SSO from Share Point application to the IBM Lotus Domino server - sharepoint-2010

I need to use the .Net token (or FedAuth cookie) to get into Domino with credentials from Active Directory.
The same need is described in:
Lotus Notes and c# SSO.
Internet users are logged in to a SharePoint application and have to open a form in Domino.
My Domino server is configured with Assistant Directory; the users are managed in Active Directory and not in names.nsf. This works well. I can make a POST to automatically log in a user from the AD.
But SharePoint doesn't have the user's password! Ideally it would be cool to POST the cookie... or run an agent that will query the Active Directory in the back end with the cookie to verify it. Is there a way to do this?
My Domino is 8.53, so I can't use SAML (if someone has done this with Domino 9.0 I would be pleased to know :-).

There is an SSO using SPNEGO which can be set up on Windows-based Domino servers.
More information about it can be found in the Domino Administration help (the steps are very well documented) and here:
Wiki: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment
Basically the steps to enable this are (details in the Notes admin help and the linked document):
Set an SPN on your Windows server (to allow this server to pass Kerberos tickets to the AD)
Enable SSO on the Internet Site / Server doc
In the SSO configuration: add all servers you will need SSO for and enable Windows-based SSO
Add a name mapping to your Person docs (Kerberos Principal Name field) and set the notes.ini entry WIDE_SEARCH_FOR_KERBEROS_NAMES=1 on your Domino server to include this field in the name lookup
Configure browser: IE: trusted sites (add your host names), Firefox: add domino host to network.negotiate-auth.trusted-uris
Hope that helps - Michael

You could generate your own Domino LTPA token (cookie) from SharePoint upon login. As long as the domains are set up OK, the browser should pass this to the Domino server and automatically log them in.
Feel free to contact me directly if you need specific help.
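A worked illustration of the token approach in the answer above, added here as an example (it is not code from the original post or from IBM): it mints and verifies a cookie using the publicly documented Domino LtpaToken v1 layout (4 version bytes, creation and expiry times as 8 hex characters each, the canonical user name, then a SHA-1 over that body plus the base64-decoded LTPA_DominoSecret from the SSO configuration document). The secret value and user name below are constructed for the demo, and the verify side is what the Domino server effectively does when it receives the cookie.

```python
import base64
import hashlib
import hmac

# Constructed demo secret. In a real deployment this is the base64
# LTPA_DominoSecret string from the Domino SSO configuration document
# (shared by every server in the SSO domain, so it must stay confidential).
DEMO_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-not-real").decode()

HEADER = b"\x00\x01\x02\x03"  # LtpaToken v1 version bytes
DIGEST_LEN = 20               # SHA-1 output appended to the body


def mint_ltpa_token(user: str, secret_b64: str, created: int, lifetime_s: int = 1800) -> str:
    """Build a Domino LtpaToken (v1 layout) for a canonical user name such as CN=.../O=..."""
    secret = base64.b64decode(secret_b64)
    body = (HEADER
            + f"{created:08X}".encode()                # creation time, epoch seconds as hex
            + f"{created + lifetime_s:08X}".encode()   # expiry time, epoch seconds as hex
            + user.encode("utf-8"))
    digest = hashlib.sha1(body + secret).digest()      # plain SHA-1 over body + secret
    return base64.b64encode(body + digest).decode()


def verify_ltpa_token(token: str, secret_b64: str, now: int):
    """Return the user name if the token is well-formed, unexpired and its digest
    matches the shared secret; otherwise return None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < len(HEADER) + 16 + DIGEST_LEN or raw[:4] != HEADER:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):      # constant-time comparison
        return None
    try:
        created, expires = int(body[4:12], 16), int(body[12:20], 16)
    except ValueError:
        return None
    if not created <= now < expires:                   # reject expired / not-yet-valid tokens
        return None
    return body[20:].decode("utf-8")
```

If SharePoint mints the cookie, it must use the same LTPA_DominoSecret and the canonical Domino name that the Directory Assistance lookup resolves the AD user to, and the cookie's domain attribute must cover both hosts.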

Related

Recognize a user from the windows active directory it's connected to

I would like users inside an organization to connect automatically to a site hosted on a server, without needing to enter credentials.
The server the site is hosted on uses a certain AD (Active Directory), with credentials other than those used in the organization's AD and known to the Windows accounts they log in to in the office.
I heard about LDAP over SSL (LDAPS) but am not certain that is what I need, and not sure how to implement it.
The site is written with ASP.NET Core 5.
Can anyone help me understand if it is what I need, or suggest a different solution?
Thanks in advance!

Apache: Microsoft Azure and SSO Auth

Is it generally possible to have Microsoft Azure in the background act as an SSO authentication server for Apache auth?
The example is:
There are many users inside the Microsoft Azure
I have a Webpage on a Linux server served by Apache2
The webpage should be protected (exactly like basic-auth) by Azure (via SSO)
If the user is signed in to Azure and has rights, he can see the website.
If the user is not signed in, he will be redirected to Azure's login page and after a successful login will be sent back to the webpage.
Is this generally possible?
If so, what technologies/modules do I have to use for Apache in order to speak with Azure?
Thanks for any hints towards the right direction.
Update
The Azure server is already fully configured. I just need to sort out the end on Apache.
I think what you are looking for is Azure Active Directory. It is an Identity as a Service product that supports modern protocols like OAuth and OpenID Connect. There's a client SDK called ADAL (Active Directory Authentication Library), but since these are standard protocols, you can integrate with other standards-based authentication libraries. For example, the node.js tutorial shows how to use passport.
You didn't mention what web stack you are using but it's most likely listed here:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-developers-guide/
On a side note: if you can host your app on Azure Web App Service, then it has built-in integration with Azure Active Directory, so you can add a layer of authentication on top of your website without modifying your application code.
More info on that here: https://azure.microsoft.com/en-us/documentation/articles/app-service-mobile-how-to-configure-active-directory-authentication/

Login page is skipped in Lotus Notes

I work on a web-based application in Lotus Notes. Suddenly, the login page is skipped and it goes directly to the functionality. What may be the reason? Is it a settings issue?
Two possible reasons:
You have granted the "Anonymous" user access to the application.
Verify the ACL of the database.
You have some sort of SSO solution in your company that logs you in automatically (LTPA token on the IBM WebSphere plugin for IIS, for example).
I assume you are testing your application on an actual Domino server, and are not using the "preview" function of Domino Designer.

Always error authenticating through ADFS 2.0

I've managed to set up two virtual machines on my local Windows 7 laptop. Both of them are Windows Server 2008 R2. One acts as the Active Directory Domain Controller and also as Active Directory Federation Services, and the other as the web app server. This second one is where I've set up my claims-aware ASP.NET MVC web application, and I also plan to set up ThinkTecture Identity Server later as my way to authenticate against custom usernames and passwords outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include:
Configure the first server as Domain Controller and add a domain account store (add a user for testing -> this user belongs to the Domain Users group).
Configure the first server also as Active Directory Federation Services.
Configure the relying party trust identifier from the federation metadata generated by FedUtil.exe on the second server.
Configure the group claim mapping and assign Domain Users to this group.
Configure the web apps server to be a claims-aware agent.
The one thing that's always troubled me is that every time I access my apps, it successfully prompts a login dialog box. Once I enter my AD account and password, it always gives me the following error message: "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work? Any suggestions and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see a list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS, so I suspect it's something to do with your RP configuration.
Just to check: you are using ADFS 2.0, which you downloaded?

Accessing an application in XPages with Lotus connections using the same authentication

I'm trying to access an e-mail from Lotus Connections through a link to iNotes, but when I click on the link I am redirected to the login page of iNotes and it does not take the same authentication as Lotus Connections. How do I prevent this? Is there also a solution if, instead of iNotes, I use an XPages application that requires authentication?
This is a server administration issue.
You will need to make sure that you have Single Sign-On set up across both the Domino server and the IBM Connections server. Once the LTPA keys have been exported from IBM Connections and then imported into Domino, and both servers are in the same domain, then authentication is automatic.
When the user is logged into Connections and clicks a link that brings them to the Domino server, the LTPA SSO will kick in and automatically authenticate them, and vice versa.
In addition to what Declan writes, here is some information if you want to use SSO between server-side XPages code and IBM Connections: http://www.openntf.org/blogs/openntf.nsf/d6plinks/NHEF-8TY9EV