New 8.5 Notes Shared Login "Gotchas"

Document information

Technote (FAQ)
Product categories: Software > Messaging Applications > Advanced Messaging > Lotus Notes > Security
Operating system(s): Mac OS X, Windows
Software version: 8.5
Reference #: 1405060
IBM Group: Software Group
Modified date: 2010-08-02
Source: http://www-01.ibm.com/support/docview.wss?uid=swg21405060

Question

The Notes Administrator has enabled Notes Shared Login (NSL) in a policy for users. The users' Notes IDs are now locked with the Windows password using the PC's SID and Microsoft's Data Protection API (DPAPI). This presents numerous issues, especially in an environment where the users are mobile: they use their Notes ID on more than one PC, and more than one Notes ID is used on a single Windows profile.

Background information

The new Notes Shared Login feature, when enabled via policy or manually by the end user, locks and encrypts the Notes ID in the current Windows profile using the PC SID and Microsoft's Data Protection API (DPAPI). This allows for maximum security: the certificates within the ID are now locked and bound to that PC and that OS profile, eliminating password "guesses" or any other attempt to copy the ID to another PC and access the user's Notes databases on the Domino server. This is a completely different function from the older Notes Single Login feature, which is still supported in Notes 8.5. More information on how the feature is enabled and what it does is available in the Lotus Notes Help database.

Cause

The Notes ID is now locked by Microsoft's DPAPI and that PC's SID, so the Notes ID can be accessed only on that PC.

Answer

Currently, the Help database lists the following as limitations of the Notes Shared Login feature. You cannot use shared login if any of the following conditions is true:

- you use a computer that does not run Microsoft Windows
- you use a Smartcard to log in to Lotus Notes
- your User ID is protected by multiple passwords
- you are a roaming user that uses a roaming ID
- you run Notes on a USB drive
- you use a mandatory Windows profile
- you are running Notes in a Citrix environment

Enhancement requests to change some functionality within this feature have been documented with Lotus Quality Engineering.

Copying ID files

SPR WTON7W8M6H: New Notes Shared Login feature restricts user mobility to other PCs

Because the Notes ID has been locked with the machine's SID and that user profile's DPAPI, the Notes ID now belongs to that machine and user profile. It will not work on another PC with Lotus Notes; in some cases, Lotus Notes will not even launch. Consequently, a user ID that was not locked on a PC with NSL will not work on that Notes client.

Workaround: The end user must follow a procedure in the Help database in order to copy their ID to another PC. This must be done manually by the end user.

Help topic: Copying your ID file when you use Shared Login

If you use shared login and want to make a copy of your User ID, you may need to use a special procedure to do so. The procedure assigns the copy of the ID file a new Notes password. Whether you need to use the special copy procedure depends on whether your administrator has set up shared login so that a Notes password remains on the User ID. To determine whether you must use a special procedure to copy your ID file if you use Notes shared login, and to use the procedure to copy your ID if required, perform the following steps:

1. Click File > Security > User Security.
2. Type your Microsoft Windows password and click OK.
3. Verify that "Login to Notes using your operating system login" is selected, which indicates that you are using Notes shared login.
4. Click Copy ID.
   Note: If you do not see the Copy ID button, your User ID still contains the Notes password and you should use Windows Explorer to make a copy of the User ID. You will need to remember and provide the Notes password for the User ID when starting Notes on the other computer.
5. Specify a location and file name for the copy, including the .id file name extension, and then click Save.
6. You see a prompt explaining that you are about to set a password for the ID copy, and that you will need to remember the password in order to use the ID copy on another computer. Click OK to close the prompt.
7. Type a password for the ID copy twice, and click OK.
8. Read the reminder prompt that is displayed and click OK.

If you use the copied ID on another computer, it will be enabled for Notes shared login if your administrator has enabled the feature for you.

Notes ID Vault: If a user creates a copy of the ID file with a locking Windows password following the above procedure, a copy must be sent to the ID vault once that ID is used on another Notes client.

Help topic:

How an ID vault works

This topic describes common vault operations.

How IDs are uploaded to a vault initially

A user ID can be uploaded to a vault if a parent certifier of the user ID has issued a Vault Trust Certificate certifying its trust of the vault, and if the associated user's effective policy has a Security Settings document that specifies the vault name. If these conditions are met for a new user being registered, the process of user registration uploads the ID to the vault. IBM Lotus Notes setup copies the ID file to the Notes client the first time the user authenticates with the home server, as it does for non-vaulted users.

Note: If you do not want to keep copies of user IDs in the Domino Directory, clear the Advanced - ID File registration setting "Location for storing user ID - In Domino Directory," which is selected by default.

If the above conditions are met for an existing user, a copy of the user's ID is uploaded from the Notes client to the vault automatically. For more information on the timing of this operation, see "How copies of IDs on Notes clients are kept synchronized with the vault copies."

How copies of IDs on Notes clients are kept synchronized with the vault copies

When a user changes the ID on a Notes client, for example changes the password or adds an Internet certificate, the change needs to be pushed to the ID copy in the vault. When a change is made to an ID copy in a vault, for example the password is reset, the change needs to be pushed to the Notes client.

To synchronize a local copy of an ID with the vault copy, a client asks its home server for a list of servers that have a replica of the vault. If the home server is unavailable or does not run release 8.5 or higher, the client searches for a server in the home server cluster to provide the list. A server returns the list in random order to load-balance synchronization among vault servers. The client tries each vault server in the returned list until one can satisfy its request. For better performance, the client caches the location of the first vault server that responds. This cache is cleared periodically to ensure that load balancing is maintained.

When a user changes the ID file on a client, switches IDs, or provides a new password after a password reset, the client attempts synchronization immediately. Otherwise, synchronization occurs as follows:

- The client checks for changes periodically, generally every eight hours.
- To prevent a heavy demand on vault servers during client startup in the morning, a client does its first check at a random time within the first eight hours from client startup.
- If an attempt to check or to synchronize fails, for example if the client is unable to connect to an 8.5 server, up to three retry attempts are made at five-minute intervals. If still not successful, checking resumes at the next eight-hour checking interval.
- To ensure that clients that are frequently started and stopped check the vault regularly, if a client has been started and stopped three times and it has been more than 24 hours since it has checked for the need to synchronize, it checks about five minutes after startup.

How new passwords are synchronized across multiple ID copies

When the password on a user ID is changed anywhere (in the vault or on a client), the user can provide the new password from any client as long as the client can connect to the network to synchronize with the vault. The user does not have to change the password on each client workstation copy or copy the ID file from one client workstation to another. If a client does not have network connectivity, a user can continue to use the old password until a connection becomes available.

How ID recovery works for an ID in a vault

If the ID file on a user's computer is deleted, a copy of the ID is downloaded to the Notes client from the vault. This recovery occurs the next time the user attempts to access the ID file through Notes when the client is connected to the network.

How shared-login-enabled IDs work with a vault

Shared-login-enabled user IDs can be stored in a vault. In this case, the steps to recover the ID or to respond to a stolen ID are different than for non-shared-login-enabled IDs.

ID file recovery

If a shared-login-enabled ID is deleted from the user's computer or its local file name is changed, the Notes password must be reset on the copy of the ID in the vault. After the reset, the following actions occur:

1. The user is prompted for the new password when next starting Notes.
2. After the user provides the new password, a copy of the ID file is downloaded to the client from the vault.
3. After the download, if the user policy requires the use of shared login, the local ID is re-enabled for shared login and the user is no longer prompted for the password. If the user policy makes the use of shared login optional, the user must re-enable the feature through the User Security window.
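The client-to-vault synchronization cadence described above (eight-hour checks, a randomised first check, three five-minute retries, and the quick check after three restarts with more than 24 stale hours) as a small scheduler model. This is an added example, not code from IBM or the technote; the class name, the event methods, and the choice to reset the restart counter on a successful check are assumptions about how a client could implement the documented timings.

```python
"""Model of the client-to-vault synchronization cadence described above.

Added illustration, not IBM's code: the timings (eight-hour checks, a random
first check, three five-minute retries, a quick check after three restarts
and more than 24 stale hours) are taken from the technote; the state kept
between events is an assumption about how a client could implement them."""
from typing import Optional
import random

HOUR = 3600
CHECK_INTERVAL = 8 * HOUR   # regular interval between vault checks
RETRY_INTERVAL = 5 * 60     # spacing of retries after a failed check
MAX_RETRIES = 3             # retries before waiting for the next interval
STARTUP_DELAY = 5 * 60      # "about five minutes after startup"
STALE_AFTER = 24 * HOUR     # "more than 24 hours since it has checked"


class VaultSyncScheduler:
    """Tracks when the next vault check is due, in seconds of simulated time."""

    def __init__(self, seed: int = 0) -> None:
        self.rng = random.Random(seed)            # seeded so runs are repeatable
        self.last_check: Optional[float] = None   # time of last successful check
        self.restarts_since_check = 0             # assumption: reset on success
        self.retries_left = MAX_RETRIES
        self.next_check: Optional[float] = None

    def startup(self, now: float) -> float:
        """Client start: normally a random slot within the first eight hours, but
        a client restarted three times without a check for over 24h checks soon."""
        self.restarts_since_check += 1
        self.retries_left = MAX_RETRIES
        stale = self.last_check is None or now - self.last_check > STALE_AFTER
        if self.restarts_since_check >= 3 and stale:
            self.next_check = now + STARTUP_DELAY
        else:
            self.next_check = now + self.rng.uniform(0, CHECK_INTERVAL)
        return self.next_check

    def local_change(self, now: float) -> float:
        """ID file edited, ID switched, or new password entered after a reset:
        the client attempts synchronization immediately."""
        self.next_check = now
        return now

    def check_result(self, now: float, success: bool) -> float:
        """Record the outcome of a check attempt and return when the next is due."""
        if success:
            self.last_check = now
            self.restarts_since_check = 0
            self.retries_left = MAX_RETRIES
            self.next_check = now + CHECK_INTERVAL
        elif self.retries_left > 0:           # failed: retry at 5-minute spacing
            self.retries_left -= 1
            self.next_check = now + RETRY_INTERVAL
        else:                                 # retries exhausted: next 8h interval
            self.retries_left = MAX_RETRIES
            self.next_check = now + CHECK_INTERVAL
        return self.next_check
```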
Response to a stolen ID

If you suspect that a non-shared-login-enabled ID is stolen, the correct response is to reset the password on the ID, roll over the keys on the ID, and ensure that server key checking is enabled. These steps help prevent unauthorized people from using the stolen ID, because they won't know the new password required to obtain the new keys from the ID copy in the vault.

A shared-login-enabled ID is different in that it is protected with a secret in the local ID file rather than with a Notes password that the vault understands. The ID can be used only on the computer on which it was shared-login enabled. If a computer with a shared-login-enabled ID is stolen, perform these steps:

1. Disable shared login in the user policy.
2. Force the policy to replicate to all vault servers.
3. Respond as you would for a non-shared-login-enabled ID (reset the password, roll over the keys, enable server key checking).
4. Afterwards, re-enable shared login in the user policy.

How ID renaming and key rollover work with a vault

A user with a vaulted ID who requests a name change through the User Security window is not given the option to approve the change. The option "Ask your approval before accepting name changes" is unavailable, and the change is always made on the client ID copy automatically during client-vault synchronization when the name change is detected on the server.

A user with a vaulted ID cannot request a key rollover through the User Security window; only an administrator can initiate key rollover through policy configuration. The key rollover on the client ID copy happens automatically during client-vault synchronization when the key rollover is detected on the server; the user is never prompted to accept the new keys.

Note: If key rollover of IDs is in process, do not enable use of a vault until the key rollover is complete. In addition, when a vault is in use, always register new users with ID key sizes that conform to their effective policies.

Smart Cards

There is a request to support the use of Smart Cards with Notes Shared Login:

DJAG7CFLVK: NSL should support smartcard login to Windows

Currently, a Notes ID can be locked either with a Smart Card or with Notes Shared Login, not both.

Internet Password

SPR SAKI7P88GT: Enhancement request: Need synchronization between Notes Shared log-in password and DWA

Currently, the Internet password and the Notes Shared Login Notes ID password cannot be synchronized.

Citrix

SPR AJAS7PKJ3M: Request to support Notes Client Shared Logon feature for Citrix presentation server 4.5

Currently, Notes Shared Login cannot be used in a Citrix environment.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.