What are Notes ID files, and how are they different from regular computer accounts?

To My Readers:

Over the years that I have been writing technical tips for SearchDomino.com, I have operated under an unstated assumption. My premise was that readers have been with SearchDomino.com throughout the life of my column, so I should make sure to not revisit any previous topics. Instead, I should explore new ground each month and raise the technical level of my tips as readers learn along with me. A recent conversation with the Editor of this Web site let me know that this assumption was not entirely true. There is a range of readership experience on the site. In fact, many readers of SearchDomino.com were recently thrown into a job role that requires them to manage a Notes/Domino system, and they come to this site looking for basic help.

Based on this new model of reader interests, I will begin to alternate my tips between advanced and beginner topics. I will also indicate, at the top of each tip, the technical level of that column, so readers can more easily skim for information they want to read.

-- Chuck Connell

What are Notes ID files, and how are they different from regular computer accounts?

Keywords: Notes, ID, account, username, password
Technical Level: Beginner

View member feedback to this tip.

One of the biggest differences between a Notes/Domino system and other software systems is the nature of user accounts. By "user accounts" I mean the list of people who are allowed to use the system, and the username and password they must supply in order to do so. On most computer systems (e.g., all flavors of Unix) there is a centrally stored list of usernames and passwords. The passwords are, of course, encrypted, so that when people look at this list, they cannot easily steal all of the passwords. When you want to log on to this kind of computer system, you type in your username and password. The software compares what you typed to the central list of accounts, and decides whether to let you in. This stan

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Domino How to turn off the message recall feature in Lotus Notes 8 What is Notes 8.5's DAOS (Domino Attachment and Object Storage) feature? SaaS and collaboration set the stage at Lotusphere Top 10 Lotus Notes/Domino administration tips of 2008 How to upgrade to Lotus Notes 8 and retain Lotus Notes 7 Five Domino domain default server settings you should change and why How DirLint verifies data in Lotus Notes Domino 8 directories An introduction to Lotus Notes password options and essentials Tivoli Directory Integrator synchronizes Notes Domino 8 directories Setting up RSS feeds in Lotus Notes Domino 8 Lotus Notes Domino User Settings Secure Lotus Notes/Domino 8.x from mail to unknown recipients How to turn off the message recall feature in Lotus Notes 8 Domino server setting and email policy tricks admins must know Top 10 Lotus Notes/Domino administration tips of 2008 Synchronize LinkedIn contacts with Lotus Notes Domino Setting up local replication of a Lotus Notes database for offline employees Secure Microsoft Excel spreadsheets with LotusScript Programmatically create a shortcut for Lotus Notes How to create a comments field for Lotus Notes documents The truth about AutoSave in Lotus Notes/Domino 7

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

dard model is so ubiquitous that many computer administrators assume that all software operates in this way.

In fact, the Lotus Notes product does not manage user accounts this way at all. Many beginning Notes administrators have been tripped up by this difference. For the Notes workstation software, the user's account name and password are stored in a small separate file, called the Notes ID file. This file can be anywhere: on the user's C drive, on a network folder, on a USB key. When someone wants to log on to Notes, the Notes software opens the last-used Notes ID file. The user is prompted to enter a password. Notes compares the password entered to the password stored within that Notes ID file. If they match, the user is authenticated. In this account model, the user does not interact with the Domino server, only with Notes as it accesses a local ID file. If a user wants to log on as someone else (rather than the last-accessed ID) the user can tell Notes to open a different ID file during the log-on process.

As usual, there are a few technical details that complicate this basically simple description.

Nevertheless, the basic idea of a local ID file, which contains its own password, is central to understanding Notes user accounts, and is quite different from traditional account models.

It is important for administrators to be aware of one consequence of this account model -- it is possible for a single person to have more than one Notes ID file, each with a different password. Of course, this complicates logging on and reduces security, so it is not usually desirable to have multiple IDs with different passwords. But administrators should be aware that this possibility exists.

I will add one caveat to be complete. Within a Domino server, there is a set of traditional usernames and passwords. These accounts are used when someone accesses the Domino system directly from an Internet protocol (usually a Web browser). In this case, the Notes workstation software is not used, so the Notes ID file is not used. Domino Web accounts do use a standard, centrally stored username/password pair. But the Notes workstation software does not; it uses the Notes ID file with its own internal password.

For more information see:

Overview of Notes/Domino security, Iris Today, September 2001.
Links page on DominoSecurity.org. This is a Web site that I maintain.

Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.

Thanks for explaining Notes ID files. However, you don't explain the advantages of the Notes system compared to UNIX. Lots of Notes users complain about not being able to log in without their ID files (especially roaming users on R5).

Also I didn't get your third point:

"Domino contains options to force Notes to authenticate with the server for every user log on, as a way to increase security."

You probably mean that all ID files need to have the same password. Anyway it needs more explanation, I think.

—Thilo H.

******************************************

Thanks for your comments. Notes IDs have a large advantage over Unix/mainframe passwords. With a traditional computer account, you only need one thing in order to log in to someone's account -- the password. With Notes, you need two things -- the ID file and its password. So Notes is "two-factor authentication." It is similar to a smartcard in this sense.

Regarding the sentence "Domino contains options to force Notes to authenticate with the server," I am referring to the options "check public keys" and "check passwords." Both of these options cause the server to compare information in the user's ID file with information stored on the server. So they provide an additional level of checking on the validity of the ID file.

—Chuck Connell, tip author

Do you have comments on this tip? Let us know.

Please let others know how useful it is via the rating scale below. Do you have a useful Notes/Domino tip or code to share? Submit it to our monthly tip contest and you could win a prize and a spot in our Hall of Fame.

Rate this Tip To rate tips, you must be a member of SearchDomino.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.