Document 212596

Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
How to establish SSO for AD
authenticated Internet Explorer users
on Domino!
-utilizing IIS with WebSphere plug-in
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 1 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
Table of Contents
1
Introduction ............................................................................................. 5
1.1
1.2
1.3
1.4
1.5
Background to this document .............................................................................5
Readers Guide ..................................................................................................5
References .......................................................................................................6
Disclaimer and warning! ....................................................................................7
Software versions used by me ............................................................................8
2
About the WebSphere plug-in dlls ............................................................ 9
3
Step by step instruction ......................................................................... 10
3.1 Before you begins ........................................................................................... 10
3.2 WebSphere Plugin ........................................................................................... 10
3.2.1 Files and directory’s ................................................................................... 10
3.2.2 Update plugin-cfg.xml ................................................................................ 11
3.2.3 Create the Registry values of the plug-in ...................................................... 12
3.3 Configure Domino ........................................................................................... 15
3.3.1 Configure Domino to use the http port 81 ..................................................... 15
3.3.2 Enable Domino to trust Header information ................................................... 15
3.4 Configure IIS.................................................................................................. 16
3.4.1 Create Virtual Directory .............................................................................. 16
3.4.2 Create ISAPI Filter ..................................................................................... 16
3.4.3 Disable anonymous access to IIS................................................................. 16
3.4.4 Set method for authentication and control .................................................... 16
3.4.5 Extras for IIS 6 on windows server 2003 ...................................................... 17
4
Settings in Internet Explorer to make IWA work.................................... 18
4.1 Internet/Options/Advanced/Enable Integrated Windows Authentication must be
checked ................................................................................................................. 18
4.2 Tools/Internet Options/Security/Custom Level. Make sure the setting is Automatic
logon only in Intranet zon. ....................................................................................... 19
4.3 Add the url of the IIS server (or the domain name of the server) to the Intranet zone.
(Tools/Internet Options/Security/Local Intranet/Sites/Advanced)................................... 19
5 What must be done in Domino Directory to make the users AD signatures
translate into their Notes usernames .......................................................... 20
6 How to secure the Domino server behind IIS to make it impossible for
someone to access it with spoofed IP headers ............................................ 21
6.1
6.2
6.3
Security aspects of the notes.ini parameter HTTPEnableConnectorHeaders=1 ......... 21
Separating the IIS server and the Domino server ................................................ 21
Recommended configurations ........................................................................... 22
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 2 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
6.3.1
6.3.2
Draft
Separate Nics for IIS and Domino ................................................................ 22
Configure Domino to only accept request from loopback adapter “localhost” ...... 22
7 How to configure your Domino environment to use LTPA Token for SSO
between selected Domino servers ............................................................... 25
8 How to configure the IIS server and the first Domino server by Secure
Socket Layer, SSL ........................................................................................ 26
9
Gotchas and hints................................................................................... 27
9.1 Logging ......................................................................................................... 27
9.2 Error messages in native.log and Internet Explorer.............................................. 27
9.2.1 Non matching IP configurations ................................................................... 28
9.2.2 Bad IIS security configuration ..................................................................... 28
9.2.3 Wrong path for the Virtual Directory............................................................. 28
9.3 Browser wants to download nsf files .................................................................. 28
9.4 Windows login dialog ....................................................................................... 29
9.5 Lotus login dialog............................................................................................ 30
9.6 Unexpected results during testing of person document content ............................. 31
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 3 (31)
Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
Revision History
Date
Version
Description
Author
2005-05-20
0.7
Draft1
Ulf Stider
2005-06-09
0.9
Draft2, soon to be published!?
Ulf Stider
2005-08-26
0.91
Added Technote references
Ulf Stider
2005-10-05
0.93
Added my own step by step
instruction, some more technotes,
Domino 7 information, changed
standard method from Win2k server
to Windows server 2003 and created
*.reg files to create registry values
Ulf Stider
Missing
Chapter on how to configure
Windows/Domino to avoid Domino
to be reachable direct through http.
2005-10-13
0.94
Completely rewritten Chapter 6 and
updated chapter 5
Ulf Stider and Mats
Ekman
2006-10-27
0.95
Updated with WebSphere 6.0 and
WebSphere 6.1 information
Ulf Stider and Pär
Helmersson
2007-02-08
0.96
Updated “3.4 Configure IIS” to
describe IIS6 on Win Serv 2003 SP1
Ulf Stider, Mats
Ekman and Pär
Helmersson
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 4 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
1
Draft
Introduction
1.1
Background to this document
To allow web browser user already authenticated in Windows/AD automatically be authenticated into
a Domino environment with their Domino credentials is an obvious request at many sites. Wetter it
was possible without the use of third party plug-in has not been obvious to me, that’s why Infoware
Solutions Svenska AB started an investigation resulting in this document.
The tools and methods described in this document has probably been available for many years,
however during my work to get the bits and peaces together I have spent some time finding
documentation on different aspects of the configuration. I found a lot spread all over the Internet
which I will reference in this document; another important source was talks with Magnus Åkerlind and
Johan Enefeldt from IBM Business Partner FemFemFem, Sweden. The most valuable documents I
found was The IBM Reabook “Lotus Security Handbook” and perhaps this document is not needed at
all if you have good background knowledge and read through this Redbook thoroughly!
In short the solutions we have used are to activate an IBM WebSphere plug-in in MS IIS on a server
with a “hidden” Domino server behind the IIS server. The plug-in makes http requests “passthruu”
IIS utilizing IIS and Internet Explorers proprietary IWA (Integrated Windows Authentication) to
create IP headers containing information on AD username. The “hidden” domino server is
configured:
-
To trust the IP header information
-
With the AD usernames available in the person documents
-
To send a LTPA cookie to Internet Explorer to enable SSO to any LTPA aware web servers in
the environment
-
With automatic forward to another server containing the web site (if it not resides on the
“hidden server)
1.2
Readers Guide
My ambition has not been to rewrite any available documents, however where needed (for me) I have
commented references and for parts of the configuration I (and my colleagues) have found it
convenient for me to write step by step what I have done.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 5 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
The structure and index of the document is more a result of all my pitfalls than it should, however
from what I have read on notes.net I have not been the only one with the same problems…
The document involves some references to documents which I have not tested yet, for example how
to SSL enable your SSO environment.
Please send me a mail if you find any errors or have any comments!
1.3
References
.
Documents
Direct links
IBM knowledgebase article about the IIS plugins
http://www1.ibm.com/support/docview.wss?uid=swg24007265
The WebSphere plugins is updated regularely. My
assumption has always been to use the latest
version available, the fix lists tells me this is a
reasonable approach. The link to the right points
to a technote where you can download version
5.1.1.6 from 2005-08-12. For the 6.1.0.0 dll I
know I have downloaded it from
IBM…unfortunately I cant find my way back…
http://www1.ibm.com/support/docview.wss?rs=0&uid=swg2401018
8
IBM RedBook “Lotus Security Handbook”
http://publibb.boulder.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg24
7017.html
Authors:William Tworek, George Chiesa, Frederic
Dahm, David Hinkle, Amanda Mason, Matthew
Milza, Amy Smith
Appendix C is a very good technical reference on
how to setup the plug-in and many aspects of
how it can be configured. Be careful for some
minor typos in the registry values.
http://portal.dotnsf.com/mydotnsf.nsf/f3297a57a1e86220
Dotnsf whitepaper on how to configure the
environment to get it SSL protected (not tested by 802569170022a437/85e43cda43b223e180256e250008e5
16/$FILE/was-plugin-extra-materials.pdf
me yet)
DotNSF’s Jason Hooks presentation
http://dotnsf.com/mydotNSF.nsf/ND6WASProxy.pdf
“How to implement ND6.* Reverse (WAS)
Proxies... Securing Domino and WebSphere
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 6 (31)
Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
with the WAS Plug-in “
From Notes.net by Alex Elliott. Good
explanation on how to configure the Hidden
Domino server on it’s own NIC (not tested by me
yet)
http://www10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b85256
89b005ba1c0/33bd348aab606b5785256cfb002c0ffc?Ope
nDocument
Technote on what extra you need to do to
configure the plugin to work with IIS6 on
Windows server 2003
Reference: 1168244 in IBM Knowledgebase
Technote on how to troubleshoot your
installation
Reference: 1141702
Co-existence between Lotus Domino and
SharePoint Portal Server 2003
http://bes.xs4all.nl/blog/archive/2004/12/05/3
73.aspx
IBM Technote “Installing and Configuring
Domino 6 for use with Microsoft IIS”
Reference: 1105816
www-306.ibm.com/software/lotus/support/
www-306.ibm.com/software/lotus/support/
Comment: Why describe how to use WebSphere
4.0.3 plugins, is there something wrong with
WebSphere 6.x or 5.x?
IBM Technote where they only recommend using
LPTA for Domino over HTTP
http://www1.ibm.com/support/docview.wss?uid=swg21215
246
Isn’t this Technote incredible!!
IBM Technote “How to load the WebSphere 6.0
plug-in for Microsoft IIS 6.0 on Windows 2003”
1.4
http://www.lotus.com/support
doc id 1228190
Disclaimer and warning!
Be careful, several parts of this solution:
-
Is not obvious, at least no to me
-
Involves techniques well outside my expertise!
-
Circumvents both IIS, IE and Domino security mechanism
-
Uses proprietary technology
If something goes very wrong you might end up in situations with very low security, don’t blame me
then!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 7 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
1.5
Draft
Software versions used by me
Domino 6
•
English Domino 6.5.3 and 6.5.4
•
IIS5 on Windows 2000 Server with SP4
•
IIS6 on Windows Server 2003 with SP1
•
WebSphere plugins 5.0.10 and 5.1.1.6
Domino 7
•
English Domino 7.01 and 7.02
•
IIS6 on Windows Server 2003 with SP1
•
WebSphere plugins 6.0.0.10, 6.1.0.0 and 6.1.0.5
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 8 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
2
Draft
About the WebSphere plug-in dlls
The DLLs on the Domino-server CD are unfortunately rather old, follow the links under references
above to find updated files. The link is pointing to an IBM knowledgebase article.
I have been using the WebSphere 5 plug-in, not WebSphere 4. I don’t really know the difference but
the fixlists for 5x seams to be more updated than the 4.x dittos.
There are also WebSphere 6 directories and files available when you install a Domino 7 server.
From the files downloaded I have used:
domino5_http.dll to replace the original oldie somewhere deep under domino\data
(domino\data\domino\plugins\was5\w32 ) . This file is also correct for Domino 6.x.
iisWASPlugin_http.dll and put it in i C:\WebSphere\AppServer\bin
I have not found any later "plugin_common.dll" compared to the one available on the server CD,
however I don’t think it is used at all if you are using the WebSphere 5 plug-in.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 9 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3
Draft
Step by step instruction
As mentioned above you will find the very best instructions on how to configure and install everything
in appendix C in Lotus Security Handbook, please be a little cautious however on the registry settings.
I added an extra string under 'IBM' - 'WebSphere Application Server' - ‘5.0’ and gave it the name
‘Plugin Config’
My colleagues asked me to write down my own step by step instruction to keep everything together
and here it is…be aware this instruction is not very fancy like the IBM Redbook.
3.1
Before you begins
Start of with a Windows Server 2003 box with IIS6, SP1 and a Domino server (why not the latest build
of 6.5.x or 7.x .. The IIS server must be part of the same AD as you users
3.2
WebSphere Plugin
3.2.1
Files and directory’s
Download WebSphere plugin 6.1.0.0 (or later), see references above
Create:
C:\WebSphere\AppServer\bin
C:\WebSphere\AppServer\config
C:\WebSphere\AppServer\etc
C:\WebSphere\AppServer\logs
Copy:
the downloaded (5.1.1.6) domino5_http.dll to domino\data\domino\plugins\was5\w32 to replace the
original oldie
iisWASPlugin_http.dll to c:\websphere\appserver\bin
the original domino\data\domino\plugins\plugin-cfg.xml to c:\websphere\appserver\config
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 10 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3.2.2
Draft
Update plugin-cfg.xml
Notepad c:\websphere\appserver\config\plugin-cfg.xml
If Domino server and IIS are located on the same machine you don’t have to complicate it that much
to get SSO. Of course you can do many exiting things with this xml file but I recommend you to start
of doing as little changes as possible.
3.2.2.1
Enable verbose logging
During the implementation phase you should enable verbose logging, this is a essential tool to make
sure you don’t do any basic mistakes
C:\WebSphere\AppServer\logs\native.log
Possible values are Error, Warn, and Trace. -->
<Log Name="C:/WebSphere/AppServer/logs/native.log" LogLevel="Trace"/>
When the plug-in is loaded you should be see these rows in the log file!
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Plugins loaded.
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: --------------------System Information---------------------[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Bld version: 6.1.0
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Bld date: Jul 28 2006, 04:55:39
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Webserver: IIS
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Hostname = SAVM143B
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: OS version 5.2, build 3790, 'Service Pack 1'
[Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: ------------------------------------------------------------
3.2.2.2
Change Transport Hostname to “localhost.mydomain.com” and add
there
<Transport Hostname="localhost.mydomain.com" Port="81" Protocol="http"/>
</Server>
</ServerGroup>
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 11 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3.2.2.3
Draft
Add these four lines beneth <UriGroup Name="default_host_URIs">
Unfortunately IBM have not been to good at describing what these row should look like, below is an
example I have been using with good results.
<UriGroup Name="default_host_URIs">
<Uri Name="/*.nsf*"/> NOTE: Incorrect syntax is used for this parameter in the Domino 6
Administration Help
<Uri Name="/*.NSF*"/> Note: Directives in the URIGroup section are case sensitive
<Uri Name="*/icons/*"/>
<Uri Name="*/domjava/*"/>
3.2.3
Create the Registry values of the plug-in
3.2.3.1
Websphere 4.x and 5.x
Unfortunately most documentation on this involves small but very annoying diversions and the
different versions of the plug-in dlls references version information in a format unclear to me.
I have created ascii *.reg files for 5.0, 5.0.0.0 and 5.1.0.0, if you get your hands on them watch out for
the drive letters in them.
Note: Wherever I have read about the version numbers in the registry setting plug-in the
recommendations have differed slightly….some claim 'IBM' - 'WebSphere Application Server' - ‘5.0’
others 'IBM' - 'WebSphere Application Server' - ‘5.0.0.0’. Until this is finally sorted I have created
registry “trees” for 5.0, 5.0.0.0 and 5.1.0.0. If you don’t like this approach I recommend you to start of
with 5.0, then 5.0.0.0 and then 5.1.0.0.
Below is my attempt to get this right, if you can’t get the hands on the *.reg files mentioned above…
If you are installing the WAS5.x version of the plug-ins, you need to create the following entries (with
RegEdit):
– HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere
Application Server' - '5.0'. Select '5.0' and create a new string value
'BinPath'. Set the value for this variable to the location where the plug-in is
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 12 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
copied to (C:\WebSphere\AppServer\bin).
– 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere
Application Server' - '5.0'. Select '5.0' and create a new string value
'InstallLocation'. Set the value for the WAS root
(C:\WebSphere\AppServer).
– 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere
Application Server' - '5.0'. Select '5.0' and create a new string value
'LibPath'. Set the value for this variable (C:\WebSphere\AppServer\lib).
– 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere
Application Server' - '5.0'. Select '5.0' and create a new string value
'MajorVersion'. Set the value for this to (5)
– 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere
Application Server' - '5.0'. Select '5.0' and create a new string value
'plug-in Config'. Set the value for this variable to the location of the
plugin-cfg.xml file (C:\WebSphere\AppServer\config\plugin-cfg.xml).
If needed, do the same for 5.0.0.0 and 5.1.0.0 and …..
3.2.3.2
WebSphere 6.0, 6.1
With the new WebSphere 6.0 plugins IBM made a drastic shift, now you don’t have to do anything
about the plugins in the registry. Instead you create a text file, “plugin-cfg.loc” in the same directory as
the plug-in dll (iisWASPlugin_http.dll) used by IIS, see chapter XX. Usually I have been using
C:\WebSphere\AppServer\bin. The only content of the loc file is the complete filepath to the plugincfg.xml
Example content of C:\WebSphere\AppServer\bin\plugin-cfg.loc
C:\WebSphere\AppServer\config\plugin-cfg.xml
Strange error!
After implementing the WebSphere 6.1 with the help of the loc file we have seen these rows in the
verbose native.log file
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 13 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Plugins loaded.
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: --------------------System Information---------------------[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Bld version: 6.1.0
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Bld date: Jul 28 2006, 04:55:39
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Webserver: IIS
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Hostname = SAVM143B
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: OS version 5.2, build 3790, 'Service Pack 1'
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: -------------------------------------------------------------[Fri Oct 27 14:13:59 2006] 00000570 0000057c - ERROR: ws_common: GetIISErrorLocation: Failed to
open registry: SOFTWARE\IBM\Web server Plug-ins for IBM WebSphere Application Server\6.1.0.0
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - TRACE: iis_plugin: GetFilterVersion: get error when
load error location.
[Fri Oct 27 14:13:59 2006] 00000570 0000057c - TRACE: iis_plugin: GetFilterVersion: Filter priority
set to HIGH
We have not identified any real problems because of this but perhaps you should create the same
registry values as mentioned in 3.2.3.1 but with this path
SOFTWARE\IBM\Web server Plug-ins for IBM WebSphere Application Server\6.1.0.0
Until I have noticed any real problems I will avoid doing anything to the registry!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 14 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3.3
Configure Domino
3.3.1
Configure Domino to use the http port 81
Draft
In the Server Document
Ports->Internet Ports->Web
Change TCPIP Port number to 81
Internet Protocols – Domino web engine tab and configure
Protocol:
http
Port number: 81
Host name:
3.3.2
Enable Domino to trust Header information
Set the notes.ini parameter
HTTPEnableConnectorHeaders=1
Warning, this is a dangerous thing and from now on you should make sure your Domino
server is not reachable from a web browser without going through IIS! For more details, read
chapter 6.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 15 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3.4
Draft
Configure IIS
Please Note, this chapter is only tested with IIS6 on Windows Server 2003 SP1
Start IIS Manager
3.4.1
Create Virtual Directory
Right click on your default web site,
Choose New/Virtual Directory
Alias: SePlugins
Choose c:\websphere\appserver\Bin
Next
Choose Execute and deselect all else
Next
3.4.2
Create ISAPI Filter
Choose properties on your default web site
Select the ISAPI Filters tab. Click ADD and enter iisWASPlugin in the
Filter Name field. For the Executable field, click Browse, open the
WebSphere bin directory, and select iisWASPlugin_http.dll.
3.4.3
Disable anonymous access to IIS
In Default Web Site/ Properties/Directory Security/Authentication and Access
Control/Edit/Uncheck “Enable anonymous access”
3.4.4
Set method for authentication and control
In Default Web Site/Properties/Directory Security setting/ Authentication and Control/Edit
Make sure anonymous access is unchecked and Integrated Windows Authentication checked!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 16 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
3.4.5
Draft
Extras for IIS 6 on windows server 2003
(se technote above)
Properties on Web Sites, click on Service and check
the box, “Run WWW services in IIS 5.0 isolation mode”
OK
Right click Web Service Extensions
Add new Web Service extension
Extension name Domino
Check Execution status to allow
Required files add and browse to the location of the iisWASPlugin_http.dll
RESTART IIS!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 17 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
4
Draft
Settings in Internet Explorer to make IWA work
You must check these three settings in Internet explorer to make it “login” to an IIS server with it’s
AD credentials.
4.1
Internet/Options/Advanced/Enable Integrated Windows
Authentication must be checked
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 18 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
4.2
Tools/Internet Options/Security/Custom Level. Make sure
the setting is Automatic logon only in Intranet zon.
4.3
Add the url of the IIS server (or the domain name of the
server) to the Intranet zone. (Tools/Internet
Options/Security/Local Intranet/Sites/Advanced)
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 19 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
5
Draft
What must be done in Domino Directory to
make the users AD signatures translate into
their Notes usernames
For Domino to translate the ADname\ADusername provided in the http header by IIS/WebSphere into the
user’s valid Domino credentials you must make the ADname\ADusername available to Domino. We usually
put it to the end of the Username field but you should also be able to put it (last) in the ‘Short name’ field.
Adname/ADusername is then replaced with the first name in your “User name” field. You also get the same
group credentials as if you would log in with your Domino username.
All Domino configurations in this document is written assuming you have not configured Internet Sites,
however we have tested to enable Internet Sites without finding any caveats. Hopefully you will be able to
use this document anyhow, the settings are the same. Note that Internet site is the preferred way to
configure web access since Domino 6.0.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 20 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
6
6.1
Draft
How to secure the Domino server behind IIS to
make it impossible for someone to access it
with spoofed IP headers
Security aspects of the notes.ini parameter
HTTPEnableConnectorHeaders=1
The downside of this terrific notes.ini parameter is that it makes Domino very stupid! Instead of using
its well proven authentication process it translates (without authentication) the username in the http
header of a request to a valid Domino username/Session/LPTA tooken. If bogeyman can access the
domino server with a spoofed http header, it would give him the opportunity to use the Domino
environment using whatever user’s credentials he would prefer! Below in this chapter we provide two
methods to disallow him from this possibility as long as you have the domino server and the IIS server
on the same machine (Windows server).
A good reference when it comes to security and the WebSphere plug-in is Jason Hooks presentation
referenced above. It explains why you must make the hidden Domino server (all servers with notes.ini
setting HTTPEnableConnectorHeaders=1) inaccessible for anyone except through the WebSphere
plug-in.
6.2
Separating the IIS server and the Domino server
In the plugin-cfg.xml you can also configure IIS to forward nsf/NSF requests to a Domino server on
another Windows server. You can also configure the WebSphere 5.x IIS plug-in to use several
different Domino servers to achieve failover and possibly load balancing. It is easy to see scenarios
where separating the Domino and IIS would be useful or needed.
As we can see it, directing IIS plug-in to a Domino on a separate machine than the IIS server (for
whatever purpose) would significantly decrease the security, unless you can make the other Domino
server impossible to reach through http/https from other sources than the IIS server. The extra risk to
this approach would be an attacker with a spoofed IP header (claiming the request is sent
from/through the IIS server) and a spoofed http header.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 21 (31)
Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
I guess it would be quite easy to avoid this IP header spoofing risk by configuring firewalls, Windows
server, IPSEC or some other mechanism. Until such a method is evaluated and fits into an
environment I would not recommend pointing the IIS WebSphere plug-in to a Domino server on
another Windows server!
6.3
Recommended configurations
6.3.1
Separate Nics for IIS and Domino
One way to achieve this is to follow Alex Elliots notes.net article mentioned above. In short it will
guide you to put Domino on and IIS on separate NICs on the same physical server with Dominos
NIC inaccessible from outside the server.
6.3.2
Configure Domino to only accept request from loopback adapter
“localhost”
Another approach used by us (Infoware Solutions Svenska AB) is to configure Domino to only answer
to requests from an internal loopback (soft) address, usually “localhost” / 127.0.0.1. To achieve this we
have added several settings on the IIS/Domino server.
Addition to hosts file
IMPORTANT!!!
127.0.0.1
localhost
localhost.mydomin.com
Your IP
Common Domino Name Abbreviated Domino name
Change in plugin-cfg.xml
<Transport Hostname="localhost.mydomain.com" Port="81" Protocol="http"/>
Change at ports level in notes.ini
Added an extra active port
TCPIP=TCP, 0, 15, 0
zNet=TCP, 0, 15, 0
and
Ports=TCPIP,zNet
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 22 (31)
Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
and
TCPIP_TcpipAddress=129.178.8.47
zNet_TcpipAddress=127.0.0.1
Changes in the server document in names.nsf under Ports\Notes Network Ports:
Port
Protocol
Notes Network
Net Address
Enabled
TCPIP
TCP
TCPIP Network
hostname.mydomain.com
ENABLED
zNet
TCP
hostname
localhost..mydomain.com
ENABLED
Changes in the server document in names.nsf under Basic:
Fully qualified Internet host name:
localhost.mydomain.com
Changes in the server document in names.nsf under Internet Protocols\HTTP:
Basics
Host name(s):
localhost.mydomain.com
Bind to host name:
Enabled
Changes in the server document in names.nsf under Internet Protocols\Domino Web Engine:
HTTP Sessions
Session authentication:
Multiple Servers (SSO)
Web SSO Configuration:
LtpaToken
Generating References
to this Server
Does this server use IIS?
Protocol:
http
Host name:
localhost.mydomain.com
Port number:
81
Changes in the server document under Ports\Internet Ports:
Web
(HTTP/HTTPS)
TCP/IP port number:
81
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 23 (31)
Target
Document name
Version
Document type
Date
Domino community
0.96
Author
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
TCP/IP port status:
Enabled
Enforce server access settings:
No
Authentication options:
Name & password:
Yes
Anonymous:
No
SSL port number:
443
SSL port status:
Disabled
Authentication options:
Client certificate:
No
Name & password:
Yes
Anonymous:
No
Usually we also do some extra precautions
Remove webadmin.nsf and webadmin.ntf
Changed notes.ini:
ServerTasks=Update,Replica,AMgr,AdminP,HTTP
Only puts an empty domino directory on the domino server and Directory assistance pointing
to another server
This list could definitely be longer!!!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 24 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
7
Draft
How to configure your Domino environment to
use LTPA Token for SSO between selected
Domino servers
How to enable LTPA for selected Domino servers is well documented in Domino Administration
From Domino 6.5.1 Multi server session authentication supports idle session timeout. This is
documented in the Domino 6.5.1 release notes and also available in lotus knowledgebase reference
“1164178” “Domino HTTP idle session timeout for SSO configurations”. The SSO idle timeout
additionally allows the administrator to control how long the user can remain idle after logging in, i.e.
how long the user is not actively accessing the SSO environment.
Be aware about the limited security LPTA tokens provide in a Domino environment not protected by
https/SSL.
dotNSF has an application which extends LTPA to an IIS environments and an application to renew
LTPA tokens.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 25 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
8
Draft
How to configure the IIS server and the first
Domino server by Secure Socket Layer, SSL
As SSL is getting more widely used in internal infrastructure it might be worth mentioning the
possibility to implement all parts of this document with the extra protection SSL provides. Under
references you will find a link to a great Whitepaper from dotNSF.
Worth mentioning again (see under References above) is IBMs recommendation not to use LPTA on
Domino without SSL!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 26 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
9
9.1
Draft
Gotchas and hints
Logging
In the XML file of the plug-in you can change log level to TRACE, this gives very good information
on what is going on. The logging is done into a file under c:\websphere\logs\. Due to performance
reasons it has been recommended to avoid disabled when the solution is in operation.
NTs event viewer is also a valuable source on the status of the plug-in
Slide 33 in Jason Hooks presentation references above is a good scheme if the plug-in doesn’t load
To verify your WebSphere dll has loaded well within IIS, look for this passage in the native.log
XXX. Until you get this working
9.2
Error messages in native.log and Internet Explorer
Assuming you have activated verbose logging and got the dlls running (see in 3.2.2.1 what it should
look like in native.log) you can still get other errors in the native.log and internet explorer, for example
“bad request” or authentication . Example of an error in Internet Explorer
You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied
because your Web browser is sending a WWW-Authenticate header field that the Web server is not
configured to accept.
Please try the following:
• Contact the Web site administrator if you believe you should be able to view this directory
or page.
• Click the Refresh button to try again with different credentials.
HTTP Error 401.2 - Unauthorized: Access is denied due to
server configuration.
Internet Information Services (IIS).
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 27 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
Draft
When we have got these kind of errors they seams to have been related to
9.2.1
Non matching IP configurations
Please check your hosts file and domino configuration to verify correct hostnames to match your xml
file. In particular we have got problems when we have used localhost and localhost.mydomain.com at
the same time but in different place
9.2.2
Bad IIS security configuration
Start IIS Manager and verify your settings. See Default Web Site/Properties/Directory Security
setting/ Authentication and Control/Edit
Make sure anonymous access is unchecked and Integrated Windows Authentication checked!
9.2.3
Wrong path for the Virtual Directory
See 3.4.1 and make sure your directory for SePlugins points to c:\websphere\appserver\Bin
9.3
Browser wants to download nsf files
One problem I experienced before getting everything (!?) together was the browser wanting to
download nsf files instead of opening them Reason was the traffic didn’t go through the plug-in to
domino, instead IIS was pointing right to the Domino\Data directory. Go back to appendix C in the
referenced Redbook!
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 28 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
9.4
Draft
Windows login dialog
Did you try a database on the server, for example server.localdomain.com/names.nsf
If you get a windows login dialog when opening a URL on domino through IIS something is probably
wrong in your IE Settings, first make sure you are logged into the correct AD and secondly go through
chapter 4 above again.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 29 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
9.5
Draft
Lotus login dialog
I have got this two different ways
1. Something is probably wrong in your Domino configuration
- did you forget the notes.ini setting
- is your ADname/Username not available in your person document
2. When Anonymous access is not disabled in IIS (see 3.4.3 above). In this scenario I guess IIS just lets
you through without checking who you are resulting in an anonymous header!
3. Wrong ini parameter, the correct syntax is HTTPEnableConnectorHeaders=
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 30 (31)
Target
Document name
Version
Document type
Date
Domino community
Author
0.96
Ulf Stider
White paper
2007-02-08
E-mail address
Phone number
Status:
[email protected]
9.6
Draft
Unexpected results during testing of person document
content
During testing of what and where to put the ADname/ADusername in the person document this we have
experienced situations where we have added and removed the ADname\ADusername from a person
document without experiencing the expected results, the reason seam to have been caching in the domino
server. Rebooting the server should correct things but you could also try this Domino server console
command a couple of times.
Sh nlcache re
Please note, this is a very strong command with several other implications for the running Domino server,
we don’t recommend it in a production environment without very good reason.
© Copyright IBM Corp. 2004. All rights reserved.
IE-IIS-AD-Domino-LPTA-SSO-20070208.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 31 (31)