Configuring the secondary domain for cross-domain TOTP authentication

Complete these steps to configure TOTP authentication for the secondary domain.

About this task

This procedure uses Domain1 for the primary domain name and Domain2 for the secondary domain name.


  1. Add the following notes.ini setting to all Web servers in Domain2 and to the ID vault server in Domain2:
  2. Ensure that the Domain2 Domino directory has a Notes cross-certificate at the /Org level for the Domain1 /Org that establishes trust.
  3. Create a replica of the Domain1 Domino directory on the ID vault server for Domain2.
  4. Configure directory assistance on the ID vault server for Domain2 to look up names in its local replica of the Domain1 Domino directory.
    1. Create a directory assistance database (if not created already) on the ID vault server for Domain2.
    2. Add a Directory Assistance Document for the Domain1 Domino directory. The following fields in the document are required.
      On the Basics tab:
      • Domain type Select Notes.
      • Domain name Specify the Domino domain of the secondary directory.
      • Make this domain available to Select Notes Clients & Internet Authentication/Authorization
      • Enabled Select Yes.

      On the Naming Contexts (Rules) tab, select Enabled > Yes and Trusted for Credentials > Yes for at least one rule that applies to the primary domain. You can use the default N.C. 1 rule.

      On the Domino tab, specify the replica of the Domain1 Domino directory that you created on the ID vault server in Domain2.

      For additional information, see Creating a Directory Assistance document for a Domino Directory or extended directory catalog.

    3. At the Domino server console of the ID vault server, run the command sh xdir to verify the configuration. You should see output similar to the following output:
      [11A4:0006-105C]  DomainName      DirectoryType         ClientProtocol Replica/LDAP Server
      [11A4:0006-105C]    --------------- --------------------- -------------- -----------------------
      [11A4:007C-105C]  1 Domain2        Primary-Notes         Notes & LDAP   names.nsf
      [11A4:007C-105C]  2 Domain1        Secondary-Notes       Notes          names-server1.nsf
  5. Run the following command twice from the server console of the ID vault server to create Multi-Factor Authentication Certificates for both the Domain1 Org and the Domain2 Org.
    mfamgmt create trustcert <Notes DN to allow>  <certifier ID file>  <certifier password> 
    For example:
    mfamgmt create trustcert */O=Org1  sr$1ulxl47o 
    mfamgmt create trustcert */O=Org2  tr$polx3p98 
    The certificates are created in the Domain2 Domino directory.
  6. Replicate the Domain2 Domino directory and Directory Assistance database to all participating ID vault servers in Domain2.