SecureDomino Authentication & Intrusion Prevention
19/4/2010

SecureDomino 7 brings SPNEGO to all Domino Operating Systems

TIMETOACT has released SecureDomino 7

With this release the following features and enhancements have been added:
  • Designated Authentication Server - leverage SPNEGO for access to all your Domino Servers
  • Logon Hours definition - control when users are able to log on
  • Password Request Encryption - increase compliance and secrecy on reset password notifications

SPNEGO is a Single Sign-On mechanism that allows a Domino server to authenticate a user without asking for a username and password, using the user's Microsoft Active Directory credentials. Based on industry standards, it provides a secure way to interconnect Lotus Domino with Microsoft Active Directory. By automatically authenticating users from their first HTTP request on, it provides a means to safely increase user convenience in your intranet. By centralizing the password store in MSAD it helps to implement a consistent password policy in your company. It furthermore helps to reduce helpdesk requests caused by forgotten passwords. This feature was introduced with Lotus Domino 8.5.1 and is currently restricted to Domino servers running on Windows. With the newly added authentication feature Designated Authentication Server, SecureDomino can help you use this mechanism on Domino servers that run on other operating systems and on Lotus Domino servers prior to R8.5.1.

SecureDomino 7 furthermore improves the Logon Hours module. The Logon Hours Definition module allows restricting authentication to a certain time window for each day. With SecureDomino 8, the administrator is now able to choose between generally restricting or generally allowing users' access to a server based on hours. It is now possible either to generally allow server access at any time but restrict certain users at particular times, or to generally disallow server access except at defined times. This handy feature allows the administrator to adjust the security to the specific needs of his Domino server.

A further improvement was made to the Forgotten Password Handling feature, which enables a user who has been locked out to request and retrieve a new password without needing to call the administrator or helpdesk. With SecureDomino 7 the newly generated password can now be sent encrypted to the user, so that only the requesting user is able to read the new password phrase with his Lotus Notes client, BlackBerry or Lotus Traveler device.

With these new features, SecureDomino consistently follows its goal of offering superior Domino web server protection and reducing the cost of operating a Domino server in real-life scenarios.

How SPNEGO works

SPNEGO is an acronym for Simple and Protected GSSAPI Negotiation Mechanism and essentially describes a standard that allows a user to access a server and be authenticated without being challenged for user name and password again, after already having been challenged for that information at operating system logon. If SPNEGO is activated on a Lotus Domino server, users that are authenticated against a Microsoft Active Directory can access Domino applications without being challenged for a user name and password as well.
The way it works may seem mysterious but is essentially not. The graphic below shows how this is accomplished:
  1. The user authenticates against a Microsoft Active Directory and
  2. gets a Kerberos certificate in return.
  3. When using Windows Integrated Authentication in his browser, his machine issues a Kerberos ticket from that certificate and hands this ticket over to the SPNEGO-activated Domino server, which
  4. takes that ticket and presents it to the Active Directory. As the ticket is based on the certificate of the same directory and is valid,
  5. the user's identity is confirmed to the SPNEGO-activated Domino server, which in response is able to authenticate the user, create a session with him and
  6. render an authenticated response without having challenged the user for username and password.

SPNEGO with Lotus Domino explained
Screenshot: SPNEGO Communication Flow Chart

How SecureDomino leverages SPNEGO on non SPNEGO servers

Rolling out SPNEGO can become a tough job when it comes to the requirements that come with it. Essentially these are Domino 8.5.1 (or newer) and Windows for the Domino server that gets SPNEGO activated. All other servers cannot enable this feature. As this leads to a heterogeneous server version landscape with heterogeneous features, many organizations still shun the rollout or simply can't use it as they run on other platforms. SecureDomino enables a smooth transition and the use of SPNEGO on older Domino versions and on other platforms.

All you need is one SPNEGO-enabled Domino server that can serve as the Designated Authentication Gateway. If you enable the Designated (SPNEGO) Authentication Server option in SecureDomino on any other server, you can leverage the abilities of that designated server to log in automatically on the server that runs SecureDomino. The authentication then works as depicted in the picture below:
  1. The user authenticates against a Microsoft Active Directory and
  2. gets a Kerberos certificate in return.
  3. When the user issues a request to a Domino server that runs SecureDomino and is not yet authenticated,
  4. the user is redirected to the SPNEGO-activated Domino server; the client includes its Kerberos ticket with this request, and the SPNEGO-activated Domino server
  5. takes that ticket and presents it to the Active Directory. As the ticket is based on the certificate of the same directory and is valid,
  6. the user's identity is confirmed to the SPNEGO-activated Domino server, which in response is able to authenticate the user, create a session with him and
  7. redirect the HTTP client back to the original server with the original request. The original server now sees an authenticated user and
  8. renders an authenticated response without ever having challenged the user for username and password.

How SecureDomino brings SPNEGO to other Servers and Operating Systems
Screenshot: How SecureDomino enables SPNEGO on other Servers and OSes
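The two flows described above (the direct SPNEGO login under "How SPNEGO works" and the relayed login through the Designated Authentication Server), played through as an added Python simulation. This is not SecureDomino's or Lotus Domino's code and makes several labelled assumptions: Kerberos tickets are replaced by HMAC-signed JSON tokens issued by a simulated KDC; the hand-back from the designated server to the original server rides on a cookie signed with a secret both servers share (a stand-in for whatever multi-server session mechanism the product actually uses); both servers sit in one DNS domain so that cookie is sent to both; the original URL travels in a made-up `redirectto` query parameter; and the host names, user name and keys are constructed. The KDC's `validate` follows the page's drawing (server presents the ticket, directory confirms it); in real Kerberos the service verifies the ticket with its own key from the keytab instead.

```python
"""Simulated SPNEGO (HTTP Negotiate) sign-on, direct and relayed through a designated authentication
server. Constructed stand-in: tickets are HMAC-signed JSON rather than Kerberos, and the hand-back to
the original server rides on a cookie signed with a secret both servers share (an assumption)."""
import base64, hashlib, hmac, json, time
from collections import namedtuple
from urllib.parse import parse_qs, urlencode, urlsplit

Response = namedtuple("Response", "status headers body cookies", defaults=({}, "", {}))
SSO_KEY = b"constructed shared SSO secret"  # assumption: one secret known to both Domino servers

def sign(key, body):  # JSON body plus HMAC-SHA256 tag, base64-encoded as one opaque token
    raw = json.dumps(body, sort_keys=True).encode()
    return base64.b64encode(raw + b"|" + hmac.new(key, raw, hashlib.sha256).hexdigest().encode()).decode()

def verify(key, token):  # the signed body, or None when the tag is wrong or the token malformed
    try:
        raw, _, mac = base64.b64decode(token).rpartition(b"|")
        good = hmac.new(key, raw, hashlib.sha256).hexdigest().encode()
        return json.loads(raw) if hmac.compare_digest(good, mac) else None
    except (TypeError, ValueError):
        return None

class SimulatedKDC:  # constructed stand-in for the Active Directory KDC
    def __init__(self, realm, key, users):
        self.realm, self.key, self.users = realm, key, users

    def logon(self, user, password, now):  # steps 1-2: Windows logon yields a ticket-granting ticket
        if self.users.get(user) != password:
            raise PermissionError("logon failed")
        return sign(self.key, {"typ": "tgt", "user": f"{user}@{self.realm}", "exp": now + 8 * 3600})

    def service_ticket(self, tgt, spn, now):  # step 3: the TGT is traded for a ticket to HTTP/<host>
        t = verify(self.key, tgt)
        if not t or t["typ"] != "tgt" or t["exp"] <= now:
            raise PermissionError("no valid TGT")
        return sign(self.key, {"typ": "svc", "user": t["user"], "spn": spn, "exp": now + 600})

    def validate(self, ticket, spn, now):  # steps 4-5 as the page draws them: the server presents
        t = verify(self.key, ticket)       # the ticket, the directory confirms the identity (real
        ok = t and t["typ"] == "svc" and t["spn"] == spn and t["exp"] > now  # Kerberos: the service
        return t["user"] if ok else None   # checks the ticket with its own keytab key instead)

def sso_user(cookies, now):  # identity from a valid, unexpired SSO cookie, else None
    t = verify(SSO_KEY, cookies.get("SSO", ""))
    return t["user"] if t and t["exp"] > now else None

def spnego_server(host, kdc):  # Domino server with SPNEGO enabled, i.e. the designated auth server
    def handle(url, headers, cookies, now):
        if user := sso_user(cookies, now):
            return Response(200, body=f"hello {user}")
        auth = headers.get("Authorization", "")
        if not auth.startswith("Negotiate "):
            return Response(401, {"WWW-Authenticate": "Negotiate"})  # challenge the browser
        user = kdc.validate(auth[len("Negotiate "):], f"HTTP/{host}", now)
        if user is None:
            return Response(401, {"WWW-Authenticate": "Negotiate"}, "ticket rejected")
        sso = {"SSO": sign(SSO_KEY, {"user": user, "exp": now + 3600})}  # step 5: session created
        back = parse_qs(urlsplit(url).query).get("redirectto")  # assumed parameter name
        if back:  # step 7: a relayed login is sent back to the original server
            return Response(302, {"Location": back[0]}, cookies=sso)
        return Response(200, body=f"hello {user}", cookies=sso)
    return handle

def securedomino_server(auth_host):  # Domino server without SPNEGO; delegates login to auth_host
    def handle(url, headers, cookies, now):
        if user := sso_user(cookies, now):
            return Response(200, body=f"hello {user}")  # step 8: an authenticated user is seen
        login = f"http://{auth_host}/login?" + urlencode({"redirectto": url})
        return Response(302, {"Location": login})  # step 4: not authenticated, so redirect
    return handle

class Browser:  # Integrated Windows Authentication on; one cookie jar for both hosts (assumption:
    def __init__(self, servers, kdc, tgt):  # they share a DNS domain, as a shared SSO cookie needs)
        self.servers, self.kdc, self.tgt, self.cookies, self.trace = servers, kdc, tgt, {}, []

    def get(self, url, now):
        headers = {}
        for _ in range(10):  # bounded, so a redirect loop cannot spin forever
            host = urlsplit(url).hostname
            resp = self.servers[host](url, headers, dict(self.cookies), now)
            self.cookies.update(resp.cookies)
            self.trace.append((host, resp.status))
            if resp.status == 401 and resp.headers.get("WWW-Authenticate") == "Negotiate" and not headers:
                ticket = self.kdc.service_ticket(self.tgt, f"HTTP/{host}", now)  # step 3
                headers = {"Authorization": "Negotiate " + ticket}
            elif resp.status == 302:
                url, headers = resp.headers["Location"], {}
            else:
                return resp
        raise RuntimeError("too many hops")

def run_demo(now=None):  # both flows from the page; returns bodies and per-hop (host, status) traces
    now = now or int(time.time())
    kdc = SimulatedKDC("CORP.EXAMPLE", b"constructed realm key", {"alice": "correct horse"})
    tgt = kdc.logon("alice", "correct horse", now)  # steps 1-2
    servers = {"auth.corp.example": spnego_server("auth.corp.example", kdc),
               "app.corp.example": securedomino_server("auth.corp.example")}
    direct = Browser(servers, kdc, tgt)
    r1 = direct.get("http://auth.corp.example/names.nsf", now)
    relayed = Browser(servers, kdc, tgt)
    r2 = relayed.get("http://app.corp.example/sales.nsf?view=open", now)
    r3 = relayed.get("http://app.corp.example/sales.nsf?view=open", now)  # the cookie alone suffices
    return {"direct": (r1.body, direct.trace), "relayed": ((r2.body, r3.body), relayed.trace)}
```

`run_demo()` returns the hop traces a web server log would show for each flow: the direct case is one 401 challenge followed by a 200, the relayed case is a 302 to the designated server, its 401 challenge, a 302 back and a 200 on the original server, after which the session cookie alone is accepted. The checks that carry the security weight are the ones in `validate` and `sso_user`: the ticket is bound to the service principal of the host that received it, both ticket and session have an expiry, and any token whose tag does not verify is rejected before its contents are trusted.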

TIMETOACT is a Domino web application and DSAPI specialist

Some other work of TIMETOACT includes:
  • The Lotus Domino HTTP-Toolkit, which allows further tweaking of your Lotus Domino web server configuration with regard to content type mappings, XHTML generation and improved HTTP redirection abilities.
  • FireNotes, a Mozilla Firefox, Opera, Safari and Chrome plugin solution that connects with Lotus Notes 6 and higher.
  • TIMETOWEB, a Domino-based web content management system, facilitating, simplifying and accelerating the creation and management of highly dynamic intranet, extranet and Internet sites.

TIMETOACT GROUP provides services for IBM software. The group consists of the companies edcom, TIMETOACT and X-INTEGRATE located in Cologne and Munich, Germany. EDCOM provides infrastructure services for Lotus and WebSphere Portal. TIMETOACT consults and builds line-of-business applications on the basis of Lotus and WebSphere software, Eclipse Rich Client Platform and open standards. X-INTEGRATE is focused on business integration software based on an established methodology, open standards and IBM middleware. Together TIMETOACT GROUP has over 80 employees and over 700 years of professional experience with IBM software.

Test SecureDomino now

Request your free 30-day fully functional trial version of SecureDomino today.

Your Contact

Michael Gollmick
Technical questions
+49 221 97343 0