0307. Use SPNEGO for Domino and AD single sign-on

Source: Internet
Author: User
Article directory
    • 3.1 Create a service account in AD
    • 3.2 Generate SPNs
    • 3.3 Add parameters for the Domino servers involved in single sign-on
    • 3.4 Modify the Domino service settings
    • 3.5 Configure Domino single sign-on
    • 3.6 Map AD accounts in the Domino Directory
1. Application background

Domino 8.5.1 (or later) supports SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) single sign-on. With SPNEGO, a user only needs to log on to the Windows domain on the client; the browser can then access Domino server resources directly without being asked for a user name and password again. This article describes how to configure SPNEGO single sign-on in Domino.

SPNEGO is used to negotiate which security mechanism the two sides will use. Because Windows supports several authentication mechanisms, it also uses SPNEGO to negotiate the mechanism between client and server. It is commonly used in Microsoft HTTP authentication and covers both NTLM (NT LAN Manager) and Kerberos, both of which are used in Active Directory. For more information about SPNEGO, see: http://en.wikipedia.org/wiki/SPNEGO

Note:

    • This document does not cover SSO in general, nor the detailed procedure for configuring Domino SSO; it focuses only on how to enable SPNEGO in Domino.
    • This document applies only to single sign-on between Domino and AD; it does not cover unified account management or synchronization, and it does not apply to WebSphere/Domino hybrid environments that use AD for single sign-on.
2. Environment requirements
    • A Microsoft Windows Active Directory domain controller is required to provide the Kerberos Key Distribution Center (KDC) service and the LDAP service.
    • The domain controller must run Windows Server 2003 or later. If you use a Windows Server 2003 domain controller, you cannot use backward-compatibility mode.

Note: a Windows Server 2003 domain controller cannot be set to Windows 2000 mixed mode.

    • The Domino 8.5.1 (or later) server runs on a Windows machine that has been joined to the Active Directory domain.
    • The Domino 8.5.1 (or later) server is configured with the "multi-server" Single Sign-On authentication mechanism (multi-server SSO).
    • You need a Windows client that has been joined to the Active Directory domain. This machine runs a browser supported by Domino.
    • Web users have accounts on the Active Directory domain controller.
    • The AD domain name is known; for example, the AD domain name is acme.com and the NetBIOS name is Acme.
3. Specific configuration

3.1 Create a service account in AD

Create an account in AD to run the Domino service, for example sys_domino.

3.2 Generate SPNs for the Lotus Domino server

The Active Directory administrator must use the setspn tool to assign a service principal name (SPN) to the Domino server; the SPN corresponds to the DNS name of the Domino server (for example, domino.acme.com). Install the Windows Server 2003 Support Tools on the Windows Server 2003 Active Directory server; they are provided on the Windows Server 2003 installation CD and include the setspn tool. On the Windows Server 2003 Active Directory server, the command has the following format:

setspn -a HTTP/<hostname> <account_name>

Note: hostname is the Domino host name; account_name is the account that runs the Domino service.

Run the following command at the command prompt:

setspn -a HTTP/domino.acme.com sys_domino

The output shows that HTTP/domino.acme.com has been created successfully:

Registering ServicePrincipalNames for CN=Domino,CN=Computers,DC=Acme,DC=com
        HTTP/oa.acme.com
Updated object

In addition, make sure that the KDC (Kerberos Key Distribution Center) service is running on the Active Directory server. If SPNs need to be assigned to multiple Domino servers, run the setspn command again for each of them.
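Before going further it is worth checking what setspn actually registered, because the two most common SPN mistakes both make Kerberos fail silently: the same SPN registered on more than one account, or the HTTP/<fqdn> SPN registered on an account other than the one the Domino service runs as. In either case the Domino server cannot validate the service ticket it receives (or the client gets no ticket at all), and the browser falls back to NTLM or prompts for credentials. The following script is an added example, not part of the original article or of any IBM or Microsoft tool: it parses the output of setspn -L for several accounts (the sample output is constructed here for the acme.com domain of this article) and reports those two conditions.

```python
"""Check SPN registrations before enabling SPNEGO (added example).

Parses concatenated ``setspn -L <account>`` output for several accounts and
reports (a) an SPN registered on more than one account and (b) the
HTTP/<fqdn> SPN registered on an account other than the Domino service account.
"""
import re
from collections import defaultdict

# Constructed sample: output of "setspn -L" for three objects in acme.com.
# Real output has the same shape: one header line per object followed by one
# indented SPN per line. Here HTTP/domino.acme.com is deliberately registered
# on both the service account and the computer object.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=sys_domino,CN=Users,DC=acme,DC=com:
        HTTP/domino.acme.com
        HTTP/domino
Registered ServicePrincipalNames for CN=DOMINO,CN=Computers,DC=acme,DC=com:
        HOST/domino.acme.com
        HOST/DOMINO
        HTTP/domino.acme.com
Registered ServicePrincipalNames for CN=sys_old,CN=Users,DC=acme,DC=com:
        HTTP/mail.acme.com
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+?):?$")


def parse_setspn_output(text):
    """Return {distinguished_name: [spn, ...]} from setspn -L output."""
    registrations = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group("dn")
            continue
        spn = line.strip()
        if current and spn:
            registrations[current].append(spn)
    return dict(registrations)


def account_from_dn(dn):
    """'CN=sys_domino,CN=Users,DC=acme,DC=com' -> 'sys_domino'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def check_spns(registrations, service_account, domino_fqdn):
    """Return a list of findings; an empty list means the SPN setup is clean."""
    expected = f"HTTP/{domino_fqdn}"
    owners = defaultdict(list)  # SPN (case-folded, SPNs are case-insensitive) -> accounts
    for dn, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].append(account_from_dn(dn))

    findings = []
    for spn, accounts in sorted(owners.items()):
        if len(accounts) > 1:
            findings.append(f"duplicate SPN {spn} on accounts: {', '.join(accounts)}")

    expected_owners = owners.get(expected.lower(), [])
    if not expected_owners:
        findings.append(f"{expected} is not registered on any account")
    elif service_account.lower() not in (a.lower() for a in expected_owners):
        findings.append(
            f"{expected} is registered on {', '.join(expected_owners)} "
            f"but the Domino service runs as {service_account}")
    return findings


if __name__ == "__main__":
    regs = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    for finding in check_spns(regs, "sys_domino", "domino.acme.com"):
        print("WARN:", finding)
```

To use it against a real domain, paste the output of setspn -L for the service account, the Domino computer object and any account that previously ran Domino into SAMPLE_SETSPN_OUTPUT (or read it from a file); on the constructed sample the script warns about the duplicate HTTP/domino.acme.com registration, which is exactly the state to clean up with setspn -d on the object that should not hold it.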

3.3 Add parameters to notes.ini

Add the following parameter to the notes.ini file of each Domino server that takes part in single sign-on:

WIDE_SEARCH_FOR_KERBEROS_NAMES=1

You can also apply the change to all servers at once through the server configuration document.

3.4 Modify the Domino service settings

Open Windows 2008 Server Manager -> Configuration -> Services, and modify the Lotus Domino Diagnostics and Lotus Domino Server services so that both log on with the domain account created in 3.1 to run the Domino service (for example, sys_domino).

3.5 Configure Domino single sign-on

Use Domino Administrator to create a Web SSO configuration document on the Lotus Domino server. The Web SSO configuration document is a domain-wide configuration document stored in the Domino Directory. The document is encrypted for the participating servers and administrators, contains the shared key that the servers use to verify user credentials, and should be replicated to all servers that take part in the single sign-on domain. In Domino Administrator, select the Configuration tab. In the navigation pane, select All Server Documents, then choose Create Web SSO Configuration from the Web... drop-down menu. Complete the remaining fields of the document.

In the Web SSO Configuration document, click Keys and select Create Domino SSO Key, then save the document. In Domino Administrator, select the Configuration tab. In the navigation pane, select All Server Documents, open the Domino server document, select the Internet Protocols tab and then the Domino Web Engine tab. Under Session authentication select Multi-server, and select LtpaToken as the Web SSO configuration; then save the Domino server document. If there are multiple Domino servers, repeat this for each server document and replicate names.nsf to every Domino server. After the settings are complete, restart the Domino server.

3.6 Map AD accounts in the Domino Directory

In names.nsf, open the Person document and, on the Administration tab, associate the Domino user with the AD account. The account name has the following format:

<AD account name>@<AD domain name>

where the AD account name is written in lowercase and the AD domain name in uppercase, for example: squallzhong@ACME.COM

Save the Person document after modifying it.

4. Client settings

After the preceding settings, the server is integrated with AD. If the client (Windows XP or Windows 7) has been joined to the domain, enable Windows Integrated Authentication in the Internet Explorer settings.

No user name or password is then required to access the Domino web service; the system automatically sends the domain account information to the Domino web service for verification. If you did not log on with a domain account, a domain account logon box appears when you access the Domino web service; enter the domain account, for example squallzhong@ACME.COM, to complete the logon.

If you use Mozilla Firefox, open the browser, enter about:config in the address bar, enter network.n in the filter bar, double-click network.negotiate-auth.trusted-uris, enter the URL of the mail server (for example http://mail.acme.com), click OK, and restart the browser.

Note: this method currently does not support Google Chrome.
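Whether the negotiation described in section 1 actually ended in Kerberos, or the browser quietly fell back to NTLM, can be read from the Authorization: Negotiate header the browser sends (visible in the browser's developer tools or a network trace). The decoder below is an added example, not from the original article or from IBM: it parses the SPNEGO NegTokenInit and lists the mechanisms the client offered, preferred first, and distinguishes that from a raw NTLM message or a raw Kerberos token. The tokens it decodes are constructed inside the script; the OIDs are the standard ones for SPNEGO, Kerberos and NTLMSSP.

```python
"""Decode a client's "Authorization: Negotiate <base64>" header (added example).

Reports whether the token is a SPNEGO NegTokenInit (and which mechanisms it
lists, preferred first), a raw Kerberos GSS token, or a raw NTLM message.
All tokens used here are constructed in this file, not captured.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NegoEx",
}


def der(tag, body):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(raw):
    """DER OID content octets -> dotted string."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def build_neg_token_init(mech_oids):
    """GSS-API InitialContextToken carrying a SPNEGO NegTokenInit whose mechTypes
    list is mech_oids (first entry = the mechanism the client prefers). The
    optional mechToken field is omitted; the decoder does not need it."""
    mech_list = der(0x30, b"".join(encode_oid(o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_list))  # NegTokenInit ::= SEQUENCE { [0] mechTypes }
    return der(0x60, encode_oid(SPNEGO_OID) + der(0xA0, neg_init))


def negotiate_header(mech_oids):
    """Constructed header value as a browser would send it for these mechanisms."""
    return "Negotiate " + base64.b64encode(build_neg_token_init(mech_oids)).decode()


def classify_negotiate(header_value):
    """Classify an Authorization header value -> {'kind': ..., 'mechs': [...]}."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return {"kind": "not-negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM message, no SPNEGO wrapper at all
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"]}
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        return {"kind": "unknown", "mechs": []}
    tag, oid_raw, pos = read_tlv(body, 0)
    oid = decode_oid(oid_raw) if tag == 0x06 else ""
    if oid in MECH_NAMES:  # e.g. a bare Kerberos AP-REQ in a GSS-API wrapper
        return {"kind": "raw-gss", "mechs": [MECH_NAMES[oid]]}
    if oid != SPNEGO_OID:
        return {"kind": "unknown", "mechs": []}
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:  # [1] NegTokenResp is a continuation, not the client's initial offer
        return {"kind": "spnego-resp", "mechs": []}
    _, seq, _ = read_tlv(neg, 0)
    mechs, pos = [], 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:  # [0] mechTypes: SEQUENCE OF OID, in the client's order of preference
            _, lst, _ = read_tlv(val, 0)
            p = 0
            while p < len(lst):
                _, oid_raw, p = read_tlv(lst, p)
                o = decode_oid(oid_raw)
                mechs.append(MECH_NAMES.get(o, o))
    return {"kind": "spnego-init", "mechs": mechs}


if __name__ == "__main__":
    # A domain-joined client holding a ticket normally lists Kerberos first:
    good = negotiate_header(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
    # A client that obtained no ticket (missing SPN, site not trusted) offers only NTLM:
    fallback = negotiate_header(["1.3.6.1.4.1.311.2.2.10"])
    for label, hdr in (("good", good), ("fallback", fallback)):
        print(label, classify_negotiate(hdr))
```

Paste a captured header value into classify_negotiate to diagnose a real client. If the mechanism list begins with NTLMSSP, or the header is a raw NTLM message, the browser never obtained a Kerberos ticket; with the setup described in this article the usual causes are a missing or duplicated HTTP/<fqdn> SPN, a client that is not logged on to the domain, or the Domino URL not being in the browser's trusted list (the Intranet zone in Internet Explorer, network.negotiate-auth.trusted-uris in Firefox).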

5. Related links
    • http://www-10.lotus.com/ldd/dominowiki.nsf/dx/How_to_configure_the_Windows_single_sign-on_(SSO)_for_web_clients_(SPNEGO)_in_an_existing_domino_environment_(Tutorial)
    • http://www.ibm.com/developerworks/cn/lotus/quickr-domino85-sso/index.html
    • http://www-900.ibm.com/cn/support/faqhtmlfaq/1847660C24000.htm
