
Preparing Microsoft ADFS for smooth integration with Notes Federated Login with Integrated Windows Authentication

How To


Summary

There are certain requirements and features that should be enabled or disabled on Microsoft Active Directory Federated Services (ADFS) in order to configure Notes Federated Login with Integrated Windows Authentication. This document is intended to provide guidance on configuration of ADFS to integrate smoothly with the Notes Federated Login configuration.


Environment

Notes Federated Login with Integrated Windows Authentication

Microsoft Windows 2012 R2 with Active Directory Federated Services

Assumptions:

Microsoft ADFS is already configured in your environment

Domino server is already installed and running at least version 9.0

Steps

Part 1: Checking Self-Signed Certificates

If your existing ADFS server uses a self-signed certificate, that certificate may be incompatible with Notes Federated Login. The incompatibility causes cross-certification to fail, and therefore SAML authentication fails for clients. If you are using a third-party certificate (from Verisign, Entrust, etc.), the steps in this part do not apply to your environment and can be skipped.

 

Checking your Existing Certificate for Required Fields

Access the ADFS machine using a Firefox browser by entering the URL: https://<yourserver>/adfs/ls/IdpInitiatedSignOn.aspx

 

Where <yourserver> is the fully qualified Domain name of the ADFS server.

 

Click the lock icon to the left of the URL, then the arrow to see more information.

 


 

Click More Information

 


 

On the Security tab, click the “View Certificate” icon.

 


 

Click the “Details” tab.

Under the “Certificate Fields” section, scroll down to “Certificate Key Usage.”

Highlight the field and look at the “Field Value”.

The field value needs to contain both “keyCertSign” and “cRLSign”.

If the field value does not contain “keyCertSign” (also shown as “Certificate Signer”) and “cRLSign” (also shown as “CRL Signer”), a new certificate needs to be created and installed on the ADFS server (see Appendix A).

 

 

Example (screenshot): a certificate whose Key Usage is missing keyCertSign and cRLSign.

Reference: http://www-01.ibm.com/support/docview.wss?uid=swg1LO87877

 

Example (screenshot): a certificate whose Key Usage contains keyCertSign and cRLSign.

 

Checking your certificate for SHA2 or higher (Required)

Certificates signed with SHA-1 only will not work in this configuration. The certificate must be signed with SHA-2 (SHA-256 or stronger).

Using a Firefox browser, open an https based URL on the ADFS server.

In the address bar, click the lock icon.

Click the arrow to view more information.

 

 


Click “More Information”

 

Click View Certificate.

Under the fingerprint section, look for a SHA-256 Fingerprint. If you only have a SHA1 fingerprint, then a new certificate is required.

 

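The two checks in Part 1 can also be made without a browser. The following PowerShell script is an added example, not part of the IBM document: it retrieves the certificate the ADFS server presents on HTTPS (the same certificate Firefox shows for the IdpInitiatedSignOn.aspx URL) and reports whether Key Usage contains keyCertSign and cRLSign and whether the signature algorithm is SHA-2 rather than SHA-1. The function names and the host name adfs.example.com are assumptions; it needs PowerShell 4.0 or later and network access to the ADFS server on port 443.

```powershell
# Added example (not part of the IBM document). Fetches the certificate the ADFS
# server presents on HTTPS and checks the two Part 1 requirements:
#   1. Key Usage contains keyCertSign and cRLSign
#   2. the certificate is signed with SHA-2 (sha256 or stronger), not SHA-1
# Assumes: PowerShell 4.0 or later; the ADFS host name is reachable on port 443.
function Get-AdfsTlsCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # FQDN of the ADFS server
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate because we only want to READ the leaf
        # certificate here, not decide whether to trust it.
        $acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-AdfsCertificateForNotesFederatedLogin {
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Key Usage is a single X.509 extension; it may be absent on a weak self-signed cert.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $flags = if ($ku) { $ku.KeyUsages } else { [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::None }
    $hasKeyCertSign = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)
    $hasCrlSign     = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::CrlSign)

    # FriendlyName is e.g. "sha256RSA" or "sha1RSA"; only the hash family matters here.
    # A SHA-256 *fingerprint* is shown for every certificate, so the signature algorithm
    # is the value that actually tells SHA-1 and SHA-2 certificates apart.
    $sigAlg = $Certificate.SignatureAlgorithm.FriendlyName
    $isSha2 = ($sigAlg -notmatch '^(sha1|md5)')

    [PSCustomObject]@{
        Subject             = $Certificate.Subject
        NotAfter            = $Certificate.NotAfter
        KeyUsage            = if ($ku) { $flags.ToString() } else { '(no Key Usage extension)' }
        HasKeyCertSign      = $hasKeyCertSign
        HasCrlSign          = $hasCrlSign
        SignatureAlgorithm  = $sigAlg
        IsSha2OrStronger    = $isSha2
        NeedsNewCertificate = -not ($hasKeyCertSign -and $hasCrlSign -and $isSha2)
    }
}

# Usage (replace the host name with your own ADFS server):
# Test-AdfsCertificateForNotesFederatedLogin (Get-AdfsTlsCertificate -HostName 'adfs.example.com') | Format-List
```

If NeedsNewCertificate is True, proceed to Appendix A; the KeyUsage and SignatureAlgorithm fields tell you which of the two requirements failed.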

 

Part 2: Checking ADFS Properties for Required Settings

 

Viewing the ADFS Properties

 

In a PowerShell window on the ADFS server, run:

Get-ADFSProperties

 

In the output, check the following settings:

Setting                      | Value                              | Action required
-----------------------------|------------------------------------|--------------------------------------------------------------
ExtendedProtectionTokenCheck | Allow                              | Needs to be disabled; see "Disabling Extended Protection Token Check" below.
ExtendedProtectionTokenCheck | None                               | This is the correct setting; no changes required.
WIASupportedUserAgents       | Varies; must include "Mozilla/5.0" | If the value already includes Mozilla/5.0, no changes are needed. If it does not, see "Setting WIASupportedUserAgents" below.

 

Disabling Extended Protection Token Check:

Extended Protection Token checking breaks Integrated Windows Authentication with Notes Federated Login. Please discuss the implications of disabling this setting before implementing the steps to disable it.

Steps:

In a PowerShell window on the ADFS server, run:

Set-ADFSProperties -ExtendedProtectionTokenCheck None

 

This setting requires ADFS to be restarted.

 

Setting WIASupportedUserAgents

Note: This setting controls which browser clients are allowed to use Integrated Windows Authentication. If your organization does not allow specific browser clients, they can be left out of the list. The example below is only a guide; it includes the “Mozilla/5.0” entry required by the Notes client. Every browser you want to allow must be in this list, because the command replaces the whole list rather than adding to it. Please consult your Microsoft Active Directory administrator before making any changes, as this is a server-wide setting.

 

Set-ADFSProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Firefox/47.0", "Mozilla/4.0", "Mozilla/5.0")

 

Part 3: Checking the Authentication Policies

Launch the AD FS Management console.

In the navigation pane, click “Authentication Policies”

In the Actions pane, click “Edit Global Primary Authentication...”

 

In the Global Authentication Policy window make sure the box for “Windows Authentication” is checked. Click OK when complete.

 


 

This setting requires the ADFS server to be restarted.
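The checks in Part 2 and Part 3 can be scripted so they can be re-run after a change or on a second ADFS node. The following PowerShell is an added example, not part of the IBM document: it reads the two Get-ADFSProperties values and the global primary authentication policy without changing anything, and provides an opt-in function that adds "Mozilla/5.0" to the existing WIASupportedUserAgents list instead of replacing the whole list as the Set-ADFSProperties command above does. The function names are assumptions; it assumes an elevated PowerShell session on the ADFS server where the ADFS cmdlets are available.

```powershell
# Added example (not part of the IBM document). Read-only check of the ADFS settings
# from Part 2 and Part 3, plus an opt-in change that ADDS "Mozilla/5.0" to the existing
# WIASupportedUserAgents list rather than overwriting it.
# Assumes: elevated PowerShell on the ADFS server with the ADFS cmdlets available.
function Test-AdfsSettingsForNotesFederatedLogin {
    $props  = Get-AdfsProperties
    $policy = Get-AdfsGlobalAuthenticationPolicy

    $agents    = @($props.WIASupportedUserAgents)
    $providers = @($policy.PrimaryIntranetAuthenticationProvider)

    [PSCustomObject]@{
        ExtendedProtectionTokenCheck = "$($props.ExtendedProtectionTokenCheck)"
        EptcIsNone                   = ("$($props.ExtendedProtectionTokenCheck)" -eq 'None')
        WIASupportedUserAgents       = ($agents -join ', ')
        HasMozilla5                  = ($agents -contains 'Mozilla/5.0')
        IntranetPrimaryProviders     = ($providers -join ', ')
        WindowsAuthEnabled           = ($providers -contains 'WindowsAuthentication')
    }
}

function Add-AdfsWiaUserAgent {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$UserAgent = 'Mozilla/5.0')

    $current = @((Get-AdfsProperties).WIASupportedUserAgents)
    if ($current -contains $UserAgent) {
        Write-Verbose "$UserAgent is already in WIASupportedUserAgents; nothing to do."
        return
    }
    # Append rather than overwrite, so browsers the organization already allows stay allowed.
    $updated = $current + $UserAgent
    if ($PSCmdlet.ShouldProcess('ADFS WIASupportedUserAgents', "add '$UserAgent'")) {
        Set-AdfsProperties -WIASupportedUserAgents $updated
    }
}

# Usage:
#   Test-AdfsSettingsForNotesFederatedLogin | Format-List
#   Add-AdfsWiaUserAgent -WhatIf                              # show what would change
#   Add-AdfsWiaUserAgent                                      # apply
#   Set-AdfsProperties -ExtendedProtectionTokenCheck None     # only after the risk discussion in Part 2
#   Restart-Service adfssrv                                   # both settings need an ADFS restart
```

EptcIsNone, HasMozilla5 and WindowsAuthEnabled should all be True when the environment is ready; the Windows Authentication check is the scripted equivalent of the checkbox in the Global Authentication Policy window.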

Part 5: Confirming User Accounts contain required attributes

 

There are certain requirements for mapping the user name in the Active Directory account to a valid Person document in the Domino Directory (Name and Address Book) on the ID Vault server.

 

From Server Manager, click Tools > Active Directory Users and Computers.

Expand the users section and open one of the test user accounts.

On the General tab, look at the E-mail field (the Active Directory mail attribute) and confirm that this address matches the email address in the user’s Person document in the Domino Directory of your ID Vault server. The mail attribute is required; an account without it cannot be mapped.
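Opening each test account by hand does not scale beyond a handful of users. The following PowerShell is an added example, not part of the IBM document: it lists the accounts under an OU together with their mail attribute so the values can be compared against the Person documents on the ID Vault server, and can be restricted to accounts where the attribute is empty. The function name and the OU distinguished name are placeholders; it assumes the ActiveDirectory module from RSAT is installed.

```powershell
# Added example (not part of the IBM document). Lists accounts under an OU with their
# "mail" attribute so they can be checked against the Person documents in the ID Vault
# server's Domino Directory; -MissingOnly shows only accounts that cannot be mapped.
# Assumes: ActiveDirectory module (RSAT) is installed; the OU below is a placeholder.
Import-Module ActiveDirectory

function Get-NotesLoginMailCheck {
    param(
        [Parameter(Mandatory = $true)][string]$SearchBase,   # e.g. 'OU=NotesUsers,DC=example,DC=com' (placeholder)
        [switch]$MissingOnly
    )
    # "mail" is not returned by default, so it has to be requested explicitly.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail |
        ForEach-Object {
            [PSCustomObject]@{
                SamAccountName = $_.SamAccountName
                Mail           = $_.mail
                HasMail        = -not [string]::IsNullOrWhiteSpace($_.mail)
            }
        } |
        Where-Object { -not $MissingOnly -or -not $_.HasMail }
}

# Usage:
#   Get-NotesLoginMailCheck -SearchBase 'OU=NotesUsers,DC=example,DC=com' -MissingOnly
#   Get-NotesLoginMailCheck -SearchBase 'OU=NotesUsers,DC=example,DC=com' |
#       Export-Csv ad-mail.csv -NoTypeInformation    # compare with the Domino Directory
```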

 


Appendix A: Creating a new Certificate Using OpenSSL

 

These are the steps to create a new certificate using OpenSSL. They only need to be completed if the Certificate Key Usage check in Part 1 showed that the required values are missing.

Note: These steps require the use of a third party tool called OpenSSL. The installation steps for OpenSSL are beyond the scope of this document.

 

Install OpenSSL.

After installing OpenSSL, edit the openssl.cfg file.

In the [ v3_ca ] section, locate the line keyUsage = cRLSign, keyCertSign and remove the leading # so that the line is enabled.

 


 

From a command prompt, run “set” and confirm that your environment variables contain a valid path to the openssl.cfg file (OpenSSL reads the path from the OPENSSL_CONF variable).

 

Run the command to create the private key and the self-signed certificate. Be sure to use a key length that complies with your organization’s security policy (longer key lengths are more secure).

openssl req -x509 -nodes -days <number of days> -newkey rsa:<keylength> -keyout <filename>.pem -out <filename>.crt -config openssl.cfg -extensions v3_ca

Where: <number of days> is the number of days the certificate should be valid.

Where: <keylength> is a number for the length of the key to be created (example 1024, 2048, 4096, etc.).

Where: <filename>.pem receives the new private key and <filename>.crt receives the self-signed certificate. Without -out, OpenSSL prints the certificate to the console instead of saving it, and the export step below then has no certificate to work with.

This command will prompt you to enter details for the certificate such as the country, state, Organization name, etc.

For example:

openssl req -x509 -nodes -days 3650 -newkey rsa:1024 -keyout adfs.pem -out adfs.crt -config openssl.cfg -extensions v3_ca

Next, export the key and certificate into a single PKCS#12 (.pfx) file that will be imported on the ADFS server.

Run the command:

openssl pkcs12 -export -out <filename_of_outfile>.pfx -inkey <filename>.pem -in <filename>.crt -name <hostname>

Where:

<filename_of_outfile>.pfx is the file name for the new file being created. For example adfs.pfx

<filename>.pem is the private key file created in the previous step. For example adfs.pem

<filename>.crt is the certificate file created in the previous step. For example adfs.crt

<hostname> is the short name of the server.

For example:

openssl pkcs12 -export -out adfs.pfx -inkey adfs.pem -in adfs.crt -name iti-adfs

 

When prompted, enter a password to be used when importing this certificate into your ADFS server. Be sure to follow your organization’s security protocols (complexity, etc) when creating the password.

 

Import the resulting adfs.pfx file on your ADFS server.

When all steps are complete, be sure to delete all .pfx and .pem files and the certificate from the computer where OpenSSL was configured. This is a good security practice.
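The appendix edits the global openssl.cfg and relies on the environment variable pointing at it. The following PowerShell script is an added example, not part of the IBM document: it writes a small self-contained OpenSSL configuration with the required keyUsage values, runs the same openssl req and openssl pkcs12 steps, and, before building the .pfx, verifies from the certificate's text dump that keyCertSign and cRLSign are present and that the signature is SHA-2 (the two checks from Part 1). The function name, the file names and the host names are placeholders; it assumes openssl.exe is on the PATH. The digitalSignature and keyEncipherment bits and the subjectAltName are added here (an assumption beyond the page) so the same certificate is also a well-formed TLS server certificate.

```powershell
# Added example (not part of the IBM document). Builds the Appendix A certificate with a
# self-contained OpenSSL config (no edits to the global openssl.cfg, OPENSSL_CONF not
# needed) and verifies Key Usage and the signature hash before exporting the .pfx.
# Assumes: openssl.exe on the PATH; names below are placeholders.
function New-AdfsSelfSignedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,        # e.g. adfs.example.com (placeholder)
        [Parameter(Mandatory = $true)][string]$ShortName,   # e.g. adfs; used as file base name and -name
        [int]$Days = 3650,
        [int]$KeyLength = 2048,
        [string]$OutDir = '.'
    )
    $cfg = Join-Path $OutDir 'adfs-openssl.cfg'
    $key = Join-Path $OutDir "$ShortName.pem"
    $crt = Join-Path $OutDir "$ShortName.crt"
    $pfx = Join-Path $OutDir "$ShortName.pfx"

    # [ v3_ca ] carries the two Key Usage bits Part 1 requires. digitalSignature,
    # keyEncipherment and subjectAltName are added here (assumption) so the certificate
    # is also usable for HTTPS. prompt = no takes the subject from [ req_dn ] instead
    # of asking interactively.
    @"
[ req ]
default_md         = sha256
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no

[ req_dn ]
CN = $Fqdn

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, cRLSign, keyCertSign, digitalSignature, keyEncipherment
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
subjectAltName         = DNS:$Fqdn
"@ | Set-Content -Path $cfg -Encoding ASCII

    & openssl req -x509 -nodes -days $Days -newkey "rsa:$KeyLength" -keyout $key -out $crt -config $cfg -extensions v3_ca
    if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }

    # Verify before exporting: the text dump must list both usages and a SHA-2 signature.
    $text = & openssl x509 -in $crt -noout -text | Out-String
    if ($text -notmatch 'Certificate Sign' -or $text -notmatch 'CRL Sign') {
        throw 'Key Usage is missing keyCertSign and/or cRLSign'
    }
    if ($text -notmatch 'Signature Algorithm: sha(256|384|512)') {
        throw 'Certificate is not signed with SHA-2'
    }

    # openssl prompts for the export password; pick it according to your password policy.
    & openssl pkcs12 -export -out $pfx -inkey $key -in $crt -name $ShortName
    if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed' }

    [PSCustomObject]@{ PrivateKey = $key; Certificate = $crt; Pfx = $pfx; Config = $cfg }
}

# Usage:
#   New-AdfsSelfSignedCertificate -Fqdn 'adfs.example.com' -ShortName 'adfs'
# After importing adfs.pfx on the ADFS server, delete the .pem, .crt, .pfx and .cfg files
# from this machine, as the appendix instructs.
```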

Document information

More support for: IBM Domino

Software version: 9.0, 9.0.1

Operating system(s): Windows

Reference #: 0718435

Modified date: 03 August 2018


Translate this page: