How to configure the Windows single sign-on (SSO) in existing Domino environment with SPNEGO technologies (Tutorial)
Added by ~Lorraine Eknibergings | Edited by ~Mario Xanniverikle on November 26, 2012 | Version 15

Abstract: A few simple steps to get single sign-on between Windows and Domino
Tags: SPNEGO, Kerberos, NTLM, SSO, Windows

Starting with release 8.5.1, Domino supports Windows Integrated Authentication via SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).
This configuration allows users to connect to Web applications without having to enter their credentials, while still guaranteeing the identification of the user.
The authentication process takes place without passing credentials over the network, so even if someone were sniffing the network there would be nothing to "sniff".
The following diagram illustrates the authentication process.

(Figure: Operational Diagram)
The steps necessary to configure it are few and simple; in a few minutes we can enable SSO between Windows and Domino.
I run the configuration described here using "Internet Sites", defining a virtual host specific to the SSO.
The aim is to have two separate SSO domains, so as not to adversely affect existing configurations.

(Figure: Domains)

In the example, the "domain" net2action allows SSO with Windows, but the domain shamrock does not.
To do this you need to create a Web SSO Configuration document for each of them.
 
(Figure: LTPAWin)

(Figure: LTPANoWin)

Create your Domino SSO key or import the WebSphere LTPA key.

(Figure: WebSSO)

Now you must create an AD user that will be used to start the Domino server and to map the host name of the SSO.
On the AD server with the Support Tools installed, run the command

setspn -a HTTP/<fqdn> <account>

using the FQDN that users will use to reach the web server.

In our case:

setspn -a HTTP/mail.net2action.com DomioStart

Then verify the correctness of the configuration with the setspn command (setspn -L DomioStart lists the SPNs registered for the account); if needed, you can register multiple FQDNs.

(Figure: SPN)


You must now add to the FullName field of the user's Person document the user name in Windows format:

<user>@<domain>

in our case p.rossi@SHAMEROCK.COM

(Figure: Person Document)

Of course it is not difficult to create an agent that provides this mapping, but it is more practical to use an IBM Directory Integrator assembly line, so that this configuration is dynamic and driven by changes in AD.

The configuration is complete. To verify it, it is sufficient to log on to a PC in the domain, open a browser and call our Domino server; in the example:

(Figure: Demos)

There are some Notes.ini flags that help us when testing the configuration; let's see them:

CONSOLE_LOG_ENABLED=1 ---> enables logging of all console output to IBM_Technical_Support\console.log under the Domino data directory
Debug_SSO_Trace_Level=2 ---> enables debugging of the SSO token (takes effect after restarting the HTTP task: "restart task http")
DEBUG_HTTP_SERVER_SPNEGO=5 ---> enables debugging of SPNEGO tokens (takes effect after restarting the HTTP task: "restart task http")
Webauth_verbose_trace=1 ---> enables debugging of web authentication, name resolution/mapping and Directory Assistance (DA) lookups to external LDAP (takes effect immediately)
Debug_outfile=c:\tmp\Spnegonotes.log ---> writes the SPNEGO trace to a file

Supported browsers are:
IE 6, 7, 8
FF 4.5
Chrome: not explicitly supported, but works reasonably well with the Ultralight configuration, for mail only

(Figure: Chrome)


 
A sample trace of the connection is as follows:

12:13:54 AM NOTES.INI contains the following *DEBUG* parameters:
08/25/2011 12:13:54 AM DEBUG_HTTP_SERVER_SPNEGO=5
08/25/2011 12:13:54 AM DEBUG_OUTFILE=c:\tmp\Spnegonotes.log
08/25/2011 12:13:54 AM DEBUG_SSO_TRACE_LEVEL=2
08/25/2011 12:13:54 AM Warning: Debug parameters could impact operation or performance.
08/25/2011 12:13:55 AM Contact your appropriate support vendor.
08/25/2011 12:13:55 AM The Console file is c:\tmp\Spnegonotes.log
08/25/2011 12:13:55 AM Console Logging is ENABLED
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine AcquireCredentialsHandleW
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Security token format received is SPNEGO NegTokenInit
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine AcceptSecurityContext
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> SSPI security attributes received 0x803, but requested 0x20014
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> User p.rossi@SHAMROCK.COM authenticated by Kerberos service HTTP/mail.net2action.com@SHAMROCK.COM
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Success calling native routine QueryContextAttributesW
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SPNEGO> Authenticated user is p.rossi@SHAMROCK.COM via MSIE 6.0.
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> *** Getting Single Sign-On Config Data (SECGetSSOConfigData) ***
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> OrgName specified [net2action].
08/25/2011 12:18:54.00 AM [06A8:000B-0F3C] SSO API> ConfigName specified [LtpaTokenWin].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Retrieved global static cache memory for config [net2action:LtpaTokenWin].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> *** Generating Single Sign-On Token List and retrieving token info (SECTokenListGenerateAndGetTokenInfo) ***
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> OrgName specified [net2action].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> ConfigName specified [LtpaTokenWin].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Retrieved global static cache memory for config [net2action:LtpaTokenWin].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Setting token domain parameter [.net2action.com]
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Creation time not specified, using current time [08/25/2011 12:18:54 AM].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Expiration time not specified, using current time plus config expiration [08/25/2011 12:48:54 AM].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Setting token name parameter [LtpaToken]
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Encoding Domino style Single Sign-On token.
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Creation Ticks = 4E5578CE [08/25/2011 12:18:54 AM].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Expiration Ticks = 4E557FD6 [08/25/2011 12:48:54 AM].
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> -Username = CN=Paolo Rossi/O=shamerock/C=IT
08/25/2011 12:18:54.01 AM [06A8:000B-0F3C] SSO API> Dumping memory of constructed token [71 bytes].
00000000: 0100 0302 4534 3535 3837 4543 4534 3535 '....4E5578CE4E55'
00000010: 4637 3644 4E43 503D 6F61 6F6C 5220 736F '7FD6CN=Paolo Ros'
00000020: 6973 4F2F 733D 6168 656D 6F72 6B63 432F 'si/O=shamerock/C'
00000030: 493D D954 8711 C966 72D9 BCDF F471 1E56 '=ITY..fIYr_
00000040: C4F7 88E4 EB05 69 'wDd..ki'
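The trace above dumps the Domino-style LtpaToken that the server constructs once SPNEGO has authenticated the user. As an added example (not part of the original article or of Domino's own code), the following Python rebuilds the 71 raw bytes from that hex dump (whose 4-digit groups are 16-bit little-endian words, so the bytes inside each group are swapped relative to the ASCII column) and splits them into header, creation and expiration ticks, Domino user name and digest; it also includes a constructed signer/verifier that assumes the commonly documented layout of this token, a SHA-1 over the token data followed by the shared LTPA secret, which the trace itself does not show.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hex dump copied from the SSO API trace on this page (71-byte token).
DUMP_LINES = [
    "00000000: 0100 0302 4534 3535 3837 4543 4534 3535",
    "00000010: 4637 3644 4E43 503D 6F61 6F6C 5220 736F",
    "00000020: 6973 4F2F 733D 6168 656D 6F72 6B63 432F",
    "00000030: 493D D954 8711 C966 72D9 BCDF F471 1E56",
    "00000040: C4F7 88E4 EB05 69",
]

HEADER = b"\x00\x01\x02\x03"   # version marker of the Domino-style LtpaToken
DIGEST_LEN = 20                # SHA-1 digest length

def bytes_from_dump(lines):
    """Rebuild raw token bytes; each 4-digit group is a little-endian word."""
    out = bytearray()
    for line in lines:
        for group in line.split(":", 1)[1].split():
            if len(group) == 4:      # low byte is printed second
                out += bytes([int(group[2:], 16), int(group[:2], 16)])
            else:                    # odd trailing byte
                out.append(int(group, 16))
    return bytes(out)

def parse_token(raw):
    """Split a raw (not yet base64) LtpaToken: header|created|expires|user|digest."""
    if raw[:4] != HEADER or len(raw) < 4 + 16 + DIGEST_LEN:
        raise ValueError("not a Domino-style LtpaToken")
    return {
        "created": int(raw[4:12].decode("ascii"), 16),    # Unix time, hex ASCII
        "expires": int(raw[12:20].decode("ascii"), 16),
        "username": raw[20:-DIGEST_LEN].decode("latin-1"),
        "digest": raw[-DIGEST_LEN:],
    }

def make_token(username, created, lifetime_s, secret):
    """Constructed signer (assumed layout): data || SHA1(data || secret)."""
    data = HEADER + b"%08X%08X" % (created, created + lifetime_s) + username.encode()
    return data + hashlib.sha1(data + secret).digest()

def verify_token(raw, secret, now):
    """True only if the digest matches the secret and the token is unexpired."""
    t = parse_token(raw)
    expected = hashlib.sha1(raw[:-DIGEST_LEN] + secret).digest()
    return hmac.compare_digest(expected, t["digest"]) and t["created"] <= now < t["expires"]

if __name__ == "__main__":
    t = parse_token(bytes_from_dump(DUMP_LINES))
    print(t["username"], datetime.fromtimestamp(t["created"], timezone.utc),
          "lifetime", t["expires"] - t["created"], "s")
```

Run against the page's dump it yields the same creation ticks (4E5578CE) and 30-minute lifetime the trace reports, showing that only the digest (keyed by the Web SSO Configuration's secret) protects the user name and expiry from tampering.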

Good luck.

You can contact me at a.fontana@net2action.com
