Collaboration in the Enterprise from the perspective of Anthony Holmes, an IBM Accelerated Value Program Leader (Premium Support Program).

Notes Shared Login and Sametime Login Options

Anthony Holmes  30 June 2009 10:33:20 PM
A while ago I blogged on using Notes Shared Login to eliminate the need to enter a password when you start Notes after logging in to Windows. This mechanism is a great way to use the strengths of the Notes ID model for security whilst making life simpler for users.

One of my colleagues recently queried me about how this relates to Sametime authentication. Sametime doesn't use an ID, so the model there is a little different.

There are five scenarios.


1. Standard Notes Shared Login (without Sametime)

User logs into Windows ---> NSL-enabled ID can then be used with the Windows credentials to start Notes ---> Access allowed via NRPC to Domino servers for mail and applications called from the Notes client

2. Standard Sametime Login via LDAP/HTTP Password (with either Sametime Connect or Sametime embedded in Notes)

LDAP or HTTP password is stored on PC using the Sametime option to save the password.

Sametime started ---> Cached LDAP/HTTP password credentials provided to the Sametime server. The user isn't prompted for a password unless their LDAP/HTTP password is changed elsewhere.

3. Notes Authentication to Sametime (using Sametime embedded in Notes)

The person's User.id is used (after the user enters their Notes password) to log in to Notes. Sametime is configured to use Notes credentials.

Sametime starts with Notes, using the Notes password ---> Sametime embedded in Notes (without the user realising it) silently authenticates against the Sametime server via Notes protocols. An LTPA token is provided to the embedded Sametime client, which is then used to authenticate the user against the Sametime server by way of the Notes ID and its password.

4. Notes Authentication to Sametime combined with Notes Shared Login (using Sametime embedded in Notes)

User logs into Windows ---> Notes starts without prompting for the Notes password (through Notes Shared Login), and then Sametime embedded in Notes (without the user realising it) also silently authenticates against the Sametime server via Notes protocols using the NSL-enabled ID. An LTPA token is provided to the embedded Sametime client, which is then used to authenticate the user against Sametime without being prompted for a password.

This is documented here: http://www-10.lotus.com/ldd/stwiki.nsf/dx/notes-client-integration-with-sametime

5. Log in to Sametime using SPNEGO (with Sametime Connect)

SPNEGO is a standard that has Windows "extensions". It is designed to let Windows credentials be shared with other applications; combined with some other technologies, it is what gets called Integrated Windows Authentication.

The SPNEGO service allows the credentials supplied at the Windows user login to subsequently be used by other applications (without requiring the user to re-enter their user name and password). Sametime 8 can be configured to use SPNEGO.

Sametime embedded in Notes is not documented as having this capability. If Windows credentials are being used then it would make more sense to use Option 4 for Sametime embedded in the Notes client.

User logs into Windows ---> Sametime Connect client can then be used with the Windows credentials (by using token-based single sign-on) ---> Access allowed using Active Directory (LDAP) credentials.
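Option 5 hinges on what the client's Negotiate (SPNEGO) token actually offers: the client lists the mechanisms it supports, and the Microsoft-specific ones (MS KRB5 and NTLMSSP) are the "Windows extensions" that sit beside standard Kerberos. The following Python script is added here as an example; it is not code from this post or from IBM's Sametime or Notes products. It decodes the mechTypes list from a base64 NegTokenInit so an administrator can see which mechanism a client is leading with. The sample token is constructed inside the script, not captured from a Sametime server, and the OID-to-name table is an assumption taken from the RFCs rather than from the post.

```python
"""Inspect the mechanism list inside a SPNEGO NegTokenInit (RFC 4178, framed per RFC 2743).

Assumptions (not from the blog post): the mechanism OIDs are the standard ones from the RFCs
and MS-SPNG, and the sample token below is constructed here, not captured from Sametime.
"""
import base64

# Mechanisms a Negotiate token commonly offers. MS KRB5 and NTLMSSP are the Microsoft-specific
# mechanisms, i.e. the "Windows extensions" alongside standard Kerberos V5.
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (Microsoft Kerberos)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
SPNEGO_OID = "1.3.6.1.5.5.2"


def _tlv(tag, content):
    """Minimal DER TLV encoder; short-form length only, which suffices for the sample token."""
    if len(content) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(content)]) + content


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; returns (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode DER OID contents back to dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def spnego_mech_types(token_b64):
    """Return the ordered mechTypes list offered by a base64 SPNEGO NegTokenInit."""
    buf = base64.b64decode(token_b64)
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x60:                        # [APPLICATION 0] InitialContextToken
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:                        # negTokenInit [0] of NegotiationToken
        raise ValueError("expected NegTokenInit")
    _, seq, _ = _read_tlv(neg_init, 0)     # NegTokenInit ::= SEQUENCE { mechTypes [0] ... }
    tag, mech_field, _ = _read_tlv(seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes is missing")
    _, mech_seq, _ = _read_tlv(mech_field, 0)   # MechTypeList ::= SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(mech_seq):
        tag, val, pos = _read_tlv(mech_seq, pos)
        if tag == 0x06:
            oids.append(decode_oid(val))
    return oids


def describe_mechs(token_b64):
    """Human-readable mechanism names, in the client's preference order."""
    return [KNOWN_MECHS.get(o, "unknown " + o) for o in spnego_mech_types(token_b64)]


# Constructed sample: a NegTokenInit offering MS KRB5, Kerberos V5 and NTLMSSP, in that order
# (mechTypes only; the optional mechToken is omitted to keep the sample small).
_MECH_LIST = _tlv(0x30, encode_oid("1.2.840.48018.1.2.2")
                  + encode_oid("1.2.840.113554.1.2.2")
                  + encode_oid("1.3.6.1.4.1.311.2.2.10"))
_NEG_TOKEN_INIT = _tlv(0xA0, _tlv(0x30, _tlv(0xA0, _MECH_LIST)))
SAMPLE_TOKEN = base64.b64encode(
    _tlv(0x60, encode_oid(SPNEGO_OID) + _NEG_TOKEN_INIT)).decode()

if __name__ == "__main__":
    print("Client offers, in order:", describe_mechs(SAMPLE_TOKEN))
```

Run it directly to print the mechanism order; the first entry is the one the client prefers. The base64 value from a real `Authorization: Negotiate` header can be passed to `spnego_mech_types` in the same way, which lets an administrator confirm that the single sign-on is actually being carried by Kerberos rather than by whichever other mechanism the client listed.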

Configuring Sametime Server and Sametime Connect for login via SPNEGO is documented in the Sametime 8 Information Center. For example: http://publib.boulder.ibm.com/infocenter/sametime/v8r0/topic/com.ibm.help.sametime.802.doc/IMLU/st_adm_security_sso_spnego_t.html