Active Directory password synchronization

This feature applies the Windows passwords of users registered in an Active Directory domain to their Domino HTTP and/or Notes ID passwords.

When a user whose Active Directory information is synced to Domino changes their Windows domain password, a Domino password filter that is installed and runs on an Active Directory domain controller creates a password change request. The Domino password filter pushes the request to a Domino server in the domain that is designated as a Request Processor. The Request Processor processes the password change request by applying the new password to the user's HTTP password, to the Notes ID password in the ID vault, or to both passwords.

This feature is primarily useful for environments that do not use SAML authentication and want to unlock Notes IDs and apply the Active Directory passwords to them. For example, HCL Nomad mobile users can benefit from it, as can disconnected, offline users who can't connect to an Active Directory domain controller.

This feature requires the ability to extract passwords from Active Directory to re-apply the passwords to the Notes IDs in the vault. Microsoft provides an API call exactly for this purpose. This API can be used only from software installed on the Active Directory domain controller, which is why Domino is installed there for this feature.
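
Because software on the domain controller handles new passwords in this design, it is worth confirming that only the expected password filters are registered there. The PowerShell check below is an added example, not HCL's code or documentation. It assumes the Domino password filter is registered through the standard Windows LSA "Notification Packages" registry value, and it uses a placeholder for the filter's name, which this page does not give.

```powershell
# Added example (not HCL code): list the password filters registered with LSA
# on this domain controller and flag any that are not on the allow-list.
# 'rassfm' and 'scecli' are the Windows defaults; '<domino-filter-name>' is a
# placeholder for the name your Domino installation registered (assumption).
$Allowed = @('rassfm', 'scecli', '<domino-filter-name>')

function Test-PasswordFilter {
    param(
        [string[]]$Names,      # entries from the 'Notification Packages' value
        [string[]]$AllowList
    )
    foreach ($name in $Names) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # Filters are registered by DLL base name and loaded from System32.
        $dll = Join-Path $env:SystemRoot "System32\$name.dll"
        $sig = $null
        if (Test-Path -LiteralPath $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
        }
        [pscustomobject]@{
            Name      = $name
            Allowed   = $AllowList -contains $name
            Path      = $dll
            OnDisk    = $null -ne $sig
            Signature = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$registered = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'
$report = Test-PasswordFilter -Names $registered -AllowList $Allowed
$report | Format-Table -AutoSize

# Anything unexpected, missing from disk, or not validly signed needs review.
$suspect = $report | Where-Object {
    -not $_.Allowed -or -not $_.OnDisk -or $_.Signature -ne 'Valid'
}
if ($suspect) {
    Write-Warning ("Review these password filters: " + (($suspect.Name) -join ', '))
}
```

Run it in an elevated session on each domain controller that sends password changes to Domino, and compare the results across controllers.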

Note: The implementation used by Domino to obtain the Active Directory password is the only secure method available. The LDAP protocol cannot be used.

Password synchronization is supported for:
  • Registered HCL Notes, HCL Nomad, HCL Verse, and HCL iNotes users accessing Domino servers with HTTP passwords or Notes IDs.
  • Web users who are not registered in Domino but who have Person documents in the Domino directory used for accessing Domino web applications with HTTP passwords.


The following requirements and limitations apply:
  • Directory Sync must be enabled with users' Active Directory information synced to the primary Domino directory.
  • You must register a Domino server for each Active Directory domain controller that will send password changes to Domino and install it as a Domino Utility Server on the domain controller. The server IDs for these servers are used on the Active Directory domain controllers to create and transfer password change requests. The Domino server does not run on the Active Directory domain controllers after initial setup.
  • Multiple Active Directory domains can send changes to one Domino domain. One Active Directory domain cannot send changes to multiple Domino domains, however.
  • Syncing passwords for Notes IDs requires the IDs to be in an ID vault.
  • All passwords can be synced except ones that begin with an open parenthesis. For example, the password (mypassword cannot be synced. If a user whose password is synced attempts to change to a password beginning with an open parenthesis, Windows shows an error stating that it doesn't meet the requirements and the change is not allowed.
  • The Notes Client Single Logon feature is deprecated in Domino 12, but if it is used on pre-Notes 12 clients it is not compatible with password synchronization.
  • If users change their Notes ID passwords through Notes or administrators reset Notes ID passwords, the new passwords override Windows passwords changed through password synchronization until the next Windows password change.