You can set up an IBM Lotus Domino Web server to honor Microsoft Windows users' Active Directory logon credentials.
Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a username or password.

The Domino Web server uses Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the underlying Kerberos network authentication security that is provided by Active Directory to negotiate the authentication with a browser client.

Requirements

  • Microsoft Windows Server Active Directory Domain Controller.
     
  • The functional level of an Active Directory domain (or forest in the case of multiple domains) must be set to Windows Server 2003 or higher.
     
  • Domino server running on a Windows computer that is a member of an Active Directory domain.
     
  • Domino server configured for multi-server session-based authentication (single sign-on).
     
  • Browsers that are supported by Domino running on Windows clients that are logged on to the Active Directory domain and that have network access to the Active Directory server.
     
  • Web users with accounts in Active Directory.

To set up Windows single sign-on for Web clients, perform the following steps:

  1. Prepare the Domino server for Windows single sign-on for Web clients
  2. Set up the Windows service for Domino
  3. Configure user name mapping
  4. Configure Web client browsers

 

Prepare the Domino server for Windows single sign-on for Web clients

Perform the following steps to prepare an IBM Lotus Domino server for Windows single sign-on for Web clients.

  1. Run the HTTP task on the Domino server.
     
  2. If you have not done so already, set up the Domino server to use multi-server session-based authentication (single sign-on).

    The Idle Session Timeout option available for a Domino-only Web SSO configuration, which prompts users to log in again after HTTP sessions are idle for a specified period, does not apply in an environment that uses Windows single sign-on.
     
  3. Enable the Windows single sign-on integration (if available) field in the Web SSO Configuration document that you administer.

    If your SSO configuration is done through Web Sites, edit the Web SSO Configuration document located in the Configuration - Web - Internet Sites view of the Domino Directory.

    If your SSO configuration is done through Server documents, edit the Web SSO Configuration document located in the Configuration - Web - Web Configurations view of the Domino Directory.

 

Set up the Windows service for Domino

To enable an IBM Lotus Domino server to participate in Windows single sign-on for Web clients, an Active Directory administrator must use the Windows setspn utility to assign at least one service principal name (SPN) for the server to an Active Directory account. SPNs correspond to the DNS names in server URLs (for example, www.d-pit.local) that Web clients use to connect to the Domino server.

An SPN is a required part of the Domino server's identity in the Active Directory domain. The service name that appears in a Kerberos service ticket is formatted as follows:

HTTP/<DNS_name>@<Active_Directory_Kerberos_realm>

For example: HTTP/www.d-pit.local@AD.D-PIT.COM

The realm suffix is added by Kerberos from the domain of the account that holds the SPN; the value you register with setspn is only the part before the @, for example setspn -S HTTP/www.d-pit.local AD\svc-domino (the account name here is illustrative). The HTTP service class covers both http:// and https:// URLs, and the DNS name must match the host name in the URL exactly, so an alias such as www.d-pit.local and the machine's own host name need separate SPNs.


When you assign an SPN, you are telling the Windows Kerberos Key Distribution Center (KDC) that Kerberos service tickets can be issued to Domino. On behalf of the Web user, a Web browser client can then send a Kerberos service ticket to Domino which is used to authenticate the Web user.

You must assign an SPN for each DNS name found in a URL used to connect to a Domino server. The following steps demonstrate how an SPN is used during the process of authenticating a Web user in a Windows single sign-on environment:

  1. A Web user enters a URL in a browser to connect to a Domino server participating in Windows single sign-on.

For example: http://www.d-pit.local/names.nsf
     
  2. The Web browser extracts the DNS name contained in the URL and constructs an SPN from it.

    For example: HTTP/www.d-pit.local@AD.D-PIT.COM

    The DNS name is www.d-pit.local
    The Active Directory domain that the Domino server machine belongs to is AD.D-PIT.COM
     
  3. The Web browser requests a service ticket for the SPN from Active Directory.
     
  4. The Web browser receives the service ticket and sends it to the Domino server.
     
  5. The Domino server accepts the service ticket, validates it with the key of the account that holds the SPN (the account its Windows service logs on as), and authenticates the user.

Steps to set up the Windows service for Domino server

  1. Decide which Active Directory account to assign the SPNs to. Use a dedicated domain account for the Domino service rather than a shared or highly privileged one, because whoever holds that account's key can decrypt every service ticket issued for the server.
     
  2. Assign the SPNs to the account. Optionally use the domspnego.cmd utility provided with Domino to help with this step. Each SPN may exist on only one account in the forest; a duplicate breaks Kerberos for that name, and on Windows Server 2008 and later setspn -S refuses to add one.
     
  3. Verify that the Domino server Windows service is logged on under the account.
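The three steps above, carried out with the ActiveDirectory PowerShell module instead of domspnego.cmd, as an added example that is not part of the original page or of Domino itself. The service account name svc-domino, the NetBIOS domain AD, the second DNS name domino01.ad.d-pit.com and the service display name prefix "Lotus Domino Server" are assumptions; www.d-pit.local and the realm AD.D-PIT.COM come from the page. Run it on a domain-joined machine with RSAT, as an account allowed to write servicePrincipalName.

```powershell
# Added example (not from the original page or from the Domino product):
# register the Domino HTTP SPNs on the service account and verify that the
# Domino Windows service logs on as that same account.
# Assumed values, adjust to your site:
#   - SPN holder account:        AD\svc-domino          (assumed)
#   - DNS names used in URLs:    www.d-pit.local (from the page),
#                                domino01.ad.d-pit.com (assumed)
#   - Domino service display name begins with "Lotus Domino Server" (assumed)

Import-Module ActiveDirectory

$account  = 'svc-domino'
$netbios  = 'AD'
$dnsNames = @('www.d-pit.local', 'domino01.ad.d-pit.com')

$acct = Get-ADUser -Identity $account -Properties servicePrincipalName

foreach ($dns in $dnsNames) {
    # AD stores "HTTP/host"; the @REALM suffix seen in the ticket is added by
    # Kerberos from the account's domain and is not registered here.
    $spn = "HTTP/$dns"

    # An SPN must live on exactly one account. With a duplicate the KDC cannot
    # choose a key, so the browser silently falls back to NTLM or the server
    # fails the ticket with KRB_AP_ERR_MODIFIED.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others  = @($holders | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName })
    if ($others.Count -gt 0) {
        throw "Duplicate SPN $spn already on: $($others.DistinguishedName -join ', '). Remove it there (setspn -D) before continuing."
    }

    if ($acct.servicePrincipalName -contains $spn) {
        Write-Host "$spn already registered on $account"
    } else {
        Set-ADUser -Identity $account -ServicePrincipalNames @{ Add = $spn }
        Write-Host "Registered $spn on $account"
    }
}

# Step 3: the Domino Windows service must log on as the SPN holder. Only that
# account has the long-term key the KDC used to encrypt the service ticket, so
# a service running as LocalSystem or another user cannot validate it.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'Lotus Domino Server*' }
if (-not $svc) { throw 'Domino Windows service not found on this host' }

$expected = "$netbios\$account"
foreach ($s in $svc) {
    if ($s.StartName -ieq $expected) {
        Write-Host "OK: '$($s.DisplayName)' logs on as $($s.StartName)"
    } else {
        Write-Warning "'$($s.DisplayName)' logs on as '$($s.StartName)', expected '$expected'. Change it on the service's Log On tab and restart the service."
    }
}
```

To confirm the client side, run klist get HTTP/www.d-pit.local on a domain-joined workstation: a successful reply lists a ticket whose server is HTTP/www.d-pit.local @ AD.D-PIT.COM, while KDC_ERR_S_PRINCIPAL_UNKNOWN means no account holds an SPN for that exact DNS name. After changing SPNs, run klist purge on the client so that a cached ticket issued under the old registration is not reused.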

 

Configure user name mapping

Configure Web client browsers
