How Notes 8.5 Shared Login is different to Shared Logon in older releases
Anthony Holmes 15 December 2008 11:12:55 AM
Notes 8.5 has a new feature called Shared Login that nicely preserves Notes' robust security model whilst consolidating Notes passwords into a user's Windows identity. It's quite a different model to that used with previous releases of Notes. I've been looking at how it works for one of my customers. I'll share some of that information in a couple of blog posts.
Terminology
- (Notes) Shared Login (NSL): The new feature with Notes 8.5 described in this article which allows your Notes ID file to be used with your Windows credentials
- Client Single Logon (CSL): The feature used in previous releases of Notes that synchronised your Notes ID password with your Windows password if you were running the right installation
- Single Sign On (SSO): A completely unrelated feature that creates a cookie that allows you to switch between different web servers without being repeatedly prompted for passwords when using a browser
Overview of Shared Login
Lotus Notes 8.5 has a feature called Shared Login. This feature allows Windows users to log into Notes without them being prompted for a separate Notes password.
In previous releases of Notes, security was entirely managed by the use of an ID file. The ID file contains things like:
- A user password
- A user's encryption keys
- Other information about the user, e.g. certificate expiry dates
Prior to the release of Notes 8.5, the Notes password could be synchronised with a Windows password through the use of a feature called Client Single Logon (CSL). This required a special installation of Notes. When the password was changed in either Notes or Windows, a service would pass that change to the other system. Although this service provided the ability to start Notes without entering the password again, it had a number of limitations: the synchronisation software needed to be installed and running, the password rules in each system needed to match, and so on.
The Notes Shared Login (NSL) feature that is provided with Notes 8.5 is simpler and more robust.
Instead of requiring a password to unlock the Notes ID, a user can access their ID (and thus access Lotus Notes email, Domino servers and applications) by way of their Windows credentials.
If a user has authenticated to Windows (by entering their user name and password when logging in), then the Notes ID will accept those credentials as authority to use the ID file. The user starts up Notes and no Notes password is required.
The Windows password can be changed repeatedly (as part of regular password changes, or when the user forgets their password). Nothing needs to change in the Notes ID. Provided the user has logged in with a valid Windows user name and password, this will be accepted by Notes. The password cannot fall “out of synch”.
The Notes Shared Login feature is available with Notes 8.5 running in either the “Basic” mode (non-Eclipse, old user interface) or the complete “Standard” mode (with the upgraded user interface and Eclipse functionality).
(Above) With the standard use of Notes, your password gives you permission to use your Notes ID to access secured resources (like a Domino server).
(Above) With Notes Shared Login, a secure token that can only be generated by the authorised Windows user provides the authority that allows you to use your Notes ID to access secured resources.
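The account-bound token in the caption above has the same property as a Windows DPAPI-protected secret: only the Windows account that protected it can recover it, and a routine password change does not invalidate it. The PowerShell below is an added illustration of that property, not code from the article or from Lotus; the link between NSL and DPAPI is my assumption, and the secret and file path are constructed for the demo (Windows PowerShell 5.1).

```powershell
# Added illustration (not from the article). DPAPI with CurrentUser scope
# binds a secret to the logged-on Windows account; no separate password is
# involved. Assumption: this is the kind of primitive an NSL-style token uses.
Add-Type -AssemblyName System.Security

# Constructed stand-in for whatever secret would unlock the Notes ID.
$idUnlockSecret = [System.Text.Encoding]::UTF8.GetBytes('constructed-id-unlock-secret')
$blobPath = Join-Path $env:LOCALAPPDATA 'nsl-demo.bin'   # constructed path

function Protect-ForCurrentUser {
    param([byte[]]$Plain)
    # Only this Windows account (on this machine, or with roaming DPAPI keys)
    # can reverse this. Windows re-keys the user's DPAPI master keys on a
    # normal password change, so the blob survives "out of synch" scenarios.
    [System.Security.Cryptography.ProtectedData]::Protect(
        $Plain, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
}

function Unprotect-ForCurrentUser {
    param([byte[]]$Blob)
    try {
        [System.Security.Cryptography.ProtectedData]::Unprotect(
            $Blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when a different account tries to read a blob it did not create:
        # the "something you have" stays useless without the authorised identity.
        $null
    }
}

# Store the protected blob; it contains no password and is safe on disk.
[IO.File]::WriteAllBytes($blobPath, (Protect-ForCurrentUser $idUnlockSecret))

# Later start-up: the current Windows identity is the only credential needed.
$recovered = Unprotect-ForCurrentUser ([IO.File]::ReadAllBytes($blobPath))
if ($recovered -and [System.Text.Encoding]::UTF8.GetString($recovered) -eq 'constructed-id-unlock-secret') {
    'Unlocked with the current Windows identity; no Notes password prompted.'
} else {
    'Unprotect failed: this blob was not created by the current Windows account.'
}
Remove-Item $blobPath -ErrorAction SilentlyContinue
```

Running the second half under a different Windows account against the same blob takes the failure branch, which is the behaviour the caption describes.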
Considering the Benefits and Consequences of Implementing Notes Shared Login (NSL)
There are some clear benefits from implementing Notes Shared Login. The convenience that it provides to users is obvious: starting their Notes client will be faster, and users will no longer need to remember and manage an additional password.
In some deployments of Lotus Notes there will need to be some changes to the environment to accommodate the new feature. There will also be some situations where Notes Shared Login cannot be used.
Provided these situations are properly understood, a decision to implement can be made if the benefits outweigh the consequences of implementing the feature.
Benefits of Implementing Notes Shared Login
Password Prompts eliminated when starting Notes
- This allows users to start Notes more quickly.
- Users do not need to remember another password
- Users do not need to spend time changing the Notes password
- There's no chance that the Windows Password rules (complexity, change frequency) will be different to the Notes password rules
Password Resets handled entirely within Windows/Active Directory
The Notes ID security model is inherently more secure than a directory-based security model such as Active Directory:
Notes authentication requires:
- Something you know (password)
- Something you have (Notes ID)
Windows authentication requires:
- Something you know (User name and password)
However, the benefit of the directory model is that you can instantly reset a password by changing it in the directory. With Notes, a password reset needs to be pushed out to ID files on a remote PC, and if a user has IDs on more than one PC, they all need to be updated. Although there are processes for managing this, it's typically more complicated than resetting a directory password. (Another new feature in Notes 8.5 called the ID Vault allows your Help Desk or a password reset application to push out password resets to users immediately.)
With Notes Shared Login, the password reset occurs in Windows.
For the majority of forgotten passwords, both users and their Help Desks benefit from a single process for resetting both Windows access and Notes access.
Flexibility in implementing NSL
Each user ID is matched to a Windows identity on an ID-by-ID, user-by-user basis.
It's not necessary for all users to use NSL. As a result, if a user has a reason for not using NSL (for example, if they use non-Windows PCs) then they don't need to use NSL, even though it has been made available for other users.
It's not necessary for the users to authenticate against the same Active Directory. In fact, it's not necessary for the users to authenticate against any Active Directory, so long as they are using a Windows password to access their PC. The Notes ID is simply matched against the credentials of the account being used at the time that NSL is first set up.
Upcoming Topics
Tomorrow I'll publish a blog article describing the 'considerations' behind implementing NSL. In some situations there will be some special handling required. I'll also look at how it interacts with Lotus Notes Roaming.
Update: Second article: Notes 8.5 Shared Login Real World Considerations
