Authenticating web users against the Notes® ID passwords in the ID vault

You can configure HCL Domino® to use the password in an ID vault to authenticate users that access the server over HTTP, IMAP, POP3, and LDAP internet protocols.

When this feature is enabled, HCL Verse, HCL iNotes®, and other internet users with Notes® ID files provide their names and Notes® ID passwords from an ID vault to authenticate with a Domino® server. With this feature, users need to remember just one password, their Notes® ID password, to authenticate to the server and perform secure mail operations. Without this feature, users provide their internet passwords to authenticate to the server and then are prompted for their Notes® ID passwords to perform secure mail operations if the passwords are different than their internet passwords.

Note:
  • This feature is ignored for authentication of the following users:
    • Notes® client users
    • Internet-only users without Notes® IDs
    • Users who authenticate via SAML federated identity authentication
  • If directory assistance is configured for cross-domain directory lookups, add the notes.ini setting ENABLE_IDV_CROSSDOMAIN_AUTHENTICATION=1 to your Domino servers. Then, when a user accesses a Domino server and the user is registered in a secondary domain, the server is able to access the vault in the secondary domain to verify the user password, if configured.
To enable the feature:
  1. Create or edit a Configuration Settings document in the Domino® directory. (Configuration > Servers > Configurations).
  2. Click the Security tab.
  3. In the Internet Password Verification section, select one of the following options:
    Table 1. Internet Password Verification options
    Option Description
    Check internet password in directory Always use internet passwords in Domino® directory Person documents to authenticate internet users. This option is the pre-release 11 behavior and the default selection.
    Check internet password in vault Always use passwords from Notes® ID files in the vault to authenticate internet users who have registered Notes® IDs. These users must have IDs in the vault to authenticate.
    Check vault first, then directory. Try to use passwords from Notes® IDs in the vault to authenticate internet users who have registered Notes® IDs. If the password fails against the Vault, it is checked against the internet password in Domino® directory Person documents to authenticate the users.

    Use this option if some internet users with registered Notes® IDs do not have IDs in the vault or if you are unsure if they do.