Admin camp 2011-domino-sso-with-ad

Presentation on Lotus Domino and Active Directory SSO techniques


AD and SSO
Bill Buchan - HADSL
Tuesday, 20 September 11

Who am I?
• Bill Buchan
• http://www.hadsl.com
• A developer - be gentle with me
• Been in Notes/Domino for too long
• SSO was used in a customer site

Who are you?
• Lotus Domino Administrators
• Working for/with companies with Active Directory
• You want to make the users' lives easier
• No, really

So what is this about?
• Single sign-on allows someone who is already authenticated on one system to authenticate to another without signing in again.
• We all deal with multiple authentication directories.
• This session is about using Active Directory authentication to reach Lotus Domino web-based applications.

How does it work?
• It relies on your browser sending the web server a token derived from your current AD session, rather than your password.
• That token is Kerberos session information: a service ticket the browser obtained for the web server's name.
• The web server then validates it. A Kerberos ticket is checked with the key of the service account the server runs as; only an NTLM response has to be passed through to a domain controller.

Authentication
• We're using 'Integrated Windows Authentication'. It is still widely called NTLM (NT LAN Manager), but NTLM is only the older of the two methods it covers: the Negotiate scheme prefers Kerberos and falls back to NTLM when the browser cannot get a ticket for the server.
• A very good article is at: http://www.inter-weavers.com/0/robsblog.nsf/dx/DominoIISConfig.htm

So this means...
• The user has to be logged into an AD-based environment
• Using a browser which supports this protocol
• Connecting to a web server which supports it

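The browser side of what the last three slides describe, as an added example that is not part of the original presentation. It builds a SPNEGO negTokenInit the way a Kerberos-capable browser does, base64-encodes it into an Authorization: Negotiate header, and then decodes such a header to report whether the client actually led with Kerberos or only offered NTLM. The token layouts and OIDs are the real ones from RFC 4178 (SPNEGO), RFC 4121 (Kerberos GSS tokens) and MS-SPNG; the sample headers are constructed, and the Kerberos AP-REQ body inside them is an empty placeholder rather than a ticket, so the decoder is what you would point at a real capture, not the samples.

```python
import base64

# Real OIDs from RFC 4178 (SPNEGO), RFC 4121 (Kerberos) and MS-SPNG (MS Kerberos, NTLMSSP).
OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos V5", OID_MS_KRB5: "MS Kerberos V5", OID_NTLMSSP: "NTLMSSP"}

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid_encode(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:            # base-128, high bit set on every octet but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def oid_decode(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):
    """(tag, contents, position after the element) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def build_neg_token_init(mech_oids, mech_token):
    """GSS-API InitialContextToken wrapping a SPNEGO negTokenInit: a browser's first Negotiate token."""
    mech_types = der(0x30, b"".join(oid_encode(m) for m in mech_oids))
    fields = der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token))   # [0] mechTypes, [2] mechToken
    return der(0x60, oid_encode(OID_SPNEGO) + der(0xA0, der(0x30, fields)))

def inspect_negotiate(header_value):
    """Decode an 'Authorization: Negotiate <base64>' value and report which mechanism the client led with."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):           # bare NTLM without any SPNEGO wrapper
        return {"wrapper": "raw-ntlm", "mechs": ["NTLMSSP"], "chosen": "NTLMSSP",
                "kerberos": False, "ntlm_offered": True}
    tag, body, _ = read_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid_decode(oid) != OID_SPNEGO:
        raise ValueError("token is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:                                 # 0xA1 would be a negTokenResp
        raise ValueError("expected negTokenInit")
    _, fields, _ = read_tlv(neg)
    mechs, mech_token, pos = [], b"", 0
    while pos < len(fields):
        tag, field, pos = read_tlv(fields, pos)
        if tag == 0xA0:                             # mechTypes: SEQUENCE OF OID, preferred first
            _, oid_list, _ = read_tlv(field)
            p = 0
            while p < len(oid_list):
                _, oid, p = read_tlv(oid_list, p)
                mechs.append(oid_decode(oid))
        elif tag == 0xA2:                           # mechToken: OCTET STRING for the first mech
            _, mech_token, _ = read_tlv(field)
    chosen = mechs[0] if mechs else None
    is_krb = chosen in (OID_KRB5, OID_MS_KRB5) and mech_token[:1] == b"\x60"
    return {"wrapper": "spnego", "mechs": [MECH_NAMES.get(m, m) for m in mechs],
            "chosen": MECH_NAMES.get(chosen, chosen), "kerberos": is_krb,
            "ntlm_offered": OID_NTLMSSP in mechs}

# Constructed sample headers, not real captures: the AP-REQ body is an empty placeholder
# where a real token would carry the encrypted service ticket.
def sample_kerberos_header():
    ap_req = der(0x6E, der(0x30, b""))                                   # APPLICATION 14 = AP-REQ
    krb_token = der(0x60, oid_encode(OID_KRB5) + b"\x01\x00" + ap_req)   # 0x0100 = KRB_AP_REQ
    token = build_neg_token_init([OID_KRB5, OID_NTLMSSP], krb_token)
    return "Negotiate " + base64.b64encode(token).decode()

def sample_ntlm_fallback_header():
    ntlm_type1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2" + bytes(16)
    return "Negotiate " + base64.b64encode(build_neg_token_init([OID_NTLMSSP], ntlm_type1)).decode()

def sample_raw_ntlm_header():
    return "Negotiate " + base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(20)).decode()

if __name__ == "__main__":
    for header in (sample_kerberos_header(), sample_ntlm_fallback_header(), sample_raw_ntlm_header()):
        print(inspect_negotiate(header))
```

Pointing inspect_negotiate at the Authorization header of a failing login (from the browser's developer tools or a proxy) tells you in one line whether the browser ever got a ticket for the server's name. A token that only offers NTLMSSP, or a raw NTLM token, means the client side is the problem (no SPN, a duplicate SPN, a host name the browser does not trust, or no domain logon), not the Domino SSO configuration.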
Is this difficult?
• No, but it is time consuming.
• You should put aside some time and a test environment to make sure you understand how it works in your environment.
• I'm a developer - and I got this to work.

So how do we do this?
• There are two techniques to achieve SSO with Domino web applications:
• WebSphere plug-in
  • Older. Works right back to 6.x
• SPNEGO
  • New in 8.5.x

So which one is best?
• I can't tell you - I don't know what's best for your environment.
• What I shall do is talk through the installation, security and operation of each.
• You can then decide which fits best.

WebSphere Plug-In
• It's old
• The best instructions for installation are at Warren Elsmore's site:
• http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf

How does this work?
• We set up MS IIS as a 'front-end' for Domino-hosted information.
• IIS consumes the Kerberos (or NTLM) credentials sent by the browser, validates them against the domain, and if successful passes the resulting identity on to Domino.
• Kerberos: http://en.wikipedia.org/wiki/Kerberos_(protocol)

How does this work 2
• The Domino server then trusts that everything arriving from the IIS server has already been authenticated.
• The user's AD login name is passed to the Domino server.
• We insert the user's AD name in a 'Person' document.

How does this work 3
• And as if by magic, the user is then associated with their Domino identity.
• The Domino session sees the user under their Domino name.

Person document
• In this example, I have AD login name: HADSL\BuchanB
• Once IIS has done its magic, Domino sees me as CN=Bill Buchan/O=HADSL

Spot the Security Hole?
• The two accounts are linked by nothing more than an entry in the Person document.
• Anyone who can edit Person documents in the Domino Directory can add their own AD login name to somebody else's document, an administrator's say, and from then on sign in to Domino as that user without knowing a single Domino credential.
• If you go down this route, MAKE SURE your Domino Directory is secure: restrict who can edit Person documents, and review changes to them.
• And since Domino accepts whatever identity IIS asserts as already authenticated, Domino's own HTTP listener must be reachable only from the IIS front end; a client that can talk to Domino directly bypasses the IIS authentication entirely.

Installation
• I wanted to re-write Warren's document here.
• But there is no need. Just follow it:
• http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf
• And: keep an old 7.0.x kit around to get the plug-ins from....
• Or download from: http://www-01.ibm.com/support/docview.wss?uid=swg27009661

WAS Plugin v7
• It requires an additional registry key
• But it does contain a 64-bit version too

Demo
• Let's quickly run through the installation....

Test
• We shall test this by:
• Amending an existing Person document in the Domino Directory
• Adding this person's AD login name to the Person document
• Using IE to connect to Domino

Demo!
• So what does this look like?

Pros and Cons
Cons:
• It's a bitch to set up
• It's very old. Is it supported?
• IIS is used as a front-end: one more tier to run and secure
Pros:
• You can use IIS to manage SSL
• It works on old Domino versions
• You can run IIS on another server if your Domino is non-Windows

SPNEGO
• Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
• It's supported on Domino 8.5.1 and above
• It requires your AD administrator to make a change to the directory (registering the Domino server's service principal name)
• At least one Domino server has to be on Windows

1. Install
• Ensure that your web servers are running multi-site SSO with an SSO key
• Enable 'Windows single sign-on' on the SSO document
• In each Internet Site document, select this SSO document

Install (2)

Install (3)
• Your Domino server(s) must log into Active Directory using named accounts - not as Local Service
• Remember to update NSD too!

Install (4)
• We now add the Domino server DNS address(es) to Active Directory using setspn:
• setspn -a HTTP/<dns> <username>

  C:\Program Files\Support Tools> setspn -a HTTP/linded1.linde-test.local DominoServer
  Registering ServicePrincipalNames for CN=Domino Server,CN=Users,DC=linde-test,DC=local
          HTTP/linded1.linde-test.local
  Updated object

• <username> is the account from Install (3) that the Domino service logs on as, and <dns> is the host name users type into the browser. An SPN must be unique in the forest: if the same HTTP/<dns> is already registered on another account, Kerberos fails without any visible error and the browser falls back to NTLM or prompts for a password. Check with setspn -L <username> afterwards (and, on Windows Server 2008 and later, setspn -Q HTTP/<dns> before you add it).

2. Configure AD Users
• Users must be saved with 'Store password using reversible encryption'
• Note the user login name
• A word of caution on that check box: it makes the password recoverable in clear text by anyone who can read the account's password data (a domain admin, or anyone holding directory replication rights), and Kerberos itself does not require it. Confirm in your test environment that the login really fails without it before you enable it; if you must, set it on the individual accounts rather than through domain policy, and have those users change their password afterwards, since the flag only takes effect on the next password set.

3. Configure Person Documents
• Add the user's AD login name to the FULLNAME field in Domino. This links the Domino user and the AD user accounts.
• This is exactly the same trust link as with the WebSphere plug-in: whoever can edit this field decides which Domino identity an AD login becomes, so the same warning about securing the Domino Directory applies here.

4. Test
• We shall test this by opening a mailbox

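An added example, not from the presentation or from IBM, of the two checks a practitioner would run after steps 1 to 4; it also covers the 'Spot the Security Hole?' slide, since the SPNEGO route reuses the same Person-document link. check_http_spns takes the SPN list per account as setspn -L prints it and reports missing and duplicated HTTP/<dns> names; audit_person_docs diffs two snapshots of the Person documents to find AD logins that map to more than one Domino user or that were added since the baseline. All account, host and person names are constructed test data (the host linded1.linde-test.local and the DominoServer account are the ones from the setspn slide); exporting Person documents into these dicts is left to you.

```python
import re

# DOMAIN\user or user@realm: the forms an AD login name takes in a Person document's FullName list.
AD_LOGIN = re.compile(r"^(?:[A-Za-z0-9_.-]+\\[^\\/@\s]+|[^@\\/\s]+@[^@\\/\s]+)$")


def check_http_spns(spn_map, service_account, dns_names):
    """spn_map: {AD account: [SPNs]} as 'setspn -L <account>' lists them for each account.
    Reports HTTP/<dns> SPNs missing from the Domino service account, and SPNs present on more
    than one account: with a duplicate SPN the KDC cannot tell whose key to use, Kerberos fails
    for that name, and browsers quietly fall back to NTLM (or prompt), so the SSO never fires."""
    owners = {}
    for account, spns in spn_map.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    wanted = ["HTTP/" + d for d in dns_names]
    missing = [s for s in wanted if service_account not in owners.get(s.lower(), set())]
    duplicates = {s: sorted(a) for s, a in owners.items() if len(a) > 1}
    return {"missing": missing, "duplicates": duplicates}


def ad_aliases(person):
    return [n for n in person.get("FullName", []) if AD_LOGIN.match(n)]


def audit_person_docs(now, baseline, privileged):
    """Compare two snapshots of the Domino Directory's Person documents, keyed by primary Domino name.
    Flags an AD login mapped to more than one Person document (ambiguous, and the classic way to
    hijack another user) and any AD login added since the baseline, rated HIGH for privileged users."""
    findings, owners = [], {}
    for name, doc in now.items():
        for alias in ad_aliases(doc):
            owners.setdefault(alias.lower(), []).append(name)
    for alias, names in owners.items():
        if len(names) > 1:
            findings.append(("DUPLICATE_AD_ALIAS", alias, sorted(names)))
    for name, doc in now.items():
        before = {a.lower() for a in ad_aliases(baseline.get(name, {}))}
        for alias in ad_aliases(doc):
            if alias.lower() not in before:
                kind = "NEW_AD_ALIAS_HIGH" if name in privileged else "NEW_AD_ALIAS_REVIEW"
                findings.append((kind, alias, [name]))
    return sorted(findings)


# Constructed test data, not from any real directory. The host and service account follow the
# setspn example on the slide; OldWebSvc is a stale account still holding the same SPN.
SPN_MAP = {
    "DominoServer": ["HTTP/linded1.linde-test.local"],
    "OldWebSvc": ["HTTP/linded1.linde-test.local", "HTTP/intranet.linde-test.local"],
    "LINDED1$": ["HOST/linded1.linde-test.local", "HOST/LINDED1"],
}
DNS_NAMES = ["linded1.linde-test.local", "mail.linde-test.local"]

BASELINE = {
    "CN=Bill Buchan/O=HADSL": {"FullName": ["CN=Bill Buchan/O=HADSL", "HADSL\\BuchanB"]},
    "CN=Alice Jones/O=HADSL": {"FullName": ["CN=Alice Jones/O=HADSL", "HADSL\\JonesA"]},
    "CN=Domino Admin/O=HADSL": {"FullName": ["CN=Domino Admin/O=HADSL"]},
}
# Since the baseline, someone with edit rights added Alice's AD login to the admin's document.
SNAPSHOT = {
    "CN=Bill Buchan/O=HADSL": {"FullName": ["CN=Bill Buchan/O=HADSL", "HADSL\\BuchanB"]},
    "CN=Alice Jones/O=HADSL": {"FullName": ["CN=Alice Jones/O=HADSL", "HADSL\\JonesA"]},
    "CN=Domino Admin/O=HADSL": {"FullName": ["CN=Domino Admin/O=HADSL", "HADSL\\JonesA"]},
}
PRIVILEGED = {"CN=Domino Admin/O=HADSL"}

if __name__ == "__main__":
    print(check_http_spns(SPN_MAP, "DominoServer", DNS_NAMES))
    for finding in audit_person_docs(SNAPSHOT, BASELINE, PRIVILEGED):
        print(*finding)
```

Run the Person-document audit on a schedule against yesterday's export and route any NEW_AD_ALIAS_HIGH or DUPLICATE_AD_ALIAS finding to whoever owns the Domino Directory; it is the compensating control for the fact that the AD-to-Domino mapping lives in a document that ordinary directory editors can change.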
SPNEGO Resources
• Wiki: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Deploying_SPNEGO
• setspn TechNet article: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

Pros and Cons
Pros:
• It's easy-ish to set up
• It's very new and supported
• IIS is NOT used as a front-end
Cons:
• Requires a change to AD
• The Domino service must log on as a named user account - other things may break

But - what if I hate IE
• Join the club. IE has to be the worst browser experience ever
• But guess what - we don't get to choose
• IE has Integrated Windows Authentication (Kerberos and NTLM) built in.
• But you can switch it on in Firefox...

Enable Kerberos in Firefox
• In about:config, add the Domino server's host name (or your domain suffix) to network.negotiate-auth.trusted-uris; Firefox only sends Negotiate (Kerberos) tokens to sites listed there. The matching setting for NTLM fallback is network.automatic-ntlm-auth.trusted-uris.

Conclusion
• Neither approach is 'easy'
• Neither approach is 'nice'
• Both approaches can be used
• Which approach fits you best?