How to manage passwords to secure Lotus Notes/Domino environments

Password and ID management can make or break a Lotus Notes/Domino environment. Keeping users' passwords and systems secure can be a challenge. Here are some tools and best practices to help you maintain a tight grip on all Lotus Notes passwords within your infrastructure.

Lotus Notes/Domino administrators face numerous challenges when managing passwords. Here are some tools to help you control password usage in your Lotus Notes/Domino environment.

  Managing Lotus Notes passwords and Internet passwords  

Lotus Notes users have two different passwords available:

  • The Lotus Notes password is stored in the user's ID file.
  • The Internet password is stored in the user's Person document, which is found in the Domino Directory.

One of the easiest ways to help users manage these passwords is to configure the Domino environment so that both passwords remain synchronized.

The Administration Process (AdminP) handles the process of changing the Internet password through the Change HTTP Password in Domino Directory action.

A policy within the Password Management Options section of your security settings document (see Figure 1) manages password synchronization. In this policy, set the Update Internet Password When Notes Client Password Changes to Yes.

Figure 1. The Password Management Options section handles password synchronization.

When using the Update Internet Password When Notes Client Password Changes option, consider disabling Allow Users to Change Internet Password over HTTP. This may sound strange, but synchronization only works in one direction.

When a user's Lotus Notes password is changed, the Internet password also changes. Unfortunately, this isn't the case when the Internet password is changed, since the Administration Process does not have access to end-user ID files.

Allowing Lotus Notes users to change their Internet password over HTTP connections will take the Internet password out of sync with the Lotus Notes password. This can be troublesome when an administrator supports Web-only users who cannot access a Lotus Notes client to manage their password.

  Other Lotus Notes password management options  

The following selections are available in the Password Management Options section of the security settings document:

  • Use Custom Password Policy For Notes Clients: Lets administrators define their own password rules, require a password change on the first use of the Notes client, and control which characters a password must contain.
  • Check the password on the Notes ID file: Keeps the Notes password consistent across multiple copies of a user's ID file. After the password is changed on one copy, the server forces the user to change it on any other copy they have, such as one on a home PC.

    When the server detects that a different password is in use on another copy of the ID file, Domino will instruct users: "You have a different password on another copy of your ID file and you must change the password on this copy to match."
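To make the custom-policy idea concrete, here is an added example (not code from the article or from IBM) of the kind of rule set such a policy enforces: minimum length, minimum counts of alphabetic, numeric and special characters, mixed case, no part of the user's name in the password, and a change-on-first-use flag. The rule names, thresholds and the hierarchical-name parsing are assumptions for illustration; Domino's own policy settings and their names are not reproduced here.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """Illustrative custom password policy (assumed fields, not Domino's own schema)."""
    min_length: int = 8
    min_alpha: int = 1
    min_numeric: int = 1
    min_special: int = 1
    require_mixed_case: bool = True
    forbid_name_parts: bool = True      # reject passwords containing parts of the user name
    change_on_first_use: bool = True    # force a new password at the first Notes client use


def _name_parts(user_name: str):
    """'CN=Alice Example/O=Acme' -> {'alice', 'example'} (assumed hierarchical-name layout)."""
    cn = user_name.split("/")[0]
    cn = cn.split("=", 1)[1] if "=" in cn else cn
    return {part.lower() for part in cn.split() if len(part) >= 3}


def check_password(candidate: str, user_name: str, policy: PasswordPolicy) -> list:
    """Return the policy rules the candidate violates; an empty list means accepted."""
    failures = []
    if len(candidate) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if sum(c.isalpha() for c in candidate) < policy.min_alpha:
        failures.append(f"fewer than {policy.min_alpha} alphabetic characters")
    if sum(c.isdigit() for c in candidate) < policy.min_numeric:
        failures.append(f"fewer than {policy.min_numeric} numeric characters")
    if sum(not c.isalnum() for c in candidate) < policy.min_special:
        failures.append(f"fewer than {policy.min_special} special characters")
    if policy.require_mixed_case and not (
        any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
    ):
        failures.append("must contain both upper- and lower-case letters")
    if policy.forbid_name_parts:
        lowered = candidate.lower()
        for part in _name_parts(user_name):
            if part in lowered:
                failures.append(f"contains part of the user name ({part})")
                break
    return failures


def must_change_now(policy: PasswordPolicy, password_changed_since_setup: bool) -> bool:
    """Change-on-first-use: keep forcing a change until the user has set their own password."""
    return policy.change_on_first_use and not password_changed_since_setup


if __name__ == "__main__":
    policy = PasswordPolicy()
    user = "CN=Alice Example/O=Acme"   # constructed sample user
    for candidate in ("alice123", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, user, policy) or "accepted")
```

The checker reports every violated rule rather than stopping at the first one, which is what a user-facing password dialog needs in order to explain why a choice was rejected.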

  Using Lotus Notes Single Logon  

A Lotus Notes/Domino administrator may install the Lotus Notes Single Logon service during the installation of a user's workstation (see Figure 2). To effectively use the Lotus Notes Single Logon feature, users must change their Notes password to match their Windows password, or vice versa.

After a mandatory restart of their workstations, the Lotus Notes Single Logon service securely passes the user's Windows password to the Lotus Notes client. When both passwords match, the Notes client opens without a password prompt, and users can continue working.

Figure 2. The Lotus Notes Single Logon screen.

The Lotus Notes Single Logon service also handles password changes and synchronizes new Lotus Notes passwords to Windows. This also works in reverse, but with limitations:

  • The Notes.ini must be in the default location (i.e., not on a network drive).
  • The Lotus Notes Single Logon service does not handle password changes made from the "Password Expiration" dialog at Windows logon.

Note: The Single Logon service does not work on Citrix, but third-party software can provide these capabilities.

  How to recover password and ID files  

One frequent issue for a Lotus Notes administrator is that of password recovery, along with recovering lost or damaged ID files.

For password and ID recovery to function properly, users' ID files need to contain "Recovery Information," which is not enabled by default. A secure copy of each ID file also needs to be collected in a mail-in database. The Lotus Notes client takes care of the collection process.

  Configuring password and ID file recovery  

Perform these steps for every certifier in your Domino environment:

From the Domino Administrator client, select Configuration -> Certification -> Edit Recovery Information. Select the certifier that you'd like to enable password recovery for, then click Next. You will then see the Edit Master Recovery Authority List screen (see Figure 3).

Figure 3. The Edit Master Recovery Authority List lets you add or change recovery authority names.

From here, refer to Administrator Help for details, but be sure to use the following guidelines:

  1. Require at least two Recovery Authorities to recover passwords, even for smaller environments. Requiring three is better; it is bad practice to require only one Recovery Authority.
  2. Allow a maximum of eight Recovery Authorities to be added.
  3. Select or create a mail-in database, on a Domino server that is accessible to all Recovery Authorities, to which the backup ID files will be mailed.
  4. A recovery message is no longer needed when all users are on Lotus Notes 7 or higher. The collection process for the Recovery Information is fully automated and invisible to the end user.

Select OK to put this process into motion. Password Recovery information will be inserted into the users' ID files. After a while you will notice backup ID files arriving in the mail-in database you created.
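Guideline 1 above rests on a threshold property: no single Recovery Authority can recover a password alone, yet any sufficient subset can. The article does not describe the internals of Domino's recovery passwords, so the added example below (not code from the article or from IBM) uses Shamir secret sharing as a stand-in to show what an m-of-n requirement buys: with a threshold of two and eight authorities, as the guidelines suggest, any two shares reconstruct the recovery secret and one share on its own is useless. The field modulus, the encoding of the recovery password as an integer and the 15-byte limit are assumptions for this illustration.

```python
import secrets

# Field modulus: the Mersenne prime 2**127 - 1, an assumption for this example
# (not a Domino parameter); a recovery password of up to 15 bytes fits below it.
PRIME = 2**127 - 1


def password_to_int(password: str) -> int:
    """Encode a recovery password as a field element (assumed encoding)."""
    data = password.encode("utf-8")
    if len(data) > 15:
        raise ValueError("recovery password longer than 15 bytes does not fit the field")
    return int.from_bytes(data, "big")


def int_to_password(value: int) -> str:
    """Inverse of password_to_int."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over the prime field."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, authorities: int) -> dict:
    """One share per Recovery Authority (numbered 1..n); any `threshold` shares recover the secret."""
    if not 1 <= threshold <= authorities:
        raise ValueError("threshold must be between 1 and the number of authorities")
    if not 0 <= secret < PRIME:
        raise ValueError("secret does not fit the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, authorities + 1)}


def recover_secret(shares: dict, threshold: int) -> int:
    """Lagrange interpolation at x = 0 using the first `threshold` shares supplied."""
    if len(shares) < threshold:
        raise ValueError(f"need {threshold} shares, only {len(shares)} supplied")
    xs = list(shares)[:threshold]
    total = 0
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        # pow(den, PRIME - 2, PRIME) is the modular inverse of den (Fermat).
        total = (total + shares[i] * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    secret = password_to_int("Acme-rec-2024")          # constructed recovery password
    shares = split_secret(secret, threshold=2, authorities=8)
    print("authority 1 and 5 together:", int_to_password(
        recover_secret({1: shares[1], 5: shares[5]}, 2)))
    try:
        recover_secret({1: shares[1]}, 2)
    except ValueError as err:
        print("authority 1 alone:", err)
```

Each share is a uniformly random field element on its own, which is why requiring only one authority (the practice the guideline warns against) collapses the whole scheme into a single point of compromise, while a threshold of two or three keeps recovery possible when one authority is unavailable.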


Lost passwords can be recovered using the Extract Recovery Password tool in the Administrator client (see Figure 4). To access this tool, go to: Configuration -> Certification -> Extract Recovery Password.

From there, point the tool to the user's current ID file and supply the user with the recovery password. This step must be performed by the specified number of Recovery Authorities from the master recovery authority list.

Figure 4. The Extract Recovery Password tool recovers lost Lotus Notes passwords.

Users must choose Recover Password in the Wrong password dialog box and supply the necessary recovery password(s). Users also must create a new password to be able to continue working.

Lost or corrupted ID files can be recovered from the mail-in database where recovery information is collected (see the section on configuring password and ID file recovery above).

Locate the user's most recent backup ID file, detach it, and save it under the correct file name in the correct location. Finally, perform the lost password procedure outlined above.

  Securing the Internet password  

On older versions of Domino, an Internet password stored in the Domino Directory is protected by default with only a simple hash (see Figure 5). An administrator needs to perform a few simple tasks to store Internet passwords more securely.

The first step is to enable the correct setting. To do this, select Actions -> Edit Directory Profile from within the Domino directory. Be sure that Use more secure Internet Passwords is set to Yes.

Figure 5. Use the Domino Directory to secure older Domino passwords.

Next, you must upgrade the current stored passwords. In the People view of the Domino Directory, select Actions -> Upgrade to more Secure Internet Password.

You will be asked, "Do you want to upgrade to the more secure Internet password format? By doing so, clients will only be able to access 4.6 servers and above." Select Yes.
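The upgrade action only rewrites passwords that are still in the old format, so an administrator wants a way to check, before and after, how many Person documents still carry a simple hash. The following audit is an added example, not code from the article or from IBM: it classifies the HTTPPassword field of exported Person records by its textual layout. The layouts it recognises (a 32-character hexadecimal string for the legacy hash, a parenthesised value starting with "(G" for the more secure salted format, and one starting with "(H" for the stronger format of later releases) reflect this example author's understanding of Domino and should be verified against your own version; the field name, the export shape and every name and hash value in the sample are constructed.

```python
import re

# Password layouts as this example's author understands Domino to use; verify
# against your own Domino version before relying on the classification.
LEGACY_RE = re.compile(r"^[0-9A-Fa-f]{32}$")       # simple unsalted hash (pre-upgrade)
SALTED_RE = re.compile(r"^\(G[A-Za-z0-9+/]+\)$")   # "more secure" salted format
NEWER_RE = re.compile(r"^\(H[A-Za-z0-9+/]+\)$")    # stronger format of later releases


def classify_http_password(value: str) -> str:
    """Map one HTTPPassword value to: none, legacy, salted, newer or unknown."""
    if not value:
        return "none"
    if LEGACY_RE.match(value):
        return "legacy"
    if SALTED_RE.match(value):
        return "salted"
    if NEWER_RE.match(value):
        return "newer"
    return "unknown"


def audit_person_documents(records) -> dict:
    """Group Person records by password format; 'legacy' entries still need the upgrade action."""
    report = {"legacy": [], "salted": [], "newer": [], "none": [], "unknown": []}
    for rec in records:
        fmt = classify_http_password(rec.get("HTTPPassword", ""))
        report[fmt].append(rec["FullName"])
    return report


def needs_upgrade(records) -> list:
    """Names whose Internet password is still stored as the simple legacy hash."""
    return audit_person_documents(records)["legacy"]


# Constructed sample export of Person documents (names and values are invented,
# shaped only to match the layouts above).
SAMPLE_EXPORT = [
    {"FullName": "CN=Alice Example/O=Acme", "HTTPPassword": "0123456789ABCDEF0123456789ABCDEF"},
    {"FullName": "CN=Bob Example/O=Acme",   "HTTPPassword": "(GExampleSaltedHashValue0)"},
    {"FullName": "CN=Carol Example/O=Acme", "HTTPPassword": "(HExampleStrongerHashValue000000)"},
    {"FullName": "CN=Dave Example/O=Acme",  "HTTPPassword": ""},
    {"FullName": "CN=Erin Example/O=Acme",  "HTTPPassword": "not-a-hash"},
]

if __name__ == "__main__":
    for fmt, names in audit_person_documents(SAMPLE_EXPORT).items():
        print(f"{fmt:8s} {len(names):3d}  {', '.join(names)}")
    print("still need 'Upgrade to more Secure Internet Password':", needs_upgrade(SAMPLE_EXPORT))
```

Run it before the upgrade to size the job and again afterwards: anything still reported as legacy was not rewritten (for example, a document edited while the action ran), and anything reported as unknown deserves a manual look rather than silent acceptance.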

  Future Lotus Notes/Domino password changes  

IBM's next release of Domino will contain extensive changes to ID file and password management capabilities.

  1. ID files can be secured with a Lotus Notes user's Windows identity. This means that there will no longer be a separate password for the ID file.
  2. ID files can be stored in an ID vault on a Domino server, instead of storing them on a local or home drive.
  3. The entire process of securing an ID file and moving it to the ID vault will be configured through policies. This will eliminate the need to create your own collection process. When policies are set correctly, and both the Domino server and Lotus Notes client are updated to version 8.5, the process will occur automatically -- without any interaction from users or an administrator.

Fred Janssen
Fred Janssen is a principal administrator with more than 13 years experience in the Lotus Notes/Domino environment. He is currently employed as a Notes/Domino consultant with Eniac Essentials in the Netherlands. Fred frequently presents to local Notes/Domino user groups and also teaches similarly minded courses. He can be reached at [email protected].

