The Designated Authentication Server option redirects the authentication step to another server. This is especially useful if you want to use the Integrated Windows Authentication that Domino 8.5.1 provides via SPNEGO, but operate Domino servers on operating systems other than Windows or still run Domino servers older than 8.5.1.
With the Designated Authentication Server (gateway authentication), you need only one SPNEGO-enabled Domino server in your domain. Once the option is activated on the other servers, an unauthenticated HTTP request to any of them is redirected to the central SPNEGO-enabled Domino server configured in the SecureDomino configuration database, and the user is authenticated there. After successful authentication the user is redirected back to the original server, and the original request is issued a second time. The identity travels with that request as the Domino single sign-on (LTPA) token cookie issued by the designated server, so the original server now knows who the user is and processes the request without challenging for a password. The roundtrip is fast enough that users rarely notice it; they simply stay authenticated without a password challenge, even after restarting the browser or the machine, because the credential behind it is their Windows logon rather than a browser session.
SecureDomino supports the configuration of multiple LTPA domains and encrypted (HTTPS) connections. Since the SSO token is carried as a cookie across the redirect, run the whole redirect chain over HTTPS so the token is never exposed in the clear.
Screenshot: Designated Authentication Server Configuration
How SPNEGO works
SPNEGO stands for Simple and Protected GSS-API Negotiation Mechanism (RFC 4178). In practice it lets a user access a server and be authenticated there without being asked for a user name and password again, because that information was already supplied at operating system logon. At the HTTP level, the server answers an unauthenticated request with status 401 and a WWW-Authenticate: Negotiate header; the browser repeats the request with an Authorization: Negotiate header carrying a base64-encoded GSS-API token, normally a Kerberos service ticket. If SPNEGO is activated on a Lotus Domino server, users who are authenticated against Microsoft Active Directory can therefore access Domino applications without a user name and password prompt.
The mechanism looks mysterious but is straightforward. The graphic below shows how it works:
The user logs on to Windows and is authenticated by Microsoft Active Directory, which acts as the Kerberos Key Distribution Center (KDC), and
receives a Kerberos ticket-granting ticket (TGT) in turn.
When Integrated Windows Authentication is enabled in the browser and the browser is challenged with Negotiate, the client uses its TGT to obtain a service ticket for the Domino server's service principal name (HTTP/hostname) from the KDC and hands that ticket to the SPNEGO-enabled Domino server, which
verifies the ticket with the key of its own service account in that same Active Directory. A ticket that decrypts correctly and is within its validity period can only have been issued by that directory's KDC, so
the user's identity is confirmed to the SPNEGO-enabled Domino server, which authenticates the user, creates a session, and
renders an authenticated response without ever having challenged the user for a user name and password.
Screenshot: SPNEGO Communication Flow Chart
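To see what the browser actually puts on the wire in this flow, here is an added example (not code from SecureDomino or Domino) that builds and parses the Authorization: Negotiate header a client sends after the 401 challenge, and checks whether the client offered Kerberos at all or only NTLM. The sample headers are constructed in the code with a dummy inner mechToken; the OIDs are the standard SPNEGO, Kerberos and NTLMSSP identifiers, and the function and constant names are this example's own.

```python
import base64

# Mechanism OIDs that appear in browser Negotiate tokens, mapped to names.
OID_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _tlv(tag, payload):
    """Wrap payload in a DER tag/length header (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def _read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:                    # remaining arcs are base-128
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_negotiate_header(mech_oids, mech_token=b"\x00" * 16):
    """Constructed 'Negotiate <base64>' header: a GSS-API InitialContextToken
    wrapping a NegTokenInit (RFC 4178) that offers mech_oids. mech_token is a
    dummy stand-in for the real Kerberos AP-REQ or NTLM message."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    neg_init = _tlv(0x30, mech_types + _tlv(0xA2, _tlv(0x04, mech_token)))
    gss_token = _tlv(0x60, _encode_oid("1.3.6.1.5.5.2") + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss_token).decode()


def negotiate_mechs(header_value):
    """List the mechanisms a client offers in its Authorization: Negotiate header."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP"]  # bare NTLM message, no SPNEGO wrapper at all
    tag, body, _ = _read_tlv(token, 0)               # GSS-API InitialContextToken
    oid_tag, oid, pos = _read_tlv(body, 0)            # thisMech OID
    if tag != 0x60 or oid_tag != 0x06 or _decode_oid(oid) != "1.3.6.1.5.5.2":
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = _read_tlv(body, pos)                # [0] negTokenInit
    _, seq, _ = _read_tlv(neg, 0)                     # NegTokenInit SEQUENCE
    ctx_tag, ctx, _ = _read_tlv(seq, 0)               # [0] mechTypes
    if tag != 0xA0 or ctx_tag != 0xA0:
        raise ValueError("negTokenInit without mechTypes")
    _, mech_list, _ = _read_tlv(ctx, 0)               # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = _read_tlv(mech_list, pos)
        mechs.append(OID_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return mechs


def kerberos_offered(header_value):
    """True if the client offered Kerberos, i.e. it actually obtained a service ticket."""
    return any(m in ("Kerberos V5", "MS Kerberos V5") for m in negotiate_mechs(header_value))


# Constructed samples: a domain-joined browser holding a ticket (Windows lists the
# Microsoft Kerberos OID first), NTLM-only inside SPNEGO, and a bare NTLMSSP type 1 message.
HEADER_WITH_TICKET = build_negotiate_header(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])
HEADER_NTLM_ONLY = build_negotiate_header(["1.3.6.1.4.1.311.2.2.10"])
HEADER_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 27).decode()
```

Run negotiate_mechs() against the Authorization header of a failing client and the diagnosis is immediate: if only NTLMSSP is offered, the browser never got a Kerberos service ticket for the Domino server (typically a missing or duplicate HTTP/hostname SPN, a machine outside the domain, or a site not trusted for Integrated Windows Authentication), and the user will not get the password-less experience described here.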
How SecureDomino leverages SPNEGO on non-SPNEGO servers
Rolling out SPNEGO can be a tough job because of its requirements: the Domino server that gets SPNEGO activated must run Domino 8.5.1 (or newer) on Windows. Servers that do not meet these requirements cannot enable the feature. Since this leads to a heterogeneous server landscape with heterogeneous features, many organizations still shun the rollout, or simply cannot use it because they run on other platforms. SecureDomino allows a smooth transition and the use of SPNEGO with older Domino versions and on other platforms.
All you need is one SPNEGO-enabled Domino server, which serves as the designated authentication gateway. If you enable the Designated (SPNEGO) Authentication Server option in SecureDomino on any other server, that server uses the designated server to log users in automatically. The authentication then works as depicted in the picture below:
The user logs on to Windows and is authenticated by Microsoft Active Directory (the Kerberos KDC) and
receives a Kerberos ticket-granting ticket (TGT) in turn.
When the user issues a request to a Domino server that runs SecureDomino and is not yet authenticated,
the user is redirected to the SPNEGO-enabled Domino server, which challenges the browser with Negotiate. The browser obtains a service ticket for that server from the KDC using its TGT and sends the ticket with the repeated request. The SPNEGO-enabled Domino server
verifies the ticket with the key of its own service account in the same Active Directory; a ticket that decrypts correctly and is within its validity period can only have been issued by that directory's KDC, so
the user's identity is confirmed to the SPNEGO-enabled Domino server, which authenticates the user, creates a session (issuing the SSO token cookie), and
redirects the HTTP client back to the original server with the original request. The original server now sees an authenticated user and
renders an authenticated response without ever having challenged the user for a user name and password.
Screenshot: How SecureDomino enables SPNEGO on other Servers and OSes
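The roundtrip described above and in the Designated Authentication Server section, modelled as an added example; this is not SecureDomino's code. It assumes hypothetical host names, a `return` query parameter for carrying the original URL, and an HMAC-signed cookie as a stand-in for the Domino LTPA token (whose real format differs); the Kerberos validation itself is represented by the principal name passed into the designated server. Beyond the flow itself, it shows two checks a practitioner should expect of any such gateway: the return URL is restricted to known Domino servers over HTTPS, and the token is signed, expiring and set as a Secure, HttpOnly cookie.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed deployment; every name here is an assumption for this example.
# SSO_SECRET stands in for the LTPA key both servers share, GATEWAY_LOGIN is the
# SPNEGO-enabled designated server, ALLOWED_RETURN_HOSTS are the other Domino servers.
SSO_SECRET = b"constructed-shared-sso-secret"
GATEWAY_LOGIN = "https://sso.example.com/login"
ALLOWED_RETURN_HOSTS = {"apps.example.com", "mail.example.com"}
COOKIE_NAME = "SSOToken"


def mint_sso_token(user, now, ttl=3600):
    """HMAC-signed 'user|expiry|sig' token (a stand-in for a real LTPA token)."""
    payload = f"{user}|{int(now) + ttl}".encode()
    sig = hmac.new(SSO_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + sig).decode()


def verify_sso_token(token, now):
    """Return the user name if the token is intact and unexpired, else None."""
    try:
        user, exp, sig = base64.urlsafe_b64decode(token.encode()).split(b"|", 2)
        expiry = int(exp)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SSO_SECRET, user + b"|" + exp, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected) or expiry <= now:
        return None
    return user.decode()


def original_server(request, now):
    """Domino server running SecureDomino: serves the request if the SSO cookie is
    valid, otherwise redirects the unauthenticated client to the designated server."""
    user = verify_sso_token(request["cookies"].get(COOKIE_NAME, ""), now)
    if user:
        return {"status": 200, "headers": {}, "body": f"{user}: {request['url']}"}
    location = GATEWAY_LOGIN + "?" + urlencode({"return": request["url"]})
    return {"status": 302, "headers": {"Location": location}, "body": ""}


def designated_server(request, now, principal_from_ticket):
    """The SPNEGO-enabled server. principal_from_ticket stands in for the identity
    the real server obtains by validating the client's Kerberos service ticket."""
    ret = parse_qs(urlsplit(request["url"]).query).get("return", [""])[0]
    parts = urlsplit(ret)
    # Only send users back to known Domino servers over TLS: an unchecked,
    # caller-supplied return URL is an open redirect that also leaks the cookie.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_RETURN_HOSTS:
        return {"status": 400, "headers": {}, "body": "bad return URL"}
    if not request["headers"].get("Authorization", "").startswith("Negotiate "):
        return {"status": 401, "headers": {"WWW-Authenticate": "Negotiate"}, "body": ""}
    cookie = (f"{COOKIE_NAME}={mint_sso_token(principal_from_ticket, now)}; "
              "Domain=.example.com; Path=/; Secure; HttpOnly")
    return {"status": 302, "headers": {"Location": ret, "Set-Cookie": cookie}, "body": ""}


def roundtrip(url, principal, now=None, cookies=None):
    """Drive one browser through the whole flow; return (status codes seen, final body)."""
    now = time.time() if now is None else now
    cookies = dict(cookies or {})
    statuses = []
    r = original_server({"url": url, "headers": {}, "cookies": cookies}, now)
    statuses.append(r["status"])
    if r["status"] == 200:
        return statuses, r["body"]
    login_url = r["headers"]["Location"]
    r = designated_server({"url": login_url, "headers": {}}, now, principal)
    statuses.append(r["status"])
    if r["status"] != 401:
        return statuses, r["body"]
    # The browser answers the Negotiate challenge with its Kerberos ticket
    # (the token itself is not modelled here, hence the placeholder).
    r = designated_server({"url": login_url, "headers": {"Authorization": "Negotiate <ticket>"}},
                          now, principal)
    statuses.append(r["status"])
    name, _, value = r["headers"]["Set-Cookie"].split(";")[0].partition("=")
    cookies[name] = value
    r = original_server({"url": r["headers"]["Location"], "headers": {}, "cookies": cookies}, now)
    statuses.append(r["status"])
    return statuses, r["body"]
```

A first visit produces the sequence 302 (to the gateway), 401 (Negotiate challenge), 302 (back with the cookie), 200 (original request served), which is the "original request issued a second time" the text describes. A forged or expired cookie is simply ignored and the roundtrip repeats, and a return URL pointing at an unknown host is refused by the gateway rather than followed.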