Specifications
Lotus Redbooks Wiki – IBM Lotus Notes and Domino V8.5 Deployment Guide
172
Admin Shared Login
In order to understand the best practices of implementing Notes Shared Login, you need to know how it
works.
Notes Shared Login relies on the Windows credentials used to authenticate on the workstation. These
credentials are used to unlock the Notes ID file, so when the user signs on to Windows and then launches the
Notes client, there is no password prompt and no need to synchronize passwords. Once the Notes ID is
unlocked, it still authenticates against Domino using the client/server certificate-based authentication, just
like before. The Notes ID file itself is not altered, only better protected. To protect ID files that are Notes
Shared Login-enabled, the Windows Data Protection API (DPAPI) is used.
When an ID file is configured for Notes Shared Login, a complex "secret" is generated to protect it. Then, it
is encrypted with DPAPI using additional application-specific entropy. The encrypted "secret" is then saved
in the Windows user’s profile directory. The Notes ID file is encrypted with a bulk key which is derived from
the "secret", then saved.
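As an added illustration (not the product's own code), the following PowerShell models the protection scheme just described: a random secret is DPAPI-protected for the current Windows user with application-specific entropy and stored under the user's profile, a bulk key is derived from the secret, and the ID file is encrypted with that key. The entropy value, the SHA-256 derivation and AES-CBC are assumptions standing in for the unpublished real details, and the ID file content is constructed.

```powershell
Add-Type -AssemblyName System.Security
$Scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Placeholder for the client's application-specific entropy (the real value is not published here).
$AppEntropy = [Text.Encoding]::UTF8.GetBytes('placeholder-application-entropy')

function New-ProtectedSecret([string]$SecretPath) {
    # Generate a random 32-byte "secret", DPAPI-protect it for the current Windows user
    # with the extra entropy, and store the encrypted blob under the user's profile.
    $secret = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secret)
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $AppEntropy, $Scope)
    [IO.File]::WriteAllBytes($SecretPath, $blob)
    return $secret
}

function Get-BulkKey([byte[]]$Secret) {
    # Derive the bulk key from the secret; SHA-256 is an assumed stand-in for the real derivation.
    return [System.Security.Cryptography.SHA256]::Create().ComputeHash($Secret)
}

function Protect-IdFile([string]$IdPath, [byte[]]$BulkKey) {
    # Encrypt the ID file with the bulk key (AES-256-CBC with the IV prepended, as an illustration).
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $BulkKey; $aes.GenerateIV()
    $plain = [IO.File]::ReadAllBytes($IdPath)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    [IO.File]::WriteAllBytes("$IdPath.protected", [byte[]]($aes.IV + $cipher))
}

function Unprotect-Secret([string]$SecretPath) {
    # Recover the secret. DPAPI in CurrentUser scope fails for a different Windows account,
    # a different machine or a reset profile, which is why an ID backup procedure is essential.
    $blob = [IO.File]::ReadAllBytes($SecretPath)
    try {
        return [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $AppEntropy, $Scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        Write-Warning "DPAPI could not unprotect the secret: $($_.Exception.Message)"
        return $null
    }
}

# Demonstration on a constructed dummy ID file.
$idPath = Join-Path $env:TEMP 'example-user.id'
[IO.File]::WriteAllBytes($idPath, [Text.Encoding]::ASCII.GetBytes('constructed dummy ID file content'))
$secretPath = Join-Path $env:APPDATA 'example-nsl-secret.bin'
$secret = New-ProtectedSecret -SecretPath $secretPath
Protect-IdFile -IdPath $idPath -BulkKey (Get-BulkKey $secret)
$recovered = Unprotect-Secret -SecretPath $secretPath
if ($recovered -and ([Convert]::ToBase64String($recovered) -eq [Convert]::ToBase64String($secret))) {
    'Secret round-trip OK: the same bulk key can be derived and the ID file unlocked'
}
```

Running the same script as a different Windows account, or against a copy of the secret blob taken to another machine, makes Unprotect-Secret fail, which is the failure mode the backup recommendations later in this section address.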
Once Notes Shared Login is functional, all password management tasks are controlled via Windows
policies, and all Domino password policies in place are ignored.
Notes Shared Login is configured using Security policy settings, specifically under the Password
Management tab, in the Notes Shared Login tab. There are four (4) possible configurations when you
deploy Notes Shared Login:
Notes Shared Login is
• Disabled and users cannot change the Notes Shared Login state
• Enabled and users cannot change the Notes Shared Login state
• Initially disabled and users can change the Notes Shared Login state via User Security preferences
• Initially enabled and users can change the Notes Shared Login state via User Security preferences.
Best Practices for enabling Notes Shared Login
Here are some best practices to consider if you choose to deploy Notes Shared Login.
Have an ID backup system or procedure in place to recover ID files
Because the ID file is closely integrated with the Windows credentials and the workstation used, it is strongly
recommended to back up these Notes Shared Login-enabled ID files. Here are some suggestions:
• Notes ID Vault (recommended)
  - It is designed to work together with Notes Shared Login
  - It allows the provisioning of ID files and the recovery of lost/damaged ID files
  - Free - part of the Domino server product
• ID Recovery database
  - This feature has existed since Domino R5 and is still present in 8.5
  - No enhancements are planned for future releases
  - ID Recovery must be configured in every certifier (OUs, O) in order to send updated IDs to
    the recovery database
• Third-party or custom system
  - Use of third-party solutions
  - Scripts that copy the local ID file to a network share
  - User maintenance process (manual)