There are a few different passwords and options available to secure Lotus Notes Domino. Educating end users of these options can help tighten Lotus Notes security and reduce help desk calls. This tip introduces some essential Lotus Notes password choices that Domino administrators can pass along to their end users.
The first option is the Lotus Notes password, which is stored in the ID file. This password protects the contents of the ID file and authenticates the user to the Lotus Notes client and the Lotus Domino server. The second password that many Lotus Notes users employ is the Internet password. This is a different password that is stored in the Domino Directory. It is used when logging onto a Domino-based website or webmail (iNotes).
The Lotus Notes password
Lotus Notes users must enter their passwords when logging onto the system.
After a password is entered, the Lotus Notes client validates it. When the password is entered correctly, the Notes client automatically unlocks the ID file and the certificates within it. It then provides the user's credentials to any Domino server that the user tries to access. When enabled by the Notes/Domino administrator, the Domino server additionally validates the user's password against a copy of that user's password stored in the Domino Directory.
Upon matching the user's password with the one that's stored in the Domino Directory, the Notes client will continue the logon process. When a difference is detected between these passwords, a user will receive the following prompt:
You have a different password on another copy of your ID file and you must change the password on this copy to match.
This prompt is meant to protect the user from someone else using an older copy of the user's ID file, and its old password, to access the Lotus Domino server. It may also appear when the same user works with multiple copies of the ID file (i.e. one on the office PC and one on a home PC) and changes the password on only one of them. In this case, the user can simply change the password on the current ID file to match the password on the other copy -- regaining access to the Domino server.
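The server-side password check described above, as an added illustration that is not Lotus Notes code: a simplified model in which the directory keeps a salted digest of the Notes password (the SHA-256 digest, the user name and the passwords are assumptions constructed for the example), so a second ID copy that still carries the old password triggers the mismatch prompt until its password is changed to match.

```python
import hashlib
import secrets

MISMATCH_PROMPT = ("You have a different password on another copy of your ID file "
                   "and you must change the password on this copy to match.")


def digest(password: str, salt: str) -> str:
    # Assumption for the model: the directory never holds the clear-text password.
    return hashlib.sha256((salt + password).encode()).hexdigest()


class PersonDocument:
    """Directory entry with the digest the server compares against (constructed model)."""
    def __init__(self, password: str):
        self.salt = secrets.token_hex(8)
        self.notes_digest = digest(password, self.salt)


class IDFileCopy:
    """One copy of a user's ID file; only the local password matters here."""
    def __init__(self, password: str):
        self.password = password


def authenticate(directory: dict, user: str, id_copy: IDFileCopy, entered: str) -> str:
    if entered != id_copy.password:
        return "ID file not unlocked"          # client-side check fails first
    doc = directory[user]
    if digest(entered, doc.salt) != doc.notes_digest:
        return MISMATCH_PROMPT                 # server detects a stale ID copy
    return "access granted"


def change_password(directory: dict, user: str, id_copy: IDFileCopy, old: str, new: str) -> bool:
    if id_copy.password != old:
        return False
    id_copy.password = new                     # update this ID copy ...
    doc = directory[user]
    doc.notes_digest = digest(new, doc.salt)   # ... and the copy the server checks
    return True


def two_copies_scenario() -> list:
    user = "Example User/Example"              # constructed name
    directory = {user: PersonDocument("winter-pw")}
    office, home = IDFileCopy("winter-pw"), IDFileCopy("winter-pw")
    change_password(directory, user, office, "winter-pw", "spring-pw")
    results = [authenticate(directory, user, office, "spring-pw"),
               authenticate(directory, user, home, "winter-pw")]      # stale copy
    change_password(directory, user, home, "winter-pw", "spring-pw")  # resync home copy
    results.append(authenticate(directory, user, home, "spring-pw"))
    return results
```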
The Internet password
Because the Internet password must be available to the server at all times, it is stored in the Domino Directory. This is a completely different concept from the Lotus Notes password, which must be available to the Notes client even when it is not connected to a Domino server at all, for example when the user is working on an airplane. Because the two passwords are stored in different places and have different options, keeping them separate can be very beneficial. The Internet password is also the password that other systems use through LDAP.
When a user enters a Domino-based website like iNotes, the Domino server will ask for a username and password. After the username has been found in the Domino Directory, the password provided will be checked against a securely stored version of the Internet password that the Notes user has chosen. When the correct credentials are provided, the user can access the Domino server.
User security options
Lotus Notes users can change their passwords by selecting File -> Security -> User Security and providing their password at the prompt. This opens the User Security dialog, in which Lotus Notes users can perform the following tasks:
- Change their password
- Secure their password and keys
- Set their Internet password options
- Allow password sharing with a Notes add-on product
- Configure the Notes client to use the operating system login
Note: The administrator can disable some of these options.
Change their password
This option changes the Lotus Notes password; the Internet password can be changed from a Web page, synchronized with the Notes password, or changed manually by an administrator.
Here, users are asked for their current password and can then enter a new one. This dialog also lets users upgrade the encryption strength used to secure the ID file.
Currently, 256-bit AES is the most secure option available (Notes 8 and later versions only).
Secure their password and keys
When a Notes user suspects that his password is no longer secure, this option gives him a chance to strengthen it. The most important step is to change the password. Among the other options is the ability to create new public keys.
Set their Internet password options
Setting the Internet password depends on the options that the local Notes/Domino administrator provides. When the administrator has configured the Internet password to match the Lotus Notes password, a Notes user can disable that option. When the administrator has not enabled this option, the user may choose to configure the password on his own.
Allow password sharing with a Notes add-on product
This option is generally used to synchronize Lotus Notes with mobile devices. It allows third-party add-ons to access a Lotus Notes/Domino environment automatically.
For example, a mobile device synchronization tool may need to access a Domino server to synchronize a user's calendar. When this option is disabled, the user is prompted for his password each time the third-party software tries to access the ID file.
Configure the Notes client to use the operating system login
This option is only available if the Lotus Notes Single Logon service was installed together with the Notes client. It allows the Notes client to start without asking the user for his Lotus Notes password.
Note: This only occurs when the Microsoft Windows and Lotus Notes passwords are exactly the same. Otherwise, the user is notified that the passwords do not match.
The user is provided with an option to change the Lotus Notes password to match the Windows password after he has successfully logged onto Lotus Notes with the current (non-matching) password. This will bring both passwords into sync and enable a single logon for Lotus Notes.
Any password changes made in Lotus Notes or Microsoft Windows also will be synchronized to the other, except password changes forced from the Windows login (i.e. when a password has expired). Future versions of Lotus Notes will create a central ID vault to solve this.
ABOUT THE AUTHOR: Fred Janssen
Fred Janssen is a principal administrator with more than 13 years experience in the Lotus Notes/Domino environment. He is currently employed as a Notes/Domino consultant with Eniac Essentials in the Netherlands. Fred frequently presents to local Notes/Domino user groups and also teaches similarly minded courses. He can be reached at firstname.lastname@example.org.