Administration Guide. All rights reserved. For more information about Specops Password Sync and other Specops products, visit www.specopssoft.com
Copyright and Trademarks

Specops Password Sync is a trademark owned by Specops Software. All other trademarks used in this document belong to their respective owners.
Contents

Using Specops Password Sync with Domino
Security
Name Resolution
Installation
Account Prerequisites
Database rollout - New Installation
Database rollout - Upgrade
Signing the Domino Specops Password Application
Granting Domino directory access to signer/application account
Granting Execution Rights
Granting ID Vault access to signer/application and server accounts
Granting Domino Inetlockout access to signer/application account
Web Service Configuration
Validating the Specops Domino Web service
Trusting SSL certificate from Specops Password Sync Server
Domino user policy configuration
Sync Point Configuration
Configuring Name Mapping
Best Practices
Installation
Password Sync Provider Test Tool
Enabling tracing
Troubleshooting
Error messages
About Specops Password Sync

Specops Password Sync simplifies password management for users by allowing them to use one password with multiple systems. Specops Password Sync instantly synchronizes Active Directory passwords to other systems, such as IBM Domino. Synchronizing Active Directory passwords to other systems ensures that passwords are changed regularly and that the same level of complexity is applied across all systems.

Specops Password Sync is a component of the Specops Password Management Suite. Specops Password Management takes a holistic approach to password management that increases security, cuts costs, and extends the reach of password-based security. You can learn more about the Specops Password Management solution and other Specops Password related products at www.specopssoft.com/products/specops-password-management.
Using Specops Password Sync with Domino

In order to synchronize passwords with IBM Domino, the following components must be installed and configured:

Domino Provider for Specops Password Sync: The Domino Provider for Specops Password Sync is a component of the Specops Password Sync Server. Once it has been determined that a password sync should take place for a user in Domino, the Domino Provider for Specops Password Sync sends a Web Request to the Web Service exposed by the Specops Password Domino Application.

Specops Password Domino Application: The Specops Password Domino Application is an application (.nsf) in Domino exposed as a Web Service.
Security

The Domino Provider for Specops Password Sync sends password changes over TLS/SSL to the Specops Password Domino Application. A dedicated user account in Domino should be used to authenticate the Domino Provider for Specops Password Sync to the Web Server exposed by the Specops Password Domino Application. A different dedicated account should be used as the signer/application account for the Specops Password Domino Application.

You can find more information about Specops Password Sync security in the Specops Password Sync Administration Guide at www.specopssoft.com/documentation/specopspassword-sync-documentation/specops-password-sync-administration-guide.
Name Resolution

User names in Active Directory differ from user names in Domino. For sync to work correctly, it must be possible to uniquely identify the correct Domino user for each Active Directory user. For example, a user might have the following account-specific names:

Attribute                                                      Active Directory          IBM Domino
SAM Account Name                                               jdoe                      n/a
Full Name                                                      n/a                       John Doe/Company, John Doe
SMTP address / Internet address                                john.doe@company.com      john.doe@company.com
User Principal Name / Active Directory (Kerberos) logon name   jdoe@sweden.company.com   jdoe@sweden.company.com
Short Name                                                     n/a                       Jdoe

Note: In Domino, the full name can contain multiple items and is not necessarily unique. Using the full name is not recommended; use the SMTP or Kerberos/UPN field instead. If the Specops Password Domino Application detects during a password reset that the Specops Password Sync server's search criteria match multiple Domino users, the password reset is rejected. Additionally, an error message is logged in the Windows Event Log on the Sync server.

Depending on what has been populated in Active Directory and Domino, there are alternative Active Directory attributes to use when locating the user in Domino. For example:

Attribute to use in the Sync Point configuration   Condition
Mail                                               All users' Active Directory SMTP addresses exist both in Active Directory and Domino.
userprincipalname                                  All Domino users have the Active Directory (Kerberos) logon name field populated with the information from Active Directory.
employeeid                                         All users in Active Directory have their Domino abbreviated name (John Doe/My Company) stored in the employeeid attribute in Active Directory.
samaccountname (not recommended)                   All users have the same samaccountname in Active Directory as their Short Name in Domino.
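The uniqueness rule described above, as an added example that is not Specops or IBM code: a small Python model of the Domino-side lookup, with one function per Sync Point name mapping and the same "reject on multiple matches" behaviour the guide requires. The Person records, field names and the MAPPING_TO_FIELD table are constructed for this illustration; in the product the lookup runs as LotusScript inside Domino.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PersonDoc:
    """Constructed stand-in for a Domino Person document in names.nsf."""
    full_names: List[str]                 # FullName is multi-valued and not unique
    short_name: str
    internet_address: Optional[str] = None
    kerberos_name: Optional[str] = None   # "Active Directory (Kerberos) logon name"


class AmbiguousUserError(LookupError):
    """Raised when more than one Person document matches the search key."""


# Domino field that each Sync Point name-mapping attribute is compared against
# (hypothetical field names; they exist only in this example).
MAPPING_TO_FIELD = {
    "mail": "internet_address",
    "userprincipalname": "kerberos_name",
    "employeeid": "full_names",      # AD employeeid holds the Domino abbreviated name
    "samaccountname": "short_name",  # the mapping the guide does not recommend
}


def _matches(doc: PersonDoc, field_name: str, key: str) -> bool:
    """Case-insensitive comparison that also handles multi-valued fields."""
    value = getattr(doc, field_name)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(v.lower() == key.lower() for v in values)


def resolve_user(directory: List[PersonDoc], mapping: str, key: str) -> PersonDoc:
    """Return the one Person document matching key, or raise.

    Applies the guide's rule: when the search criteria match more than one
    Domino user, the reset is rejected instead of being applied to a guess.
    """
    field_name = MAPPING_TO_FIELD[mapping]
    hits = [d for d in directory if _matches(d, field_name, key)]
    if not hits:
        raise LookupError(f"No Domino user found for {mapping}={key!r}")
    if len(hits) > 1:
        listed = ", ".join(f"[{d.full_names[0]}]" for d in hits)
        raise AmbiguousUserError(
            f"Multiple documents found for user {key!r}: '{listed}'. "
            f"The {mapping} search key must be unique.")
    return hits[0]


# Constructed sample directory: two people share the full name "John Doe"
# and the short name "Jdoe", but have distinct e-mail and Kerberos names.
SAMPLE_DIRECTORY = [
    PersonDoc(full_names=["John Doe/Company", "John Doe"], short_name="Jdoe",
              internet_address="john.doe@company.com",
              kerberos_name="jdoe@sweden.company.com"),
    PersonDoc(full_names=["John A Doe/Company", "John Doe"], short_name="Jdoe",
              internet_address="john.a.doe@company.com",
              kerberos_name="jadoe@sweden.company.com"),
]


def demo() -> dict:
    """Try each mapping against the sample directory and report the outcome."""
    probes = [("userprincipalname", "jdoe@sweden.company.com"),
              ("mail", "john.doe@company.com"),
              ("employeeid", "John Doe"),
              ("samaccountname", "jdoe")]
    outcome = {}
    for mapping, key in probes:
        try:
            outcome[mapping] = resolve_user(SAMPLE_DIRECTORY, mapping, key).full_names[0]
        except AmbiguousUserError as exc:
            outcome[mapping] = f"REJECTED: {exc}"
    return outcome


if __name__ == "__main__":
    for mapping, result in demo().items():
        print(f"{mapping:18} -> {result}")
```

Running it shows why the guide prefers the SMTP and UPN mappings: the two attributes that happen to collide in this directory (full name and short name) both cause the reset to be refused, while mail and userprincipalname resolve to exactly one person card.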
Installation

Account Prerequisites

Specops Password Domino signer/application account

The Specops Password Domino signer/application account, in Domino, executes the Domino Specops Password Reset application. This account must meet the following requirements:
- Access to ID Vault with the Password Reset Agent Authority option checked.
- An existing account or a new account, as determined by the administrator. Note: It is recommended to create a new account with the name SpecopsPwdResetter/MyDomain.
- A full account with an ID file.

Specops Password Web Service user account

The Specops Password Web Service user account, in Domino, is used by the Domino Password Sync provider in the Specops Password Sync Server to access the Web service published by the Specops Password Domino Web Service. This account must meet the following requirements:
- Internet/HTTP password set for the user.
- Web user (no ID file needed).
- An existing account or a new account, as determined by the administrator. Note: It is recommended to create a new account with the name SpecopsWebUser/MyDomain.

The Domino sync point(s) on the Specops Password Sync Server should be configured to use this user's credentials as administrative credentials.

Specops Domino Password Reset group

The SpecopsDominoPwdReset group must be created in the Domino Directory and populated with the signer/application account and the web service account above. Administrative accounts used to configure the application and to read log information for troubleshooting can also be added to the SpecopsDominoPwdReset group.
Database rollout

New Installation

These steps apply if the Specops Password Domino Application is being installed for the first time.

1. Copy the SpecopsPassword.ntf template to your Domino client's local data directory, typically C:\Program Files (x86)\ibm\notes\data. Note: The template SpecopsPassword.ntf is installed along with the Domino Sync provider, typically under C:\Program Files (x86)\Specopssoft\Specops Password Sync\Server\Providers\DominoWebService.
2. On the designated server (SRV17/Specops in the sample), select New Application.
3. Select the Specops Password template.
4. Enter a relevant Title and File Name.
5. Disable the Inherit future design changes checkbox if you do not want your application design to be updated when the nightly server task runs. Note: This setting is optional.
Upgrade

These steps apply if the Specops Password Domino Application has already been installed and an updated .ntf is provided by Specops.

1. Make sure the Sync Server is upgraded before upgrading the Specops Password Domino Application.
2. Copy the updated SpecopsPassword.ntf template to your Domino client's local data directory, typically C:\Program Files (x86)\ibm\notes\data. Note: The template SpecopsPassword.ntf is installed along with the Domino Sync provider, typically under C:\Program Files\Specopssoft\Specops Password Sync\Server\Providers\DominoWebService.
3. From the Domino Administrator client, click to select the Specops Password database.
4. From the File menu, select Application, and click Replace Design.
5. In the Replace Application Design dialog box, select Specops Password and disable the Inherit future design changes checkbox if you do not want your application design to be updated when the nightly server task runs. Note: This setting is optional.
6. Click Yes in the dialog about replacing the database design.
The Specops Password Domino Application is now updated and available from the Sync Server.
Signing the Domino Specops Password Application

The Specops Password application runs in the context of the signer/application user account.

1. Log in to the Domino Designer (or Administrator) tool with the signer/application account (SpecopsPwdResetter).
2. For the new Specops Password application, select Sign design.
3. Click OK to accept signing with the signer/application account ID.
Granting Domino directory access to signer/application account

In order for the signer/application account to be able to reset the HTTP/Internet password, you need to edit the ACL of the Domino Directory.

1. From the Domino Administrator, select Application and click Access Control for the Domino Directory.
2. Grant the editor role (UserModifier) to the signer/application account.
Granting Execution Rights

For the Domino Specops Password Reset Web service to be functional, you need to configure the following settings:
- The signer/application account must be granted access to Sign agents to run on behalf of someone else.
- The web service account must be granted access to Sign or run restricted LotusScript/Java agents.

You can configure these settings by editing the server configuration document for the designated server under the Security tab.
Granting ID Vault access to signer/application and server accounts

In order to synchronize a password change from Active Directory to Domino's ID Vault through Specops Password Sync, an administrative account must be granted special access to perform the resets in ID Vault. Before you perform the following steps, verify that you have enabled InetLockout.

1. From the Domino Administrator, select Configuration, Security and ID vaults. Note: If multiple ID vaults are involved, this must be repeated for all ID vaults.
2. Click Password Reset Authority, and add the signer/application account and the server where the Specops Password application web service will run. Note: If multiple certificates exist in the same vault, the signer/application account and the server must be granted access for all the certificates.
Note: Both the signer/application account and the server must have Password reset agent authority checked, indicated by the @ symbol in the UI.
Granting Domino Inetlockout access to signer/application account

If a user has been locked out, i.e. has been added to inetlockout.nsf, and a reset takes place, the user will be unlocked if the sync point provider has been configured to use internet lockout (the default). Unlocking the user means that the user is deleted from the inetlockout.nsf database. Thus, the signer/application account must be granted the right to delete documents from inetlockout.nsf.

1. From the Domino Administrator, select inetlockout.nsf from the Files tab.
2. Right-click, select Access Control and click Manage.
3. Enable Delete documents to ensure the SpecopsPwdResetter account has permission to delete documents.
Web Service Configuration

The Domino Sync Provider, in the Specops Password Sync Server, posts web service requests to a web service in the Specops Password Domino Application to unlock users, reset HTTP passwords, and reset ID Vault passwords. For this to work, the HTTP server task must be enabled on the Domino server, SSL must be configured, and Basic HTTP authentication must be used.

Note: Configuring the Specops Password Domino Web Service to run over http (non-encrypted) would make it possible for an attacker to listen for passwords on the network, and is therefore not a supported configuration.

The SSL certificate presented by the Domino server must be trusted by the Specops Password Sync Server, so that the Domino Sync Provider on the Password Sync Server accepts it. Typically, a certificate issued by the PKI infrastructure in the Active Directory domain can be imported into the Domino keyring, or an existing Domino certificate can be imported into the certificate store on the Specops Password Sync Server.
Validating the Specops Domino Web service

To validate that the certificate configuration is working properly, verify that the following URLs work by entering them in Internet Explorer or a compatible web browser:

https://<yourserver>/specopspassword.nsf/specopspasswordreset?wsdl
https://<yourserver>/specopspassword.nsf/specopspasswordreset?openwebservice

The URLs need to be adjusted depending on how the Specops Password Domino Application has been set up.
Trusting SSL certificate from Specops Password Sync Server

If a self-signed certificate is used, the certificate must be imported and trusted by the Password Sync Server, or the SSL channel will fail. If using a certificate from a certificate authority trusted in Windows, no additional configuration should be needed. If using a self-signed certificate from Domino, the SSL certificate must be imported in Windows under Trusted Root Certification Authorities. This can be done by visiting the WSDL URL from Internet Explorer, continuing despite the security warning, and importing the certificate presented on the SSL channel into the Windows certificate store once the channel is established.

For more information, read:
http://blogs.msdn.com/b/robert_mcmurray/archive/2013/11/15/how-to-trust-the-iisexpress-self-signed-certificate.aspx
http://blogs.msdn.com/b/ieinternals/archive/2013/12/12/ie-website-security-certificateblocking-page-missing-continue-link.aspx
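The two requirements in the Web Service Configuration and certificate-trust sections above (HTTPS only with Basic authentication, and a trusted server certificate), as an added example that is not Specops code: a Python client that fetches the WSDL URL the guide uses for validation while keeping certificate verification switched on. A self-signed Domino certificate is trusted by loading it as an extra CA (the programmatic counterpart of importing it under Trusted Root Certification Authorities), never by disabling verification. The server name, the account name, the password and the extra_ca_pem path are constructed inputs.

```python
import base64
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlparse


def make_tls_context(extra_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Default verifying TLS context, optionally extended with one extra trust anchor.

    extra_ca_pem is an assumed input: a PEM file holding the Domino server's
    self-signed certificate. Hostname checking and CERT_REQUIRED stay on.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if extra_ca_pem:
        ctx.load_verify_locations(cafile=extra_ca_pem)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def wsdl_url(server: str, database: str = "specopspassword.nsf") -> str:
    """Build the WSDL URL in the layout the guide shows for validation."""
    return f"https://{server}/{database}/specopspasswordreset?wsdl"


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials as the Domino server expects them."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_request(url: str, user: str, password: str) -> urllib.request.Request:
    """Refuse plain-http URLs: Basic credentials would cross the wire in clear."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS URL: {url}")
    req = urllib.request.Request(url)
    req.add_header("Authorization", basic_auth_header(user, password))
    return req


def fetch_wsdl(server: str, user: str, password: str,
               extra_ca_pem: Optional[str] = None, timeout: int = 10) -> bytes:
    """Fetch the WSDL over verified TLS; raises ssl.SSLCertVerificationError if untrusted."""
    req = build_request(wsdl_url(server), user, password)
    ctx = make_tls_context(extra_ca_pem)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed values; the network call only succeeds against a real server.
    print(wsdl_url("srv01.company.com"))
    print(build_request(wsdl_url("srv01.company.com"),
                        "SpecopsWebUser/Specops", "example").get_header("Authorization"))
```

A certificate failure surfaces here as ssl.SSLCertVerificationError, which corresponds to the "Could not establish trust relationship for the SSL/TLS secure channel" error the troubleshooting section lists; the fix is to supply the right trust anchor, not to relax verification.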
Domino user policy configuration

By default, Domino requires users to change their passwords after an administrator has reset them. This policy must be disabled in order for the Specops Password Sync Domino provider to be used. If the policy is enabled, users will be forced to change their passwords when logging in to Notes/Domino, directly after having set a new password.
Sync Point Configuration

When the Specops Password Domino Application has been installed in Domino and is reachable from Internet Explorer, the Domino Provider for Specops Password Sync can be configured.

1. Start the Password Sync Admin Tools.
2. Create a Sync Point and select the Domino Web Service provider.

The provider has the following settings:

Setting: Reset HTTP Password
If this setting is enabled (true), a reset of the Internet/HTTP password in Domino takes place when a password is synchronized between Active Directory and the Domino provider. This feature should be enabled.
Default: true

Setting: Unlock if locked out
If this setting is enabled (true), locked out users in the Internet Lockout database are unlocked when a password is synchronized between Active Directory and the Domino provider. Enable this feature if the Domino system uses the Internet lockout feature. Note: If this is enabled but the Internet lockout feature is disabled, the reset will not fail.
Default: true

Setting: Reset ID Vault Password
In Domino both the HTTP password and ID files can be used for authentication. If ID Vault is not used, or a user is not in ID Vault, synchronizing the user's password from Active Directory to Domino means that the user's new password applies to Internet logins, but not to Notes client logins. Enabling ID Vault on the server, and adding a user to ID Vault, means that the user's ID Vault password is reset as well. Passwords are then synchronized from Active Directory, and users can log on to both web mail in Domino and the Notes client. Note: There may be a delay between resetting the ID Vault password and when the user can log on, due to how Domino's queue systems are designed. This feature should be enabled only if the system has ID Vault configured. If a user does not exist in ID Vault, the reset still works, and the trace, if enabled, will indicate "Entry not found in index" for the user.
Default: true

Setting: Address to the ID Vault Server
The name of the vault server to use. If left empty, the ID Vault is assumed to be on the same server as the Specops Password Domino Application. An explicit server can be specified in the format SRV17/Domain. If multiple ID Vault servers exist, this must be handled by configuring different Sync Points, each specifying the ID Vault server to use.
Configuring Name Mapping

The name mapping decides which value from the Active Directory user object is sent to the Domino provider to identify the user. If all users in Domino have Kerberos names from Active Directory set, use userprincipalname as illustrated in the picture. Without name mapping, the Active Directory samaccountname property is used. Even though this might work in some Domino systems, it introduces a risk of inaccurate name translations between the Active Directory account and the Domino account.

Once the Sync Point and its name mapping have been configured, password changes for Active Directory users covered by a policy that includes the newly created Sync Point should be synchronized to the Domino target system.
Best Practices

Installation

When setting up the Specops Password Sync server, it might be easiest to first use the file writer provider to make sure everything is installed and configured correctly in Active Directory and on the Password Sync Server. Please refer to the Specops Password Sync Administration Guide for more information. Once it has been verified that a reset of a user's password is processed to the file writer sync provider's log file, the next step is to look at the sync provider to use, in this case the Domino Sync Provider.

In order to validate that the Web Service for the Domino Provider for Specops Password Sync is properly configured and reachable, start PasswordSync.ProviderTestApp.exe on the sync server. The Password Sync admin tools must be installed on the sync server.
Password Sync Provider Test Tool

Press Load to load all available providers, and select Domino Web Service. Enter the following:
- URL of the Domino server, e.g. https://srv01.company.com/specopspassword.nsf/specopspasswordreset?openwebservice.
- Name of the web service user account, e.g. SpecopsWebUser/Specops.
- Password of the web service user account.
- Information about the target user whose password is to be reset, e.g. JohnDoe@SWEDEN.COMPANY.COM.
- The user's password.

Clicking the Reset button should indicate that the reset was successful, or, if it fails, show information about the failure that can be used to resolve the issue.

If the reset failure appears to happen in the Specops Password Domino Application, it is possible to enable tracing on that side by setting Specops Password nsf tracing to 2 and clicking Reset. To view the trace information, double-click Specops Password nsf from the Domino Administrator. The default view should contain the log information. In production systems, tracing should be disabled, i.e. set to 0, from the Sync Point configuration in Password Sync.
Enabling tracing

The following displays a successful reset for the user John Doe, when the search criterion is the UPN in Active Directory (JohnDoe@SWEDEN.COMPANY.COM):

The following displays how the debug output looks when attempting to reset user jdoe's password, and the name jdoe is found as the full name of two users, John Doe and John A Doe.
Troubleshooting

If you are having product related issues, there are several ways to troubleshoot the product.

Error messages

The following are some error messages that might appear for incorrect configurations. The error messages can be viewed either in the Password Sync Provider Test Application or in the Windows Event Log on the Sync Server.

Error: Multiple documents found for user 'John': '[John First Doe/Specops], [John Second Doe/Specops]'. The username provider must be unique for ($Users).GetDocumentByKey
Resolution: This error means that the user account whose password is being synchronized from the Specops Password Sync server could not be uniquely identified in Domino. Therefore, the password was rejected. In order to locate the user, the LotusScript method "GetDocumentByKey(userName, True)" is used on the $(People) view in "names.nsf". Review the users in the error message, in this case John First Doe and John Second Doe, and verify that their person cards don't have information that prevents them from being unique. Possible solutions are to change the Sync Point configuration's Name mapping to use e-mail addresses from Active Directory that are unique in Domino, or to use userprincipalname from Active Directory with a unique "User Principal Name / Active Directory (Kerberos)" set on their person card.

Error: Could not establish trust relationship for the SSL/TLS secure channel with authority 'SRV01.COMPANY.COM:443'
Resolution: The SSL certificate presented by the Web Service for the Specops Password Domino Application is not trusted by the Specops Password Sync server. Use a certificate from a trusted certificate authority, or import the certificate as a Trusted Root certificate in Windows. It is often easiest to start by manually entering the Web Service URL in Internet Explorer on the Specops Password Sync Server.
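The two error messages above, as an added example that is not part of the guide: a Python triage helper that scans Sync Server log lines (Event Log exports or Provider Test Application output), recognises each error text, pulls out the conflicting Domino names or the server authority, and attaches the resolution the guide gives. The sample log lines are constructed from the error texts on this page; the timestamps, the "Finding" structure and the hint texts are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Patterns built from the two error texts quoted in the guide.
MULTI_DOC_RE = re.compile(
    r"Multiple documents found for user '(?P<user>[^']*)': '(?P<docs>.*?)'\.")
TLS_TRUST_RE = re.compile(
    r"Could not establish trust relationship for the SSL/TLS secure channel "
    r"with authority '(?P<authority>[^']+)'")


@dataclass
class Finding:
    kind: str          # "ambiguous-user" or "untrusted-certificate"
    detail: str        # what was extracted from the line
    names: List[str]   # Domino names listed in the error, if any
    hint: str          # the guide's resolution, summarised


def classify(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None for lines that are not these errors."""
    m = MULTI_DOC_RE.search(line)
    if m:
        # The document list looks like '[John First Doe/Specops], [John Second Doe/Specops]'
        names = re.findall(r"\[([^\]]+)\]", m.group("docs"))
        return Finding(
            kind="ambiguous-user",
            detail=f"search key {m.group('user')!r} matched {len(names)} Person documents",
            names=names,
            hint="Reset rejected. Check the listed person cards, or change the Sync Point "
                 "name mapping to mail or userprincipalname so the key is unique in Domino.")
    m = TLS_TRUST_RE.search(line)
    if m:
        return Finding(
            kind="untrusted-certificate",
            detail=f"certificate from {m.group('authority')} is not trusted by the Sync Server",
            names=[],
            hint="Use a certificate from a trusted CA, or import the Domino certificate "
                 "under Trusted Root Certification Authorities on the Sync Server.")
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Return the findings for every recognised error line, in input order."""
    return [f for f in (classify(line) for line in lines) if f is not None]


# Constructed sample log, modelled on the error texts in the guide.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 Information Password synchronized for user 'alice' to sync point Domino",
    "2024-01-01 10:02:14 Error Multiple documents found for user 'John': "
    "'[John First Doe/Specops], [John Second Doe/Specops]'. The username provider "
    "must be unique for ($Users).GetDocumentByKey",
    "2024-01-01 10:05:30 Error Could not establish trust relationship for the "
    "SSL/TLS secure channel with authority 'SRV01.COMPANY.COM:443'",
]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.kind}: {finding.detail}")
        for name in finding.names:
            print(f"  candidate: {name}")
        print(f"  hint: {finding.hint}")
```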
Support

Online: We recommend submitting your case directly on our website at www.specopssoft.com/support.

Telephone
International: +46 8 465 012 50, Monday - Friday: 09:00-17:00 CET
North America: +1-877-SPECOPS (773-2677), Monday - Friday: 09:00-17:00 EST