
Target: Domino community
Document name:
Version: 0.94
Author: Ulf Stider
Document type: White paper
Date: 2005-10-13
E-mail address: [email protected]
Phone number:
Status: Draft
How to establish SSO for AD authenticated Internet Explorer users on Domino!
- utilizing IIS with WebSphere plug-in
IE-IIS-AD-Domino-LPTA-SSO.doc
© Copyright Infoware Solutions Svenska AB. 2005. All rights reserved.
Page 1 (28)
Table of Contents
1 Introduction ..... 5
1.1 Background to this document ..... 5
1.2 Readers Guide ..... 5
1.3 References ..... 6
1.4 Disclaimer and warning! ..... 7
1.5 Software versions used by me ..... 9
2 About the WebSphere plug-in dlls ..... 10
3 Step by step instruction ..... 11
3.1 Before you begin ..... 11
3.2 WebSphere Plugin ..... 11
3.2.1 Files and directories ..... 11
3.2.2 Update plugin-cfg.xml ..... 12
3.2.3 Create the Registry values of the plug-in ..... 12
3.3 Configure Domino ..... 14
3.3.1 Configure Domino to use the http port 9080 ..... 14
3.3.2 Enable Domino to trust Header information ..... 14
3.4 Configure IIS ..... 14
3.4.1 Create Virtual Directory ..... 14
3.4.2 Create ISAPI Filter ..... 15
3.4.3 Disable anonymous access to IIS ..... 15
3.4.4 Extras for IIS 6 on Windows Server 2003 ..... 15
4 Settings in Internet Explorer to make IWA work ..... 16
4.1 Internet Options/Advanced/Enable Integrated Windows Authentication must be checked ..... 16
4.2 Tools/Internet Options/Security/Custom Level. Make sure the setting is Automatic logon only in Intranet zone ..... 17
4.3 Add the url of the IIS server (or the domain name of the server) to the Intranet zone (Tools/Internet Options/Security/Local Intranet/Sites/Advanced) ..... 17
5 What must be done in Domino Directory to make the users' AD signatures translate into their Notes usernames ..... 18
6 How to secure the Domino server behind IIS to make it impossible for someone to access it with spoofed IP headers ..... 19
6.1 Security aspects of the notes.ini parameter HTTPEnableConnectHeaders=1 ..... 19
6.2 Separating the IIS server and the Domino server ..... 19
6.3 Recommended configurations ..... 20
6.3.1 Separate NICs for IIS and Domino ..... 20
6.3.2 Configure Domino to only accept requests from loopback adapter "localhost" ..... 20
7 How to configure your Domino environment to use LTPA Token for SSO between selected Domino servers ..... 23
8 How to configure the IIS server and the first Domino server by Secure Socket Layer, SSL ..... 24
9 Gotchas and hints ..... 25
9.1 Logging ..... 25
9.2 Browser wants to download nsf files ..... 25
9.3 Windows login dialog ..... 25
9.4 Lotus login dialog ..... 27
9.5 Unexpected results during testing of person document content ..... 28
Revision History

Date | Version | Description | Author
2005-05-20 | 0.7 | Draft1 | Ulf Stider
2005-06-09 | 0.9 | Draft2, soon to be published!? | Ulf Stider
2005-08-26 | 0.91 | Added Technote references | Ulf Stider
2005-10-05 | 0.93 | Added my own step by step instruction, some more technotes, Domino 7 information, changed standard method from Win2k server to Windows Server 2003 and created *.reg files to create registry values. Missing: chapter on how to configure Windows/Domino to avoid Domino being reachable directly through http. | Ulf Stider
2005-10-13 | 0.94 | Completely rewritten Chapter 6 and updated chapter 5 | Ulf Stider and Mats Ekman
1 Introduction

1.1 Background to this document
To allow web browser users already authenticated in Windows/AD to be automatically authenticated into a Domino environment with their Domino credentials is an obvious request at many sites. Whether it was possible without the use of a third party plug-in has not been obvious to me; that is why Infoware Solutions Svenska AB started an investigation resulting in this document.
The tools and methods described in this document have probably been available for many years; however, during my work to get the bits and pieces together I have spent some time finding documentation on different aspects of the configuration. I found a lot spread all over the Internet, which I will reference in this document; another important source was talks with Magnus Åkerlind and Johan Enefeldt from IBM Business Partner FemFemFem, Sweden. The most valuable document I found was the IBM Redbook "Lotus Security Handbook", and perhaps this document is not needed at all if you have good background knowledge and read through this Redbook thoroughly!
In short, the solution we have used is to activate an IBM WebSphere plug-in in MS IIS on a server with a "hidden" Domino server behind the IIS server. The plug-in passes http requests through IIS, utilizing IIS and Internet Explorer's proprietary IWA (Integrated Windows Authentication) to create IP headers containing information on the AD username. The "hidden" Domino server is configured:
- To trust the IP header information
- With the AD usernames available in the person documents
- To send an LTPA cookie to Internet Explorer to enable SSO to any LTPA aware web servers in the environment
- With automatic forward to another server containing the web site (if it does not reside on the "hidden" server)
1.2 Readers Guide
My ambition has not been to rewrite any available documents; however, where needed (for me) I have commented references, and for parts of the configuration I (and my colleagues) have found it convenient to write step by step what I have done.
The structure and index of the document are more a result of all my pitfalls than they should be; however, from what I have read on notes.net I have not been the only one with the same problems...
The document involves some references to documents which I have not tested yet, for example how to SSL enable your SSO environment.
Please send me a mail if you find any errors or have any comments!
1.3 References

Documents and direct links:

- IBM knowledgebase article about the IIS plugins
  http://www1.ibm.com/support/docview.wss?uid=swg24007265
- The WebSphere plugins are updated regularly. My assumption has always been to use the latest version available; the fix lists tell me this is a reasonable approach. The link points to a technote where you can download version 5.1.1.6 from 2005-08-12.
  http://www1.ibm.com/support/docview.wss?rs=0&uid=swg24010188
- IBM RedBook "Lotus Security Handbook". Authors: William Tworek, George Chiesa, Frederic Dahm, David Hinkle, Amanda Mason, Matthew Milza, Amy Smith. Appendix C is a very good technical reference on how to set up the plug-in and many aspects of how it can be configured. Be careful of some minor typos in the registry values.
  http://publibb.boulder.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg247017.html
- Dotnsf whitepaper on how to configure the environment to get it SSL protected (not tested by me yet)
  http://portal.dotnsf.com/mydotnsf.nsf/f3297a57a1e8622080 2569170022a437/85e43cda43b223e180256e250008e516/$FILE/was-plugin-extra-materials.pdf
- DotNSF's Jason Hooks presentation "How to implement ND6.* Reverse (WAS) Proxies... Securing Domino and WebSphere with the WAS Plug-in"
  http://dotnsf.com/mydotNSF.nsf/ND6WASProxy.pdf
- From Notes.net by Alex Elliott. Good explanation on how to configure the hidden Domino server on its own NIC (not tested by me yet)
  http://www10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/33bd348aab606b5785256cfb002c0ffc?OpenDocument
- Technote on what extra you need to do to configure the plugin to work with IIS6 on Windows Server 2003. Reference: 1168244 in IBM Knowledgebase
- Technote on how to troubleshoot your installation. Reference: 1141702
- Co-existence between Lotus Domino and SharePoint Portal Server 2003
  http://bes.xs4all.nl/blog/archive/2004/12/05/373.aspx
- IBM Technote "Installing and Configuring Domino 6 for use with Microsoft IIS". Reference: 1105816. Comment: Why describe how to use WebSphere 4.0.3 plugins, is there something wrong with WebSphere 6.x or 5.x?
  www-306.ibm.com/software/lotus/support/
- IBM Technote where they only recommend using LTPA for Domino over HTTP. Isn't this Technote incredible!!
  http://www1.ibm.com/support/docview.wss?uid=swg21215246
1.4 Disclaimer and warning!
Be careful, several parts of this solution:
- Are not obvious, at least not to me
- Involve techniques well outside my expertise!
- Circumvent IIS, IE and Domino security mechanisms
- Use proprietary technology
If something goes very wrong you might end up in situations with very low security, don't blame me then!
1.5 Software versions used by me
• English Domino 6.5.3 and 6.5.4
• IIS5 on Windows 2000 Server with SP4
• IIS6 on Windows Server 2003 with SP1
• WebSphere plugins 5.0.10 and 5.1.1.6
2 About the WebSphere plug-in dlls
The DLLs on the Domino server CD are unfortunately rather old; follow the links under References above to find updated files. The link points to an IBM knowledgebase article.
I have been using the WebSphere 5 plug-in, not WebSphere 4. I don't really know the difference, but the fix lists for 5.x seem to be more updated than the 4.x dittos.
There are also WebSphere 6 directories and files available when you install a Domino 7 server. I will definitely try those the first time I configure this on a Domino 7 server.
From the files downloaded I have used:
- domino5_http.dll to replace the original oldie somewhere deep under domino\data (domino\data\domino\plugins\was5\w32). This file is also correct for Domino 6.x.
- iisWASPlugin_http.dll, put in C:\WebSphere\AppServer\bin
I have not found any later "plugin_common.dll" compared to the one available on the server CD; however, I don't think it is used at all if you are using the WebSphere 5 plug-in.
3 Step by step instruction
As mentioned above you will find the very best instructions on how to configure and install everything in appendix C of the Lotus Security Handbook; please be a little cautious, however, on the registry settings. I added an extra string under 'IBM' - 'WebSphere Application Server' - '5.0' and gave it the name 'Plugin Config'.
My colleagues asked me to write down my own step by step instruction to keep everything together, and here it is... be aware this instruction is not very fancy like the IBM Redbook.
3.1 Before you begin
Start off with a Windows Server 2003 box with IIS6, SP1 and a Domino server (why not the latest build of 6.5.x or 7.x; I have not tried this with Domino 7).
The IIS server must be part of the same AD as your users.
3.2 WebSphere Plugin

3.2.1 Files and directories
Download WebSphere plugin 5.1.1.6 (or later), see References above.
Create:
C:\WebSphere\AppServer\bin
C:\WebSphere\AppServer\config
C:\WebSphere\AppServer\etc
C:\WebSphere\AppServer\logs
Copy:
- the downloaded (5.1.1.6) domino5_http.dll to domino\data\domino\plugins\was5\w32 to replace the original oldie
- iisWASPlugin_http.dll to c:\websphere\appserver\bin
- the original domino\data\domino\plugins\plugin-cfg.xml to c:\websphere\appserver\config
3.2.2 Update plugin-cfg.xml
Open c:\websphere\appserver\config\plugin-cfg.xml in Notepad.
If the Domino server and IIS are located on the same machine you don't have to complicate it that much to get SSO. Of course you can do many exciting things with this xml file, but I recommend you to start off by doing as few changes as possible.
Change Transport Hostname to "localhost" and add there:
<Transport Hostname="localhost" Port="81" Protocol="http"/>
</Server>
</ServerGroup>
Add these four lines beneath <UriGroup Name="default_host_URIs">:
<UriGroup Name="default_host_URIs">
<Uri Name="/*.nsf*"/>
<Uri Name="/*.NSF*"/>
<Uri Name="*/icons/*"/>
<Uri Name="*/domjava/*"/>
NOTE: Incorrect syntax is used for this parameter in the Domino 6 Administration Help.
Note: Directives in the UriGroup section are case sensitive.
Note the default Domino http port 9080 (see 3.3.1).
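The following is an added example, not part of the white paper: a small Python check that parses a plugin-cfg.xml and verifies the two things this section asks for, a Transport pointing at the local Domino port and the four case-sensitive Uri patterns in default_host_URIs. The element names (ServerGroup, Server, Transport, UriGroup, Uri) are the ones in the fragments above; the sample document embedded in the script is constructed, and the expected port (9080, the value used in 3.3.1 and chapter 6) is a parameter you can set to 81 if you follow the first fragment literally.

```python
"""Sanity-check a WebSphere plugin-cfg.xml before the IIS plug-in loads it.

Added example, not part of the white paper. It parses the file with the standard
library and checks the two points of section 3.2.2: the Transport points at the
local Domino HTTP port, and UriGroup default_host_URIs carries the four
case-sensitive Uri patterns. The sample file below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the stripped-down plugin-cfg.xml section 3.2.2 ends up with.
SAMPLE_PLUGIN_CFG = """<?xml version="1.0"?>
<Config>
  <ServerGroup Name="default_group">
    <Server Name="domino">
      <Transport Hostname="localhost" Port="9080" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/*.NSF*"/>
    <Uri Name="*/icons/*"/>
    <Uri Name="*/domjava/*"/>
  </UriGroup>
</Config>
"""

# The four patterns section 3.2.2 adds. Uri matching is case sensitive, so both
# the lower-case and the upper-case .nsf entry are required.
REQUIRED_URIS = ("/*.nsf*", "/*.NSF*", "*/icons/*", "*/domjava/*")


def is_loopback_host(host):
    """True for 127.0.0.1, 'localhost', or a name whose first label is localhost
    (section 6.3.2 maps localhost.mydomain.com to 127.0.0.1 in the hosts file)."""
    h = host.strip().lower()
    return h == "127.0.0.1" or h.split(".")[0] == "localhost"


def check_plugin_cfg(xml_text, expected_port="9080"):
    """Return a list of findings; an empty list means the file matches 3.2.2."""
    findings = []
    root = ET.fromstring(xml_text)

    transports = root.findall(".//ServerGroup/Server/Transport")
    if not transports:
        findings.append("no Transport element under ServerGroup/Server")
    for t in transports:
        host, port, proto = t.get("Hostname", ""), t.get("Port", ""), t.get("Protocol", "")
        if not is_loopback_host(host):
            findings.append(f"Transport Hostname {host!r} is not loopback")
        if port != expected_port:
            findings.append(f"Transport Port {port!r}, expected {expected_port!r}")
        if proto != "http":
            findings.append(f"Transport Protocol {proto!r} is not http")

    group = root.find(".//UriGroup[@Name='default_host_URIs']")
    if group is None:
        findings.append("UriGroup default_host_URIs is missing")
    else:
        present = {u.get("Name") for u in group.findall("Uri")}
        for name in REQUIRED_URIS:
            if name not in present:  # exact comparison: case matters here
                findings.append(f"Uri {name!r} missing from default_host_URIs")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLUGIN_CFG
    for line in check_plugin_cfg(text) or ["plugin-cfg.xml looks consistent with 3.2.2"]:
        print(line)
```

Run it with the path to the real file as the only argument; without an argument it checks the embedded sample. A missing "/*.NSF*" entry is reported as its own finding, which is exactly the mistake the case-sensitivity note above is warning about.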
3.2.3 Create the Registry values of the plug-in
Unfortunately most documentation on this involves small but very annoying diversions, and the different versions of the plug-in dlls reference version information in a format unclear to me.
I have created ascii *.reg files for 5.0, 5.0.0.0 and 5.1.0.0; if you get your hands on them, watch out for the drive letters in them.
Note: Wherever I have read about the version numbers in the plug-in registry settings the recommendations have differed slightly... some claim 'IBM' - 'WebSphere Application Server' - '5.0', others 'IBM' - 'WebSphere Application Server' - '5.0.0.0'. Until this is finally sorted I have created registry "trees" for 5.0, 5.0.0.0 and 5.1.0.0. If you don't like this approach I recommend you to start off with 5.0, then 5.0.0.0 and then 5.1.0.0.
Below is my attempt to get this right, if you can't get hold of the *.reg files mentioned above...
If you are installing the WAS 5.x version of the plug-ins, you need to create the following entries (with RegEdit) under 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' - '5.0'. Select '5.0' and create these new string values:
- 'BinPath': the location where the plug-in is copied to (C:\WebSphere\AppServer\bin).
- 'InstallLocation': the WAS root (C:\WebSphere\AppServer).
- 'LibPath': the lib directory (C:\WebSphere\AppServer\lib).
- 'MajorVersion': 5
- 'Plugin Config': the location of the plugin-cfg.xml file (C:\WebSphere\AppServer\config\plugin-cfg.xml).
If needed, do the same for 5.0.0.0 and 5.1.0.0 and 6.0.0.0...
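Below is an added example, not the author's own *.reg files: a Python script that writes out a .reg file for the 5.0, 5.0.0.0 and 5.1.0.0 keys with the five string values listed in this section, taking the WebSphere root as a parameter so the drive letter is set in one place (the warning above). The value name is spelled 'Plugin Config' as in the introduction to chapter 3. The one thing the script handles that is easy to get wrong by hand is the doubling of backslashes that .reg string values require.

```python
"""Generate the *.reg file section 3.2.3 describes for the WebSphere IIS plug-in.

Added example, not the white paper author's *.reg files. Key path and value names
are the ones section 3.2.3 lists; the WebSphere root directory is a parameter so
the drive letter is changed in one place. Backslashes in .reg string values must be
doubled, which is done by reg_string().
"""

REG_HEADER = "Windows Registry Editor Version 5.00"
KEY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\IBM\WebSphere Application Server"
# The three version "trees" the paper creates; add "6.0.0.0" here if you need it.
VERSION_KEYS = ("5.0", "5.0.0.0", "5.1.0.0")


def reg_string(value):
    """Quote a string for a .reg file: backslashes are doubled, quotes escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def plugin_registry_values(was_root):
    """The five string values from section 3.2.3, derived from the WAS root."""
    root = was_root.rstrip("\\")
    return {
        "BinPath": root + r"\bin",
        "InstallLocation": root,
        "LibPath": root + r"\lib",
        "MajorVersion": "5",
        "Plugin Config": root + r"\config\plugin-cfg.xml",
    }


def build_reg_file(was_root=r"C:\WebSphere\AppServer", versions=VERSION_KEYS):
    """Return the full text of a .reg file that creates every version key."""
    lines = [REG_HEADER, ""]
    values = plugin_registry_values(was_root)
    for version in versions:
        lines.append(f"[{KEY_ROOT}\\{version}]")
        for name, value in values.items():
            lines.append(f"{reg_string(name)}={reg_string(value)}")
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    # Change the root here (drive letter included) if WebSphere lives elsewhere.
    print(build_reg_file(r"C:\WebSphere\AppServer"))
```

Redirect the output to a file with a .reg extension and import it with RegEdit; the lines are joined with CRLF because that is what Windows text tools expect. Review the generated key paths before importing, since the same script with a wrong root silently produces a file that points the plug-in at a directory that does not exist.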
3.3 Configure Domino

3.3.1 Configure Domino to use the http port 9080
In the Server Document:
Ports -> Internet Ports -> Web: change the TCP/IP port number to 9080.
Internet Protocols -> Domino Web Engine tab, configure:
Protocol: http
Port number: 9080
Host name:

3.3.2 Enable Domino to trust Header information
Set the notes.ini parameter
HTTPEnableConnectHeaders=1
Warning, this is a dangerous thing and from now on you should make sure your Domino server is not reachable from a web browser without going through IIS! For more details, read chapter 6.
3.4 Configure IIS
Start IIS admin.

3.4.1 Create Virtual Directory
Right click on your default web site, choose New/Virtual Directory.
Alias: SePlugins
Choose c:\websphere\appserver\ and the permission Execute; deselect all else.
3.4.2 Create ISAPI Filter
Choose Properties on your default web site.
Select the ISAPI Filters tab. Click Add and enter iisWASPlugin in the Filter Name field. For the Executable field, click Browse, open the WebSphere bin directory, and select iisWASPlugin_http.dll.

3.4.3 Disable anonymous access to IIS
Choose Properties on your Default Web Site, Directory Security/Authentication and Access Control/Edit, and uncheck "Enable anonymous access".

3.4.4 Extras for IIS 6 on Windows Server 2003
(see technote above)
Properties on Web Sites/Service: check "Run WWW service in IIS 5.0 isolation mode".
Right click Web Service Extensions and add a new Web Service extension.
RESTART IIS!
4 Settings in Internet Explorer to make IWA work
You must check these three settings in Internet Explorer to make it "login" to an IIS server with its AD credentials.

4.1 Internet Options/Advanced/Enable Integrated Windows Authentication must be checked
4.2 Tools/Internet Options/Security/Custom Level. Make sure the setting is "Automatic logon only in Intranet zone".

4.3 Add the url of the IIS server (or the domain name of the server) to the Intranet zone (Tools/Internet Options/Security/Local Intranet/Sites/Advanced).
5 What must be done in Domino Directory to make the users' AD signatures translate into their Notes usernames
For Domino to translate the ADname\ADusername provided in the http header by IIS/WebSphere into the user's valid Domino credentials you must make the ADname\ADusername available to Domino. We usually put it at the end of the "User name" field, but you should also be able to put it (last) in the "Short name" field. ADname\ADusername is then replaced with the first name in your "User name" field. You also get the same group credentials as if you had logged in with your Domino username.
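As an added example (not Domino's own lookup code), the Python below models the rule in this chapter: the ADname\ADusername is stored as an extra (last) entry of the "User name" field (Domino Directory item FullName) or the "Short name" field (item ShortName), and a request carrying it resolves to the first entry of "User name". The person documents are constructed sample data. The duplicate check goes a step beyond the text: two person documents carrying the same AD name would make the translation ambiguous, so it is worth finding such entries before HTTPEnableConnectHeaders=1 is switched on.

```python
"""Resolve the ADname\\ADusername IIS passes on to the Domino user it stands for.

Added example, not Domino's own lookup code. It models chapter 5 of the white
paper: the AD name is stored as an extra (last) entry of the person document's
"User name" field (item FullName) or "Short name" field (item ShortName), and a
request carrying it acts as the first entry of "User name". The person documents
below are constructed sample data.
"""

PERSON_DOCUMENTS = [
    # "User name" = FullName, "Short name" = ShortName; the AD name is placed last.
    {"FullName": ["CN=Anna Andersson/O=Example", "Anna Andersson", "EXAMPLE\\aand"],
     "ShortName": ["aandersson"]},
    {"FullName": ["CN=Bo Berg/O=Example", "Bo Berg"],
     "ShortName": ["bberg", "EXAMPLE\\bberg"]},
]


def _normalize(name):
    """Domino name matching ignores case; surrounding whitespace is stripped too."""
    return name.strip().lower()


def resolve_domino_user(ad_name, person_documents=PERSON_DOCUMENTS):
    """Return the first "User name" entry of the person document that lists
    ad_name in "User name" or "Short name", or None when no document does.

    None is the situation of section 9.4: an empty or unknown header value
    cannot be translated, so Domino falls back to its own login dialog.
    """
    wanted = _normalize(ad_name)
    if not wanted:
        return None
    for doc in person_documents:
        full_names = doc.get("FullName") or []
        listed = full_names + (doc.get("ShortName") or [])
        if any(_normalize(n) == wanted for n in listed):
            return full_names[0] if full_names else None
    return None


def find_ambiguous_ad_names(person_documents=PERSON_DOCUMENTS):
    """Return AD-style names (containing a backslash) that appear in more than
    one person document; each would map one header value to several users."""
    seen = {}
    for doc in person_documents:
        for n in (doc.get("FullName") or []) + (doc.get("ShortName") or []):
            if "\\" in n:
                seen.setdefault(_normalize(n), set()).add(id(doc))
    return sorted(name for name, docs in seen.items() if len(docs) > 1)


if __name__ == "__main__":
    # Constructed header value, as IIS and the plug-in would hand it over.
    print(resolve_domino_user("EXAMPLE\\aand"))  # CN=Anna Andersson/O=Example
    print(find_ambiguous_ad_names())              # []
```

Feed it the FullName and ShortName items exported from names.nsf (for example from a view or an agent) to see which AD names resolve, which resolve to the wrong document, and which are claimed twice.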
6 How to secure the Domino server behind IIS to make it impossible for someone to access it with spoofed IP headers

6.1 Security aspects of the notes.ini parameter HTTPEnableConnectHeaders=1
The downside of this terrific notes.ini parameter is that it makes Domino very stupid! Instead of using its well proven authentication process it translates (without authentication) the username in the http header of a request into a valid Domino username/session/LTPA token. If the bogeyman can access the Domino server with a spoofed http header, it would give him the opportunity to use the Domino environment with whatever user's credentials he would prefer! Below in this chapter we provide two methods to deny him this possibility, as long as you have the Domino server and the IIS server on the same machine (Windows server).
A good reference when it comes to security and the WebSphere plug-in is Jason Hooks' presentation referenced above. It explains why you must make the hidden Domino server (all servers with the notes.ini setting HTTPEnableConnectHeaders=1) inaccessible for anyone except through the WebSphere plug-in.
6.2 Separating the IIS server and the Domino server
In the plugin-cfg.xml you can also configure IIS to forward nsf/NSF requests to a Domino server on another Windows server. You can also configure the WebSphere 5.x IIS plug-in to use several different Domino servers to achieve failover and possibly load balancing. It is easy to see scenarios where separating Domino and IIS would be useful or needed.
As we see it, directing the IIS plug-in to a Domino on a separate machine from the IIS server (for whatever purpose) would significantly decrease the security, unless you can make the other Domino server impossible to reach through http/https from other sources than the IIS server. The extra risk of this approach would be an attacker with a spoofed IP header (claiming the request is sent from/through the IIS server) and a spoofed http header.
I guess it would be quite easy to avoid this IP header spoofing risk by configuring firewalls, Windows server, IPSEC or some other mechanism. Until such a method is evaluated and fits into an environment I would not recommend pointing the IIS WebSphere plug-in to a Domino server on another Windows server!
6.3 Recommended configurations

6.3.1 Separate NICs for IIS and Domino
One way to achieve this is to follow Alex Elliott's notes.net article mentioned above. In short it will guide you to put Domino and IIS on separate NICs on the same physical server, with Domino's NIC inaccessible from outside the server.

6.3.2 Configure Domino to only accept requests from loopback adapter "localhost"
Another approach used by us (Infoware Solutions Svenska AB) is to configure Domino to only answer requests from an internal loopback (soft) address, usually "localhost" / 127.0.0.1. To achieve this we have added several settings on the IIS/Domino server.
Addition to the hosts file:
127.0.0.1 localhost localhost.mydomain.com
Change in plugin-cfg.xml:
<Transport Hostname="localhost.mydomain.com" Port="9080" Protocol="http"/>
Changes at ports level in notes.ini (an extra active port is added):
TCPIP=TCP, 0, 15, 0
zNet=TCP, 0, 15, 0
and
Ports=TCPIP,zNet
and
TCPIP_TcpipAddress=129.178.8.47
zNet_TcpipAddress=127.0.0.1
Changes in the server document in names.nsf under Ports\Notes Network Ports:
Port | Protocol | Notes Network | Net Address | Enabled
TCPIP | TCP | TCPIP Network | hostname.mydomain.com | ENABLED
zNet | TCP | hostname | localhost.mydomain.com | ENABLED
Changes in the server document in names.nsf under Basics:
Fully qualified Internet host name: localhost.mydomain.com
Changes in the server document in names.nsf under Internet Protocols\HTTP, Basics:
Host name(s): localhost.mydomain.com
Bind to host name: Enabled
Changes in the server document in names.nsf under Internet Protocols\Domino Web Engine, HTTP Sessions:
Session authentication: Multiple Servers (SSO)
Web SSO Configuration: LtpaToken
Generating References to this Server:
Does this server use IIS?
Protocol: http
Host name: localhost.mydomain.com
Port number: 9080
Changes in the server document under Ports\Internet Ports, Web (HTTP/HTTPS):
TCP/IP port number: 9080
TCP/IP port status: Enabled
Enforce server access settings: No
Authentication options:
Name & password: Yes
Anonymous: No
SSL port number: 443
SSL port status: Disabled
Authentication options:
Client certificate: No
Name & password: Yes
Anonymous: No
Usually we also take some extra precautions:
- Remove webadmin.nsf and webadmin.ntf
- Changed notes.ini: ServerTasks=Update,Replica,AMgr,AdminP,HTTP
- Only put an empty Domino Directory on the Domino server, with Directory Assistance pointing to another server
This list could definitely be longer!!!
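The following is an added example, not a Domino or IBM tool: a Python audit that reads a notes.ini, the server document fields quoted in this section and the hosts file mapping, and reports when HTTPEnableConnectHeaders=1 is set on a server whose HTTP task is not pinned to a loopback address, which is the exposure section 6.1 warns about. The notes.ini text, hosts entries and server document dictionary are constructed samples with a documentation-range address in place of the real one above; the server document field labels are used as plain dictionary keys, a simplification of how they are stored in names.nsf.

```python
"""Audit the "hidden Domino" settings of chapter 6.

Added example, not a Domino or IBM tool. It reads notes.ini text, the server
document fields quoted in section 6.3.2 and the hosts file mapping, and reports
when HTTPEnableConnectHeaders=1 is set while the HTTP task is not pinned to a
loopback address (the exposure section 6.1 warns about). All inputs below are
constructed samples; a documentation-range address stands in for a real one, and
the server document field labels are used as plain dictionary keys.
"""
import ipaddress

SAMPLE_NOTES_INI = """[Notes]
Directory=C:\\Lotus\\Domino\\data
Ports=TCPIP,zNet
TCPIP=TCP, 0, 15, 0
zNet=TCP, 0, 15, 0
TCPIP_TcpipAddress=192.0.2.47
zNet_TcpipAddress=127.0.0.1
HTTPEnableConnectHeaders=1
ServerTasks=Update,Replica,AMgr,AdminP,HTTP
"""

# Server document fields from section 6.3.2 (Basics / Internet Protocols - HTTP).
SAMPLE_SERVER_DOC = {
    "Fully qualified Internet host name": "localhost.mydomain.com",
    "HTTP Host name(s)": "localhost.mydomain.com",
    "HTTP Bind to host name": "Enabled",
    "HTTP Anonymous": "No",
}

# The hosts file line "127.0.0.1 localhost localhost.mydomain.com" as a mapping.
SAMPLE_HOSTS = {"localhost": "127.0.0.1", "localhost.mydomain.com": "127.0.0.1"}


def parse_notes_ini(text):
    """Return notes.ini settings as a dict with lower-cased keys (notes.ini keys
    are case-insensitive); the [Notes] header and blank lines are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # a host name rather than an address, or junk
        return False


def audit_hidden_domino(notes_ini_text, server_doc, hosts):
    """Return a list of findings. An empty list means header trust is only
    enabled on an HTTP port bound to loopback, which is what 6.3.2 sets up."""
    ini = parse_notes_ini(notes_ini_text)
    findings = []
    if ini.get("httpenableconnectheaders") != "1":
        return findings  # Domino authenticates itself; nothing to audit here

    if server_doc.get("HTTP Bind to host name", "").lower() != "enabled":
        findings.append("HTTPEnableConnectHeaders=1 but HTTP is not bound to a host name")
    host = server_doc.get("HTTP Host name(s)", "")
    if not _is_loopback(hosts.get(host, host)):
        findings.append(f"HTTP host name {host!r} does not resolve to a loopback address")
    if server_doc.get("HTTP Anonymous", "").lower() != "no":
        findings.append("anonymous HTTP access is still allowed on the hidden server")

    # One of the active Notes ports must carry the loopback address (zNet in the paper).
    ports = [p.strip() for p in ini.get("ports", "").split(",") if p.strip()]
    addresses = [ini.get(p.lower() + "_tcpipaddress", "") for p in ports]
    if not any(_is_loopback(a) for a in addresses):
        findings.append("no port in notes.ini Ports= is pinned to 127.0.0.1")
    return findings


if __name__ == "__main__":
    for f in audit_hidden_domino(SAMPLE_NOTES_INI, SAMPLE_SERVER_DOC, SAMPLE_HOSTS) or ["OK"]:
        print(f)
```

The check deliberately stays silent when HTTPEnableConnectHeaders is absent or 0, since then Domino still authenticates on its own; it only complains about the combination that turns a reachable HTTP port into an unauthenticated identity assertion.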
7 How to configure your Domino environment to use LTPA Token for SSO between selected Domino servers
How to enable LTPA for selected Domino servers is well documented in Domino Administration.
From Domino 6.5.1, Multi-server session authentication supports idle session timeout. This is documented in the Domino 6.5.1 release notes and also available in Lotus knowledgebase reference "1164178" "Domino HTTP idle session timeout for SSO configurations". The SSO idle timeout additionally allows the administrator to control how long the user can remain idle after logging in, i.e. how long the user is not actively accessing the SSO environment.
Be aware of the limited security LTPA tokens provide in a Domino environment not protected by https/SSL.
dotNSF has an application which extends LTPA to IIS environments and an application to renew LTPA tokens.
8 How to configure the IIS server and the first Domino server by Secure Socket Layer, SSL
As SSL is getting more widely used in internal infrastructure it might be worth mentioning the possibility to implement all parts of this document with the extra protection SSL provides. Under References you will find a link to a great whitepaper from dotNSF.
Worth mentioning again (see under References above) is IBM's recommendation not to use LTPA on Domino without SSL!
9 Gotchas and hints

9.1 Logging
In the XML file of the plug-in you can change the log level to TRACE, which gives very good information on what is going on. The logging is done into a file under c:\websphere\logs\. For performance reasons it has been recommended to disable this when the solution is in operation.
NT's event viewer is also a valuable source on the status of the plug-in.
Slide 33 in Jason Hooks' presentation referenced above is a good scheme if the plug-in doesn't load.

9.2 Browser wants to download nsf files
One problem I experienced before getting everything (!?) together was the browser wanting to download nsf files instead of opening them. The reason was that the traffic didn't go through the plug-in to Domino; instead IIS was pointing right at the Domino\Data directory. Go back to appendix C in the referenced Redbook!

9.3 Windows login dialog
If you get a Windows login dialog when opening a URL on Domino through IIS, something is probably wrong in your IE settings: first make sure you are logged into the correct AD and secondly go through chapter 4 above again.
9.4 Lotus login dialog
I have got this in two different ways:
1. Something is probably wrong in your Domino configuration:
- did you forget the notes.ini setting?
- is your ADname\ADusername not available in your person document?
2. When anonymous access is not disabled in IIS (see 3.4.3 above). In this scenario I guess IIS just lets you through without checking who you are, resulting in an anonymous header!
9.5 Unexpected results during testing of person document content
During testing of what and where to put the ADname\ADusername in the person document we have experienced situations where we have added and removed the ADname\ADusername from a person document without getting the expected results; the reason seems to have been caching in the Domino server. Rebooting the server should correct things, but you could also try this Domino server console command a couple of times:
Sh nlcache re
Please note, this is a very strong command with several other implications for the running Domino server; we don't recommend it in a production environment without very good reason.