An introduction to Lotus Notes password options and essentials

Get an introduction to Lotus Notes and Internet passwords and how they interact with the Domino Directory to secure your Lotus Notes Domino environment.

There are a few different passwords and options available to secure Lotus Notes Domino. Educating end users about these options can help tighten Lotus Notes security and reduce help desk calls. This tip introduces some essential Lotus Notes password choices that Domino administrators can pass along to their end users.

The first option is the Lotus Notes password, which is stored in the ID file. This password protects the contents of the ID file and authenticates the user to the Lotus Notes client and the Lotus Domino server. The Internet password is the second that many Lotus Notes users employ. This is a different password that's stored in the Domino Directory. It's used when logging onto a Domino-based website or webmail (iNotes).

The Lotus Notes password

Lotus Notes users must enter their passwords when logging onto the system.

After a password is entered, the Lotus Notes client validates it. When the password is entered correctly, the Notes client will unlock the ID file and the certificates within automatically. It then provides the user's credentials to any Domino server that the user tries to access. When enabled by the Notes/Domino administrator, the Domino server will validate the user's password against a copy of that user's password.

Upon matching the user's password with the one that's stored in the Domino Directory, the Notes client will continue the logon process. When a difference is detected between these passwords, a user will receive the following prompt:

You have a different password on another copy of your ID file and you must change the password on this copy to match.

This prompt is meant to protect the user from someone else using an older version of the user's ID file and password to access the Lotus Domino server. It may also appear when the same user works with multiple copies of the ID file (e.g., on the office PC and on a home PC). In this case, the user can simply change the password on the current ID file to match the password on the other, which restores access to the Domino server.
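The password check described above, modeled in Python as an added example (not code from the article or from Notes/Domino). The class and function names, the sample user and passwords, the PBKDF2 verifier, and the rule that a password change on one copy updates the directory record are assumptions made for illustration; the page does not describe Domino's actual storage format.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MISMATCH_PROMPT = ("You have a different password on another copy of your ID file "
                   "and you must change the password on this copy to match.")

def digest(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for whatever verifier the directory keeps.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class IdFileCopy:               # hypothetical model of one copy of an ID file
    owner: str
    password: str               # each copy is protected by its own password

@dataclass
class Directory:                # hypothetical model of the server-side record
    check_enabled: bool = True  # the administrator's password-checking switch
    records: dict = field(default_factory=dict)

    def store(self, owner: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[owner] = (salt, digest(password, salt))

    def matches(self, owner: str, password: str) -> bool:
        salt, stored = self.records[owner]
        return hmac.compare_digest(stored, digest(password, salt))

def logon(copy: IdFileCopy, typed: str, directory: Directory) -> str:
    if not hmac.compare_digest(typed.encode(), copy.password.encode()):
        return "ID file stays locked"          # client-side check fails first
    if directory.check_enabled and not directory.matches(copy.owner, typed):
        return MISMATCH_PROMPT                 # copy unlocks, server check differs
    return "access granted"

def demo() -> list:
    d = Directory()
    office = IdFileCopy("Jane Doe/Acme", "spring-2008")  # constructed sample data
    home = IdFileCopy("Jane Doe/Acme", "spring-2008")
    d.store(office.owner, "spring-2008")
    office.password = "autumn-2008"            # password changed on the office copy
    d.store(office.owner, "autumn-2008")       # assumed: directory record follows
    out = [logon(office, "autumn-2008", d),    # current copy
           logon(home, "spring-2008", d)]      # other copy still has the old one
    home.password = "autumn-2008"              # user changes this copy to match
    out.append(logon(home, "autumn-2008", d))
    stale = IdFileCopy("Jane Doe/Acme", "spring-2008")   # e.g. an old backup copy
    d.check_enabled = False                    # administrator has not enabled it
    out.append(logon(stale, "spring-2008", d)) # accepted when checking is off
    return out
```

The last result shows what the administrator setting buys: with checking disabled, an outdated copy of the ID file with its old password is treated like the current one.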

The Internet password

Because a Lotus Notes user's Internet password must be available at all times, it is stored in the Domino Directory. This is a completely different concept from the Lotus Notes password, which must be available to the Notes client even when it is not connected to a Domino server at all, for example when the user is working on an airplane. Storing the two passwords in different places, with different options, can be very beneficial. The Internet password is also the password that other systems use through LDAP.

When a user enters a Domino-based website like iNotes, the Domino server will ask for a username and password. After the username has been found in the Domino Directory, the password provided will be checked against a securely stored version of the Internet password that the Notes user has chosen. When the correct credentials are provided, the user can access the Domino server.

User security options

Lotus Notes users can change their passwords by selecting: File -> Security -> User Security and providing their password at the prompt. This opens the user security dialog. Lotus Notes users then can perform the following tasks:

Note: The administrator can disable some of these options.

Changing the password

This option changes the Lotus Notes password. The Internet password can be changed from a Web page, synchronized with the Notes password, or changed manually by an administrator.

Here, users are asked for their current password, and have the opportunity to enter a new password. This also enables users to upgrade the Encryption Strength used to secure the ID file.

Currently 256-bit AES is the most secure option available (Notes 8 and higher versions only).

Securing the password and public keys

When a Notes user suspects his password is no longer secure, this option provides the user with a chance to strengthen his password. The most important step is to change the password. Among the other options is the possibility to create new public keys.

Set the Internet password options

Setting the Internet password depends on the options that the local Notes/Domino administrator provides. When the administrator has configured the Internet password to match the Lotus Notes password, a Notes user can disable that option. When the admin has not provided this option, the user may choose to configure the password on his own.

Allow password sharing with a Notes add-on product

This option is generally used to synchronize Lotus Notes with mobile devices. It allows third-party add-ons to automatically access a Lotus Notes/Domino environment.

For example, a mobile device synchronization tool may need to access a Domino server to synchronize a user's calendar. When this option is disabled, the user is asked for his password when the third-party software tries to access the ID file.

Configure the Notes client to use the operating system login

This option is only available if the Lotus Notes Single Logon service was installed when the Notes client was installed. It allows the Notes client to start without asking the user for his Lotus Notes password.

Note: This only occurs when the Microsoft Windows and Lotus Notes passwords are exactly the same. Otherwise, the user is notified that the passwords do not match.

The user is provided with an option to change the Lotus Notes password to match the Windows password after he has successfully logged onto Lotus Notes with the current (non-matching) password. This will bring both passwords into sync and enable a single logon for Lotus Notes.

Any password changes made in Lotus Notes or Microsoft Windows will also be synchronized to the other, except password changes forced from the Windows login (e.g., when a password has expired). Future versions of Lotus Notes will create a central ID vault to solve this.

ABOUT THE AUTHOR:   
Fred Janssen
Fred Janssen is a principal administrator with more than 13 years' experience in the Lotus Notes/Domino environment. He is currently employed as a Notes/Domino consultant with Eniac Essentials in the Netherlands. Fred frequently presents to local Notes/Domino user groups and also teaches similarly minded courses. He can be reached at fjs872@gmail.com.

This was first published in August 2008
