Active Directory password synchronization

WARNING: This feature impacts your Active Directory domain controller configuration; proceed only with a working backup of your domain controller. See further details in this topic.

This feature applies the Windows passwords of users registered in an Active Directory domain to their Domino HTTP and/or Notes ID passwords. Note that industry best practice encourages the use of federated login using a single password authority and discourages syncing of passwords across multiple systems.

When a user whose Active Directory information is synced to Domino changes their Windows domain password, a Domino password filter that is installed and runs on an Active Directory domain controller creates a password change request. The Domino password filter pushes the request to a Domino server in the domain that is designated as a Request Processor. The Request Processor processes the password change request by applying the new password to the user's HTTP password, to the Notes ID password in the ID vault, or to both passwords.

This feature is primarily useful for environments that do not use federated SAML authentication but still want to unlock Notes IDs and apply the Active Directory passwords to them. For example, HCL Nomad mobile users can benefit from this, as can disconnected, offline users who can't connect to an Active Directory domain controller.

This feature requires the ability to extract passwords from Active Directory to re-apply the passwords to the Notes IDs in the vault. Microsoft provides an API call exactly for this purpose. This API can be used only from software installed on the Active Directory domain controller, which is why Domino is installed there for this feature.

Note: The implementation used by Domino to obtain the Active Directory password is the only secure method available. The LDAP protocol cannot be used.

Password synchronization is supported for:
  • Registered HCL Notes, HCL Nomad, HCL Verse, and HCL iNotes users accessing Domino servers with HTTP passwords or Notes IDs.
  • Web users who are not registered in Domino but who have Person documents in the Domino directory used for accessing Domino web applications with HTTP passwords.

Requirements

  • Active Directory password synchronization is supported on Windows Server 2016 and Windows Server 2019. As of Domino 12.0.1, it is also supported for Windows Server 2022.
  • Directory Sync must be enabled with users' Active Directory information synced to the primary Domino directory.
  • You must register a Domino server for each Active Directory domain controller that will send password changes to Domino and install it as a Domino Utility Server on the domain controller. The server IDs for these servers are used on the Active Directory domain controllers to create and transfer password change requests. The Domino server does not run on the Active Directory domain controllers after initial setup.
  • Multiple Active Directory domains can send changes to one Domino domain. One Active Directory domain cannot send changes to multiple Domino domains, however.
  • Syncing passwords for Notes IDs requires the IDs to be in an ID vault.
  • All passwords can be synced except ones that begin with an open parenthesis. For example, the password (mypassword cannot be synced. If a user whose password is synced attempts to change to a password beginning with an open parenthesis, Windows shows an error stating that it doesn't meet the requirements and the change is not allowed.
Note:
  • The Notes Client Single Logon feature is deprecated in Domino 12, but if it is used on pre-Notes 12 clients, it is not compatible with password synchronization.
  • If users change their Notes ID passwords through Notes or administrators reset Notes ID passwords, the new passwords override Windows passwords changed through password synchronization until the next Windows password change.

Precautions

Active Directory password synchronization runs in the Local Security Authority Subsystem (lsass.exe) in the Windows kernel. HCL has tested Active Directory password synchronization on clean operating system installs with no third-party software installed. HCL can't test with other third-party software that may interact with LSASS, such as anti-virus and anti-malware programs. Therefore, HCL strongly recommends taking the following precautions when testing and deploying Active Directory password synchronization in your environment:
  • Ensure you have multiple domain controllers deployed as per Microsoft best practice.
  • Back up your domain controllers prior to installing Domino Active Directory password synchronization.
  • Verify your backup and ensure you know how to recover your domain controllers.
  • Prior to deploying in production, test Active Directory password synchronization in a test or staging environment that exactly matches your production environment, including all third-party software.
  • Do not install on all domain controllers at once. Phase your deployment.
Note: The Active Directory password synchronization password filter is not digitally signed by Microsoft and does not run on domain controllers that are running with LSA protection enabled.
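The following readiness check is an added example, not HCL's code and not part of the original page. It gathers, on a single domain controller, the facts the requirements and precautions above depend on: the Windows Server version, that the host really is a domain controller, whether LSA protection is enabled (the filter does not load when it is), which password filters are already registered inside lsass.exe, and whether the domain has more than one domain controller. It assumes that the Domino filter is registered through the standard Windows password-filter mechanism (the LSA "Notification Packages" registry value), that LSA protection is represented by the RunAsPPL value under the same key, and that the ActiveDirectory PowerShell module is present, as it is on domain controllers. The filter's DLL base name is not given on this page, so it is a placeholder parameter.

```powershell
# Added pre-deployment readiness check for Domino Active Directory password synchronization.
# Not HCL's code. Run in an elevated PowerShell session on each domain controller before
# installing the password filter. Assumptions (not stated on the HCL page): the filter is
# registered via the LSA "Notification Packages" value, LSA protection is the RunAsPPL value,
# and the ActiveDirectory module is available.
param(
    # Placeholder: substitute the real base name of the Domino password filter DLL.
    [string]$FilterDllName = 'DOMINO_FILTER_DLL_PLACEHOLDER'
)

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# 1. Supported OS: Windows Server 2016, 2019 or (Domino 12.0.1 and later) 2022.
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$supported = $os.Caption -match 'Windows Server (2016|2019|2022)'
$findings += [pscustomobject]@{ Check = 'Supported Windows Server version'; Pass = $supported; Detail = $os.Caption }

# 2. Host role: DomainRole 4 = backup domain controller, 5 = primary domain controller.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$isDc = $cs.DomainRole -ge 4
$findings += [pscustomobject]@{ Check = 'Host is a domain controller'; Pass = $isDc; Detail = "DomainRole=$($cs.DomainRole)" }

# 3. LSA protection: the filter is not signed by Microsoft and will not load while RunAsPPL is set.
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
$lsaProtectionOff = (-not $runAsPpl) -or ($runAsPpl -eq 0)
$findings += [pscustomobject]@{ Check = 'LSA protection (RunAsPPL) disabled'; Pass = $lsaProtectionOff; Detail = "RunAsPPL=$runAsPpl" }

# 4. Inventory the password filters already loaded into lsass.exe (REG_MULTI_SZ, one DLL name per entry)
#    so that anything else running alongside the Domino filter is known before installation.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction SilentlyContinue).'Notification Packages'
$alreadyRegistered = @($packages) -contains $FilterDllName
$findings += [pscustomobject]@{ Check = 'Existing LSA notification packages'; Pass = $true; Detail = (@($packages) -join ', ') }
$findings += [pscustomobject]@{ Check = 'Domino filter not yet registered here'; Pass = (-not $alreadyRegistered); Detail = "looked for $FilterDllName" }

# 5. Redundancy: more than one domain controller, so a phased rollout never leaves the domain
#    with a single, possibly impaired, controller.
$dcCount = (Get-ADDomainController -Filter * -ErrorAction SilentlyContinue | Measure-Object).Count
$findings += [pscustomobject]@{ Check = 'Multiple domain controllers in domain'; Pass = ($dcCount -gt 1); Detail = "count=$dcCount" }

$findings | Format-Table -AutoSize

if ($findings | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more readiness checks failed; do not install the password filter on this host yet.'
}
```

Run the check against the staging controller first and keep its output with the backup record for that host; re-running it after installation shows the filter appearing in the notification-package inventory, which is also the quickest way to confirm during a phased rollout which controllers already carry the filter.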