Abstract
Lotus Notes and Domino 8.5.3 supports integrated Windows authentication (IWA) for supplied and third-party Eclipse-based client applications and components used within Lotus Notes, enabling SPNEGO authentication for integrated Notes application clients. IWA works with Eclipse-based features embedded in Notes such as Widgets and Live Text, Feeds, IBM Connections, and Composite Applications, as well as embedded IBM Sametime and embedded IBM Symphony. IWA also works with products that are based on Eclipse but not embedded within Notes, such as IBM WebSphere Portal with SiteMinder and stand-alone Lotus Connections 3.0 with SiteMinder.
Note: IWA cannot be used as a mechanism for authentication on Notes client startup.
Content
IWA is an authentication protocol that allows users to achieve single sign-on using the Windows credentials of the currently logged-in user. SPNEGO is one mechanism of IWA that allows the client and server to negotiate which authentication protocol to use. These protocols are limited to NTLM and Kerberos.
The Domino administrator can either use a security settings policy to specify support for IWA, or create an account of type OS-CRED and provide it to client users by policy.
To enable IWA in the security policy:
- In the Domino Directory, create or edit an existing security settings policy document (the 8.5.3 names.nsf design is required).
- On the Password Management tab, select Yes for the Enable Windows single sign-on for Standard Notes Client field.
Note: Enabling IWA authentication through the security settings policy supports it only in the browser and the network layer, for components such as Feeds and Widgets. For example, if the widget catalog is on a SPNEGO-protected site, and the client user accesses the catalog through the embedded browser, the user would authenticate to the catalog without the need for an account.
Creating an OS-CRED account for a client user automatically enables IWA for the entire Notes client. Application-specific accounts such as IBM Sametime and IBM Connections can also be changed to type OS-CRED.
Details of integrated Windows authentication
Support for session management is provided by HTTP cookies.
TAM-SPNEGO support remains unchanged from earlier releases. However, TAM-SPNEGO account type users can switch their accounts to use the new SPNEGO support using the client's plugin_customization.ini file.
Note: This file is typically resident in the framework\rcp subdirectory of the Notes_install_dir, for example,
Program Files\IBM\Lotus\Notes\framework\rcp\plugin_customization.ini
Before Notes installation or upgrade, the file resides in the deploy subdirectory of the Notes install kit.
Add the following statement to specify that all existing TAM-SPNEGO accounts instead use OS-CRED authentication:
com.ibm.rcp.accounts/replace.tam.spnego=true
- OS-CRED SPNEGO is not automatically enabled. To enable it, create a new account of type OS-CRED using existing Domino administrator or client preferences user interface methods or set a platform preference by adding the following statement to the client's plugin_customization.ini file:
com.ibm.rcp.net.http/enable.spnego=true
- This capability is available for the embedded Activities sidebar application. Similar to the Accounts configuration, the Connections configuration now offers 'OS Credential' as an authentication type when configuring client preferences. It is also supported when the Connections configuration is supplied in the client's plugin_customization.ini file as follows:
com.ibm.lconn.client.base/server=Connections_server_name
com.ibm.lconn.client.base/authtype=OS-CRED
Note: There is no specific Domino policy for this setting, which is consumed primarily by Lotus Sametime currently. As an alternative to the plugin_customization.ini file, you can push the setting via Domino policy using the Custom Settings tab on the Domino Desktop policy settings document to define a custom name/value pair. See "Pushing Eclipse preference settings" in the IBM Lotus Notes and Domino Information Center for details.
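The three plugin_customization.ini settings above are easy to mis-type or leave half-configured on a deployed client. The following added example (not IBM's code) parses a constructed sample of the file the way Eclipse reads it (comments, backslash line continuation, last duplicate key wins) and reports the effective IWA state, flagging a Connections server value left at the documentation placeholder.

```python
"""Audit the IWA-related Eclipse preferences in a Notes plugin_customization.ini.
Added example; the keys are the ones this technote documents."""
from typing import Dict, List

SPNEGO_KEY = "com.ibm.rcp.net.http/enable.spnego"
REPLACE_TAM_KEY = "com.ibm.rcp.accounts/replace.tam.spnego"
LCONN_SERVER_KEY = "com.ibm.lconn.client.base/server"
LCONN_AUTH_KEY = "com.ibm.lconn.client.base/authtype"
PLACEHOLDER = "Connections_server_name"  # the doc's placeholder, not a real host

# Constructed sample: one key is repeated and the server line still holds the placeholder.
SAMPLE_INI = """\
# plugin_customization.ini (constructed sample)
com.ibm.rcp.accounts/replace.tam.spnego=true
com.ibm.rcp.net.http/enable.spnego=false
com.ibm.rcp.net.http/enable.spnego=true
com.ibm.lconn.client.base/server=\\
    Connections_server_name
com.ibm.lconn.client.base/authtype=OS-CRED
"""


def parse_prefs(text: str) -> Dict[str, str]:
    """Java-properties style parse: '#' comments, trailing-backslash continuation,
    leading whitespace of a continued line dropped, last duplicate key wins."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    prefs: Dict[str, str] = {}
    for line in logical:
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        prefs[key.strip()] = value.strip()
    return prefs


def audit_iwa(text: str) -> Dict[str, object]:
    """Summarise the IWA settings present and list configuration warnings."""
    prefs = parse_prefs(text)
    spnego = prefs.get(SPNEGO_KEY, "").lower() == "true"
    tam_replaced = prefs.get(REPLACE_TAM_KEY, "").lower() == "true"
    lconn_os_cred = prefs.get(LCONN_AUTH_KEY, "").upper() == "OS-CRED"
    server = prefs.get(LCONN_SERVER_KEY, "")
    warnings: List[str] = []
    if lconn_os_cred and (not server or server == PLACEHOLDER):
        warnings.append("Connections authtype is OS-CRED but server is unset or still the placeholder")
    if tam_replaced and not spnego:
        warnings.append("TAM-SPNEGO accounts become OS-CRED; confirm SPNEGO is enabled via an OS-CRED account or enable.spnego=true")
    return {"spnego_enabled": spnego, "tam_replaced": tam_replaced,
            "connections_os_cred": lconn_os_cred, "warnings": warnings}
```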
Troubleshooting
If problems are encountered during SPNEGO authentication, you can enable the settings below for Eclipse-level logging in the rcpinstall.properties file. This writes log output from the JVM and from Notes to whatever log location your client system currently uses; by default this is C:\Program Files\IBM\Lotus\Notes\Data\workspace\logs.
com.ibm.rcp.accounts.level=FINEST
com.ibm.rcp.net.http.level=FINEST
com.ibm.rcp.security.spnego.level=FINEST
Considerations and limitations
- IWA is available only on supported Windows platforms.
- IWA is available only for Notes 8.5.3 and later.
- IWA is supported only on the IBM JVM supplied with Notes 8.5.3.
- The client function has been tested against a limited, defined set of server configurations (listed at the end of this section).
- The client user must log in to Windows as the domain user to take advantage of this support. The authentication that occurs when logging in to Windows causes generation of the needed TGT (ticket-granting ticket). Without the TGT, the JVM SPNEGO support will not work.
- Cross-realm and cross-forest authentication are supported only through the use of a krb5.ini file present on the system. If a krb5.ini is present in the C:\Windows directory, the values in this file will be used over the default system properties.
- On Windows 7 and Windows Vista, SPNEGO is not functional for users who are members of the Administrators group when UAC is enabled. To use SPNEGO on these platforms, advise the client user to launch Notes with elevated privileges, disable UAC, or log in as a non-admin user.
The following supported server configurations have been tested for 8.5.3:
- WebSphere Portal server with SiteMinder SPNEGO
- Connections with WebSphere TAI
- Domino SPNEGO