Enabling integrated Windows authentication (IWA) for Eclipse-based clients

Integrated Windows authentication (IWA) is available for supplied and third-party Eclipse-based client applications, enabling SPNEGO authentication for Eclipse-based features and applications within Notes® client. Examples include Widgets and Live Text and Feeds, IBM® Connections, Composite Applications, embedded IBM® Sametime®, and embedded Symphony®. IWA also works with products that are based on Eclipse but not embedded within Notes®, such as IBM® WebSphere® Portal with SiteMinder and stand-alone Connections 3.0 with SiteMinder.

Note: IWA cannot be used as a mechanism for authentication on Notes® client startup.

IWA is an authentication protocol that allows users to achieve single sign-on using the Windows credentials of the currently logged-in user. SPNEGO is one mechanism of IWA that allows the client and server to negotiate which authentication protocol to use. These protocols are limited to NT LAN Manager (NTLM) and Kerberos. Support for session management is provided by HTTP cookies.

The Domino® administrator can either use a security settings policy to specify support for IWA, or create an account of type OS-CRED and apply the account to client users by policy.

To enable IWA in the security policy:
  1. In the Domino® Directory, create or edit an existing security settings policy document (the 8.5.3 NAMES.NSF design is required).
  2. On the Password Management tab, select Yes for the Enable Windows single sign-on for Standard Notes Client field.
Note: Enabling IWA authentication in the security settings policy supports it only in the browser and the network layer, for components such as Feeds and Widgets. For example, if the widget catalog is on a SPNEGO-protected site, and the client user accesses the catalog through the embedded browser, the user would authenticate to the catalog without the need for an account.

Creating an OS-CRED account for a client user automatically enables IWA for the entire Notes® client. Application-specific accounts such as IBM® Sametime® and IBM® Connections can also be changed to type OS-CRED.

IWA can also work with TAM-SPNEGO accounts. Users with accounts of type TAM-SPNEGO can switch those accounts to the new IWA-compatible SPNEGO support through the client's plugin_customization.ini file.
Note: This file is typically resident in the framework\rcp subdirectory of the Notes_install_dir, for example:
Program Files\IBM\Notes\framework\rcp\plugin_customization.ini

Before Notes® installation or upgrade, the file resides in the deploy subdirectory of the Notes® install kit.

Add the following statement to specify that all existing TAM-SPNEGO accounts instead use OS-CRED authentication:
com.ibm.rcp.accounts/replace.tam.spnego=true
Note: There is no specific Domino® policy for this setting, which is consumed primarily by Sametime®. As an alternative to the plugin_customization.ini file, you can apply the setting by using the Custom Settings tab on the Domino® Desktop policy settings document to define a custom name value/pair. For details on applying Eclipse preference settings using a policy, see the related topics.
OS-CRED SPNEGO is not automatically enabled. To enable it, create a new account of type OS-CRED using existing Domino® administrator or client preferences user interface methods or set a platform preference by adding the following statement to the client's plugin_customization.ini file:
com.ibm.rcp.net.http/enable.spnego=true
This capability is available for the embedded Activities sidebar application. Similar to the Accounts configuration, the Connections configuration now offers 'OS Credential' as an authentication type when configuring client preferences. It is also supported when the Connections configuration is supplied in the client's plugin_customization.ini file as follows:
com.ibm.lconn.client.base/server=Connections_server_name
com.ibm.lconn.client.base/authtype=OS-CRED
If problems are encountered during SPNEGO authentication, you can enable the following Eclipse-level logging settings in the rcpinstall.properties file. This sends log output from the JVM and from Notes® to whatever log location your client system currently uses; by default this is C:\Program Files\IBM\Notes\Data\workspace\logs.
com.ibm.rcp.accounts.level=FINEST
com.ibm.rcp.net.http.level=FINEST
com.ibm.rcp.security.spnego.level=FINEST

There are several considerations and limitations to bear in mind when using integrated Windows authentication (IWA) for Eclipse-based clients:

  • IWA is available only on supported Windows platforms.
  • IWA is available only for Notes® 8.5.3 and later.
  • IWA is supported only on the IBM® JVM supplied with Notes® 8.5.3 or later.
  • The client function has been tested against a limited, defined set of server configurations, as follows:

    The client user must log into Windows as the domain user to take advantage of this support. The authentication that occurs when logging in to Windows causes generation of the needed TGT (ticket-granting ticket). Without the TGT, the JVM SPNEGO support will not work.

  • Cross-realm and cross-forest authentication are supported only through the use of a krb5.ini file present on the system. If a krb5.ini is present in the C:\Windows directory, the values in this file will be used over the default system properties.
  • On Windows 7 and Windows Vista, SPNEGO is not functional for users who are members of the Administrators group when UAC is enabled. To use SPNEGO on these platforms, advise the client user to launch Notes® with elevated privileges, disable UAC, or log in as a non-admin user.
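The prerequisites in the list above and the plugin_customization.ini settings described earlier can be checked together on a client before a user reports an IWA failure. The following PowerShell preflight script is an added example, not part of this topic or of the IBM® product; it assumes the default install path (override with -NotesDir), that a domain logon shows a USERDOMAIN different from the machine name (a heuristic), and that later duplicate keys in plugin_customization.ini override earlier ones, as in a Java properties file.

```powershell
# Added IWA preflight check for a Notes client (example, not IBM/HCL code).
param(
    [string]$NotesDir = 'C:\Program Files\IBM\Notes'   # assumed default install path
)

$results = @()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# 1. The user must be logged on to Windows as a domain user (heuristic check).
$isDomainUser = $env:USERDOMAIN -ne $env:COMPUTERNAME
Add-Check 'Domain logon' $isDomainUser "USERDOMAIN=$($env:USERDOMAIN)"

# 2. The JVM SPNEGO support needs the TGT created at logon; klist.exe lists it as krbtgt/.
$klist = (klist 2>&1) -join "`n"
Add-Check 'Kerberos TGT present' ($klist -match 'krbtgt/') 'from klist output'

# 3. Cross-realm/cross-forest only works with C:\Windows\krb5.ini; report whether it exists.
$krb5 = Join-Path $env:SystemRoot 'krb5.ini'
Add-Check 'krb5.ini present (cross-realm only)' (Test-Path $krb5) $krb5

# 4. Administrators-group member with UAC on: SPNEGO is not functional on Vista/Windows 7
#    unless Notes runs elevated. Group membership comes from the well-known SID S-1-5-32-544.
$adminMember = ((whoami /groups) -join "`n") -match 'S-1-5-32-544'
$principal   = New-Object Security.Principal.WindowsPrincipal(
                   [Security.Principal.WindowsIdentity]::GetCurrent())
$elevated    = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$uacOn = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1
Add-Check 'No admin+UAC conflict' (-not ($adminMember -and $uacOn -and -not $elevated)) `
          "adminMember=$adminMember UAC=$uacOn elevated=$elevated"

# 5. Report the SPNEGO-related keys from plugin_customization.ini (last duplicate wins; assumed).
$ini = Join-Path $NotesDir 'framework\rcp\plugin_customization.ini'
$wanted = @('com.ibm.rcp.net.http/enable.spnego',
            'com.ibm.rcp.accounts/replace.tam.spnego',
            'com.ibm.lconn.client.base/authtype')
if (Test-Path $ini) {
    $settings = @{}
    Get-Content $ini | Where-Object { $_ -match '^\s*[^#!].*=' } | ForEach-Object {
        $k, $v = $_ -split '=', 2          # comment lines start with # or ! and are skipped above
        $settings[$k.Trim()] = $v.Trim()
    }
    foreach ($k in $wanted) { Add-Check "ini: $k" $settings.ContainsKey($k) $settings[$k] }
} else {
    Add-Check 'plugin_customization.ini found' $false $ini
}

$results | Format-Table -AutoSize
```

A failed 'Kerberos TGT present' or 'No admin+UAC conflict' row points at the client-side causes listed above; a missing ini key means only the policy-based or Accounts-based enablement, if any, is in effect.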