Notes Shared Login…. Gotcha!

If you have implemented Notes Shared Login, or are thinking about it, Technote 1405060 "New 8.5 Notes Shared Login 'Gotchas'" should be of interest to you. First, a couple of points of clarification. Notes has two different features that let an end user sign on to Lotus Notes without providing a password when Notes is launched, and both work on Windows machines only.

The first is Notes Client Single Logon. To use it you must select the "Client Single Logon Feature" during installation; once it is enabled, the first time the user logs on to Notes they are prompted to change their Notes password to match their Windows password. There are some limitations, detailed in the Notes & Domino Infocenter:

OS and Domino password policies must be aligned as closely as possible to allow password synchronization to work. During OS password changes, the Notes Network Provider must be able to change the Notes ID to the new password provided by the OS. Notes is notified of the new OS password only after the OS password has been changed. If the new OS password does not meet the Notes password quality and history requirements, the Notes password change will fail. During Notes password changes, the Notes client must be able to change the OS password to the new Notes password. If the new Notes password does not meet the OS password quality and history requirements, the OS password change will fail.

Operating system (OS) password changes, that is, password changes that are initiated outside of Lotus Notes, occur in the system access control environment; therefore, the NOTES.INI file and the Notes ID file must reside on a local drive.

The key point to understand about Notes Client Single Logon is that the Notes ID still has a password; it is simply kept synchronized with the Windows password, and Windows supplies it to Notes at login. The second feature is Notes Shared Login. Here the ID file no longer has a password at all: the user is authenticated at Windows login, and the ID file is protected through the Windows user's login (Windows DPAPI) rather than by a Notes password. Before we go any further, it is worth noting the cases where Shared Login will not work.

You cannot use shared login if any of the following conditions is true:
- you use a computer that does not run Microsoft Windows
- you use a Smartcard to log in to Lotus Notes
- your User ID is protected by multiple passwords
- you are a roaming user that uses a roaming ID
- you run Notes on a USB drive
- you use a mandatory Windows profile
- you are running Notes in a Citrix environment
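The local-drive requirement above and several of the "will not work" conditions can be checked on a workstation before Shared Login is rolled out. The following PowerShell pre-flight check is an added example, not part of the original post or of any IBM tooling. It reads the real notes.ini keys KeyFilename= and Directory=, verifies that notes.ini and the ID file sit on a fixed local disk (not a USB, mapped or UNC path), and flags a Citrix ICA session. The default notes.ini location and the SESSIONNAME convention for ICA sessions are assumptions; the script does not detect smartcards, multiple-password IDs, roaming IDs or mandatory profiles, so a clean run is necessary but not sufficient.

```powershell
# Added example: Notes Shared Login pre-flight check (not from the original post).
# Assumes a Windows Notes client; the default notes.ini path is an assumption.
param(
    [string]$NotesIni = "$env:LOCALAPPDATA\IBM\Notes\Data\notes.ini"
)

# Read one key from notes.ini, a plain "Key=Value" text file.
function Get-NotesIniValue {
    param([string]$Path, [string]$Key)
    $line = Get-Content -Path $Path |
        Where-Object { $_ -match "^\s*$Key\s*=" } |
        Select-Object -First 1
    if ($line) { return ($line -split '=', 2)[1].Trim() }
    return $null
}

# Classify the storage a path lives on: Fixed, Removable, Network, UNC or Unknown.
function Get-PathDriveKind {
    param([string]$Path)
    if ($Path -match '^\\\\') { return 'UNC' }           # \\server\share path
    $letter = ([System.IO.Path]::GetPathRoot($Path)).TrimEnd('\')
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$letter'"
    switch ($disk.DriveType) {
        2       { 'Removable' }   # USB drive: shared login unsupported
        3       { 'Fixed' }       # local disk: what notes.ini and the ID file need
        4       { 'Network' }     # mapped drive: not local
        default { 'Unknown' }
    }
}

$problems = @()

if (-not (Test-Path -Path $NotesIni)) { throw "notes.ini not found at $NotesIni" }

# notes.ini itself must reside on a local drive.
$iniKind = Get-PathDriveKind -Path $NotesIni
if ($iniKind -ne 'Fixed') { $problems += "notes.ini is on a $iniKind drive ($NotesIni)" }

# KeyFilename= may be relative to the Notes data directory (Directory=).
$keyFile = Get-NotesIniValue -Path $NotesIni -Key 'KeyFilename'
$dataDir = Get-NotesIniValue -Path $NotesIni -Key 'Directory'
if (-not $keyFile) {
    $problems += 'KeyFilename= is missing from notes.ini'
} else {
    if (-not [System.IO.Path]::IsPathRooted($keyFile)) { $keyFile = Join-Path -Path $dataDir -ChildPath $keyFile }
    if (-not (Test-Path -Path $keyFile)) { $problems += "ID file not found at $keyFile" }
    $idKind = Get-PathDriveKind -Path $keyFile
    if ($idKind -ne 'Fixed') { $problems += "ID file is on a $idKind drive ($keyFile)" }
}

# Citrix ICA sessions set SESSIONNAME to ICA-...; shared login is unsupported there (assumption).
if ($env:SESSIONNAME -like 'ICA-*') { $problems += "running in a Citrix session ($env:SESSIONNAME)" }

if ($problems.Count -eq 0) {
    Write-Output 'Local-drive and session checks passed for Notes Shared Login.'
} else {
    $problems | ForEach-Object { Write-Warning -Message $_ }
}
```

Run it as the end user (not an administrator) on the workstation, because the ID file, notes.ini and the Windows profile in question are all per-user. A Removable, Network or UNC result for either file means Shared Login should not be enabled for that user even if the policy permits it.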

The other important item to note is that because the Notes ID no longer has a password, you cannot simply copy the ID file from one machine to another; if you need to copy your ID file you must use the documented procedure for copying an ID file when using Notes Shared Login. Shared Login is disabled by default and must be enabled via a Security Settings document in a Policy. It is highly recommended to use Notes Shared Login in conjunction with the ID Vault to ensure you can always reset a password or recover an ID file if needed.

Related Links
- Technote 1405060 New 8.5 Notes Shared Login "Gotchas"
- Notes and Domino Wiki: Best Practices for Shared Login
- Notes and Domino Wiki: Upgrading from Notes client single logon to Notes Shared Login
- Deploying a Notes custom install using the surunas upgrade method and enabling Notes client single logon

6 Responses to Notes Shared Login…. Gotcha!
  1. Ben Rose
    August 3, 2010 | 12:51 pm

    We abandoned Shared Login a while ago when we realised it didn’t update the internet password. Useless.

  2. Gavin Bollard
    August 3, 2010 | 7:57 pm

    Same here regarding the Internet Password.

    Shared login is a very poor replacement for the Notes Client Single Login.

    We’ve abandoned it.

  3. Stephan H. Wissel
    August 3, 2010 | 9:02 pm

    @Ben, Gavin: You are missing one piece in the puzzle. Since the Notes.id doesn’t have a password there is no password to change (and hence no password change propagates to the Internet password). To make that happen you have 3 options:
    a) Set up Domino to use SPNEGO (so it automatically authenticates with the Windows login credentials)
    b) Use TDI (entitlement included in Domino) to keep passwords in sync
    c) Set up Domino to authenticate against AD for http access

  4. Dennis Heinle
    August 3, 2010 | 11:53 pm

    Our previous admin started setting up users on Shared Login. I thought it was great until I found out at IAMLUG that it does not work with Citrix. It also does not sync the internet password. However I also learned at IAMLUG that you can set up directory assistance to authenticate with LDAP (AD) for internet / sametime / traveler / quickr logins. Gabriella Davis and Marie Scott did the presentation on this. I need to find the slides on it.

    So now we need to figure out what we are doing with Citrix.

    Dennis

  5. Pierre
    August 4, 2010 | 8:23 am

    SPNEGO on Domino is great. It takes a bit at the beginning to populate the NAB with AD DN but then no login screens at all.

  6. ernest
    August 7, 2010 | 11:47 am

    good article!