Web users who participate in Windows™ single sign-on for Web clients have accounts in Active Directory, and they usually have Person documents in the Domino® Directory as well. You configure user name mapping so that an HCL Domino server can reconcile the user names found in the two directories.
User name mapping serves three purposes. First, when a Domino server finds both a user's LDAP distinguished name in Active Directory and the user's HCL Notes® distinguished name (DN) in the Domino Directory, name mapping lets the server verify that the two names belong to the same user. To link the two names, the server checks that the value of the mail attribute in the Active Directory user account matches the Internet Address in the user's Person document.
Second, name mapping may be needed to determine a user's Notes distinguished name. In an SSO environment where some servers use Active Directory exclusively rather than the Domino Directory, a user's LTPA token contains the user's Active Directory distinguished name. For example, an IBM® WebSphere® Application Server might be configured to use Active Directory as its user repository; LTPA tokens issued in that environment typically carry the Active Directory distinguished names of web users. Because ACLs on Domino databases usually refer to the Notes distinguished names of web users, you must map the Active Directory distinguished names in the LTPA tokens to Notes distinguished names so that a Domino server can determine a web user's access to its databases. This step is not necessary if LTPA tokens are configured to contain users' Notes distinguished names, which is the default when Domino SSO keys are used rather than SSO keys imported from WebSphere.
Finally, user name mapping specifies which directory to use to verify user passwords when Windows single sign-on is not available and Web users must initially log on when connecting to a server in the SSO domain. Windows single sign-on is not available to:
How you configure user name mapping depends on whether you manage users primarily through Active Directory or through the Domino Directory. Consider which directory is easier for you to modify and maintain. You can also minimize directory modifications by using a separate authentication application to authenticate Internet users.
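The following Python is an added example, not HCL code and not a description of Domino's internal implementation. It models the two reconciliation rules described above: an Active Directory account is linked to a Domino Person document only when the AD mail attribute equals the Person document's Internet Address, and the Active Directory distinguished name carried in a WebSphere-keyed LTPA token is translated into the Notes distinguished name that database ACLs reference, while a token that already carries a Notes DN passes through. The directory records are constructed sample data. The refusal to link an address that is not unique on both sides is an added safety check the text does not mention: linking an ambiguous address would let one identity inherit another's ACL entries.

```python
"""Offline model of Domino user name mapping for Windows single sign-on (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ADUser:
    dn: str    # Active Directory distinguishedName
    mail: str  # Active Directory 'mail' attribute ("" when absent)


@dataclass(frozen=True)
class PersonDoc:
    notes_dn: str          # FullName item, e.g. "CN=Jane Doe/O=Example"
    internet_address: str  # InternetAddress item


@dataclass
class NameMap:
    ad_to_notes: Dict[str, str] = field(default_factory=dict)  # normalized AD DN -> Notes DN
    unlinked: List[str] = field(default_factory=list)          # addresses refused, with reason


def _norm_mail(addr: str) -> str:
    # Both directories match addresses case-insensitively, so compare that way.
    return addr.strip().lower()


def _norm_dn(dn: str) -> str:
    # LDAP DNs tolerate whitespace around separators and AD matches values
    # case-insensitively; canonicalize before using a DN as a lookup key.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def build_name_map(ad_users: List[ADUser], persons: List[PersonDoc]) -> NameMap:
    """Link AD accounts to Person documents on mail == InternetAddress.

    Added check: a link is made only when the address is unique on BOTH sides.
    Two AD accounts or two Person documents sharing one address are reported
    and left unlinked instead of guessing.
    """
    result = NameMap()
    by_mail_ad: Dict[str, List[ADUser]] = {}
    by_mail_person: Dict[str, List[PersonDoc]] = {}
    for u in ad_users:
        if u.mail:
            by_mail_ad.setdefault(_norm_mail(u.mail), []).append(u)
    for p in persons:
        if p.internet_address:
            by_mail_person.setdefault(_norm_mail(p.internet_address), []).append(p)

    for mail, users in by_mail_ad.items():
        docs = by_mail_person.get(mail, [])
        if len(users) != 1 or len(docs) != 1:
            result.unlinked.append(
                f"{mail}: {len(users)} AD account(s), {len(docs)} Person doc(s); not linked")
            continue
        result.ad_to_notes[_norm_dn(users[0].dn)] = docs[0].notes_dn
    return result


def resolve_token_name(token_name: str, name_map: NameMap,
                       notes_dns: List[str]) -> Optional[str]:
    """Return the Notes DN to evaluate ACLs against for an LTPA token subject.

    A token minted with Domino SSO keys already carries the Notes DN and passes
    through; a token from a WebSphere-keyed SSO domain carries the AD DN and is
    mapped. An unmapped name yields None, and the caller must not grant such a
    token anything beyond Anonymous access.
    """
    known_notes = {_norm_dn(n): n for n in notes_dns}
    key = _norm_dn(token_name)
    if key in known_notes:
        return known_notes[key]
    return name_map.ad_to_notes.get(key)


# Constructed sample directories (not real accounts or domains).
SAMPLE_AD = [
    ADUser("CN=Jane Doe,OU=Staff,DC=example,DC=com", "Jane.Doe@example.com"),
    ADUser("CN=John Roe,OU=Staff,DC=example,DC=com", "john.roe@example.com"),
    ADUser("CN=J Roe (contractor),OU=Ext,DC=example,DC=com", "john.roe@example.com"),  # duplicate mail
    ADUser("CN=svc-backup,OU=Service,DC=example,DC=com", ""),  # no mail attribute
]
SAMPLE_PERSONS = [
    PersonDoc("CN=Jane Doe/O=Example", "jane.doe@example.com"),
    PersonDoc("CN=John Roe/O=Example", "john.roe@example.com"),
    PersonDoc("CN=Ann Lee/O=Example", "ann.lee@example.com"),  # no AD account
]


def demo():
    nm = build_name_map(SAMPLE_AD, SAMPLE_PERSONS)
    notes_dns = [p.notes_dn for p in SAMPLE_PERSONS]
    jane = resolve_token_name("cn=jane doe, ou=staff, dc=example, dc=com", nm, notes_dns)  # AD DN, mapped
    roe = resolve_token_name("CN=John Roe,OU=Staff,DC=example,DC=com", nm, notes_dns)      # ambiguous, None
    ann = resolve_token_name("CN=Ann Lee/O=Example", nm, notes_dns)                        # Notes DN, passthrough
    return nm, jane, roe, ann


if __name__ == "__main__":
    nm, jane, roe, ann = demo()
    print("linked:", nm.ad_to_notes)
    for reason in nm.unlinked:
        print("refused:", reason)
    print(jane, roe, ann)
```

Run it directly to see one linked pair, one refused duplicate address, and the three token resolutions. The same two rules apply whether you maintain the Notes DN in Active Directory or the AD name in the Domino Directory; only the side that stores the cross-reference changes.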
Configuring user name mapping when you manage Domino users through Active Directory
Follow the steps in this topic to configure user name mapping for a Windows single sign-on environment if you manage HCL Domino user information primarily through Active Directory. This configuration requires you to add users' HCL Notes distinguished names to Active Directory user accounts.
Related concepts
Access levels in the ACL

Related tasks
Configuring user name mapping when you manage Domino users through Domino Directory
Configuring user name mapping when you manage Domino users through Active Directory
Setting up Windows single sign-on for Web clients

Related information
Troubleshooting Windows single sign-on for Web clients (SPNEGO)