Configuring user name mapping in a Windows single sign-on for Web clients environment
Web users who participate in Windows™ single sign-on for Web clients have accounts in Active Directory. They usually have Person documents in the Domino® Directory too. You configure user name mapping to enable an IBM® Domino server to reconcile the user names found in both directories.

User name mapping achieves three goals. First, when a Domino server finds a user's LDAP distinguished name in Active Directory as well as the user's IBM Notes® Distinguished Name (DN) in the Domino directory, it enables the server to verify that the two names belong to that one user. To link the two names, the server verifies that the value of the user's mail attribute in the Active Directory user account is the same as the value of the Internet Address in the Person document.

Second, name mapping may be needed to determine a user's Notes distinguished name. In an SSO environment in which some servers do not use the Domino Directory but use Active Directory exclusively, a user's LTPA token contains the user's Active Directory distinguished name. For example, a server running IBM WebSphere® Application Server or IBM Lotus® Quickr® might be configured to use Active Directory as its user repository. In this environment, LTPA tokens typically contain the Active Directory distinguished names of web users. Because ACLs on Domino databases usually refer to the Notes distinguished names of web users, you must map the Active Directory distinguished names in the LTPA tokens to the Notes distinguished names so that a Domino server can determine Web user access to its databases. This step is not necessary if LTPA tokens have been configured to contain users' Notes distinguished names, which is the default when Domino-generated SSO keys are used rather than SSO keys imported from WebSphere.
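The two mapping steps above (linking an Active Directory account to a Person document through the mail attribute and Internet Address, then resolving the DN carried in an LTPA token to the Notes DN that ACLs reference) are modelled below as an added example. It is not IBM code; the directory entries, names and the slash-versus-comma check for DN format are constructed assumptions, and an address that matches more than one Person document is deliberately left unmapped rather than guessed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ADUser:
    dn: str      # Active Directory DN, as carried in an LTPA token
    mail: str    # Active Directory 'mail' attribute

@dataclass(frozen=True)
class PersonDoc:
    notes_dn: str           # Notes DN, the form used in database ACLs
    internet_address: str   # Internet Address field of the Person document

def _norm(addr: str) -> str:
    # Addresses often differ only in case or whitespace between directories.
    return addr.strip().lower()

def build_name_map(ad_users, person_docs) -> dict:
    """Link each AD DN to exactly one Notes DN via mail == Internet Address.
    Ambiguous links are skipped: the wrong Notes DN would select the wrong ACL entry."""
    by_address = {}
    for p in person_docs:
        by_address.setdefault(_norm(p.internet_address), []).append(p.notes_dn)
    mapping = {}
    for u in ad_users:
        candidates = by_address.get(_norm(u.mail), [])
        if len(candidates) == 1:
            mapping[u.dn] = candidates[0]
    return mapping

def notes_dn_for_token(token_dn: str, mapping: dict):
    """Resolve the DN in an LTPA token to the Notes DN an ACL expects.
    Simplified check (assumption): a Notes DN is slash-separated and needs no mapping."""
    if "/" in token_dn and "," not in token_dn:
        return token_dn
    return mapping.get(token_dn)   # None when no unambiguous link exists

# Constructed sample directories (not real data).
AD_USERS = [
    ADUser("CN=Alice Example,OU=Staff,DC=example,DC=com", "Alice.Example@example.com"),
    ADUser("CN=Bob Example,OU=Staff,DC=example,DC=com", "bob@example.com"),
    ADUser("CN=Carol Example,OU=Staff,DC=example,DC=com", "carol@example.com"),
]
PERSONS = [
    PersonDoc("CN=Alice Example/O=Example", "alice.example@example.com"),
    PersonDoc("CN=Carol Example/O=Example", "carol@example.com"),
    PersonDoc("CN=Carol Example/O=Contractors", "carol@example.com"),  # duplicate address
]
NAME_MAP = build_name_map(AD_USERS, PERSONS)
```

Only Alice is mapped: Bob has no Person document and Carol's address is shared by two, so both token DNs resolve to None and access evaluation falls through to the unmapped-user path.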

Finally, user name mapping specifies which directory to use to verify user passwords when Windows single sign-on is not available and Web users must initially log on when connecting to a server in the SSO domain. Windows single sign-on is not available to:


Ways to configure name mapping

How you configure user name mapping depends on whether you manage users primarily through Active Directory or the Domino Directory. You should consider which directory is easier for you to modify and maintain. You can also minimize directory modifications if you use a separate IBM authentication application to authenticate Internet users.

Related concepts
Access levels in the ACL

Related tasks
Configuring user name mapping when you manage Domino users through Domino Directory
Configuring user name mapping when you manage Domino users through Active Directory
Setting up Windows single sign-on for Web clients

Related information
Troubleshooting Windows single sign-on for Web clients (SPNEGO)