Category Archives: IBM Domino

Internet Explorer – Edge Mode without SPNEGO SSO

Last week I ran into an issue where some Domino servers no longer provided SSO through SPNEGO (the environment had been working for over two years). This environment uses the customized domcfg.nsf template by Andreas Artner; maybe that is related, but I don’t think so. The clients run Windows 7 with the latest Internet Explorer 11, the servers are Domino 9.0.1 with the latest fix pack.

So what happened? The Domino servers have been placed in IE’s “Local Intranet Zone” through Group Policy from the beginning. The Windows administrators started to enable “Enterprise Mode” for better handling of compatibility mode, and one of the steps is to deactivate the “Display intranet sites in Compatibility View” option.

After this, all sites that are not explicitly configured in “Enterprise Mode” load in “Edge Mode” and no longer in quirks mode.

Nearly everything worked fine: XPages render every HTML5 element, the sites seem to deliver content faster, and so on.

BUT:

The configured SPNEGO authentication no longer kicks in; domcfg.nsf loads the fallback login form directly. I analyzed the traffic with Fiddler 4, but there was nothing suspicious in the trace. So we configured one Domino URL to load in Quirks Mode (IE document mode 5) and desktop SSO worked immediately. We then tried the different document modes, and it turned out that only “Edge Mode” in IE11 caused problems; when we went one step back to IE 10 compatibility mode, everything worked: XPages, HTML5 and desktop Single Sign-On.

I hope this saves you some time during troubleshooting. I think Enterprise Mode is a trend, and removing Quirks Mode is an important step.

Securing Domino Protocols against Brute Force Attacks

For years I have thought that the Internet password lockout feature of IBM Domino is not enough. The function is documented here: IBM Domino Administrator Help

Quote from this document:

There are some usage restrictions for Internet password lockout: You can only use Internet password lockout with Web access. Other Internet protocols and services, such as LDAP, POP, IMAP, DIIOP, IBM® Lotus® Quickr®, and IBM Sametime® are not currently supported. However, Internet password lockout can be used for Web access if the password that is used for authentication is stored on an LDAP server.

So the documentation tells us that only HTTP can be secured through inetlockout.nsf, and for years the documentation was right. Protocols like LDAP, SMTP or POP3 were therefore exposed to dictionary attacks.

Last week at a customer site I couldn’t log in to IBM Connections, even with the correctly spelled password. After checking the Domino server I found that the user had an entry in the inetlockout.nsf database. That was the first time I had seen this behavior; the Domino server was version 8.5.3.

Today I had some spare time and checked the other protocols on my demo server for my AdminCamp sessions next week.

So I enabled authentication on SMTP, POP3 and IMAP and started logging in with wrong passwords, and I also tried wrong passwords against the LDAP-authenticated Sametime and Connections. What should I say? I was locked out on all protocols! Martin Leyrer pointed me to the following technote, where the feature is mentioned as a way to secure SMTP against brute force. That’s the only document I can find where the extended inetlockout is mentioned or documented.

I don’t know how many of my customers or friends have asked for this feature, but we have talked about it often. It’s a feature we asked for a long time ago, and it is really important for every Domino deployment with internet access. Now all important protocols are safe against brute force or dictionary attacks.

So, great news, but the documentation must be updated and the feature must be officially announced.

Why?

  1. It is a really important security feature.
  2. If you already use inetlockout for HTTP and you update your Domino server, the feature becomes active without any additional work! Good for security, but your helpdesk team could be a little surprised.

Which Domino version first included this code?

If you want to know how to deploy the lockout feature, please read the documentation and this technote.

Update:

I got a mail saying that with 8.5.3 FP6 only SMTP and LDAP work with inetlockout. I can’t test this at the moment, but with 9.0.1 POP3 and IMAP are secured too. I need to test this again with lower versions and DIIOP.

nginx

You can use nginx as a reverse proxy for mail protocols. This is a way to put SHA-256 enabled certificates in front of your Domino servers.
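As an added illustration (this is not configuration from the original post), here is a minimal nginx mail-proxy setup that terminates TLS with its own certificate for IMAP, POP3 and SMTP submission and hands the connection to a Domino server behind it. The host name, certificate paths and the auth_http backend address are placeholders; the auth_http backend is something you must provide yourself, since nginx asks it for every login which backend server and port to connect to.

```nginx
# Added example, not from the original post. Placeholders: mail.example.com,
# the certificate paths and the auth backend on 127.0.0.1:9000.
events {}

mail {
    server_name mail.example.com;

    # nginx sends Auth-User / Auth-Pass / Auth-Protocol headers to this URL and
    # expects Auth-Status, Auth-Server and Auth-Port back (the Domino host/port).
    # The password travels in clear text to this backend, so keep it on loopback.
    auth_http 127.0.0.1:9000/auth;
    proxy_pass_error_message on;

    # The certificate the clients see: issued with a SHA-256 signature, which is
    # the reason for putting nginx in front of Domino in the first place.
    ssl_certificate     /etc/nginx/tls/mail.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/mail.example.com.key;
    ssl_protocols       TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Only advertise authentication methods the Domino backend accepts.
    imap_capabilities IMAP4rev1 UIDPLUS;
    pop3_auth plain;
    smtp_auth login plain;

    server {
        listen   993 ssl;
        protocol imap;
    }

    server {
        listen   995 ssl;
        protocol pop3;
    }

    server {
        listen   587;
        protocol smtp;
        starttls on;
        # Domino does not speak the XCLIENT extension, so do not send it.
        xclient off;
    }
}
```

Two things to keep in mind with this layout: the Domino server now sees every connection coming from the nginx address, so anything Domino logs or limits per client IP (including the lockout behaviour described above) applies to the proxy, not to the real client; and because nginx authenticates against the backend with the user's credentials, failed logins still reach Domino and still count against the account.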

System Requirements IBM Notes Domino 9 are available

You find the default system requirements in the overview document: “Index of system requirements for Notes, Domino, Domino Administrator, Domino Designer & Notes Traveler”.

I noticed some interesting points. IBM Domino for Windows is available as 32- and 64-bit software, but it is only supported on Windows Server 2008 R2 and Windows Server 2012, so no 32-bit Windows is supported!

So a lot of us will have to upgrade the OS first.

For the first time we get a 64-bit Linux server in a gold release. I tested it in the beta and it works without any problems.