Integrated Windows Authentication (IWA) allows automatic authentication between Microsoft clients and servers using the credentials of the user's existing Windows logon. IWA uses SPNEGO to negotiate between the Kerberos and NTLM authentication protocols. Configuring IWA for Domino requires registering Service Principal Names (SPNs) in Active Directory for every hostname the Domino web server answers on, running the Domino Windows service under the Active Directory account that owns those SPNs, and configuring the supported browsers to send credentials to the Domino site. Troubleshooting usually means checking the SPN and service account configuration or enabling Domino's HTTP SPNEGO debugging.
2. Outline
✤ Function and use of IWA
✤ System Requirements
✤ How To Configure SPNEGO
✤ Things To Consider
3. What Is IWA
✤ Integrated Windows Authentication (IWA) is an umbrella term for the
protocols and technologies Microsoft uses for automatic authentication
with the user's existing Windows logon
✤ SPNEGO (Simple and Protected GSS-API Negotiation Mechanism) is the
negotiation layer that determines which protocol the client and server
will use to talk
✤ Microsoft uses SPNEGO for its HTTP authentication negotiation (the
"Negotiate" WWW-Authenticate scheme)
✤ Protocols SPNEGO can negotiate for IWA are Kerberos (preferred) and
NTLM (fallback)
13. System Requirements
✤ Domino 8.5.1 or later as the initial authentication server
✤ Active Directory domain at Windows Server 2003 or later compatibility
(functional) level
✤ Browsers
✤ IE
✤ Firefox (Windows)
✤ Chrome 8 and higher (Windows)
14. The Lab Environment
✤ Active Directory: Windows 2008 R2 domain controller,
cn=dc,dc=turtletest,dc=com
✤ Domino Server: Windows 2008 R2 running Domino 9.0.1, web hostname
dominoweb.turtletest.com, Domino server name Swan/Turtle, AD computer
object cn=dominoweb,dc=computers,dc=turtletest,dc=com
✤ Client Machine: Windows 7, cn=lihue,dc=computers,dc=turtletest,dc=com,
logged-in user cn=gabriella,dc=lihue
15. How Does It Work With Domino
✤ There must be a relationship between Domino and AD
for the authentication "conversation" to happen
✤ Domino must run as a Windows service
✤ Use a named AD account to run the service
✤ Create a Service Principal Name in Active Directory, owned
by that account, for each URL hostname that will be passed
to Domino
17. Domino Configuration
✤ Internet Site Documents
✤ Web Single Sign On Document
✤ HTTP Site Document
✤ Domino start as service with named user
✤ Configuring Domino to start with the Java controller
18. Internet Site Documents
✤ Ensure the Domino server document is set to use Internet Site Documents
✤ Internet Site documents are not a requirement, but they make the SPNEGO
configuration easier to manage
21. Domino Start As Service
✤ Domino must be started under an AD account, not the Local
System account. Local System authenticates as the computer
account, whose SPNs cover only that machine's own hostname, so
it cannot serve a hostname shared by multiple web servers or
fronted by an IP sprayer (load balancer)
22. Configure Domino To Start With
Java Controller
✤ Once Domino is configured to start as a named account you need the Java
controller to monitor Domino on the server itself
✤ Use Windows regedit to modify the registry
✤ Find the service entry representing the Domino server (search for notes.ini in
the service's ImagePath) and append -jc -c to the command
✤ Consider adding to the server notes.ini file:
ServerController=1
TCPIP_ControllerTcpIpAddress=<ipaddress>:2050
23. Active Directory
✤ We must create a Service Principal Name (SPN) in Active
Directory that binds each hostname the Domino web server
will answer on to the account running the Domino service
✤ This can be done two ways
✤ using the domspnego utility
✤ manually
✤ Either way you will need to find and use setspn.exe on the
Domain Controller
24. Using domspnego
✤ From the Domino program directory, in a command
window, type domspnego
✤ domspnego -? shows help for the command
✤ domspnego <name of output file to generate>
✤ e.g. domspnego dominowebservice
25. Domspnego Output
✤ You will need to know
✤ The account name Domino is running under
✤ Any hostnames used for web access
✤ Any IP sprayer (load balancer) hostnames
✤ Answering the prompted questions generates a .cmd file
you can open in Notepad to review the commands you will
run
27. Creating the SPN
✤ On the domain controller find the “setspn.exe” utility
✤ The syntax is
✤ setspn -a HTTP/<hostname> <adserviceaccount>
✤ The commands for registering the SPNs will be in the
output file generated by domspnego, e.g.
setspn -a HTTP/dominoweb.turtletest.com dominowebservice
28. SPN Rules
✤ There can only be one SPN for a hostname; a duplicate
registered to a second account breaks Kerberos for that
hostname
✤ If you need to change the service account bound to the
SPN you must delete the original one first and create a
new one
✤ To delete an SPN use -d instead of -a on the setspn
command
setspn -d HTTP/dominoweb.turtletest.com dominowebservice
30. Name Mappings
✤ To grant Domino access to a database there must be an ACL entry for the user
✤ The Windows Kerberos name must be an entry in the FullName field of the user's person document so Domino
can match the Windows logged-in name to the ACL
✤ It should be the third entry; the two entries before it are the user's hierarchical name (used in the ACL) and
the user's common name
✤ The Windows user "Gabriella" logging into the Windows domain turtletest.com (gabriella@turtletest.com)
is translated by Domino into Gabriella Davis/Turtle for ACL access
✤ In that FullName entry use the exact case AD uses for the name part and always capitals for the domain
(realm) part
31. Directory Assistance
✤ SPNEGO users never send a password to Domino
✤ The Domino HTTP password field on their person
documents can therefore be left empty
✤ Should you want non-SPNEGO users to log in, they can
either use the Domino HTTP password OR you can
configure Active Directory under Directory Assistance
✤ Directory Assistance then authenticates users accessing
Domino with their AD names and passwords
32. Managing Users - OPTIONAL
✤ If you do want to manage users in Active Directory instead of in Domino
you can do so but the environment needs to be configured for that
✤ they must still be present in Domino person documents
✤ The Active Directory entry must have an attribute containing the
user’s hierarchical Domino name
✤ Directory Assistance must be configured for authentication to Active
Directory
✤ Keeping the user names synchronised across both environments
requires a tool such as Tivoli Directory Integrator
33. Browser Configuration
✤ SPNEGO supports the Windows browsers IE, Firefox and
Chrome 8 and higher
✤ Configuration must be done on the client side and is
different for each browser
✤ These steps may change with newer browser versions
34. Internet Explorer Configuration
✤ Start IE and click Tools > Internet Options
✤ Select the Security tab
✤ Select "Local intranet" and click Sites.
✤ Ensure that the "Include all sites that bypass the proxy server" is checked.
✤ Click Advanced
✤ Add the URL for the Domino server http://dominoweb.turtletest.com and click OK twice, or
use a wildcard (*.turtletest.com) to allow connections to every SPNEGO-enabled Domino
server in the domain
✤ Click Custom Level, scroll to the User Authentication section, select "Automatic logon only in
Intranet zone," and click OK.
✤ Click the Advanced tab, scroll to the Security section, verify the option "Enable Integrated
Windows Authentication (requires restart)" is selected.
35. Firefox Configuration
✤ Start Firefox and in the URL address box, type about:config
✤ In the Filter box, type network.n
✤ Double-click network.negotiate-auth.trusted-uris, and enter the
URL
http://dominoweb.turtletest.com or use a wildcard to provide
the ability to connect to more than one SPNEGO-enabled
Domino server in the domain http://*.turtletest.com or
separate multiple entries with commas.
✤ Click OK and restart the browser.
36. Chrome Configuration
✤ Chrome on Windows uses the Internet Explorer zone and
authentication settings, so the IE configuration above also
applies to Chrome
✤ Alternatively, set the same options through Internet Options
in Control Panel
37. Non SPNEGO Behaviour
✤ Users who are not logged in to the Windows AD domain cannot use
SPNEGO
✤ Once a URL and web site are configured for SPNEGO they can
only be used by SPNEGO-enabled clients and browsers
✤ There are programmatic options, including DSAPI
filters, that intercept the request and redirect it for non-
SPNEGO users
✤ Alternatively, non-SPNEGO users can be given a different
hostname/URL to use
38. Multiple Sites / URLs
✤ For every hostname or site document that the web server
responds to, an SPN needs to be created
✤ This includes any load balancers
✤ Any server aliases that will appear in URLs must also
have SPN entries; register both the alias and the A-record
name it resolves to, because IE and Chrome by default
canonicalize a CNAME to its target before building the SPN,
while Firefox uses the hostname as typed
✤ Remember only one SPN per hostname, and it must belong to
the account that runs the Domino service
39. SPNEGO Support
✤ SPNEGO is supported for Domino web applications,
including iNotes
✤ but not Traveler
✤ SPNEGO is also supported inside the Eclipse-based Notes
Standard client for feeds, Sametime, Connections etc.
✤ but not in the Notes Basic client
✤ SPNEGO is not supported for Notes client access to Domino
servers
40. Troubleshooting
✤ On Windows 7 and Windows Vista, SPNEGO is not
functional for users who are members of the Administrators
group when UAC is enabled. To use SPNEGO on these
platforms, advise the client user to launch Notes with
elevated privileges, disable UAC, or log in as a non-admin
user.
✤ Add DEBUG_HTTP_SERVER_SPNEGO=1 to the server's notes.ini to
write SPNEGO processing detail to the server console
✤ http://www-01.ibm.com/support/docview.wss?uid=swg21394592
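Before turning on server-side debugging it is worth confirming the two things that most often break: that the client actually obtained a Kerberos ticket for the Domino SPN, and that the Domino service runs as the SPN's owner with the Java controller. The following PowerShell is an added example, not part of the original deck or of any IBM tooling. It uses the deck's lab hostname and account; the service-name filter (*Domino*) is an assumption about how the Domino Windows service is named.

```powershell
# Added example: checks for the two places Domino SPNEGO usually fails.
# Run the client section on the workstation, the server section on the
# Domino host. Hostname and account are the deck's lab values; the
# '*Domino*' service name filter is an assumption.

$DominoHost     = 'dominoweb.turtletest.com'
$ServiceAccount = 'dominowebservice'

# --- Client side -------------------------------------------------------
# After visiting the site, a service ticket for HTTP/<host> must be in the
# Kerberos cache. If it is missing, the browser never requested one: the
# site was not in the intranet zone, or no SPN existed for the hostname,
# and the browser fell back to NTLM or a password prompt.
$tickets = klist
if ($tickets -match "Server:\s+HTTP/$([regex]::Escape($DominoHost))") {
    Write-Host "OK      Kerberos ticket for HTTP/$DominoHost is cached"
} else {
    Write-Warning "No HTTP/$DominoHost ticket. Check the browser zone settings and the SPN."
}
# klist purge    # uncomment to clear cached tickets and retry after a fix

# --- Server side -------------------------------------------------------
# The Domino service must run as the account that owns the SPN (the ticket
# is encrypted with that account's key) and be started via -jc -c.
$services = Get-CimInstance Win32_Service | Where-Object { $_.Name -like '*Domino*' }
foreach ($s in $services) {
    if ($s.StartName -notmatch [regex]::Escape($ServiceAccount)) {
        Write-Warning "$($s.Name) runs as '$($s.StartName)', not $ServiceAccount; tickets for the SPN cannot be decrypted."
    }
    if ($s.PathName -notmatch '-jc\s+-c') {
        Write-Warning "$($s.Name) is not started with -jc -c (Java controller)."
    }
}

# The SPN must exist exactly once, on that account.
setspn -L $ServiceAccount    # SPNs registered to the service account
setspn -X                    # reports duplicate SPNs anywhere in the domain

# Only after these pass is DEBUG_HTTP_SERVER_SPNEGO=1 in notes.ini worth
# the console noise; it shows what Domino did with the Negotiate header.
```

A cached ticket on the client together with a clean setspn -X and the right StartName narrows the remaining problem to the person document name mapping, which is what the notes.ini debug setting is then used to inspect.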