New 8.5 Notes Shared Login "Gotchas"

Technote (FAQ)

Document information
Product categories: Software > Messaging Applications > Advanced Messaging > Lotus Notes > Security
Operating system(s): Mac OS X, Windows
Software version: 8.5
Reference #: 1405060
IBM Group: Software Group
Modified date: 2010-08-02

Question
The Notes Administrator has enabled Notes Shared Login in a policy for users. The users' Notes IDs are now locked with the Windows password using the PC's SID and Microsoft's Data Protection API (DPAPI). This presents numerous issues, especially in an environment where users are mobile: they use their Notes ID on more than one PC, and more than one Notes ID is used on a single Windows profile.

Background information: The new Notes Shared Login feature, when enabled via policy or manually by the end user, locks and encrypts the Notes ID in the current Windows profile using the PC SID and Microsoft's Data Protection API (DPAPI). This provides maximum security because the certificates within the ID are now locked and bound to that PC and that OS profile, eliminating password "guesses" and any other attempt to copy the ID to another PC and use it to access the user's Notes databases on the Domino server. This is a completely different function from the older Notes Single Login feature, which is still supported in Notes 8.5. More information on how the feature is enabled and what it does is available in the Lotus Notes Help database.

Cause
The Notes ID is now locked by Microsoft's DPAPI and that PC's SID, so that Notes ID can be accessed only on that PC.
Answer
Currently, the Help database lists the following as limitations of the Notes Shared Login feature. You cannot use shared login if any of the following conditions is true:
- you use a computer that does not run Microsoft Windows
- you use a Smartcard to log in to Lotus Notes
- your User ID is protected by multiple passwords
- you are a roaming user who uses a roaming ID
- you run Notes on a USB drive
- you use a mandatory Windows profile
- you are running Notes in a Citrix environment

Enhancement requests to change some functionality within this feature have been documented with Lotus Quality Engineering.

Copying ID files:
SPR WTON7W8M6H: New Notes Shared Login feature restricts user mobility to other PCs

http://www-01.ibm.com/support/docview.wss?uid=swg21405060
Because the Notes ID has been locked with the machine's SID and that user profile's DPAPI, the Notes ID now belongs to that machine and user profile. It will not work on another PC with Lotus Notes; in some cases, Lotus Notes will not even launch. Likewise, a user ID that was not locked on a PC with NSL will not work on that Notes client.

Workaround: There is a procedure in the Help database that the end user must follow in order to copy their ID to another PC. This must be done manually by the end user.

Help Topic: Copying your ID file when you use Shared Login
If you use shared login and want to make a copy of your User ID, you may need to use a special procedure to do so. The procedure assigns the copy of the ID file a new Notes password. Whether you need to use the special copy procedure depends on whether your administrator has set up shared login so that a Notes password remains on the User ID. To determine whether you must use a special procedure to copy your ID file when you use Notes shared login, and to use the procedure to copy your ID if required, perform the following steps:
1. Click File > Security > User Security.
2. Type your Microsoft Windows password and click OK.
3. Verify that "Login to Notes using your operating system login" is selected, which indicates that you are using Notes shared login.
4. Click Copy ID. Note: If you do not see the Copy ID button, your User ID still contains the Notes password and you should use Windows Explorer to make a copy of the User ID. You will need to remember and provide the Notes password for the User ID when starting Notes on the other computer.
5. Specify a location and file name for the copy, including the .id file name extension, and then click Save.
6. You see a prompt explaining that you are about to set a password for the ID copy, and that you will need to remember the password in order to use the ID copy on another computer. Click OK to close the prompt.
7. Type a password for the ID copy twice, and click OK.
8. Read the reminder prompt that is displayed and click OK.
If you use the copied ID on another computer, it will be enabled for Notes shared login if your administrator has enabled the feature for you.

NOTES ID VAULT: If a user creates a copy of the ID file with a locking Windows password following the above procedure, a copy must be sent to the ID vault once that ID is used on another Notes client.

Help Topic:
How an ID vault works
This topic describes common vault operations.

How IDs are uploaded to a vault initially
A user ID can be uploaded to a vault if a parent certifier of the user ID has issued a Vault Trust Certificate certifying its trust of the vault, and if the associated user's effective policy has a Security Settings document that specifies the vault name. If these conditions are met for a new user being registered, the user registration process uploads the ID to the vault. IBM Lotus Notes setup copies the ID file to the Notes client, as it does for non-vaulted users, that is, the first time the user authenticates with the home server.

Note: If you do not want to keep copies of user IDs in the Domino Directory, clear the Advanced - ID File registration setting "Location for storing user ID - In Domino Directory," which is selected by default.

If the above conditions are met for an existing user, a copy of the user's ID is uploaded from the Notes client to the vault automatically. For more information on the timing of this operation, see "How copies of IDs on Notes clients are kept synchronized with the vault copies."

How copies of IDs on Notes clients are kept synchronized with the vault copies
When a user changes the ID on a Notes client, for example by changing the password or adding an Internet certificate, the change needs to be pushed to the ID copy in the vault. When a change is made to an ID copy in a vault, for example when the password is reset, the change needs to be pushed to the Notes client.

To synchronize a local copy of an ID with the vault copy, a client asks its home server for a list of servers that have a replica of the vault. If the home server is unavailable or does not run release 8.5 or higher, the client searches for a server in the home server's cluster to provide the list. A server returns the list in random order to load-balance synchronization among vault servers. The client tries each vault server in the returned list until one can satisfy its request. For better performance, the client caches the location of the first vault server that responds. This cache is cleared periodically to ensure that load balancing is maintained.

When a user changes the ID file on a client, switches IDs, or provides a new password after a password reset, the client attempts synchronization immediately. Otherwise, synchronization occurs as follows:
- The client checks for changes periodically, generally every eight hours.
- To prevent a heavy demand on vault servers during client startup in the morning, a client does its first check at a random time within the first eight hours after client startup.
- If an attempt to check or to synchronize fails, for example if the client is unable to connect to an 8.5 server, up to three retry attempts are made at five-minute intervals. If still not successful, checking resumes at the next eight-hour checking interval.
- To ensure that clients that are frequently started and stopped check the vault regularly, if a client has been started and stopped three times and it has been more than 24 hours since it checked for the need to synchronize, it checks about five minutes after startup.

How new passwords are synchronized across multiple ID copies
When the password on a user ID is changed anywhere (in the vault or on a client), the user can provide the new password from any client as long as the client can connect to the network to synchronize with the vault. The user does not have to change the password on each client workstation copy or copy the ID file from one client workstation to another. If a client does not have network connectivity, the user can continue to use the old password until a connection becomes available.

How ID recovery works for an ID in a vault
If the ID file on a user's computer is deleted, a copy of the ID is downloaded to the Notes client from the vault. This recovery occurs the next time the user attempts to access the ID file through Notes while the client is connected to the network.

How shared-login-enabled IDs work with a vault
Shared-login-enabled user IDs can be stored in a vault. In this case, the steps to recover the ID or to respond to a stolen ID are different from those for non-shared-login-enabled IDs.

ID file recovery
If a shared-login-enabled ID is deleted from a user's computer or its local file name is changed, the Notes password must be reset on the copy of the ID in the vault. After the reset, the following actions occur:
1. The user is prompted for the new password when next starting Notes.
2. After the user provides the new password, a copy of the ID file is downloaded to the client from the vault.
3. After the download, if the user policy requires the use of shared login, the local ID is re-enabled for shared login and the user is no longer prompted for the password. If the user policy makes the use of shared login optional, the user must re-enable the feature through the User Security window.
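The vault-check timing described above under "How copies of IDs on Notes clients are kept synchronized with the vault copies", modelled as an added Python example (not IBM's code): a simulated clock drives the randomized first check, the three five-minute retries, the eight-hour interval, the early check after three restarts, and the immediate sync after an ID change or password reset. The `reachable` predicate, the persistence of the restart counter until a check succeeds, and anchoring the post-retry interval to the last retry are assumptions, as the help topic does not state them.

```python
import random

EIGHT_HOURS = 8 * 60       # all times are minutes on a simulated clock
RETRY_GAP = 5              # retries come at five-minute intervals
MAX_RETRIES = 3            # up to three retries after a failed check
STALE_AFTER = 24 * 60      # "more than 24 hours since it has checked"
RESTARTS_FOR_EARLY_CHECK = 3

class VaultSyncScheduler:
    """Timing model of a Notes 8.5 client's vault checks (added example, not IBM code).
    Assumed: restart count persists until a check succeeds; post-retry wait is 8h."""
    def __init__(self, now, last_check=None, prior_restarts=0, rng=None):
        self.rng = rng or random.Random(0)
        self.restarts = prior_restarts + 1          # this startup counts too
        self.last_check, self.retries_left = last_check, MAX_RETRIES
        self.log = []                               # (outcome, minute) pairs
        stale = last_check is None or now - last_check > STALE_AFTER
        if self.restarts >= RESTARTS_FOR_EARLY_CHECK and stale:
            self.next_check = now + RETRY_GAP       # about five minutes after startup
        else:   # spread the morning load: first check at a random point in the first 8h
            self.next_check = now + self.rng.uniform(0, EIGHT_HOURS)

    def sync_now(self, now, reachable):
        """ID changed, ID switched or new password after a reset: try immediately."""
        self.next_check = now
        return self.tick(now, reachable)

    def tick(self, now, reachable):
        """Advance the clock to minute `now`; return True when a check succeeded."""
        if now < self.next_check:
            return False
        if reachable(now):                          # reachable: caller-supplied predicate
            self.last_check, self.restarts, self.retries_left = now, 0, MAX_RETRIES
            self.next_check = now + EIGHT_HOURS
            self.log.append(("ok", now))
            return True
        self.log.append(("fail", now))
        if self.retries_left:                       # retry in five minutes
            self.retries_left -= 1
            self.next_check = now + RETRY_GAP
        else:                                       # retries exhausted: wait a full interval
            self.retries_left = MAX_RETRIES
            self.next_check = now + EIGHT_HOURS
        return False

def run(sched, minutes, reachable):
    # Drive the scheduler minute by minute and return its event log.
    for t in range(minutes):
        sched.tick(t, reachable)
    return sched.log
```

Running `run(VaultSyncScheduler(0, last_check=-2000, prior_restarts=2), 600, lambda t: False)` shows the worst case for an offline client: four attempts at minutes 5 to 20, then silence until minute 500.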
Response to a stolen ID
If you suspect that a non-shared-login-enabled ID is stolen, the correct response is to reset the password on the ID, roll over the keys on the ID, and ensure that server key checking is enabled. These steps help prevent unauthorized people from using the stolen ID, because they will not know the new password required to obtain the new keys from the ID copy in the vault.

A shared-login-enabled ID is different in that it is protected with a secret in the local ID file rather than with a Notes password that the vault understands. The ID can be used only on the computer on which it was shared-login enabled. If a computer with a shared-login-enabled ID is stolen, perform these steps:
1. Disable shared login in the user policy.
2. Force the policy to replicate to all vault servers.
3. Respond as you would for a non-shared-login-enabled ID (reset the password, roll over the keys, enable server key checking).
4. Afterwards, re-enable shared login in the user policy.
How ID renaming and key rollover work with a vault
A user with a vaulted ID who requests a name change through the User Security window is not given the option to approve the change. The option "Ask your approval before accepting name changes" is unavailable, and the change is always made on the client ID copy automatically during client-vault synchronization when the name change is detected on the server.

A user with a vaulted ID cannot request a key rollover through the User Security window; only an administrator can initiate key rollover through policy configuration. The key rollover on the client ID copy happens automatically during client-vault synchronization when the key rollover is detected on the server; the user is never prompted to accept the new keys.

Note: If key rollover of IDs is in process, do not enable use of a vault until the key rollover is complete. In addition, when a vault is in use, always register new users with ID key sizes that conform to their effective policies.

Smart Cards:
There is a request to support the use of Smart Cards with Notes Shared Login:
DJAG7CFLVK: NSL should support smartcard login to Windows
Currently, a Notes ID can be locked either with a Smart Card or with Notes Shared Login, but not both.

Internet Password:
SPR SAKI7P88GT: Enhancement request: Need synchronization between Notes Shared log-in password and DWA
Currently, the Internet password and the Notes Shared Login Notes ID password cannot be synchronized.

Citrix:
SPR AJAS7PKJ3M: Request to support Notes Client Shared Logon feature for Citrix presentation server 4.5
Currently, Notes Shared Login cannot be used in a Citrix environment.

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.