Lotus Domino Administrator 8.5 Help - Details of Microsoft IIS security options

WEB SERVERS

Details of Microsoft IIS security options
Anonymous Access
Anonymous Access lets Web users access a Web site without a user name or password. IIS always maps anonymous Web users to a specific anonymous user account, which you can configure. If Anonymous Access is the only IIS authentication method enabled, IIS does not use any user credentials -- that is, a user name and password -- sent by the browser for authentication, but the IIS plug-in passes the credentials to Domino, and Domino will authenticate the user according to the normal procedure for Web users. If an anonymous user attempts to access a Domino resource that requires authentication, Domino will respond appropriately according to the security options you have set for the Domino Web site (a Basic name-and-password challenge, or a session authentication login page). Therefore, if you want Domino to completely handle user authentication, you should enable Anonymous Access as the only security option for the IIS Web site when setting up name-and-password authentication.

Anonymous Access uses the following guidelines:

The Web user does not need to be a registered 2000/2003 user.
If you want a user to access secure resources, the Web user must be a registered Domino user and the user must have an Internet password.

Basic Authentication
When using Basic Authentication, IIS verifies the user credentials that the browser sends as a valid user account. If Basic Authentication is the only IIS authentication method enabled, IIS requires all browser requests to have credentials -- anonymous access is not allowed. Whenever a user sends a Domino request, the IIS plug-in passes the user name to Domino and informs Domino that the user has been authenticated by IIS. Such a user is called a "pre-authenticated" user. The plug-in passes the pre-authenticated name exactly as the user entered it in the browser. Domino then attempts to look up that name in its directories. Since IIS has already verified the user's password, Domino does not use the Internet password stored in the user's Person document or LDAP entry.

If Domino finds the name in a Domino Directory, then Domino uses the primary name in the Person record for authorization (ACL checking). If Domino does not find the name, then Domino uses the pre-authenticated name as-is for authorization.

In both cases, Domino builds the user's group list from the set of groups in the Domino Directory which include the user as a member, and Domino also adds the special group "-WebPreAuthenticated-" to the group list. You may use -WebPreAuthenticated- as a group entry in database ACLs and other access lists.

Note If you want to list IIS users by name in database ACLs, you must be careful to use the correct form of the name. Use the primary name if the user is listed in the Domino Directory, or the IIS pre-authenticated name if the user is not in the directory. Remember that if a user is listed by name in an ACL and is also a member of a group in the ACL (including "-WebPreAuthenticated-" or any other group), the name entry takes precedence over the group entry.

In summary, Basic Authentication uses the following guidelines:

Anonymous access is not allowed.
The Web user must be a registered Windows 2000/2003 user.
The Web user does not have to be a registered Domino user.
Domino does not use the user's Internet password.
The Web user is automatically assigned to the -WebPreAuthenticated- group.

Integrated Windows Authentication
Integrated Windows authentication is a Microsoft-specific protocol supported by Internet Explorer (IE). When a Web user makes a request to the site, IE automatically sends to IIS the user's current Windows logon account name. IIS verifies the name against the Windows registry on the IIS server. When a user makes a Domino request, the IIS plug-in passes to Domino the user's Windows name and Domino processes the pre-authenticated name as described above for Basic authentication.

Windows account names use the form domain\username or machinename\username -- for example, SALES\JSmith. If Domino is using Person documents in the Domino Directory to authenticate the Windows users, the documents must contain the exact Windows account names as aliases. For example, if Joe Smith has an IBM® Lotus® Notes® ID in the "CorpSales" domain and a Windows user account in the "SALES" Windows domain, the User name field in Joe Smith's Person document needs to contain:

Joe Smith/CorpSales

SALES\JSmith

This allows Domino to authenticate the Windows user SALES\JSmith as the Domino user Joe Smith/CorpSales.

In summary, integrated Windows authentication uses the following guidelines:

If this is the only authentication method enabled, only IE users can access the Web site.
Anonymous access is not possible since IE automatically sends the user's Windows account name on every request.
The Web user must be a registered Windows 2000/2003 user.
If you want to match the Windows user to a Domino Person document, You need to add the user's Windows account name as an alias to the Person documents.
Domino does not use the Internet password.
The user is automatically assigned to the -WebPreAuthenticated- group.

SSL
If you enable SSL on a Web server, IIS handles the actual SSL connection. However, if a Web user provides a client certificate, the IIS plug-in passes the certificate to Domino and Domino uses the certificate to authenticate the user. If Domino cannot find a certificate for the user, then Domino will downgrade the user to Anonymous access.

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary