Enabling integrated Windows authentication (IWA) for Eclipse-based clients

Integrated Windows™ authentication (IWA) is available for supplied and third-party Eclipse-based client applications, enabling SPNEGO authentication for Eclipse-based features and applications within Notes® client. Examples include Widgets and Live Text and Feeds, IBM® Connections, Composite Applications, embedded IBM Sametime®, and embedded Symphony®. IWA also works with products that are based on Eclipse but not embedded within Notes, such as IBM WebSphere® Portal with SiteMinder and stand-alone Connections 3.0 with SiteMinder.

Note: IWA cannot be used as a mechanism for authentication on Notes client startup.

IWA is an authentication protocol that allows users to achieve single sign-on using the Windows credentials of the currently logged-in user. SPNEGO is one mechanism of IWA that allows the client and server to negotiate which authentication protocol to use. These protocols are limited to NT LAN Manager (NTLM) and Kerberos. Support for session management is provided by HTTP cookies.

The Domino® administrator can either use a security settings policy to specify support for IWA, or create an account of type OS-CRED and apply the account to client users by policy.

To enable IWA in the security policy:

1. In the Domino Directory, create or edit an existing security settings policy document (the 8.5.3 NAMES.NSF design is required).

2. On the Password Management tab, select Yes for the Enable Windows single sign-on for Standard Notes Client field.

Note: Enabling IWA authentication in the security settings policy supports it only in the browser and the network layer, for components such as Feeds and Widgets. For example, if the widget catalog is on a SPNEGO-protected site, and the client user accesses the catalog through the embedded browser, the user would authenticate to the catalog without the need for an account.

Creating an OS-CRED account for a client user automatically enables IWA for the entire Notes client. Application-specific accounts such as IBM Sametime and IBM Connections can also be changed to type OS-CRED.

IWA can also work with TAM-SPNEGO accounts. TAM-SPNEGO account type users can switch their accounts to use the new IWA-compatible SPNEGO support using the client's plugin_customization.ini file.

Note: This file is typically resident in the framework\rcp subdirectory of the Notes_install_dir, for example:

Program Files\IBM\Notes\framework\rcp\plugin_customization.ini

Before Notes installation or upgrade, the file resides in the deploy subdirectory of the Notes install kit.

Add the following statement to specify that all existing TAM-SPNEGO accounts instead use OS-CRED authentication:

com.ibm.rcp.accounts/replace.tam.spnego=true

Note: There is no specific Domino policy for this setting, which is consumed primarily by Sametime. As an alternative to the plugin_customization.ini file, you can apply the setting by using the Custom Settings tab on the Domino Desktop policy settings document to define a custom name/value pair. For details on applying Eclipse preference settings using a policy, see the related topics.

OS-CRED SPNEGO is not automatically enabled. To enable it, create a new account of type OS-CRED using existing Domino administrator or client preferences user interface methods or set a platform preference by adding the following statement to the client's plugin_customization.ini file:

com.ibm.rcp.net.http/enable.spnego=true

This capability is available for the embedded Activities sidebar application. Similar to the Accounts configuration, the Connections configuration now offers 'OS Credential' as an authentication type when configuring client preferences. It is also supported when the Connections configuration is supplied in the client's plugin_customization.ini file as follows:

com.ibm.lconn.client.base/server=Connections_server_name
com.ibm.lconn.client.base/authtype=OS-CRED

If problems are encountered during SPNEGO authentication, you can enable the following Eclipse-level logging settings in the rcpinstall.properties file. This provides log output from the JVM and from Notes to whatever log file your client system currently uses; by default this is C:\Program Files\IBM\Notes\Data\workspace\logs.

com.ibm.rcp.accounts.level=FINEST
com.ibm.rcp.net.http.level=FINEST
com.ibm.rcp.security.spnego.level=FINEST
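An administrator who deploys these preferences usually wants to confirm what a given client actually has in place: whether the OS-CRED/SPNEGO keys from the preceding sections are present with the expected values, and whether FINEST logging was left switched on after troubleshooting. The script below is an added example, not IBM code; it assumes that plugin_customization.ini and rcpinstall.properties both use Java .properties syntax (key=value, '#' or '!' comments, trailing backslash continuation), and the file contents, the connections.example.com host name and the helper names parse_properties, audit_iwa and set_property are constructed for the example.

```python
"""Audit and update the Notes client preference files for the IWA / SPNEGO
keys discussed above (added example; the sample file contents are constructed)."""
import re

# Constructed stand-in for framework\rcp\plugin_customization.ini. Mixed
# separators, a '!' comment and a backslash continuation exercise the parser.
SAMPLE_PLUGIN_INI = """\
# Notes client Eclipse preferences (constructed sample)
com.ibm.rcp.accounts/replace.tam.spnego=true
com.ibm.rcp.net.http/enable.spnego = true
com.ibm.lconn.client.base/server=\\
    connections.example.com
! the alternative comment marker
com.ibm.lconn.client.base/authtype=OS-CRED
"""

# Constructed stand-in for rcpinstall.properties: one logger left at FINEST.
SAMPLE_RCPINSTALL = """\
com.ibm.rcp.accounts.level=FINEST
com.ibm.rcp.net.http.level=INFO
"""

# Keys from the page with the value that switches the behaviour on.
IWA_KEYS = {
    "com.ibm.rcp.accounts/replace.tam.spnego": "true",
    "com.ibm.rcp.net.http/enable.spnego": "true",
    "com.ibm.lconn.client.base/authtype": "OS-CRED",
}
LOG_KEYS = (
    "com.ibm.rcp.accounts.level",
    "com.ibm.rcp.net.http.level",
    "com.ibm.rcp.security.spnego.level",
)


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comment lines, '=' or ':'
    separators, whitespace around key and value stripped, and a trailing
    single backslash joining the next line (the odd/even backslash rule of
    the real format is simplified to 'not a doubled backslash')."""
    props = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def audit_iwa(plugin_props, rcpinstall_props):
    """Report which IWA keys are enabled, missing or set to another value in
    plugin_customization.ini, and which loggers rcpinstall.properties still
    has at FINEST (verbose output that should not stay on after debugging)."""
    report = {"enabled": [], "missing": [], "mismatched": [], "verbose_logging": []}
    for key, expected in IWA_KEYS.items():
        value = plugin_props.get(key)
        if value is None:
            report["missing"].append(key)
        elif value.lower() == expected.lower():
            report["enabled"].append(key)
        else:
            report["mismatched"].append((key, value))
    for key in LOG_KEYS:
        if rcpinstall_props.get(key, "").upper() == "FINEST":
            report["verbose_logging"].append(key)
    return report


def set_property(text, key, value):
    """Add or replace one key=value line, leaving comments and other keys as
    they are. A replaced key's continuation lines (if any) are not removed."""
    out, found = [], False
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s]+)\s*[=:]", line)
        if m and m.group(1) == key:
            out.append(f"{key}={value}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = audit_iwa(parse_properties(SAMPLE_PLUGIN_INI),
                       parse_properties(SAMPLE_RCPINSTALL))
    for category, items in report.items():
        print(f"{category}: {items}")
    # Turn the accounts logger back down once troubleshooting is finished.
    print(set_property(SAMPLE_RCPINSTALL, "com.ibm.rcp.accounts.level", "INFO"))
```

Run it against the real files by replacing the two constructed strings with the contents read from Notes_install_dir\framework\rcp\plugin_customization.ini and rcpinstall.properties; the "verbose_logging" entry is the one to watch, since FINEST output from the SPNEGO and HTTP layers is only intended for the duration of a troubleshooting session.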

There are several considerations and limitations to bear in mind when using integrated Windows authentication (IWA) for Eclipse-based clients:


Related concepts
Configuring administrative settings for deploying Eclipse-based plug-ins
Using Eclipse preferences to verify trust

Related tasks
Assigning Eclipse preference settings using a desktop policy
Using administrative accounts to manage client plug-ins