Presentation on Lotus Domino and Active Directory SSO techniques
AD and SSO
Bill Buchan - HADSL
Tuesday, 20 September 11
Who am I?
• Bill Buchan
• http://www.hadsl.com
• A developer - be gentle with me
• Been in Notes/Domino for too long
• SSO was used in a customer site
Who are you?
• Lotus Domino Administrators
• Working for/with companies with Active Directory
• You want to make the users’ lives easier
• No, really
So what is this about?
• Single Sign-on allows someone who is authenticated on one system to authenticate with another.
• We all deal with multiple authentication directories
• We talk about using AD authentication to connect to Lotus Domino web-based applications
How does it work?
• It relies on your browser sending some information on your current AD session to the server
• This is based on Kerberos session information
• The Web server then checks this against a Domain Controller
Authentication
• We’re using ‘Windows Integrated Authentication’ - used to be called NTLM (NT LAN Manager)
• A very good article is at: http://www.inter-weavers.com/0/robsblog.nsf/dx/DominoIISConfig.htm
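Added example (Python, written for this page; it is not code from the presentation or from HADSL): a small classifier for the token a browser sends in the Authorization: Negotiate header. Under Integrated Windows Authentication the same header carries either a SPNEGO/Kerberos ticket or a legacy NTLM handshake, and the first bytes tell them apart. Run over captured header values, it shows whether SSO is really using Kerberos or quietly falling back to NTLM. The sample tokens and header values are constructed for the example; the OIDs and the NTLMSSP signature are the standard ones from the GSS-API and NTLM specifications.

```python
"""Tell Kerberos/SPNEGO tokens apart from NTLM in Authorization: Negotiate headers.

Added example, not part of the presentation. The "Negotiate" scheme of Integrated
Windows Authentication carries either a GSS-API token (SPNEGO wrapper or raw
Kerberos v5) or an NTLM message; knowing which one arrives is the quickest way to
confirm that SSO is running on Kerberos rather than falling back to NTLM.
"""
import base64

# DER-encoded object identifiers that open the two GSS-API token types.
OID_SPNEGO = bytes.fromhex("06062b0601050502")             # 1.3.6.1.5.5.2
OID_KERBEROS_V5 = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                         # every NTLM message starts so


def _skip_der_header(token: bytes) -> bytes:
    """Return the bytes after the outer [APPLICATION 0] tag (0x60) and its DER length."""
    if len(token) < 2 or token[0] != 0x60:
        return b""
    first = token[1]
    if first < 0x80:            # short-form length
        return token[2:]
    n = first & 0x7F            # long-form: n further length bytes follow
    return token[2 + n:]


def classify_negotiate_token(token: bytes) -> str:
    """Classify a decoded Negotiate token as 'ntlm', 'spnego', 'kerberos' or 'unknown'."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"
    body = _skip_der_header(token)
    if body.startswith(OID_SPNEGO):
        return "spnego"
    if body.startswith(OID_KERBEROS_V5):
        return "kerberos"
    return "unknown"


def classify_authorization_header(header_value: str) -> str:
    """Classify a full Authorization header value ('<scheme> <base64 token>')."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(b64, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return "malformed"
    return classify_negotiate_token(token)


# Constructed sample tokens (not captured from a real server): a minimal SPNEGO
# NegTokenInit wrapper, a minimal raw Kerberos wrapper and an NTLM Type 1 message.
SAMPLE_SPNEGO = b"\x60\x0c" + OID_SPNEGO + b"\xa0\x02\x30\x00"
SAMPLE_KERBEROS = b"\x60\x0d" + OID_KERBEROS_V5 + b"\x01\x00"
SAMPLE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24

# Constructed header values as a browser would send them.
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(SAMPLE_SPNEGO).decode("ascii"),
    "kerberos": "Negotiate " + base64.b64encode(SAMPLE_KERBEROS).decode("ascii"),
    "ntlm": "Negotiate " + base64.b64encode(SAMPLE_NTLM_TYPE1).decode("ascii"),
    "basic": "Basic dXNlcjpwYXNz",
    "garbage": "Negotiate !!!notbase64",
}


def summarize_headers(header_values) -> dict:
    """Count token kinds over an iterable of Authorization header values."""
    counts = {}
    for value in header_values:
        kind = classify_authorization_header(value)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS.items():
        print(f"{name:9s} -> {classify_authorization_header(value)}")
    print(summarize_headers(SAMPLE_HEADERS.values()))
```

A high share of "ntlm" results from clients that should be on Kerberos usually points at a missing or duplicate SPN, a server name not in the browser's intranet/trusted zone, or a client that is not domain-joined.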
So this means...
• The user has to be logged into an AD-based environment
• Use a browser which supports this protocol
• Connect to a web server which supports this
Is this difficult?
• No, but it is time consuming.
• You should put aside some time and a test environment to make sure you understand how it works in your environment
• I’m a developer - and I got this to work
So how do we do this?
• There are two techniques to achieve SSO with Domino web applications:
  • WebSphere plug-in
    • Older. Works right back to 6.x
  • SPNEGO
    • New in 8.5.x.
So which one is best?
• I can’t tell you - I don’t know what’s best for your environment.
• What I shall do is talk through the installation, security and operation of each
• You can then decide which fits best
Websphere Plug In
• It’s old
• The best instructions for installation are at Warren Elsmore’s site:
• http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf
How does this work?
• We set up MS IIS as a ‘front-end’ for Domino hosted information
• IIS can then consume the Kerberos information, check against a domain controller, and if successful, pass this to Domino
• Kerberos: http://en.wikipedia.org/wiki/Kerberos_(protocol)
How does this work? (2)
• The Domino server then relies on all information coming from the IIS server as being authenticated
• The user’s AD login name is passed to the Domino server
• We insert the user’s AD name in a ‘Person’ document
How does this work? (3)
• And as if by magic, the user is then associated with Domino
• The Domino session sees the user using their Domino name.
Person document
• In this example, I have AD login name: HADSL\BuchanB
• Once IIS has done its magic, Domino sees me as CN=Bill Buchan/O=HADSL
Spot the Security Hole?
• The two accounts are linked in the Person document
• Anyone who can edit a Person document can therefore map an AD login name to any Domino user
• If you go down this route, MAKE SURE your Domino Directory is secure!
Installation
• I wanted to re-write Warren’s document here.
• But there is no need. Just follow it:
• http://www.elsmore.net/warren/blog.nsf/Downloads/DominoIIS/$File/Configuring%20Domino%20with%20IIS.pdf
• And: keep an old 7.0.x kit around to get the plug-ins from....
• Or download from: http://www-01.ibm.com/support/docview.wss?uid=swg27009661
WAS Plugin v7
• It requires an additional registry key:
• But does contain a 64-bit version too
Demo
• Let’s quickly run through the installation....
Test
• We shall test this by:
  • Amending an existing Person document in the Domino Directory
  • Adding this person’s AD login name to the Person document’s FullName field
  • Using IE to connect to Domino
Demo!
• So what does this look like?
Pros and Cons
• It’s a bitch to set up
• It’s very old. Is it supported?
• It works on old Notes versions
• IIS is used as a front-end.
• You can use IIS to manage SSL.
• You can run IIS on another server if your Domino is non-Windows
SPNEGO
• Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)
• It’s supported on 8.5.1 and above
• It requires your AD Administrator to make a change to the directory
• At least one Domino server has to be on Windows
1. Install
• Ensure that your web servers are running multi-site SSO with an SSO Key
• Enable ‘Windows Single Sign-on’ on the SSO document
• In each Internet site document, select this SSO document
Install (2)
Install (3)
• Your Domino Server(s) must log into Active Directory using named accounts - not as Local Services
• Remember to update NSD too!
Install (4)
• We now add the Domino server DNS address(es) to Active Directory using the ‘setspn’ tool:
• setspn -a HTTP/<dns> <username>
C:\Program Files\Support Tools>setspn -a HTTP/linded1.linde-test.local DominoServer
Registering ServicePrincipalNames for CN=Domino Server,CN=Users,DC=linde-test,DC=local
        HTTP/linded1.linde-test.local
Updated object
2. Configure AD Users
• Users must be saved with ‘Store password using reversible encryption’
• Note the user login name
3. Configure Person Documents
• Add the users’ AD login name to the FULLNAME field in Domino. This links the Domino user and the AD user accounts
4. Test
• We shall test this by opening a mailbox
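Added example (Python, written for this page; not code from the presentation or from HADSL) that audits the two links the SPNEGO steps above create, and that the earlier "Spot the Security Hole?" slide warns about for the WebSphere plug-in as well: the HTTP/<dns> service principal names registered in AD for each Domino web server, and the AD login names placed in the FullName field of Person documents. It reports servers with no SPN, SPNs registered on more than one account (Kerberos then fails for that server), AD logins that are mapped to more than one Domino user, logins that do not exist in AD, and logins from an unexpected domain. All inventory data below is constructed for the example; in practice the SPN list would come from `setspn -L` per service account and the Person documents from an export of the Domino Directory. Because the AD accounts that appear in these mappings are the ones the slides say must be stored with reversible encryption, the list the audit produces is also the list to keep as short as possible.

```python
"""Pre-flight audit of the AD <-> Domino identity links used for SSO.

Added example, not part of the presentation. Inputs are constructed to show each
finding the audit can raise; replace them with real inventory data.
"""
from collections import defaultdict

# Constructed inventory: the Domino web servers browsers reach over HTTP.
DOMINO_WEB_SERVERS = ["linded1.linde-test.local", "linded2.linde-test.local"]

# Constructed view of AD service accounts and the SPNs registered on them.
# The second account deliberately duplicates the first server's SPN.
REGISTERED_SPNS = {
    "DominoServer": ["HTTP/linded1.linde-test.local"],
    "OldWebSvc": ["HTTP/linded1.linde-test.local", "HTTP/intranet.linde-test.local"],
}

# Constructed AD logins that exist in the expected domain.
AD_LOGINS = {"HADSL\\BuchanB", "HADSL\\DoeJ"}
EXPECTED_DOMAIN = "HADSL"

# Constructed Person documents: FullName holds the Domino name first, then aliases,
# including the DOMAIN\user login that makes the SSO link.
PERSON_DOCUMENTS = [
    {"FullName": ["CN=Bill Buchan/O=HADSL", "HADSL\\BuchanB"]},
    {"FullName": ["CN=Jane Doe/O=HADSL", "HADSL\\DoeJ"]},
    {"FullName": ["CN=Helpdesk Admin/O=HADSL", "HADSL\\BuchanB"]},    # same AD login twice
    {"FullName": ["CN=Guest Account/O=HADSL", "CONTRACTOR\\Temp01"]},  # foreign domain
]


def audit_spns(servers, registered):
    """Find servers lacking an HTTP/<dns> SPN and SPNs registered on several accounts.

    Without an SPN the browser cannot get a Kerberos ticket for the server and falls
    back to NTLM or a prompt; with a duplicate SPN the KDC cannot choose a key, so
    Kerberos fails for every client of that server.
    """
    owners = defaultdict(list)
    for account, spns in registered.items():
        for spn in spns:
            owners[spn.lower()].append(account)   # SPNs compare case-insensitively
    missing = [s for s in servers if f"http/{s.lower()}" not in owners]
    duplicates = {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}
    return {"missing": missing, "duplicates": duplicates}


def audit_person_documents(persons, ad_logins, expected_domain):
    """Find AD logins mapped to several Domino users, unknown logins and foreign domains.

    Each AD login must resolve to exactly one Domino identity; otherwise whoever can
    edit Person documents can point a login at a more privileged Domino user.
    """
    mapped_to = defaultdict(list)
    for doc in persons:
        domino_name = doc["FullName"][0]
        for alias in doc["FullName"][1:]:
            if "\\" in alias:                      # DOMAIN\user form used for SSO
                mapped_to[alias.lower()].append(domino_name)
    findings = {"ambiguous": {}, "unknown": [], "foreign_domain": []}
    known = {login.lower() for login in ad_logins}
    for login, names in mapped_to.items():
        domain = login.split("\\", 1)[0]
        if len(names) > 1:
            findings["ambiguous"][login] = sorted(names)
        if login not in known:
            findings["unknown"].append(login)
        if domain != expected_domain.lower():
            findings["foreign_domain"].append(login)
    return findings


def run_audit():
    """Run both checks over the constructed inventory and return the findings."""
    return {
        "spns": audit_spns(DOMINO_WEB_SERVERS, REGISTERED_SPNS),
        "persons": audit_person_documents(PERSON_DOCUMENTS, AD_LOGINS, EXPECTED_DOMAIN),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

Run it after step 3 and before the test in step 4: an empty "missing" and "duplicates" list means every Domino web server can be ticketed, and an empty "ambiguous" list means no AD login can land in two Domino identities.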
SPNEGO Resources
• Wiki: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Deploying_SPNEGO
• SetSPN Technote: http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx
Pros and Cons
• It’s easy-ish to set up
• It’s very new and supported
• IIS is NOT used as a front-end
• Requires a change to AD
• Uses username login to services - other things may break
But - what if I hate IE
• Join the club. IE has to be the worst browser experience ever
• But guess what - we don’t get to choose
• IE has NTLM authentication built in.
• But you can switch it on in Firefox...
Enable Kerberos in Firefox
Conclusion
• Neither approach is ‘easy’
• Neither approach is ‘nice’
• Both approaches can be used
• Which approach fits you best?