You can set up a Domino® Web server to honor Microsoft™ Windows™ users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.
About this task
The Domino Web server uses Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the underlying Kerberos network authentication security that is provided by Active Directory to negotiate the authentication with a browser client.
Restriction: Windows single sign-on for Web clients is incompatible with SAML deployment. If the Domino Web server is configured for SAML session authentication, Windows single sign-on for Web clients must be disabled in any SSO configuration document used by the SAML-enabled Web server.
Requirements:
1. Prepare the Domino server for Windows single sign-on for Web clients.
2. Set up the Windows service for Domino.
3. Configure user name mapping.
4. Configure Web client browsers.
Considerations if you deploy a DSAPI filter in a Windows single sign-on environment
Windows single sign-on for Web clients can be used in conjunction with HCL Domino Web server customizations. DSAPI (Domino Web Server Application Programming Interface) is a C API that you can use to write your own extensions to the Domino Web server. These extensions (for example, filters) let you customize the behavior of the Web server.
Preparing a Domino server for Windows single sign-on for Web clients
You must prepare a Domino server for Windows single sign-on for Web clients.
Setting up the Windows service for Domino
To enable a Domino server to participate in Windows single sign-on for Web clients, an Active Directory administrator must use the Active Directory setspn utility to assign at least one service principal name (SPN) for the server to an Active Directory account. SPNs correspond to DNS names in server URLs (for example, www.renovations.com) that Web clients use to connect to the Domino server.
Configuring user name mapping in a Windows single sign-on for Web clients environment
Web users that participate in Windows single sign-on for Web clients have accounts in Active Directory. They usually have Person documents in the Domino Directory too. You configure user name mapping to enable an HCL Domino server to reconcile user names found in both directories.
Configuring Web client browsers for Windows single sign-on
To set up Windows single sign-on for Web clients, you must set up browsers to authenticate to the HCL Domino server using SPNEGO.
Enabling integrated Windows authentication (IWA) for Eclipse-based clients
Integrated Windows authentication (IWA) is available for supplied and third-party Eclipse-based client applications, enabling SPNEGO authentication for Eclipse-based features and applications within the Notes® client, for example, embedded HCL Sametime®.
Related concepts: Considerations if you deploy a DSAPI filter in a Windows single sign-on environment
Related tasks: Windows single sign-on for Web clients across multiple Active Directory domains
Related information: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment; Troubleshooting Windows single sign-on for Web clients (SPNEGO)