROCK.COM via MSIE 6.0.

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> *** Getting Single Sign-On Config Data (SECGetSSOConfigData) ***

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> OrgName specified [net2action].

08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> ConfigName specified [LtpaTokenWin].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Retrieved global static cache memory for config [net2action:LtpaTokenWin].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> *** Generating Single Sign-On Token List and retrieving token info (SECTokenListGenerateAndGetTokenInfo) ***

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> OrgName specified [net2action].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> ConfigName specified [LtpaTokenWin].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Retrieved global static cache memory for config [net2action:LtpaTokenWin].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Setting token domain parameter [.net2action.com]

> 08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Creation time not specified, using current time [08/25/2011 12:18:54 AM].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Expiration time not specified, using current time plus config expiration [08/25/2011 12:48:54 AM].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Setting token name parameter [LtpaToken]

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Encoding Domino style Single Sign-On token.

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Creation Ticks = 4E5578CE [08/25/2011 12:18:54 AM].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Expiration Ticks = 4E557FD6 [08/25/2011 12:48:54 AM].

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Username = CN=Paolo Rossi/O=shamerock/C=IT

08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Dumping memory of constructed token [71 bytes].

00000000: 0100 0302 4534 3535 3837 4543 4534 3535 '....4E5578CE4E55'

00000010: 4637 3644 4E43 503D 6F61 6F6C 5220 736F '7FD6CN=Paolo Ros'

00000020: 6973 4F2F 733D 6168 656D 6F72 6B63 432F 'si/O=shamerock/C'

00000030: 493D D954 8711 C966 72D9 BCDF F471 1E56 '=ITY..fIYr_

00000040: C4F7 88E4 EB05 69 'wDd..ki'

good luck.....

can you contact me at

a.fontana@net2action.com

Actions ▼

Attachments (9)

Edit the article to add or modify attachments.

File Type	Size	File Name	Created On
image/jpeg	113 KB	schema01.jpg	8/31/11, 9:17 AM
image/jpeg	14 KB	domain.jpg	8/31/11, 9:17 AM
image/jpeg	43 KB	ltpawin.jpg	8/31/11, 9:17 AM
image/jpeg	45 KB	ltpanowin.jpg	8/31/11, 9:17 AM
image/jpeg	14 KB	sso.jpg	8/31/11, 9:17 AM
image/jpeg	12 KB	spn.jpg	8/31/11, 9:17 AM
image/jpeg	25 KB	rossi.jpg	8/31/11, 9:17 AM
image/jpeg	154 KB	togo.jpg	8/31/11, 9:17 AM
image/jpeg	12 KB	chrome.jpg	8/31/11, 9:17 AM