Document 6508203

How to establish SSO for AD authenticated Internet Explorer users on Domino! - utilizing IIS with WebSphere plug-in

Target: Domino community
Document name: How to establish SSO for AD authenticated Internet Explorer users on Domino! - utilizing IIS with WebSphere plug-in
Version: 0.96
Document type: White paper
Date: 2007-02-08
Author: Ulf Stider
E-mail address: ulf.stider@infoware.se
Phone number:
Status: Draft

IE-IIS-AD-Domino-LPTA-SSO-20070208.doc © Copyright Infoware Solutions Svenska AB. 2005. All rights reserved. Page 1 (31)

Table of Contents

1 Introduction
1.1 Background to this document
1.2 Readers Guide
1.3 References
1.4 Disclaimer and warning!
1.5 Software versions used by me
2 About the WebSphere plug-in dlls
3 Step by step instruction
3.1 Before you begin
3.2 WebSphere Plugin
3.2.1 Files and directories
3.2.2 Update plugin-cfg.xml
3.2.3 Create the Registry values of the plug-in
3.3 Configure Domino
3.3.1 Configure Domino to use the http port 81
3.3.2 Enable Domino to trust Header information
3.4 Configure IIS
3.4.1 Create Virtual Directory
3.4.2 Create ISAPI Filter
3.4.3 Disable anonymous access to IIS
3.4.4 Set method for authentication and control
3.4.5 Extras for IIS 6 on Windows Server 2003
4 Settings in Internet Explorer to make IWA work
4.1 Tools/Internet Options/Advanced/Enable Integrated Windows Authentication must be checked
4.2 Tools/Internet Options/Security/Custom Level. Make sure the setting is "Automatic logon only in Intranet zone".
4.3 Add the URL of the IIS server (or the domain name of the server) to the Intranet zone (Tools/Internet Options/Security/Local Intranet/Sites/Advanced)
5 What must be done in Domino Directory to make the users' AD signatures translate into their Notes usernames
6 How to secure the Domino server behind IIS to make it impossible for someone to access it with spoofed IP headers
6.1 Security aspects of the notes.ini parameter HTTPEnableConnectorHeaders=1
6.2 Separating the IIS server and the Domino server
6.3 Recommended configurations
6.3.1 Separate NICs for IIS and Domino
6.3.2 Configure Domino to only accept requests from loopback adapter "localhost"
7 How to configure your Domino environment to use LTPA Token for SSO between selected Domino servers
8 How to configure the IIS server and the first Domino server by Secure Socket Layer, SSL
9 Gotchas and hints
9.1 Logging
9.2 Error messages in native.log and Internet Explorer
9.2.1 Non matching IP configurations
9.2.2 Bad IIS security configuration
9.2.3 Wrong path for the Virtual Directory
9.3 Browser wants to download nsf files
9.4 Windows login dialog
9.5 Lotus login dialog
9.6 Unexpected results during testing of person document content

Revision History

Date       | Version | Description                                                                 | Author
2005-05-20 | 0.7     | Draft1                                                                      | Ulf Stider
2005-06-09 | 0.9     | Draft2, soon to be published!?                                              | Ulf Stider
2005-08-26 | 0.91    | Added Technote references                                                   | Ulf Stider
2005-10-05 | 0.93    | Added my own step by step instruction, some more technotes, Domino 7 information, changed standard method from Win2k server to Windows Server 2003 and created *.reg files to create registry values. Missing: chapter on how to configure Windows/Domino to avoid Domino being reachable directly through http. | Ulf Stider
2005-10-13 | 0.94    | Completely rewritten chapter 6 and updated chapter 5                        | Ulf Stider and Mats Ekman
2006-10-27 | 0.95    | Updated with WebSphere 6.0 and WebSphere 6.1 information                    | Ulf Stider and Pär Helmersson
2007-02-08 | 0.96    | Updated "3.4 Configure IIS" to describe IIS6 on Win Serv 2003 SP1           | Ulf Stider, Mats Ekman and Pär Helmersson
1 Introduction

1.1 Background to this document

To allow web browser users already authenticated in Windows/AD to be automatically authenticated into a Domino environment with their Domino credentials is an obvious request at many sites. Whether it was possible without the use of a third party plug-in has not been obvious to me; that is why Infoware Solutions Svenska AB started an investigation resulting in this document.

The tools and methods described in this document have probably been available for many years; however, during my work to get the bits and pieces together I have spent some time finding documentation on different aspects of the configuration. I found a lot spread all over the Internet, which I will reference in this document; another important source was talks with Magnus Åkerlind and Johan Enefeldt from IBM Business Partner FemFemFem, Sweden. The most valuable document I found was the IBM Redbook "Lotus Security Handbook", and perhaps this document is not needed at all if you have good background knowledge and read through this Redbook thoroughly!

In short, the solution we have used is to activate an IBM WebSphere plug-in in MS IIS on a server with a "hidden" Domino server behind the IIS server. The plug-in passes http requests through IIS, utilizing IIS and Internet Explorer's proprietary IWA (Integrated Windows Authentication) to create http headers containing the AD username.

The "hidden" Domino server is configured:
- to trust the http header information
- with the AD usernames available in the person documents
- to send an LTPA cookie to Internet Explorer, to enable SSO to any LTPA aware web servers in the environment
- with automatic forwarding to another server containing the web site (if it does not reside on the "hidden" server)

1.2 Readers Guide

My ambition has not been to rewrite any available documents; however, where needed (for me) I have commented on references, and for parts of the configuration I (and my colleagues) have found it convenient to write down step by step what I have done.

The structure and index of the document is more a result of all my pitfalls than it should be; however, from what I have read on notes.net I have not been the only one with the same problems... The document involves some references to documents which I have not tested yet, for example how to SSL enable your SSO environment. Please send me a mail if you find any errors or have any comments!

1.3 References

Documents and direct links:

- IBM knowledgebase article about the IIS plugins: http://www1.ibm.com/support/docview.wss?uid=swg24007265
  The WebSphere plugins are updated regularly. My assumption has always been to use the latest version available; the fix lists tell me this is a reasonable approach. The link points to a technote where you can download version 5.1.1.6 from 2005-08-12. For the 6.1.0.0 dll I know I have downloaded it from IBM... unfortunately I can't find my way back... http://www1.ibm.com/support/docview.wss?rs=0&uid=swg24010188

- IBM Redbook "Lotus Security Handbook": http://publibb.boulder.ibm.com/Redbooks.nsf/RedpieceAbstracts/sg247017.html
  Authors: William Tworek, George Chiesa, Frederic Dahm, David Hinkle, Amanda Mason, Matthew Milza, Amy Smith. Appendix C is a very good technical reference on how to set up the plug-in and many aspects of how it can be configured. Be careful of some minor typos in the registry values.

- DotNSF whitepaper on how to configure the environment to get it SSL protected (not tested by me yet): http://portal.dotnsf.com/mydotnsf.nsf/f3297a57a1e86220802569170022a437/85e43cda43b223e180256e250008e516/$FILE/was-plugin-extra-materials.pdf

- DotNSF's Jason Hooks presentation "How to implement ND6.* Reverse (WAS) Proxies... Securing Domino and WebSphere with the WAS Plug-in": http://dotnsf.com/mydotNSF.nsf/ND6WASProxy.pdf

- From Notes.net by Alex Elliott, a good explanation on how to configure the hidden Domino server on its own NIC (not tested by me yet): http://www10.lotus.com/ldd/nd6forum.nsf/55c38d716d632d9b8525689b005ba1c0/33bd348aab606b5785256cfb002c0ffc?OpenDocument

- Technote on what extra you need to do to configure the plugin to work with IIS6 on Windows Server 2003. Reference: 1168244 in IBM Knowledgebase.

- Technote on how to troubleshoot your installation. Reference: 1141702.

- Co-existence between Lotus Domino and SharePoint Portal Server 2003: http://bes.xs4all.nl/blog/archive/2004/12/05/373.aspx

- IBM Technote "Installing and Configuring Domino 6 for use with Microsoft IIS". Reference: 1105816. Comment: Why describe how to use WebSphere 4.0.3 plugins, is there something wrong with WebSphere 6.x or 5.x?

- IBM Technote where they only recommend using LTPA for Domino over HTTP: http://www1.ibm.com/support/docview.wss?uid=swg21215246
  Isn't this Technote incredible!!

- IBM Technote "How to load the WebSphere 6.0 plug-in for Microsoft IIS 6.0 on Windows 2003": http://www.lotus.com/support doc id 1228190

The IBM technotes referenced by number are found via www-306.ibm.com/software/lotus/support/

1.4 Disclaimer and warning!

Be careful, several parts of this solution:
- are not obvious, at least not to me
- involve techniques well outside my expertise!
- circumvent IIS, IE and Domino security mechanisms
- use proprietary technology

If something goes very wrong you might end up in a situation with very low security; don't blame me then!

1.5 Software versions used by me

Domino 6
• English Domino 6.5.3 and 6.5.4
• IIS5 on Windows 2000 Server with SP4
• IIS6 on Windows Server 2003 with SP1
• WebSphere plugins 5.0.10 and 5.1.1.6

Domino 7
• English Domino 7.01 and 7.02
• IIS6 on Windows Server 2003 with SP1
• WebSphere plugins 6.0.0.10, 6.1.0.0 and 6.1.0.5

2 About the WebSphere plug-in dlls

The DLLs on the Domino server CD are unfortunately rather old; follow the links under References above to find updated files. The link points to an IBM knowledgebase article. I have been using the WebSphere 5 plug-in, not WebSphere 4. I don't really know the difference, but the fix lists for 5.x seem to be more updated than the 4.x ones. There are also WebSphere 6 directories and files available when you install a Domino 7 server.

From the files downloaded I have used:
- domino5_http.dll, to replace the original oldie somewhere deep under domino\data (domino\data\domino\plugins\was5\w32). This file is also correct for Domino 6.x.
- iisWASPlugin_http.dll, put in C:\WebSphere\AppServer\bin

I have not found any later "plugin_common.dll" compared to the one available on the server CD; however, I don't think it is used at all if you are using the WebSphere 5 plug-in.
3 Step by step instruction

As mentioned above you will find the very best instructions on how to configure and install everything in appendix C of the Lotus Security Handbook; please be a little cautious, however, with the registry settings. I added an extra string under 'IBM' - 'WebSphere Application Server' - '5.0' and gave it the name 'Plugin Config'. My colleagues asked me to write down my own step by step instruction to keep everything together, and here it is... be aware this instruction is not as fancy as the IBM Redbook.

3.1 Before you begin

Start off with a Windows Server 2003 box with IIS6, SP1 and a Domino server (why not the latest build of 6.5.x or 7.x?). The IIS server must be part of the same AD as your users.

3.2 WebSphere Plugin

3.2.1 Files and directories

Download WebSphere plugin 6.1.0.0 (or later), see References above.

Create:
    C:\WebSphere\AppServer\bin
    C:\WebSphere\AppServer\config
    C:\WebSphere\AppServer\etc
    C:\WebSphere\AppServer\logs

Copy:
- the downloaded (5.1.1.6) domino5_http.dll to domino\data\domino\plugins\was5\w32, to replace the original oldie
- iisWASPlugin_http.dll to c:\websphere\appserver\bin
- the original domino\data\domino\plugins\plugin-cfg.xml to c:\websphere\appserver\config

3.2.2 Update plugin-cfg.xml

Open c:\websphere\appserver\config\plugin-cfg.xml in Notepad. If the Domino server and IIS are located on the same machine you don't have to complicate it that much to get SSO. Of course you can do many exciting things with this xml file, but I recommend you start off making as few changes as possible.

3.2.2.1 Enable verbose logging

During the implementation phase you should enable verbose logging; this is an essential tool to make sure you don't make any basic mistakes. The log file is C:\WebSphere\AppServer\logs\native.log. Possible values for LogLevel are Error, Warn, and Trace.

    <Log Name="C:/WebSphere/AppServer/logs/native.log" LogLevel="Trace"/>

When the plug-in is loaded you should see these rows in the log file:

    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Plugins loaded.
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: --------------------System Information---------------------
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Bld version: 6.1.0
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Bld date: Jul 28 2006, 04:55:39
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Webserver: IIS
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: Hostname = SAVM143B
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: OS version 5.2, build 3790, 'Service Pack 1'
    [Wed Oct 25 08:36:13 2006] 00000564 00000570 - PLUGIN: ------------------------------------------------------------

3.2.2.2 Change the Transport Hostname to "localhost.mydomain.com"

Change the Transport Hostname to "localhost.mydomain.com" so that the Transport element reads as follows:

    <Transport Hostname="localhost.mydomain.com" Port="81" Protocol="http"/>
    </Server>
    </ServerGroup>

3.2.2.3 Add these four lines beneath <UriGroup Name="default_host_URIs">

Unfortunately IBM have not been too good at describing what these rows should look like; below is an example I have been using with good results.

    <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/*.NSF*"/>
    <Uri Name="*/icons/*"/>
    <Uri Name="*/domjava/*"/>

NOTE: Incorrect syntax is used for this parameter in the Domino 6 Administration Help.
Note: Directives in the UriGroup section are case sensitive.

3.2.3 Create the Registry values of the plug-in

3.2.3.1 WebSphere 4.x and 5.x

Unfortunately most documentation on this involves small but very annoying deviations, and the different versions of the plug-in dlls reference version information in a format unclear to me. I have created ASCII *.reg files for 5.0, 5.0.0.0 and 5.1.0.0; if you get your hands on them, watch out for the drive letters in them.

Note: Wherever I have read about the version numbers in the registry setting for the plug-in, the recommendations have differed slightly... some claim 'IBM' - 'WebSphere Application Server' - '5.0', others 'IBM' - 'WebSphere Application Server' - '5.0.0.0'. Until this is finally sorted out I have created registry "trees" for 5.0, 5.0.0.0 and 5.1.0.0. If you don't like this approach I recommend you start off with 5.0, then 5.0.0.0 and then 5.1.0.0.

Below is my attempt to get this right, if you can't get your hands on the *.reg files mentioned above... If you are installing the WAS 5.x version of the plug-ins, you need to create the following entries (with RegEdit) under 'HKEY_LOCAL_MACHINE' - 'SOFTWARE' - 'IBM' - 'WebSphere Application Server' - '5.0':

- Select '5.0' and create a new string value 'BinPath'. Set the value to the location where the plug-in is copied to (C:\WebSphere\AppServer\bin).
- Select '5.0' and create a new string value 'InstallLocation'. Set the value to the WAS root (C:\WebSphere\AppServer).
- Select '5.0' and create a new string value 'LibPath'. Set the value to C:\WebSphere\AppServer\lib.
- Select '5.0' and create a new string value 'MajorVersion'. Set the value to 5.
- Select '5.0' and create a new string value 'plug-in Config'. Set the value to the location of the plugin-cfg.xml file (C:\WebSphere\AppServer\config\plugin-cfg.xml).

If needed, do the same for 5.0.0.0 and 5.1.0.0 and ...

3.2.3.2 WebSphere 6.0, 6.1

With the new WebSphere 6.0 plugins IBM made a drastic shift: now you don't have to do anything about the plugins in the registry. Instead you create a text file, "plugin-cfg.loc", in the same directory as the plug-in dll (iisWASPlugin_http.dll) used by IIS, see chapter XX. Usually I have been using C:\WebSphere\AppServer\bin. The only content of the loc file is the complete file path to plugin-cfg.xml.

Example content of C:\WebSphere\AppServer\bin\plugin-cfg.loc:

    C:\WebSphere\AppServer\config\plugin-cfg.xml

Strange error! After implementing WebSphere 6.1 with the help of the loc file we have seen these rows in the verbose native.log file:

    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Plugins loaded.
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: --------------------System Information---------------------
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Bld version: 6.1.0
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Bld date: Jul 28 2006, 04:55:39
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Webserver: IIS
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: Hostname = SAVM143B
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: OS version 5.2, build 3790, 'Service Pack 1'
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - PLUGIN: -------------------------------------------------------------
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - ERROR: ws_common: GetIISErrorLocation: Failed to open registry: SOFTWARE\IBM\Web server Plug-ins for IBM WebSphere Application Server\6.1.0.0
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - TRACE: iis_plugin: GetFilterVersion: get error when load error location.
    [Fri Oct 27 14:13:59 2006] 00000570 0000057c - TRACE: iis_plugin: GetFilterVersion: Filter priority set to HIGH

We have not identified any real problems because of this, but perhaps you should create the same registry values as mentioned in 3.2.3.1, only under this path: SOFTWARE\IBM\Web server Plug-ins for IBM WebSphere Application Server\6.1.0.0. Until I have noticed any real problems I will avoid doing anything to the registry!
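The edits in 3.2.2 are easy to get slightly wrong (logging turned down, Transport still pointing at the public host name or port 80, the upper-case .NSF pattern forgotten), and the symptom only shows after IIS is restarted. The following Python check is an added example, not part of this paper or of IBM's plug-in; it assumes the element names shown in the snippets above and runs against two constructed sample files.

```python
"""Audit a plugin-cfg.xml against the settings recommended in section 3.2.2.

Added example, not part of the paper or of IBM's plug-in. Element and attribute
names (Log, ServerGroup/Server/Transport, UriGroup/Uri) follow the snippets in
the paper; the two sample files below are constructed for this example.
"""
import xml.etree.ElementTree as ET

# The four directives from 3.2.2.3. Matching is case sensitive, which is why
# both the .nsf and the .NSF pattern must be present.
REQUIRED_URIS = {"/*.nsf*", "/*.NSF*", "*/icons/*", "*/domjava/*"}


def is_loopback_name(hostname):
    """The paper maps localhost.mydomain.com to 127.0.0.1 in the hosts file,
    so accept the loopback address and any name whose first label is localhost."""
    host = hostname.strip().lower()
    return host == "127.0.0.1" or host.split(".")[0] == "localhost"


def audit_plugin_cfg(xml_text, expected_port="81"):
    """Return a list of findings; an empty list means the file matches the
    recommended configuration for a hidden Domino server on port 81."""
    findings = []
    root = ET.fromstring(xml_text)

    log = root.find("Log")
    if log is None:
        findings.append("no <Log> element, so native.log will not be written")
    elif log.get("LogLevel") != "Trace":
        findings.append("LogLevel is %r; use Trace while implementing" % log.get("LogLevel"))

    transports = root.findall(".//Transport")
    if not transports:
        findings.append("no <Transport> element, the plug-in has nowhere to forward to")
    for t in transports:
        host = t.get("Hostname", "")
        if not is_loopback_name(host):
            findings.append("Transport Hostname %r is not a loopback name; the hidden "
                            "Domino server should only be reachable via localhost" % host)
        if t.get("Port") != expected_port:
            findings.append("Transport Port is %r, Domino is configured for %s"
                            % (t.get("Port"), expected_port))
        if t.get("Protocol") != "http":
            findings.append("Transport Protocol is %r, expected http" % t.get("Protocol"))

    groups = [g for g in root.findall("UriGroup") if g.get("Name") == "default_host_URIs"]
    if not groups:
        findings.append("no UriGroup named default_host_URIs")
    else:
        present = {u.get("Name") for u in groups[0].findall("Uri")}
        for missing in sorted(REQUIRED_URIS - present):
            findings.append("UriGroup default_host_URIs lacks <Uri Name=\"%s\"/>" % missing)
    return findings


# Constructed sample: what the file looks like after the edits in 3.2.2.
GOOD_CFG = """<Config>
  <Log Name="C:/WebSphere/AppServer/logs/native.log" LogLevel="Trace"/>
  <ServerGroup Name="default_group">
    <Server Name="domino">
      <Transport Hostname="localhost.mydomain.com" Port="81" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
    <Uri Name="/*.NSF*"/>
    <Uri Name="*/icons/*"/>
    <Uri Name="*/domjava/*"/>
  </UriGroup>
</Config>
"""

# Constructed sample of a file left close to its defaults: logging turned down,
# Transport pointing at the public host name on port 80, only one Uri pattern.
BAD_CFG = """<Config>
  <Log Name="C:/WebSphere/AppServer/logs/native.log" LogLevel="Error"/>
  <ServerGroup Name="default_group">
    <Server Name="domino">
      <Transport Hostname="hostname.mydomain.com" Port="80" Protocol="http"/>
    </Server>
  </ServerGroup>
  <UriGroup Name="default_host_URIs">
    <Uri Name="/*.nsf*"/>
  </UriGroup>
</Config>
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(label, "->", audit_plugin_cfg(cfg) or ["ok"])
```

Run it against c:\websphere\appserver\config\plugin-cfg.xml before restarting IIS; the bad sample produces six findings, the good one none.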
3.3 Configure Domino

3.3.1 Configure Domino to use the http port 81

In the Server Document, Ports -> Internet Ports -> Web: change the TCP/IP port number to 81.

In the Internet Protocols -> Domino Web Engine tab, configure:
    Protocol: http
    Port number: 81
    Host name:

3.3.2 Enable Domino to trust Header information

Set the notes.ini parameter:

    HTTPEnableConnectorHeaders=1

Warning: this is a dangerous thing, and from now on you should make sure your Domino server is not reachable from a web browser without going through IIS! For more details, read chapter 6.

3.4 Configure IIS

Please note, this chapter is only tested with IIS6 on Windows Server 2003 SP1.

Start IIS Manager.

3.4.1 Create Virtual Directory

Right click on your default web site and choose New/Virtual Directory.
    Alias: SePlugins
    Choose c:\websphere\appserver\Bin
    Next
    Choose Execute and deselect all else
    Next

3.4.2 Create ISAPI Filter

Choose Properties on your default web site. Select the ISAPI Filters tab. Click Add and enter iisWASPlugin in the Filter Name field. For the Executable field, click Browse, open the WebSphere bin directory, and select iisWASPlugin_http.dll.

3.4.3 Disable anonymous access to IIS

In Default Web Site/Properties/Directory Security/Authentication and Access Control/Edit, uncheck "Enable anonymous access".

3.4.4 Set method for authentication and control

In Default Web Site/Properties/Directory Security/Authentication and Access Control/Edit, make sure anonymous access is unchecked and Integrated Windows Authentication is checked!

3.4.5 Extras for IIS 6 on Windows Server 2003

(See the technote referenced above.)

Properties on Web Sites: click on Service and check the box "Run WWW service in IIS 5.0 isolation mode". OK.

Right click Web Service Extensions and add a new Web Service extension:
    Extension name: Domino
    Required files: add, and browse to the location of iisWASPlugin_http.dll
    Check the box that sets the extension status to Allowed

RESTART IIS!

4 Settings in Internet Explorer to make IWA work

You must check these three settings in Internet Explorer to make it "log in" to an IIS server with its AD credentials.

4.1 Tools/Internet Options/Advanced: "Enable Integrated Windows Authentication" must be checked.

4.2 Tools/Internet Options/Security/Custom Level: make sure the setting is "Automatic logon only in Intranet zone".

4.3 Add the URL of the IIS server (or the domain name of the server) to the Intranet zone (Tools/Internet Options/Security/Local Intranet/Sites/Advanced).
Page 19 (31) Target Document name Version Document type Date Domino community Author 0.96 Ulf Stider White paper 2007-02-08 E-mail address Phone number Status: ulf.stider@infoware.se 5 Draft What must be done in Domino Directory to make the users AD signatures translate into their Notes usernames For Domino to translate the ADname\ADusername provided in the http header by IIS/WebSphere into the user’s valid Domino credentials you must make the ADname\ADusername available to Domino. We usually put it to the end of the Username field but you should also be able to put it (last) in the ‘Short name’ field. Adname/ADusername is then replaced with the first name in your “User name” field. You also get the same group credentials as if you would log in with your Domino username. All Domino configurations in this document is written assuming you have not configured Internet Sites, however we have tested to enable Internet Sites without finding any caveats. Hopefully you will be able to use this document anyhow, the settings are the same. Note that Internet site is the preferred way to configure web access since Domino 6.0. IE-IIS-AD-Domino-LPTA-SSO-20070208.doc © Copyright Infoware Solutions Svenska AB. 2005. All rights reserved. Page 20 (31) Target Document name Version Document type Date Domino community Author 0.96 Ulf Stider White paper 2007-02-08 E-mail address Phone number Status: ulf.stider@infoware.se 6 6.1 Draft How to secure the Domino server behind IIS to make it impossible for someone to access it with spoofed IP headers Security aspects of the notes.ini parameter HTTPEnableConnectorHeaders=1 The downside of this terrific notes.ini parameter is that it makes Domino very stupid! Instead of using its well proven authentication process it translates (without authentication) the username in the http header of a request to a valid Domino username/Session/LPTA tooken. 
If bogeyman can access the domino server with a spoofed http header, it would give him the opportunity to use the Domino environment using whatever user’s credentials he would prefer! Below in this chapter we provide two methods to disallow him from this possibility as long as you have the domino server and the IIS server on the same machine (Windows server). A good reference when it comes to security and the WebSphere plug-in is Jason Hooks presentation referenced above. It explains why you must make the hidden Domino server (all servers with notes.ini setting HTTPEnableConnectorHeaders=1) inaccessible for anyone except through the WebSphere plug-in. 6.2 Separating the IIS server and the Domino server In the plugin-cfg.xml you can also configure IIS to forward nsf/NSF requests to a Domino server on another Windows server. You can also configure the WebSphere 5.x IIS plug-in to use several different Domino servers to achieve failover and possibly load balancing. It is easy to see scenarios where separating the Domino and IIS would be useful or needed. As we can see it, directing IIS plug-in to a Domino on a separate machine than the IIS server (for whatever purpose) would significantly decrease the security, unless you can make the other Domino server impossible to reach through http/https from other sources than the IIS server. The extra risk to this approach would be an attacker with a spoofed IP header (claiming the request is sent from/through the IIS server) and a spoofed http header. IE-IIS-AD-Domino-LPTA-SSO-20070208.doc © Copyright Infoware Solutions Svenska AB. 2005. All rights reserved. Page 21 (31) Target Document name Version Document type Date Domino community 0.96 Author Ulf Stider White paper 2007-02-08 E-mail address Phone number Status: ulf.stider@infoware.se Draft I guess it would be quite easy to avoid this IP header spoofing risk by configuring firewalls, Windows server, IPSEC or some other mechanism. 
Until such a method is evaluated and fits into an environment, I would not recommend pointing the IIS WebSphere plug-in to a Domino server on another Windows server!

6.3 Recommended configurations

6.3.1 Separate NICs for IIS and Domino

One way to achieve this is to follow Alex Elliot's notes.net article mentioned above. In short, it will guide you to put Domino and IIS on separate NICs on the same physical server, with Domino's NIC inaccessible from outside the server.

6.3.2 Configure Domino to only accept requests from the loopback adapter "localhost"

Another approach, used by us (Infoware Solutions Svenska AB), is to configure Domino to only answer requests from an internal loopback (soft) address, usually "localhost" / 127.0.0.1. To achieve this we have added several settings on the IIS/Domino server.

Addition to hosts file (IMPORTANT!!!):

    127.0.0.1    localhost    localhost.mydomain.com
    Your IP      Common Domino Name    Abbreviated Domino name

Change in plugin-cfg.xml:

    <Transport Hostname="localhost.mydomain.com" Port="81" Protocol="http"/>

Change at ports level in notes.ini (an extra active port, zNet, is added):

    TCPIP=TCP, 0, 15, 0
    zNet=TCP, 0, 15, 0

and

    Ports=TCPIP,zNet
and

    TCPIP_TcpipAddress=129.178.8.47
    zNet_TcpipAddress=127.0.0.1

Changes in the server document in names.nsf under Ports\Notes Network Ports:

    Port    Protocol    Notes Network    Net Address               Enabled
    TCPIP   TCP         TCPIP Network    hostname.mydomain.com     ENABLED
    zNet    TCP         hostname         localhost.mydomain.com    ENABLED

Changes in the server document in names.nsf under Basics:

    Fully qualified Internet host name: localhost.mydomain.com

Changes in the server document in names.nsf under Internet Protocols\HTTP, Basics:

    Host name(s): localhost.mydomain.com
    Bind to host name: Enabled

Changes in the server document in names.nsf under Internet Protocols\Domino Web Engine, HTTP Sessions:

    Session authentication: Multiple Servers (SSO)
    Web SSO Configuration: LtpaToken
    Generating References to this Server:
        Does this server use IIS? Protocol: http
        Host name: localhost.mydomain.com
        Port number: 81

Changes in the server document under Ports\Internet Ports, Web (HTTP/HTTPS):

    TCP/IP port number: 81
    TCP/IP port status: Enabled
    Enforce server access settings: No
    Authentication options:
        Name & password: Yes
        Anonymous: No
    SSL port number: 443
    SSL port status: Disabled
    Authentication options:
        Client certificate: No
        Name & password: Yes
        Anonymous: No

Usually we also take some extra precautions:

- Remove webadmin.nsf and webadmin.ntf
- Change notes.ini: ServerTasks=Update,Replica,AMgr,AdminP,HTTP
- Put only an empty Domino Directory on the Domino server, with Directory Assistance pointing to another server

This list could definitely be longer!!!
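After the settings in 6.3.2 are applied, the result worth verifying is that the Domino HTTP listener on port 81 exists on 127.0.0.1 and on no other address. The following script is an added example (Python, not part of the white paper) that reads the text of a Windows `netstat -ano` listing and reports every binding of the Domino port. The netstat lines embedded below are constructed for the demonstration and deliberately contain one misconfiguration: port 81 is also bound to the external address 129.178.8.47 from the notes.ini example, which is exactly the exposure chapter 6 warns about.

```python
"""Post-configuration check for the loopback-only setup in section 6.3.2.

Given the text of a Windows `netstat -ano` listing, confirm that the hidden
Domino HTTP listener (port 81 in this white paper) is bound to 127.0.0.1 and
to nothing else. Added example, not part of the white paper; the netstat
lines below are constructed and show one deliberate misconfiguration."""

import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output (Windows layout). The external
# address 129.178.8.47 is the one used in the white paper's notes.ini example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:81           0.0.0.0:0              LISTENING       2212
  TCP    129.178.8.47:81        0.0.0.0:0              LISTENING       2212
  TCP    129.178.8.47:1352      0.0.0.0:0              LISTENING       2212
  UDP    0.0.0.0:123            *:*                                    1012
"""

# One TCP LISTENING row: local address, local port, owning PID.
LISTENER_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def parse_listeners(netstat_output: str) -> List[Tuple[str, int, int]]:
    """Return (local_address, port, pid) for every TCP listener in the listing."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), int(m.group("pid"))))
    return listeners


def check_loopback_only(netstat_output: str, port: int = 81) -> Dict[str, List[str]]:
    """Classify every listener on `port`.

    "ok":  bound to 127.0.0.1, reachable only from the same machine, i.e.
           through the IIS plug-in.
    "bad": bound to 0.0.0.0, [::] or an interface address, so a request with a
           forged connector header could reach Domino without passing IIS.
    """
    result: Dict[str, List[str]] = {"ok": [], "bad": []}
    for addr, p, pid in parse_listeners(netstat_output):
        if p != port:
            continue  # 80 (IIS) and 1352 (Notes NRPC) are outside this check
        label = f"{addr}:{p} (pid {pid})"
        result["ok" if addr == "127.0.0.1" else "bad"].append(label)
    return result


def domino_is_hidden(netstat_output: str, port: int = 81) -> bool:
    """True when `port` is listening on loopback and on nothing else."""
    r = check_loopback_only(netstat_output, port)
    return bool(r["ok"]) and not r["bad"]


if __name__ == "__main__":
    report = check_loopback_only(SAMPLE_NETSTAT)
    for entry in report["ok"]:
        print("OK  ", entry)
    for entry in report["bad"]:
        print("BAD ", entry, "- Domino HTTP reachable from outside the server")
    print("Domino hidden behind IIS:", domino_is_hidden(SAMPLE_NETSTAT))
```

On a real server, pipe `netstat -ano` into the script instead of the constructed sample; the check is intentionally strict, so a wildcard binding (0.0.0.0 or [::]) on the Domino port counts as exposed even when a 127.0.0.1 binding is also present.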
7 How to configure your Domino environment to use LTPA Token for SSO between selected Domino servers

How to enable LTPA for selected Domino servers is well documented in Domino Administration.

From Domino 6.5.1, Multi-server session authentication supports an idle session timeout. This is documented in the Domino 6.5.1 release notes and is also available as Lotus knowledge base reference "1164178", "Domino HTTP idle session timeout for SSO configurations". The SSO idle timeout additionally allows the administrator to control how long the user can remain idle after logging in, i.e. how long the user is not actively accessing the SSO environment.

Be aware of the limited security LTPA tokens provide in a Domino environment not protected by https/SSL.

dotNSF has an application which extends LTPA to IIS environments and an application to renew LTPA tokens.

8 How to configure the IIS server and the first Domino server by Secure Socket Layer, SSL

As SSL is getting more widely used in internal infrastructure, it might be worth mentioning the possibility of implementing all parts of this document with the extra protection SSL provides. Under References you will find a link to a great white paper from dotNSF. Worth mentioning again (see under References above) is IBM's recommendation not to use LTPA on Domino without SSL!
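To make concrete why chapter 7 warns about LTPA without SSL and why chapter 8 repeats IBM's recommendation, here is an added example (Python, not from the white paper or from IBM) that decodes and verifies a Domino-style LtpaToken cookie. The layout it assumes is the commonly documented Domino LtpaToken v1 format: a 4-byte header 00 01 02 03, eight hex digits of creation time, eight hex digits of expiration time, the user's canonical name, and a 20-byte SHA-1 digest over all of that plus the shared secret. The secrets and the user names are constructed. The point it demonstrates: the user name and the timestamps are plaintext, and nothing in the cookie ties it to a particular client, so on an unencrypted connection anyone who reads the cookie holds a credential that the server accepts as that user until the expiration time passes.

```python
"""Decode and verify a Domino-style LtpaToken (v1 layout), to show what the
SSO cookie from chapter 7 actually carries and why chapter 8's advice to put
SSL in front of it matters: the user name and both timestamps are plaintext,
and the only protection is a SHA-1 digest over the body plus a shared secret.
Whoever holds the cookie is the user until it expires.

Added example, not from the white paper. The layout follows the commonly
documented Domino LtpaToken v1 format (assumption: 4-byte header 00 01 02 03,
8 hex digits creation time, 8 hex digits expiration time, user name, 20-byte
SHA-1). Secrets and user names below are constructed."""

import base64
import hashlib
import hmac
from dataclasses import dataclass

HEADER = b"\x00\x01\x02\x03"
DIGEST_LEN = 20  # SHA-1

# Constructed stand-ins for the LTPA_DominoSecret of a Web SSO Configuration
# document (Domino stores it base64 encoded; every participating server shares it).
CONSTRUCTED_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-not-real!").decode()
OTHER_SECRET_B64 = base64.b64encode(b"a-different-constructed-secret").decode()


@dataclass
class LtpaClaims:
    user: str
    created: int    # seconds since the epoch
    expires: int
    valid: bool     # digest matches the shared secret
    expired: bool   # judged against the `now` given to verify_token


def make_token(user: str, created: int, lifetime_seconds: int, secret_b64: str) -> str:
    """Build a token the way an issuing SSO server does (needed for a sample)."""
    body = (HEADER
            + f"{created:08X}".encode()
            + f"{created + lifetime_seconds:08X}".encode()
            + user.encode())
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode()


def verify_token(token_b64: str, secret_b64: str, now: int) -> LtpaClaims:
    """Split the cookie, recompute the digest and evaluate the expiry."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 4 + 16 + DIGEST_LEN or raw[:4] != HEADER:
        raise ValueError("not an LtpaToken v1 structure")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    created = int(body[4:12], 16)
    expires = int(body[12:20], 16)
    user = body[20:].decode()
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return LtpaClaims(user, created, expires,
                      valid=hmac.compare_digest(digest, expected),
                      expired=now >= expires)


def tampered_token(token_b64: str, new_user: str) -> str:
    """Rewrite the plaintext user name but keep the old digest (must fail verify)."""
    raw = base64.b64decode(token_b64)
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    return base64.b64encode(body[:20] + new_user.encode() + digest).decode()


if __name__ == "__main__":
    issued = 1_200_000_000                       # fixed clock for a reproducible demo
    tok = make_token("CN=Demo User/O=Constructed", issued, 30 * 60, CONSTRUCTED_SECRET_B64)
    print("cookie value :", tok)
    print("10 min later :", verify_token(tok, CONSTRUCTED_SECRET_B64, issued + 600))
    print("31 min later :", verify_token(tok, CONSTRUCTED_SECRET_B64, issued + 31 * 60))
    print("renamed user :", verify_token(tampered_token(tok, "CN=Admin/O=Constructed"),
                                         CONSTRUCTED_SECRET_B64, issued))
```

The digest stops anyone from editing the name or extending the expiration, but it does nothing against replay of an intact cookie; that is what SSL on the path between browser, IIS and Domino buys, and why a short expiration together with the 6.5.1 idle timeout limits the damage when a cookie does leak.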
9 Gotchas and hints

9.1 Logging

In the XML file of the plug-in you can change the log level to TRACE; this gives very good information on what is going on. The logging is done into a file under c:\websphere\logs\. For performance reasons it has been recommended to keep it disabled when the solution is in operation.

NT's Event Viewer is also a valuable source on the status of the plug-in.

Slide 33 in Jason Hooks' presentation referenced above is a good scheme if the plug-in doesn't load.

To verify your WebSphere dll has loaded well within IIS, look for this passage in native.log: XXX. Until you get this working

9.2 Error messages in native.log and Internet Explorer

Assuming you have activated verbose logging and got the dlls running (see in 3.2.2.1 what it should look like in native.log), you can still get other errors in native.log and Internet Explorer, for example "bad request" or authentication errors.

Example of an error in Internet Explorer:

You are not authorized to view this page
You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept.
Please try the following:
• Contact the Web site administrator if you believe you should be able to view this directory or page.
• Click the Refresh button to try again with different credentials.
HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration.
Internet Information Services (IIS).
When we have got these kinds of errors they seem to have been related to:

9.2.1 Non-matching IP configurations

Please check your hosts file and Domino configuration to verify that the hostnames match your xml file. In particular we have had problems when we used localhost and localhost.mydomain.com at the same time but in different places.

9.2.2 Bad IIS security configuration

Start IIS Manager and verify your settings. See Default Web Site/Properties/Directory Security/Authentication and Control/Edit. Make sure anonymous access is unchecked and Integrated Windows Authentication is checked!

9.2.3 Wrong path for the Virtual Directory

See 3.4.1 and make sure your directory for SePlugins points to c:\websphere\appserver\Bin.

9.3 Browser wants to download nsf files

One problem I experienced before getting everything (!?) together was the browser wanting to download nsf files instead of opening them. The reason was that the traffic didn't go through the plug-in to Domino; instead IIS was pointing right at the Domino\Data directory. Go back to appendix C in the referenced Redbook!

9.4 Windows login dialog

Did you try a database on the server, for example server.localdomain.com/names.nsf?

If you get a Windows login dialog when opening a URL on Domino through IIS, something is probably wrong in your IE settings: first make sure you are logged into the correct AD, and secondly go through chapter 4 above again.
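Section 9.2.1 comes down to three files having to agree: the hosts file, the Transport element in plugin-cfg.xml and the port lines in notes.ini from section 6.3.2. The script below is an added example (Python, not from the white paper) that parses all three and reports where they disagree. Its inputs are constructed fragments modelled on the paper's own settings; the plugin-cfg.xml fragment deliberately uses the short alias localhost while Domino is set to bind to localhost.mydomain.com, which is the mixed-name situation 9.2.1 describes. The parameters domino_bind_host and domino_http_port are the values of the server document's HTTP host name and port (localhost.mydomain.com and 81 in this paper).

```python
"""Consistency check across the three files section 6.3.2 edits: the hosts
file, the Transport element in plugin-cfg.xml and the port settings in
notes.ini. Section 9.2.1 traces "bad request"/authentication errors to these
not agreeing (typically localhost in one place and localhost.mydomain.com in
another). Added example, not from the white paper; the three inputs are
constructed fragments modelled on the paper's own settings."""

import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# --- constructed inputs -----------------------------------------------------
HOSTS = """\
# constructed hosts file (section 6.3.2 layout)
127.0.0.1     localhost   localhost.mydomain.com
129.178.8.47  hostname.mydomain.com   hostname
"""

# Deliberate mismatch: the plug-in uses the short alias while Domino is
# configured to bind to the fully qualified name.
PLUGIN_CFG = """\
<Config>
  <ServerCluster Name="DominoCluster">
    <Server Name="Domino">
      <Transport Hostname="localhost" Port="81" Protocol="http"/>
    </Server>
  </ServerCluster>
</Config>
"""

NOTES_INI = """\
Ports=TCPIP,zNet
TCPIP=TCP, 0, 15, 0
zNet=TCP, 0, 15, 0
TCPIP_TcpipAddress=129.178.8.47
zNet_TcpipAddress=127.0.0.1
HTTPEnableConnectorHeaders=1
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every host name (lower-cased) to its IP, ignoring comments."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table


def parse_transports(xml_text: str) -> List[Tuple[str, int, str]]:
    """Return (hostname, port, protocol) for every Transport element."""
    root = ET.fromstring(xml_text)
    return [(t.get("Hostname", ""), int(t.get("Port", "0")), t.get("Protocol", ""))
            for t in root.iter("Transport")]


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal notes.ini reader: KEY=value, split on the first '=', values kept verbatim."""
    ini: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith(";"):
            key, value = line.split("=", 1)
            ini[key.strip()] = value.strip()
    return ini


def check_config(hosts_text: str, plugin_xml: str, notes_ini: str,
                 domino_bind_host: str, domino_http_port: int) -> List[str]:
    """Return human-readable findings; an empty list means the three agree.

    domino_bind_host is the server document's HTTP host name with
    "Bind to host name" enabled (localhost.mydomain.com in the paper)."""
    findings: List[str] = []
    hosts = parse_hosts(hosts_text)
    ini = parse_ini(notes_ini)

    # notes.ini: at least one active port must sit on the loopback address,
    # otherwise a server that trusts connector headers is reachable from outside.
    active_ports = [p.strip() for p in ini.get("Ports", "").split(",") if p.strip()]
    loopback_ports = [p for p in active_ports if ini.get(f"{p}_TcpipAddress") == "127.0.0.1"]
    if ini.get("HTTPEnableConnectorHeaders") == "1" and not loopback_ports:
        findings.append("notes.ini: HTTPEnableConnectorHeaders=1 but no active port is bound to 127.0.0.1")

    for host, port, proto in parse_transports(plugin_xml):
        ip = hosts.get(host.lower())
        if ip is None:
            findings.append(f"plugin-cfg.xml: Transport host {host} is not in the hosts file")
        elif ip != "127.0.0.1":
            findings.append(f"plugin-cfg.xml: Transport host {host} resolves to {ip}, not to loopback")
        if port != domino_http_port:
            findings.append(f"plugin-cfg.xml: Transport port {port} differs from Domino HTTP port {domino_http_port}")
        if host.lower() != domino_bind_host.lower():
            findings.append(f"plugin-cfg.xml: Transport host {host} differs from Domino bind host name "
                            f"{domino_bind_host} (the 9.2.1 mismatch)")
    return findings


if __name__ == "__main__":
    for f in check_config(HOSTS, PLUGIN_CFG, NOTES_INI, "localhost.mydomain.com", 81) or ["no findings"]:
        print(f)
```

Run against the real files by reading them into the three string arguments; the first finding to fix is always the notes.ini one, since a Domino server trusting connector headers while listening on a routable address is the exposure chapter 6 is about, whereas the name mismatch only costs you a working login.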
9.5 Lotus login dialog

I have got this in two different ways:

1. Something is probably wrong in your Domino configuration:
   - did you forget the notes.ini setting?
   - is your ADname\ADusername not available in your person document?
2. When Anonymous access is not disabled in IIS (see 3.4.3 above). In this scenario I guess IIS just lets you through without checking who you are, resulting in an anonymous header!
3. Wrong ini parameter; the correct syntax is HTTPEnableConnectorHeaders=1

9.6 Unexpected results during testing of person document content

During testing of what and where to put the ADname\ADusername in the person document, we have experienced situations where we have added and removed the ADname\ADusername from a person document without experiencing the expected results; the reason seems to have been caching in the Domino server. Rebooting the server should correct things, but you could also try this Domino server console command a couple of times:

    sh nlcache re

Please note, this is a very strong command with several other implications for the running Domino server; we don't recommend it in a production environment without very good reason.