SECURITY
Password changes are cached when the HTTP server is configured for SSO. This means that users can log in to an SSO environment, change their Internet password, log out, and log in again using the new Internet password while the change is still replicating throughout the system.
Caching location and duration The user's cached new Internet password is only stored on the HTTP server where the password change was requested. Other servers in the SSO environment do not have access to this cached information; therefore if the user is prompted for a password by any of these other servers, the user may have to supply the old password rather than the new one. On servers that do not have the cached information, the user must provide the password that matches password information found by that server in the directory.
Note that for SSO users, initial log in provides access to the entire SSO environment. Therefore, users will have no problem if all log in activity can be done consistently at the server that cached the new password. The user can attempt to access a URL on the target server and be prompted for a password by that server, rather than opting to supply a password to a server that does not have the cached new password.
By default, the cached new Internet password is honored by the HTTP server for 48 hours. The length of time that the information is cached can be configured using the server Notes.ini parameter HTTP_PWD_CHANGE_CACHE_HOURS. Once the information times out from the cache, the user can only login using the password that can be verified against the password information found by the server in the Domino Directory.
Note If the HTTP server is restarted, the cached password information will be discarded. Again, the user must provide the password that matches password information found by the server in the Domino Directory.
Password caching and SSO login name Use of the new password relies on the HTTP server finding the user in its cache. In order for the cached new Internet password to work, the user must login with the same spelling of the user name that the user logged in as before. For example, if the user logged in previously as "John Doe" when changing the password, the user can't login later with the new password and a valid other name such as "jdoe". The user must login with the new password using "John Doe" as before.
Best practices for SSO password caching
You should instruct your users to follow these steps for best results:
1. Log in to a Domino HTTP server that supports SSO password caching.
2. Submit the Internet password change request by invoking the ChangePassword URL on the server. For example:
It may take some time for the password change to take effect on all the servers in the SSO environment. During this time, whenever users login, they should always log in first to the server where they requested the password change, using the same user login name as before and providing the new password.
If for some reason, a user's new password is not accepted on the server to which the password change was requested, the user should try again using the new password and their user name in distinguished name format (for example, John Doe/MyCompany).
Troubleshooting Internet password caching for SSO
The following list describes some common problems with setting up and using Internet password caching in an SSO environment.
If the user changes his password on the second server, the second server will cache the new Internet password for this user. In this case, the server does not have the user's login name, because the user logged in somewhere else first. The second server remembers the new password, but remembers that the new password applies to the user with the corresponding Domino distinguished name. If the user logs out and later wants to login directly to this server with the new Internet password, the user must provide their distinguished name (for example John Doe/MyCompany).
Note The password change information about the requested new password is not passed to any DSAPI library, and while a password change affects the Domino Directory information for this user, the password change likely does not change the DSAPI library's notion of the user's password.
When a user requests a password change, the HTTP server caches the new Internet password for this user, using the name it knows for this user. If the user logs out and later wants to login with the new password to a URL on the server not associated with the DSAPI library, the HTTP server will attempt to verify the user's name and password. If the password change to the directory is still pending, the HTTP server can verify the user's new password only if it is found in the cache. In order to find the user in the cache, the user must provide the name that matches the name in the cache, namely, the one passed from DSAPI, e.g. "CN=John Doe/O=MyCompany".