PistolStar, Inc.
PO Box 1226
Amherst, NH 03031
USA
Phone: 603.547.1200
Fax: 603.546.2309
E-mail: salesteam@pistolstar.com
Website: www.pistolstar.com
With Notes Shared Login, users can start Lotus Notes 8.5 by logging into Microsoft Windows with their Windows password; they do not also have to provide their Notes password. A random password is generated and set on the Notes ID, and a copy of that password is stored on the local hard drive, encrypted with Microsoft's Data Protection API (DPAPI) so that it is tied to the user's Windows profile on that machine.
Drawbacks:
• Because Notes Shared Login uses the Windows password, it gives the impression of true integration with Microsoft Active Directory when there is none. Active Directory password policies (password expiration, password complexity) do not apply to Notes client authentication and are not enforced; the Notes ID file's own password expiration and complexity settings are separate from, and not linked to, Active Directory, so the two sets of password policies drift out of synch.
• Users are still required to manage the Notes ID password, therefore they still have
two passwords to manage (Notes ID and Windows).
• Placing the user's Notes ID file password on the local hard drive poses a security risk, even though it is protected with DPAPI.
• Notes Shared Login works only on the computer on which it is activated, as the
Notes ID can only be stored on the user’s local hard drive; Notes ID files on network
shares are not supported.
• The credentials that are stored locally using DPAPI can only be used on the local
computer.
• To launch the Notes client on another computer, the user must first export the Notes ID from the original machine using a new Notes-specific process, set a password on the exported ID, and enter that password when launching Notes on the second computer.
• DPAPI-protected data can be decrypted by any code running in the user's open Windows session, so the stored Notes ID password is exposed whenever the user is logged in.
• If the user’s Windows password expires while logged into Windows or if their ac-
count is disabled while logged in, Notes Shared Login will still allow them to gain ac-
cess to Lotus Notes; thus, Notes Shared Login does not always reflect the status of
their Active Directory account.
• Windows users using Windows mandatory profiles will not be able to use Notes
Shared Login since no user-specific data persists across Windows logins.
• With Notes Shared Login, Lotus continues its practice of employing proprietary
methods for password authentication.
• With Notes Shared Login activated, other Lotus Notes features are disabled, including the new roaming capabilities offered in 8.5 and smart card integration, which has been available since Notes 6.
• With Notes Shared Login activated, support ceases for Citrix environments, Domino
Password Checking, Domino HTTP Password synchronization and third-party applica-
tions (see #7 below).
• The Notes Shared Login functionality is only available with Lotus Notes 8.5, so phased upgrades to 8.5 present a unique set of challenges; a full client/server upgrade is required.
• Organizations need to upgrade their entire environment at one time, not piecemeal, or
incompatibility issues with previous versions will result.
With Notes 8.5, Lotus now offers automatic password recovery of the Notes ID file, allowing users to more easily recover damaged, lost and forgotten ID files. Copies of the Notes ID file are stored in a highly protected ID vault, giving administrators the ability to more easily manage and reset individuals' passwords. This feature is only available with the Notes 8.5 upgrade.
Drawbacks:
• The automatic Notes ID password recovery capability is only available with the Notes
8.5 upgrade and is limited to the user’s computer.
• Restoring access to Lotus Notes using Notes Shared Login is limited to the user’s com-
puter on which Notes Shared Login is activated.
• Password recovery involving the ID vault is a manual process requiring the Help Desk.
• Self-service password recovery is not available (users must engage an IT administrator
or the Help Desk).
• The Help Desk must change the password in two places: Windows/Active Directory and
the ID vault.
• For the Help Desk to reset a password, the Help Desk user must be a Notes user with access to the Notes Admin Client; otherwise, custom code must be written against a new API offered by Lotus to integrate the ID vault with the organization's existing Help Desk application(s). This involves costs for initial training, development and subsequent maintenance.
Drawbacks:
• Only a single ID vault is supported in Notes 8.5.
• The single ID vault becomes a single point of failure if the server goes down (unless
vault replicas are created on other servers).
• With the single ID vault, any ID vault replication delays can cause issues such as the
Notes ID file password being out of synch during a password reset by the Help Desk.
• Collecting thousands of Notes ID files in an ID vault could create scalability issues,
which will likely require multiple vaults.
• Populating an ID vault with Notes ID files may cause performance issues: settings must be configured correctly the first time, or numerous pilots must be run, because the functionality is prohibitively difficult to validate in test environments with more than a few test users.
• When launching Notes on a machine, the user’s name must be in the drop-down in the
Notes Login Dialog (they cannot type their name and see it come up in the drop-down).
This means the ID vault can only be used on machines where the user has previously
logged into the Notes client.
• When the Notes ID file gets updated in the ID vault (e.g. after a name change), upload-
ing to the ID vault is unpredictable.
• When the Notes ID password expires in the Notes client, the corresponding password change in the ID vault must be done manually; it is not automatic.
With Notes 8.5, users can be set up to log into any available Notes client and use all the
Notes functionality. However, if the Notes Shared Login feature is activated, this functional-
ity/capability does not work.
Drawbacks:
• With Notes Shared Login activated, if the user only employs Notes on a single machine, the functionality works fine.
• With Notes Shared Login activated, if the user employs multiple machines or uses a machine in more than one place, they will find some functionality is not available or not working.
• With Notes Shared Login activated, Notes roaming does not work for users with Notes
IDs stored in the Domino Directory; Notes Shared Login needs to be deactivated for
Notes roaming support.
• The Notes ID cannot be moved to other machines; only the machine on which the Notes
ID is initialized will know it.
• There is no support for single sign-on with roaming – the user must know and enter their
password each time the Notes client is launched.
• Users with Windows roaming profiles can only be logged into one computer at a time.
• The Roaming Profile document containing the Notes ID file is not supported in Notes 8.5
(roaming users had a special profile document with the Notes ID attached in their local
names.nsf in previous versions of Notes).
Drawbacks:
• Notes 8.5 does not support Kiosk logins with a guest account.
• Users can log in with a Windows guest account and gain access, but there is no security, because everyone using the guest account shares one Windows profile and therefore the same DPAPI-protected Lotus Notes credentials on that machine.
• There is limited support for Kiosk logins using an Active Directory user account with sin-
gle sign-on.
• With the initial setup, users must know the correct password; with ID vault storage, the
Help Desk is required if the password is unknown.
Drawbacks:
• The Notes ID file password checking functionality (Domino Password Checking) does not work when Notes Shared Login is in use.
• Different passwords on different copies of the user’s Notes ID files are not allowed when
Password Checking is enabled.
• With Notes Shared Login, manual synchronization is not possible.
Drawbacks:
• Citrix environments are not supported when Notes Shared Login is activated in Notes 8.5.
• Notes native smart card support does not work when Notes Shared Login is activated,
as Notes Shared Login does not allow the Notes ID file to be moved around to other
machines. Smart card integration with a mutable key stored on the smart card is also
not supported.
• Domino HTTP password synchronization is not supported, requiring an additional login
to access Domino and limiting browser-based access to Domino (see Lotus Domino is-
sues below).
• Support is not available for third-party applications requiring the Notes ID file password
(e.g. Domino Web Access and Blackberry encrypted email with the embedded Notes ID
file in the mail file). Blackberry requires the Notes client to be running in order to syn-
chronize.
• Support is not provided for the passwords of other enterprise systems, such as IBM WebSphere, IBM System i, SAP, Oracle and Web portals (e.g. Microsoft SharePoint); single sign-on and password synchronization are not available for these systems.
Drawbacks:
• While Lotus Notes enables single sign-on to the Notes client, it does not also enable single sign-on to Lotus Domino, which Notes users need to log into as well. Therefore, the promised benefit of fewer logons and password prompts does not really materialize.
2. Browser-based Users Accessing Domino Have Limited Usability and Lack Security
Drawbacks:
• Users working remotely and others who need to access Domino via a browser do not
have the advantage of a full set of features enabling convenience and flexibility.
• Notes users accessing Domino via a browser also sacrifice security.
Drawbacks:
• Domino HTTP access does not synchronize the Notes ID password or the Active Directory password with the Domino HTTP password, so users need to remember more than one password to access their Lotus applications and encounter multiple logins.
Unlike Lotus Notes version 8.5, Password Power is a proven technology that has been deployed
in over 400 enterprise environments. It is easy to use, predictable and reliable, providing powerful
authentication, access control, and password management capabilities. Password Power opti-
mizes the usability, security and compliance of Lotus applications by integrating Active Directory
and the Kerberos authentication protocol. Organizations realize a dramatic reduction in Help Desk
calls, decreased IT security costs and increased administrator and end-user productivity. Best of
all, Password Power is delivered and supported by PistolStar’s expert development and technical
support team.
###