Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management
Security Comparison

PistolStar, Inc.
PO Box 1226
Amherst, NH 03031
USA
Phone: 603.547.1200
Fax: 603.546.2309
E-mail: salesteam@pistolstar.com
Website: www.pistolstar.com

© 2009, PistolStar, Inc. All rights reserved.


Critical Issues with Lotus Notes & Domino 8.5 Password Authentication, Security & Management

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Lotus Notes 8.5 Issues

1. Notes Shared Login – New Feature to Eliminate Notes Password Prompts

With Notes Shared Login, users can start Lotus Notes 8.5 by logging into Microsoft Windows using their Windows password — they do not also have to provide their Notes password. A random password is generated and set on the Notes ID as well as stored on the local hard drive using Microsoft’s Data Protection API (DPAPI) to encrypt and save data tied to the Windows profile.

Drawbacks:
• Because Notes Shared Login integrates the Windows password, it implies true integration with Microsoft Active Directory when there is none. The Active Directory password and password policies (password expiration, password complexity) do not apply to Notes Client authentication and the Active Directory password policies are not enforced; the static Notes ID file’s password expiration and complexity differ and are not linked to Active Directory, so its password policies are out of synch with Active Directory.
• Users are still required to manage the Notes ID password, so they still have two passwords to manage (Notes ID and Windows).
• Placing the user’s Notes ID file password on their local hard drive poses a security risk, even with DPAPI in use.
• Notes Shared Login works only on the computer on which it is activated, as the Notes ID can only be stored on the user’s local hard drive; Notes ID files on network shares are not supported.
• The credentials that are stored locally using DPAPI can only be used on the local computer.
• When a user tries to launch the Notes client using the Notes ID file password from another computer, they must first have “exported” the Notes ID from the original machine using a new Notes-centric process, set a password on it, and provide that password again when launching Notes on the second computer.
• DPAPI is vulnerable to attack whenever there is an open Windows session.
• If the user’s Windows password expires while they are logged into Windows, or if their account is disabled while they are logged in, Notes Shared Login will still allow them to gain access to Lotus Notes; thus, Notes Shared Login does not always reflect the status of their Active Directory account.
• Windows users with Windows mandatory profiles will not be able to use Notes Shared Login, since no user-specific data persists across Windows logins.
• With Notes Shared Login, Lotus continues its practice of employing proprietary methods for password authentication.
• With Notes Shared Login activated, other Lotus Notes features (including the new roaming capabilities offered in 8.5) are disabled — specifically, smart card integration, which has been available since Notes 6.
• With Notes Shared Login activated, support ceases for Citrix environments, Domino Password Checking, Domino HTTP Password synchronization and third-party applications (see #7 below).
• The Notes Shared Login functionality is only available with Lotus Notes 8.5, so phased upgrades to 8.5 would present a unique set of challenges, requiring a full client/server upgrade.
• Organizations need to upgrade their entire environment at one time, not piecemeal, or incompatibility issues with previous versions will result.

Password Power Benefits:

• Password Power offers true and complete integration with Active Directory; users can achieve single sign-on to the Notes Client via authentication redirection using their Active Directory password.
• The Active Directory and Notes ID passwords are fully synchronized, so users only need to remember, change and manage their Active Directory password.
• Active Directory password policies are fully enforced and applied to Notes client authentication; the Notes ID file password expires when the Active Directory password policies require it to.
• Active Directory authentication is performed using the Kerberos authentication protocol, which adds a layer of security because Kerberos mutually authenticates the user and the server they are attempting to access.
• Passwords are encrypted in volatile memory each time the user logs into Windows; they are not stored on the user’s hard drive. If the user logs out of Windows or their computer shuts down or crashes, the encrypted password is lost. Single sign-on is available again the next time the user logs into Windows.
• Password Power saves any changes the user makes in Windows mandatory profiles.
• Password Power’s authentication functionality is not proprietary.
• Smart card integration is fully supported and without restrictions.
• Support for Citrix environments, Domino Password Checking, Domino HTTP password synchronization and third-party applications is fully included and without restrictions.
• Active Directory integration works with all recent versions of Notes (Notes 6, 7, 8 and 8.5).

2. Recovery of Forgotten Notes ID File Password

With Notes 8.5, Lotus now offers automatic password recovery for the Notes ID file, allowing users to more easily recover damaged, lost and forgotten ID files. Copies of the Notes ID file are stored in a highly protected ID vault, giving administrators the ability to more easily manage and reset individuals’ passwords. This feature is only available with the Notes 8.5 upgrade.

Drawbacks:
• The automatic Notes ID password recovery capability is only available with the Notes 8.5 upgrade and is limited to the user’s computer.
• Restoring access to Lotus Notes using Notes Shared Login is limited to the user’s computer on which Notes Shared Login is activated.
• Password recovery involving the ID vault is a manual process requiring the Help Desk.
• Self-service password recovery is not available (users must engage an IT administrator or the Help Desk).
• The Help Desk must change the password in two places: Windows/Active Directory and the ID vault.
• For Help Desk access, the user must be a Notes user and have access to the Notes Admin Client; otherwise, customized code must be written to programmatically integrate the ID vault with the organization’s existing Help Desk application(s) and with a new API offered by Lotus. This involves costs for initial training, development and subsequent maintenance.

Password Power Benefits:

• Notes ID file password recovery is automatic; self-service password reset is also enabled using challenge question and answer functionality.
• Recovery of the Notes ID file without single sign-on is fully automatic and supported on multiple computers.
• Stores the encrypted recovery Notes ID file either locally or on a file server, and optionally in Active Directory or ADAM, where it can be replicated between domain controllers.
• Passwords only need to be changed in one location — Active Directory.
• Automatic self-service Notes ID password recovery functionality works with all recent versions of Notes (Notes 6, 7, 8 and 8.5).

3. Notes ID File Password Storage – The ID Vault

Drawbacks:
• Only a single ID vault is supported in Notes 8.5.
• The single ID vault becomes a single point of failure if the server goes down (unless vault replicas are created on other servers).
• With the single ID vault, any ID vault replication delays can cause issues such as the Notes ID file password being out of synch during a password reset by the Help Desk.
• Collecting thousands of Notes ID files in an ID vault could create scalability issues, which will likely require multiple vaults.
• Populating and collecting Notes ID files in an ID vault may lead to performance issues, as settings must be configured correctly the first time or numerous pilots must be conducted, since the functionality is prohibitively difficult to validate in test environments with more than a few test users.
• When launching Notes on a machine, the user’s name must be in the drop-down in the Notes Login Dialog (they cannot type their name and have it appear in the drop-down). This means the ID vault can only be used on machines where the user has previously logged into the Notes client.
• When the Notes ID file gets updated in the ID vault (e.g. after a name change), uploading to the ID vault is unpredictable.
• Notes ID password changes must be done manually (they are not automatic) when password expiration occurs in the Notes Client for the ID vault.

Password Power Benefits:

• Does not involve collecting/populating Notes ID files in an ID vault, so there is no potential for performance and scalability issues.
• IT does not carry the risk of failure if the server goes down.
• Administrators and users are not required to struggle with untested functionality.
• IT does not have to deal with the possibility of having to employ multiple vaults.
• There is no possibility of unpredictable uploading to an ID vault after a Notes ID file is updated.
• Provides automatic Notes ID password expiration and password change capabilities leveraging Active Directory password policies.
• The standard Notes Login Dialog is replaced with one that allows the user to type in their name; there is no login dialog at all with single sign-on.

4. Limited Roaming User Capabilities

With Notes 8.5, users can be set up to log into any available Notes client and use all the Notes functionality. However, if the Notes Shared Login feature is activated, this capability does not work.

Drawbacks:
• With Notes Shared Login activated, if the user only employs Notes on a single machine, the functionality works fine.
• With Notes Shared Login activated, if the user employs multiple machines or uses a machine in more than one place, they will find some functionality is not available or not working.
• With Notes Shared Login activated, Notes roaming does not work for users with Notes IDs stored in the Domino Directory; Notes Shared Login needs to be deactivated for Notes roaming support.
• The Notes ID cannot be moved to other machines; only the machine on which the Notes ID is initialized will know it.
• There is no support for single sign-on with roaming – the user must know and enter their password each time the Notes client is launched.
• Users with Windows roaming profiles can only be logged into one computer at a time.
• The Roaming Profile document containing the Notes ID file is not supported in Notes 8.5 (in previous versions of Notes, roaming users had a special profile document with the Notes ID attached in their local names.nsf).

Password Power Benefits:

• Roaming users obtain fully supported single sign-on, on more than one machine.
• Notes roaming users with Notes IDs stored in the Domino Directory are fully supported, as are users with ID files on network drives.
• The Notes ID can be used on machines other than the one on which it was initialized.
• Users with Windows roaming profiles can be logged into more than one computer at a time.
• The Roaming Profile document containing the Notes ID file is supported by synchronizing its password with Active Directory, ensuring encrypted email support via Blackberry and/or Domino Web Access is uninterrupted by password changes.

5. Use of Functionality on Multiple Machines and in Multiple Locations

Drawbacks:
• Notes 8.5 does not support Kiosk logins with a guest account.
• Users can log in with a Windows guest account and gain access, but there is no security because the DPAPI is effectively shared by all users of Lotus Notes on that machine.
• There is limited support for Kiosk logins using an Active Directory user account with single sign-on.
• With the initial setup, users must know the correct password; with ID vault storage, the Help Desk is required if the password is unknown.

Password Power Benefits:

• Support is provided for multiple computers automatically.
• Support is provided for access to kiosks with a guest account because Active Directory credentials can be entered when launching the Notes client; employing an Active Directory user account to log in to their own Windows profile allows users to obtain full single sign-on.

6. Password Checking Not Working – Rendered Inactive

Drawbacks:
• The Notes ID file password checking functionality does not work, particularly when using Notes Shared Login.
• Different passwords on different copies of the user’s Notes ID files are not allowed when Password Checking is enabled.
• With Notes Shared Login, manual synchronization is not possible.

Password Power Benefits:

• Notes ID file password checking is fully functional and supported.
• All Notes ID file copies are brought into synch with the user’s Active Directory password.

7. No Support for Citrix/Terminal Server Environments and Third-Party Applications

Drawbacks:
• Support for Citrix environments does not work with Notes 8.5.
• Notes native smart card support does not work when Notes Shared Login is activated, as Notes Shared Login does not allow the Notes ID file to be moved to other machines. Smart card integration with a mutable key stored on the smart card is also not supported.
• Domino HTTP password synchronization is not supported, requiring an additional login to access Domino and limiting browser-based access to Domino (see Lotus Domino issues below).
• Support is not available for third-party applications requiring the Notes ID file password (e.g. Domino Web Access and Blackberry encrypted email with the embedded Notes ID file in the mail file). Blackberry requires the Notes client to be running in order to synchronize.
• Support is not provided for the passwords of other enterprise systems, such as IBM WebSphere, IBM System i, SAP, Oracle and Web portals (e.g. Microsoft SharePoint); single sign-on and password synchronization are not available for these systems.

Password Power Benefits:

• Smart card integration for all smart card vendors is fully supported.
• Built-in Domino HTTP password synchronization is fully supported.
• Third-party systems, particularly Citrix, are fully supported.
• Third-party applications such as Domino Web Access and Blackberry encrypted email with the embedded Notes ID file are fully supported by synchronizing the passwords with Active Directory.
• Single sign-on or password synchronization is provided for WebSphere, System i, SAP, Oracle and Web portals.

Lotus Domino 8.5 Issues

1. Single Sign-On to Lotus Domino Not Available

Drawbacks:
• While Lotus Notes enables single sign-on to the Notes Client, it does not also enable single sign-on to Lotus Domino, which Notes users need to log into as well. Therefore, any benefit of reduced logons and password prompts does not really exist.

Password Power Benefits:

• Lotus users only need to remember their Active Directory password and log in with it once to achieve true single sign-on to all their Lotus applications (Domino, Sametime, Sametime Connect, Quickr).
• Password Power enables Lotus users to also have single sign-on to Domino using Active Directory with Kerberos.
• Users also gain the added security of the Kerberos authentication protocol, which mutually authenticates the user and the server they are attempting to access.

2. Browser-based Users Accessing Domino Have Limited Usability and Lack Security

Drawbacks:
• Users working remotely and others who need to access Domino via a browser do not have the advantage of a full set of features enabling convenience and flexibility.
• Notes users accessing Domino via a browser also sacrifice security.

Password Power/Web Set Password Benefits:

• With PistolStar’s Web Set Password, browser-based users obtain access to Domino easily and with the benefit of comprehensive password authentication, management and security features if single sign-on is not desired.
• Web Set Password provides users with the option of logging in with either their Active Directory or Domino HTTP password to access all Domino domains.
• Users gain the ability to manage their own passwords and perform self-service password resets.
• Users can also self-register, creating their own user accounts without involving administrators (if optionally enabled in the configuration).
• Globally and remotely-based users achieve streamlined access to corporate-wide intranets and extranets.
• Web Set Password customizes the native domcfg.nsf Domino database to provide a powerful upgrade to Domino’s authentication and password security functionality.
• IT administrators obtain capabilities and best practices for optimizing the security of the authentication process without increasing Help Desk calls.
• These added capabilities and best practices also enable IT administrators to meet the security requirements of government and industry regulations.

3. Domino Password Synchronization with the Notes and Active Directory Passwords Is Not Available

Drawbacks:
• Domino HTTP access does not synchronize the Notes ID password or the Active Directory password with the Domino HTTP password, so users need to remember more than one password to access their Lotus applications and encounter multiple logins.

Password Power/Web Set Password Benefits:

• Web Set Password allows users to synchronize their Domino HTTP password with their passwords for the Notes ID and Active Directory from a browser, reducing the number of logins.
• Password synchronization increases security because having only one password to commit to memory decreases the likelihood that end-users will write it down and become a target for internal network intruders.

Password Power – Deployed to Millions of Users, Fully Supported By Its Developers

Unlike Lotus Notes version 8.5, Password Power is a proven technology that has been deployed in over 400 enterprise environments. It is easy to use, predictable and reliable, providing powerful authentication, access control, and password management capabilities. Password Power optimizes the usability, security and compliance of Lotus applications by integrating Active Directory and the Kerberos authentication protocol. Organizations realize a dramatic reduction in Help Desk calls, decreased IT security costs and increased administrator and end-user productivity. Best of all, Password Power is delivered and supported by PistolStar’s expert development and technical support team.

###
