Active Directory password synchronization

This feature applies the Windows domain passwords of users registered in an Active Directory domain to their Domino HTTP passwords, their Notes ID passwords, or both.

When a user whose Active Directory information is synced to Domino changes their Windows domain password, a Domino password filter that is installed and runs on an Active Directory domain controller creates a password change request. The Domino password filter pushes the request to a Domino server in the Domino domain that is designated as the Request Processor. The Request Processor processes the password change request by applying the new password to the user's HTTP password, to the Notes ID password in the ID vault, or to both. Because the filter acts only on password changes, a user's existing Windows password is not synced until the next time the user changes it.

Password synchronization is supported for:
  • Registered HCL Notes, HCL Nomad, HCL Verse, and HCL iNotes users accessing Domino servers with HTTP passwords or Notes IDs.
  • HCL Traveler users accessing their mail through the web browser on their mobile devices.
  • Web users who are not registered in Domino but who have Person documents in the Domino directory accessing Domino web applications with HTTP passwords.

Requirements

  • Directory Sync must be enabled with users' Active Directory information synced to the primary Domino directory.
  • You must register a Domino server for each Active Directory domain controller that will send password changes to Domino, and install Domino as a Domino Utility Server on that domain controller. The server ID of each of these servers is used on its domain controller to create and transfer password change requests. After initial setup, the Domino server itself does not run on the Active Directory domain controller; only the password filter does.
  • Multiple Active Directory domains can send changes to one Domino domain. One Active Directory domain cannot send changes to multiple Domino domains, however.
  • Syncing passwords for Notes IDs requires the IDs to be in an ID vault.
  • All passwords can be synced except ones that begin with an open parenthesis. For example, the password (mypassword cannot be synced. If a user whose password is synced attempts to change to a password beginning with an open parenthesis, Windows shows an error stating that the password does not meet the requirements, and the change is not allowed.
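The following PowerShell script is an added example for checking, on a domain controller, the two things the flow and requirements above depend on: that a password filter is registered with LSA so that it sees password changes, and that a candidate password is one Domino can sync (it must not begin with an open parenthesis). It is not HCL's code. The filter DLL name is a placeholder you must replace with the name your Domino installation registers; the registry location is the standard Windows Notification Packages value that LSA loads password filters from.

```powershell
# Added example, not part of the HCL documentation or product.
# Pre-flight checks on an Active Directory domain controller for a
# Domino-style LSA password filter. $FilterDllName is an ASSUMED placeholder;
# use the DLL name (without .dll) that your Domino installation registers.
param(
    [string]$FilterDllName = 'DominoPasswordFilter'   # placeholder name
)

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-NotificationPackages {
    # LSA loads every password filter listed in this multi-string value at
    # boot. A filter that is not listed here never sees password changes.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    return (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
}

function Test-PasswordFilterRegistered {
    param([string]$DllName)
    $packages = @(Get-NotificationPackages)
    $dllPath  = Join-Path $env:SystemRoot "System32\$DllName.dll"
    [pscustomobject]@{
        DllName    = $DllName
        Registered = ($packages -contains $DllName)
        FileExists = (Test-Path -Path $dllPath)
        Packages   = ($packages -join ', ')
    }
}

function Test-DominoSyncablePassword {
    # Domino cannot sync a password that begins with an open parenthesis;
    # Windows reports such a change as not meeting requirements.
    param([string]$Candidate)
    return -not $Candidate.StartsWith('(')
}

if (-not (Test-IsDomainController)) {
    Write-Warning 'This host is not a domain controller; the password filter only runs on DCs.'
}

Test-PasswordFilterRegistered -DllName $FilterDllName | Format-List

# Constructed sample passwords: the first is syncable, the second is not.
foreach ($candidate in 'Summer2024!', '(Summer2024!') {
    '{0,-15} syncable={1}' -f $candidate, (Test-DominoSyncablePassword -Candidate $candidate)
}
```

Run the script in an elevated PowerShell session on each domain controller that is meant to send password changes. A filter that appears in Notification Packages but whose DLL is missing from System32 will fail to load; changes to Notification Packages take effect only after the domain controller is rebooted.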