Configuring the primary domain for cross-domain TOTP authentication

Complete these steps to configure TOTP authentication for the primary domain.

About this task

This procedure uses Domain1 for the primary domain name and Domain2 for the secondary domain name.


  1. Add the following notes.ini setting to all Web servers in Domain1 and to the ID vault server in Domain1:
  2. Ensure that the Domain1 Domino directory has a Notes cross-certificate at the /Org level for Domain2 that establishes trust.
  3. Configure directory assistance to look up names in the Domain2 Domino directory:
    1. Create a directory assistance database (if not created already) on a server in Domain1.
    2. Add a Directory Assistance Document for Domain2. The following fields in the document are required.
      On the Basics tab:
      • Domain type: Select Notes.
      • Domain name: Specify the Domino domain of the secondary directory, for example Domain2.
      • Make this domain available to: Select Notes Clients & Internet Authentication/Authorization.
      • Enabled: Select Yes.

      On the Naming Contexts (Rules) tab, select Enabled > Yes and Trusted for Credentials > Yes for at least one rule that applies to Domain2. You can use the default N.C. 1 rule.

      On the Domino tab, specify the replica of the Domain2 Domino directory on the Domain2 administration server.

      For additional information, see Creating a Directory Assistance document for a Domino Directory or extended directory catalog.

    3. At the Domino server console, run the command sh xdir to verify the configuration. The output should be similar to the following:
      [11A4:0006-105C]  DomainName      DirectoryType         ClientProtocol Replica/LDAP Server
      [11A4:0006-105C]    --------------- --------------------- -------------- -----------------------
      [11A4:007C-105C]  1 Domain1        Primary-Notes         Notes & LDAP   names.nsf
      [11A4:007C-105C]  2 Domain2        Secondary-Notes       Notes          server1/domain2!!names.nsf
  4. Configure TOTP authentication for Domain1. For more information, see Configuring TOTP authentication.
  5. Replicate the Domain1 Domino directory and Directory Assistance database to all participating Web servers in Domain1.
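
The verification in step 3.3 can be scripted against captured console output. The following Python is an added example, not part of the product documentation: it parses sh xdir output (the sample is the output shown in step 3.3) and reports whether the primary and secondary domains are listed with the expected directory types. The function names are hypothetical, and the parser assumes the replica column contains no spaces.

```python
import re

# Sample console output copied from step 3.3 of this page.
SAMPLE = """\
[11A4:0006-105C]  DomainName      DirectoryType         ClientProtocol Replica/LDAP Server
[11A4:0006-105C]    --------------- --------------------- -------------- -----------------------
[11A4:007C-105C]  1 Domain1        Primary-Notes         Notes & LDAP   names.nsf
[11A4:007C-105C]  2 Domain2        Secondary-Notes       Notes          server1/domain2!!names.nsf
"""

# Leading console tag such as [11A4:007C-105C]
PREFIX = re.compile(r"^\s*\[[0-9A-Fa-f:-]+\]\s*")
# index, domain, directory type, protocol (may contain spaces), replica (assumed space-free)
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(.*?)\s+(\S+)$")

def parse_xdir(text):
    """Return one dict per directory row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(PREFIX.sub("", line).strip())
        if m:
            idx, domain, dtype, proto, replica = m.groups()
            rows.append({"index": int(idx), "domain": domain, "type": dtype,
                         "protocol": proto, "replica": replica})
    return rows

def check_cross_domain(text, primary, secondary):
    """Return a list of problems; an empty list means both directories are listed as expected."""
    by_domain = {r["domain"].lower(): r for r in parse_xdir(text)}
    problems = []
    p = by_domain.get(primary.lower())
    s = by_domain.get(secondary.lower())
    if p is None or not p["type"].startswith("Primary"):
        problems.append(f"{primary} is not listed as the primary directory")
    if s is None:
        problems.append(f"{secondary} is missing from the sh xdir output")
    elif not s["type"].startswith("Secondary"):
        problems.append(f"{secondary} has unexpected directory type {s['type']}")
    return problems

if __name__ == "__main__":
    for problem in check_cross_domain(SAMPLE, "Domain1", "Domain2") or ["OK"]:
        print(problem)
```

An empty result means the directory assistance entry for the secondary domain is visible to the server; any reported problem should be resolved before continuing with step 4.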