Note: IWA cannot be used as a mechanism for authentication on Notes client startup.
IWA is an authentication protocol that allows users to achieve single sign-on using the Windows credentials of the currently logged-in user. SPNEGO is one mechanism of IWA that allows the client and server to negotiate which authentication protocol to use. These protocols are limited to NT LAN Manager (NTLM) and Kerberos. Support for session management is provided by HTTP cookies.
The Domino® administrator can either use a security settings policy to specify support for IWA, or create an account of type OS-CRED and apply the account to client users by policy.
To enable IWA in the security policy:
1. In the Domino Directory, create or edit an existing security settings policy document (the 8.5.3 NAMES.NSF design is required).
2. On the Password Management tab, select Yes for the Enable Windows single sign-on for Standard Notes Client field.
Note: Enabling IWA authentication in the security settings policy supports it only in the browser and the network layer, for components such as Feeds and Widgets. For example, if the widget catalog is on a SPNEGO-protected site, and the client user accesses the catalog through the embedded browser, the user would authenticate to the catalog without the need for an account.
Creating an OS-CRED account for a client user automatically enables IWA for the entire Notes client. Application-specific accounts such as IBM Sametime and IBM Connections can also be changed to type OS-CRED.
IWA can also work with TAM-SPNEGO accounts. TAM-SPNEGO account type users can switch their accounts to use the new IWA-compatible SPNEGO support using the client's plugin_customization.ini file.
Note: This file is typically resident in the framework\rcp subdirectory of the Notes_install_dir, for example:
Program Files\IBM\Notes\framework\rcp\plugin_customization.ini
Before Notes installation or upgrade, the file resides in the deploy subdirectory of the Notes install kit.
Add the following statement to specify that all existing TAM-SPNEGO accounts instead use OS-CRED authentication:
com.ibm.rcp.accounts/replace.tam.spnego=true
Note: There is no specific Domino policy for this setting, which is consumed primarily by Sametime. As an alternative to the plugin_customization.ini file, you can apply the setting by using the Custom Settings tab on the Domino Desktop policy settings document to define a custom name/value pair. For details on applying Eclipse preference settings using a policy, see the related topics.
OS-CRED SPNEGO is not automatically enabled. To enable it, create a new account of type OS-CRED using existing Domino administrator or client preferences user interface methods or set a platform preference by adding the following statement to the client's plugin_customization.ini file:
com.ibm.rcp.net.http/enable.spnego=true
This capability is available for the embedded Activities sidebar application. Similar to the Accounts configuration, the Connections configuration now offers 'OS Credential' as an authentication type when configuring client preferences. It is also supported when the Connections configuration is supplied in the client's plugin_customization.ini file as follows:
com.ibm.lconn.client.base/server=Connections_server_name
com.ibm.lconn.client.base/authtype=OS-CRED
If problems are encountered during SPNEGO authentication, you can enable the following Eclipse-level logging settings in the rcpinstall.properties file. This provides log output from the JVM and from Notes to whatever log file your client system currently uses; by default this is C:\Program Files\IBM\Notes\Data\workspace\logs.
com.ibm.rcp.accounts.level=FINEST
com.ibm.rcp.net.http.level=FINEST
com.ibm.rcp.security.spnego.level=FINEST
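As an added example (not IBM's code), the following Python audit parses the two preference files in the Java properties syntax that plugin_customization.ini and rcpinstall.properties use and reports which of the IWA settings above are in effect. The sample file contents and the Connections server name are constructed for the example.

```python
"""Audit the IWA/SPNEGO preference keys described above.

Both files use Java properties syntax: '#' or '!' comment lines,
'key=value' or 'key:value', and a trailing backslash continuing a line.
Other backslash escapes are left undecoded, which is fine for these keys.
"""
import re

# Logging keys named in the text; all three must be FINEST for full SPNEGO tracing.
LOG_KEYS = ("com.ibm.rcp.accounts.level",
            "com.ibm.rcp.net.http.level",
            "com.ibm.rcp.security.spnego.level")

# Constructed sample file contents (not from a real client install).
SAMPLE_PLUGIN_INI = """\
# constructed plugin_customization.ini fragment
com.ibm.rcp.net.http/enable.spnego=true
com.ibm.rcp.accounts/replace.tam.spnego=true
com.ibm.lconn.client.base/server=connections.example.test
com.ibm.lconn.client.base/authtype=OS-CRED
"""
SAMPLE_RCPINSTALL = "\n".join(k + "=FINEST" for k in LOG_KEYS) + "\n"


def parse_properties(text):
    """Parse properties-style text into a dict; the last value for a key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # An odd number of trailing backslashes means the line continues.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_iwa(plugin_ini_text, rcpinstall_text):
    """Report the IWA-related settings in effect for a Notes client."""
    prefs = parse_properties(plugin_ini_text)
    logs = parse_properties(rcpinstall_text)
    return {
        "spnego_enabled": prefs.get("com.ibm.rcp.net.http/enable.spnego", "").lower() == "true",
        "tam_spnego_replaced": prefs.get("com.ibm.rcp.accounts/replace.tam.spnego", "").lower() == "true",
        "connections_os_cred": prefs.get("com.ibm.lconn.client.base/authtype") == "OS-CRED",
        "connections_server": prefs.get("com.ibm.lconn.client.base/server"),
        "finest_logging": all(logs.get(k, "").upper() == "FINEST" for k in LOG_KEYS),
    }
```

Run audit_iwa on the real files' contents to confirm the expected keys are present before chasing a SPNEGO failure in the logs.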
There are several considerations and limitations to bear in mind when using integrated Windows authentication (IWA) for Eclipse-based clients:
The client user must log in to Windows as the domain user to take advantage of this support. The authentication that occurs when logging in to Windows causes generation of the needed TGT (ticket-granting ticket). Without the TGT, the JVM SPNEGO support will not work.
Related tasks
Assigning Eclipse preference settings using a desktop policy
Using administrative accounts to manage client plug-ins