Overview#

Lotus Notes has (at least) two passwords that are used in different authentication scenarios.

There are two ways to access your Lotus Notes mail:

  • from your computer's Lotus Notes client software, often called the Notes client. We will refer to its password as the "NotesID Password".
  • from an internet browser, often referred to as Lotus Notes Web Mail or iNotes. We will refer to its password as the "iNotes password".

Each of these methods has its own distinct password.

NotesID Password#

The NotesID Password is the password that protects the Lotus Notes ID (Domino ID) file.

iNotes password#

You will use your iNotes password to access your mailbox through the iNotes webmail interface or IMAP, on your mobile device using Lotus Notes Traveler, or in other browser-based Lotus applications.

Lotus Notes Single Logon#

Client Single Logon is the feature that uses the Windows service "Lotus Notes Single Logon". With Client Single Logon, when the user changes his password on his workstation, the password on his Notes ID file should automatically be synchronized.

What does not work:

  • If you use a smartcard to log in to Lotus Notes, or if your user ID is protected by multiple passwords, the "Lotus Notes Client Single Logon" feature with Windows is not supported.
  • If an administrator changes the user's password directly in AD, the password for the user's Notes ID file will not be synchronized.
  • Non-Windows workstations

IDM and Lotus Notes#

AFAIK, all the vendor IDM products will synchronize the iNotes password and none of them can synchronize the NotesID Password.

We often see organizations use the "Lotus Notes Single Logon" feature together with IDM, which will then keep the two passwords in sync, within the limitations of "Lotus Notes Single Logon".

We have been on a couple of projects where we used a web-based application that was able to set the NotesID Password under certain conditions. The idea worked well when there was only one user on the workstation and it was a Windows workstation (the Lotus Notes API was calling DLLs).

The concept worked similarly to this:

  • The web-based application captured the "old" and "new" password from the user.
  • A Java applet was then loaded on the user's machine, if not already present.
  • The "old" and "new" passwords were passed to the Java applet.
  • The Java applet then made the appropriate calls using the Lotus Notes API to change the NotesID Password.
  • The web-based application passed the new password to the IDM system for processing the other connected applications.

After more than 5 years of operation, one client said the application worked for 80% of their users.

The Notes Client Authentication Challenge[1]#

Organizations using Lotus Domino clients know all too well that their end users can only authenticate against the Lotus Notes ID. As a result, a lost Notes ID file or forgotten password can create a nightmare for both the company's IT department and the end user.

The steps for recovering a Notes ID password are complicated, time-consuming and require Help Desk execution and end-user involvement. In the recommended scenario, the end user initiates the recovery process for the Notes ID but must find three Domino administrators to generate recovery strings. This information is then used by the end user to reset the password on their Notes ID.

Then there is the issue of two passwords, which is somewhat difficult to explain to an end user who just wants things to work.

The result is excess work for IT and a drain on IT resources, as well as a large amount of downtime for the end user.

Notes ID vault[2]#

The ID vault is an optional, server-based database that holds protected copies of IBM® Lotus® Notes® user IDs. New (AFAIK) in 8.5.3, the ID vault allows administrators and users to easily manage Notes user IDs. Users are assigned to a vault through policy configuration, and copies of user IDs are uploaded to a vault automatically once the policy has taken effect.

The benefits of using an ID vault include:

  • The ability for authorized personnel to change (reset) passwords on IDs stored in a vault when users forget them, without access to the ID files or the vault
  • Support for the use of a custom application to reset passwords
  • Easy recovery of lost or damaged user IDs
  • Automatic synchronization of multiple ID copies
  • No user involvement during ID renames
  • No user involvement during ID key rollover

There have been some third-party products that provided some of this functionality for past versions.

Warnings#

As all things change, be sure to verify for yourself how your Lotus Notes version deals with passwords.

More Information#

There might be more information for this subject on one of the following:

« This page (revision-9) was last changed on 05-Apr-2013 20:42 by jim