Setting up Windows single sign-on for Web clients

You can set up a Domino® Web server to honor Microsoft Windows users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.

About this task

The Domino® Web server uses Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) and the underlying Kerberos network authentication security that is provided by Active Directory to negotiate the authentication with a browser client.
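When troubleshooting the SPNEGO negotiation described above, it helps to confirm which mechanism the browser actually sent, because a client that cannot obtain a Kerberos ticket commonly sends an NTLM token under the same `Negotiate` scheme. The following Python sketch is an added example, not code from the Domino documentation; it classifies the value of a captured HTTP `Authorization` header, and the function names and the constructed sample tokens are assumptions made for illustration.

```python
import base64

# DER-encoded GSS-API mechanism OIDs (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
KNOWN = ((KRB5, "kerberos"), (MS_KRB5, "kerberos"), (NTLMSSP, "ntlm"))


def classify_negotiate(header_value):
    """Say which mechanism an HTTP Authorization header value carries."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):
            return "raw-ntlm"              # NTLM message with no GSS-API framing
        if token[0] != 0x60:               # GSS-API InitialContextToken tag
            return "unknown"
        # Skip the tag and its short- or long-form DER length.
        body = token[2 + (token[1] & 0x7F if token[1] & 0x80 else 0):]
    except (ValueError, IndexError):
        return "malformed"
    if body.startswith((KRB5, MS_KRB5)):
        return "kerberos"                  # bare Kerberos token, no SPNEGO wrapper
    if not body.startswith(SPNEGO):
        return "unknown"
    # Heuristic, not a full ASN.1 parse: mechTypes precedes mechToken, so the
    # known OID that appears first is the client's preferred mechanism.
    rest = body[len(SPNEGO):]
    hits = [(rest.find(oid), name) for oid, name in KNOWN if oid in rest]
    return "spnego-" + min(hits)[1] if hits else "spnego-unknown"


def der(tag, content):
    """Encode one DER element; short-form lengths only (content < 128 bytes)."""
    if len(content) > 127:
        raise ValueError("sample helper handles short lengths only")
    return bytes([tag, len(content)]) + content


def sample_header(mech_oids):
    """Constructed sample: a NegTokenInit offering mech_oids, dummy mechToken."""
    fields = der(0xA0, der(0x30, b"".join(mech_oids))) + der(0xA2, der(0x04, b"constructed"))
    token = der(0x60, SPNEGO + der(0xA0, der(0x30, fields)))
    return "Negotiate " + base64.b64encode(token).decode()
```

A result of `spnego-ntlm` or `raw-ntlm` for a domain-joined client points at the client side (browser configuration, or no Kerberos ticket for the server's name) rather than at the Web server.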

Restriction: Windows single sign-on for Web clients is incompatible with SAML deployment. If the Domino Web server is configured for SAML session authentication, Windows single sign-on for Web clients must be disabled in any SSO configuration document used by the SAML-enabled Web server.


  • Microsoft Windows Server Active Directory Domain Controller.
  • The functional level of an Active Directory domain (or forest in the case of multiple domains) must be set to Windows Server 2003 or higher. Backward-compatible modes for Windows Server 2003 cannot be used. For example, you cannot set Windows Server 2003 to use Windows 2000 mixed mode. To check the domain and forest functional level, from the Active Directory Users and Computers snap-in utility, right-click the domain, click Properties, and look at the General tab.
  • Domino® server running on a Windows computer that is a member of an Active Directory domain.
  • Domino® server configured for multi-server session-based authentication (single sign-on).
  • Browsers that are supported by Domino® running on Windows clients that are logged on to the Active Directory domain and that have network access to the Active Directory server.
  • Web users with accounts in Active Directory.


  1. Prepare the Domino® server for Windows single sign-on for Web clients.
  2. Set up the Windows service for Domino®.
  3. Configure user name mapping.
  4. Configure Web client browsers.