Using Notes Shared Login to secure server ID files

Starting with HCL Domino 12.0.1, you can secure the server ID files of Domino servers on Windows using the Notes Shared Login (NSL) functionality.

About this task

As with NSL for user ID files, a complex "secret" protects the server ID rather than a Notes password. This secret is encrypted using a Microsoft Windows security mechanism and saved locally on the Windows server. The feature relies on Windows account credentials to secure the server ID file and to start the Domino server.

This feature prevents an unauthorized user from copying and using a server ID file, for example, to use it to set up another server. It also avoids the need to provide Notes passwords for server IDs when starting the Domino server.

If a server ID file was protected by a Notes password before this feature was enabled, that Notes password is no longer used once the feature is enabled.

Procedure

To enable NSL to secure server ID files, open or create a Configuration settings document in the Domino directory, select the Security tab, and select one of the following options in the Server ID protection field:
Option: Disabled
Description: Do not use NSL for server ID files. (Default)

Option: Use OS credentials
Description: Enable NSL by encrypting the server ID file using the credentials of a specific Windows account. Only the credentials associated with that account can be used to decrypt the ID file and start the Domino server. Use this option if Windows is configured to require a specific Windows account to start the Domino server.
Note:
  • If you run Domino as a Windows service, you can't start the Domino server manually under a different account.
  • After enabling this option, if you change the Windows account used to start Domino, select Disabled, wait five minutes or restart the server, and then select Use OS credentials again to begin using the new account.

Option: Use local machine credentials
Description: Enable NSL by encrypting the server ID file using the credentials of any Windows account that is allowed to log on to the Windows server. Any of these accounts can be used to decrypt the ID file and start the server. Use this option if the Domino server is not required to start under a particular account.

Results

The following security event is logged to the server console and log file when you enable this feature:
Server ID protection: Enabled
The following event is logged if you disable it:
Server ID protection: Disabled
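Because the Use OS credentials option binds the server ID to the Windows account that starts Domino, an administrator will want to know which account that is before enabling the option or changing the service account, and to confirm from the console log which state is currently in effect. The following PowerShell script is an added example for those two checks; it is not part of the HCL documentation. The Domino service name pattern and the console log path are assumptions and must be adjusted for the installation.

```powershell
# Added example (not from the HCL documentation): report the Windows account
# that starts the Domino service and the most recent "Server ID protection"
# event in the console log. Service name pattern and log path are assumptions.

param(
    # Assumed: Domino console log location; adjust to your data directory.
    [string]$ConsoleLog = 'C:\Domino\data\IBM_TECHNICAL_SUPPORT\console.log',
    # Assumed: wildcard matching the Domino server service name.
    [string]$ServicePattern = '*Domino*'
)

# 1. Which Windows account starts Domino?
#    With "Use OS credentials" only this account can decrypt the server ID,
#    so changing it requires the Disabled -> Use OS credentials cycle
#    described in the procedure above.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like $ServicePattern -or $_.DisplayName -like $ServicePattern }

if (-not $services) {
    Write-Warning "No service matching '$ServicePattern' found; Domino may be started manually."
} else {
    $services | Select-Object Name, DisplayName, State, StartMode, StartName | Format-Table -AutoSize
}

# 2. Most recent protection state recorded in the console log.
#    The event text is the one the documentation lists in Results.
if (Test-Path -LiteralPath $ConsoleLog) {
    $events = Select-String -LiteralPath $ConsoleLog -Pattern 'Server ID protection:\s*(Enabled|Disabled)'
    if ($events) {
        $last  = $events[-1]
        $state = $last.Matches[0].Groups[1].Value
        "Last 'Server ID protection' event (line $($last.LineNumber)): $state"
    } else {
        "No 'Server ID protection' events found in $ConsoleLog"
    }
} else {
    Write-Warning "Console log not found at $ConsoleLog"
}
```

Run the script on the Domino server with an account that can read the service configuration and the console log. The StartName column shows the account the service runs under; if the feature is enabled with Use OS credentials and that account differs from the one used when the option was enabled, Domino will not be able to decrypt the server ID until the option is cycled as described in the note.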