HCL Domino & ADFS – SSO Suddenly stops working

If you are using ADFS with Domino as a Single Sign-On solution, and you get a call from a friendly user telling you that Single Sign-On stopped working, check if you are seeing the following error on the HCL Domino server console:

SECCheckAndParseSAMLResponse> VerifyAssertionSignature : Document has been modified or corrupted since signed! (signature)

If that is the case, check the expiration date of the “Token-decrypting” and “Token-signing” certificate on the ADFS Server. The easiest way to do that is using the ADFS Management Snap-in or ADFS Management Console.

If the secondary “Token-decrypting” and “Token-signing” is going to expire in two weeks or fewer and the ADFS certificate rollover has started, than you have to reimport the FederationMetadata.xml into your HCL Domino servers. Just download the new “FederationMetadata.xml” file according to the official documentation and re-import it into the existing IdP Configuration documents (you may have more than one).

After importing the new “FederationMetadata.xml” file, just refresh the HTTP configuration and restart the HTTP Task on the Domino Server. You can do that using the “tell http refresh” and “tell http restart” commands respectively. That should be it, your SSO solution should be back in business.

UPDATE

As Patrick Schneider mentioned, in the comment section of this post, you can increase the lifetime of the signing and decrypting certificates:

You can define the certificate duration in ADFS using PowerShell (10 years: Set-ADFSProperties -CertificateDuration 3650 and force a manual Certificate Rollover, see https://xenit.se/tech-blog/changing-default-adfs-decrypt-signing-certificate-lifetime-from-1-year-to-x-years/ )
Be aware that this also affect other services that are using ADFS.

@Patrick Schneider, thank you very much for this valuable information!

HCL Domino AppDev Pack – IAM System Requirements

As of now, there are no separate System Requirements listed for IAM component, of the Domino AppDev Pack, in the official documentation.

I opened a support case regarding this and got the information that the IAM component will run on any OS where the Node.js, version which is mentioned in the official documentation, will run.

HCL Domino AppDev Pack 1.0.2 – Documentation Released

The documentation for the new version of Domino AppDev Pack 1.0.2 is available.

So if you are evaluating to deploy the Domino AppDev Pack, make sure to take a look at the release notes of the 1.0.2 version.

What’s New in Release 1.0.2

Release 1.0.2 includes the following new features:

• (Preview) A domino-db application may now request the ability to make Proton requests on behalf of a user. The feature, collectively named Act as User is implemented across multiple components from the AppDev pack. For details, see:
  • IAM Service: the Domino Database Access section and related sections on other pages.
  • Act as User Administration in Proton Configuration and Database Configuration
  • Act as User in domino-db
• IAM service
  • Efficiently leverage multiple CPU cores on the server.
  • The ability to configure token expiration. See Configure Token Expiration.
  • Support 3rd party statistics server integration through ‘StatsD’ protocol. See IAM statistics.
• The ability to create and read Names, Readers and Authors items.
• The ability to create, read and delete attachments. See Attachments for details.
• The ability for Proton to update the Domino directory with an application’s certificate. See details here.

IBM Domino 10.0.1 FP2 is available for Download

Two days ago the IBM/HCL released a new Fix Pack for IBM Domino and Notes 10.0.1, the Fix Pack 2. Take a look at the IBM Domino 10.0.1 FP2 Release Notes.

The Fix Pack is available for Download from the Fix Central:
IBM Domino 10.0.1 Fix Pack 2
IBM Notes 10.0.1 Fix Pack 2

If you are interested in running Domino on Docker, take a look at the Daniel Nashed´s Blog for the updated scripts.

SAML & IBM Notes Traveler – Encrypted E-Mails Issue

A while ago, we ran into issue with SAML on IBM Notes Traveler devices. The Users were not able to open encrypted E-Mails.

Before assigning Users with SAML Policy in Domino Directory, Users were able to upload their ID-File and open Encrypted E-Mails. But as soon as the SAML Policy was assigned to a user, that would not be possible anymore.

We opened a Ticket at IBM and shortly after that we got a confirmation that the issue is related to SPR # GFAL9ZBJVT . A few days ago we got a Hot Fix for this issue, which needs to be installed on the users Mail Server. After installing this fix, the users were able to open encrypted E-Mails on their Apple devices (with Companion App installed) without any issue.

The Hot Fix for SPR # GFAL9ZBJVT is not included in Domino 10.0.1 or 10.0.1 FP1 release.

Update: The Hotfix is included in Domino 10.0.1 FP1 Code, take a look at the article from Daniel Nashed.

IBM Notes/Domino G1 Language Packs Released

IBM Notes and Domino G1 Language Pack was released yesterday, part numbers are listed below.

Take note that the FP1 is not included, so you should install it right away after installing the slipstream version. And if you had the first “troubled” version of the client installed, you should uninstall the original slipstream release completely before installing the FP1 Update to ensure compatibility with FP1, as described in the official article.

IBM Notes Client 10.0.1 Multilingual User Interface

• IBM Notes Client v10.0.1 Multilingual User Interface for Windows (Group 1) Multilingual (CC0I9ML )

IBM Notes 10.0.1 for Mac

• IBM Notes v10.0.1 Mac 64 bit German and Italian (CC0IDML )
• IBM Notes v10.0.1 Mac 64 bit French, Spanish, Brazilian Portuguese (CC0ICML )
• IBM Notes v10.0.1 Mac 64 bit Korean and Japanese (CC0IBML ) – View details
• IBM Notes v10.0.1 Mac 64 bit Simplified Chinese and Traditional Chinese (CC0IAML )

• IBM Notes v10.0.1 Mac 64 bit French, Spanish, Brazilian Portuguese (CC0ICML )
• IBM Notes v10.0.1 Mac 64 bit Korean and Japanese (CC0IBML ) – View details
• IBM Notes v10.0.1 Mac 64 bit Simplified Chinese and Traditional Chinese (CC0IAML )

IBM Notes 10.0.1 for Windows

• IBM Notes v10.0.1 Windows German (CC0HRDE )
• IBM Notes v10.0.1 Windows Brazilian (CC0HZBP )
• IBM Notes v10.0.1 Windows French (CC0HVFR )
• IBM Notes v10.0.1 Windows Italian (CC0HYIT )
• IBM Notes v10.0.1 Windows Japanese (CC0HXJA )
• IBM Notes v10.0.1 Windows Japanese (CC0KCJA )
• IBM Notes v10.0.1 Windows Korean (CC0HSKO )
• IBM Notes v10.0.1 Windows Simplified Chinese (CC0HTSC )
• IBM Notes v10.0.1 Windows Spanish (CC0HUES )
• IBM Notes v10.0.1 Windows Traditional Chinese (CC0HWTC )

IBM Notes Designer & Admin for Windows

• IBM Notes, Domino Designer and Admin V10.0.1 for Windows German (CC0I0DE )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Brazilian (CC0I8BP )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows French (CC0I4FR )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Italian (CC0I7IT )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Japanese (CC0I6JA )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Japanese (CC0KDJA )
• IBM Notes, Domino Designer and Admin V10.0.1 for Windows Korean (CC0I1KO )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Simplified Chinese (CC0I2SC )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Spanish (CC0I3ES )
• IBM Notes, Domino Designer and Admin v10.0.1 for Windows Traditional Chinese (CC0I5TC )

IBM XWork Server

• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux German (CC0IQDE )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux French (CC0IMFR )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux Italian (CC0IRIT )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux Korean (CC0ISKO )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux Simplified Chinese (CC0ITSC )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux Spanish (CC0INES )
• IBM XWork Server 10.0.1 Language Pack for Windows, AIX, Linux Traditional Chinese (CC0IUTC )
• IBM XWork Server10.0.1 Language Pack for Windows, AIX, Linux Portuguese Brazilian (CC0IPBP )

IBM i

• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i German (CC0IYDE )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i French (CC0IVFR )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Italian (CC0IZIT )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Korean (CC0J0KO )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Portuguese Brazilian (CC0IXBP )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Simplified Chinese (CC0J1SC )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Spanish (CC0IWES )
• IBM Domino 10.0.1 Language Pack for Windows, AIX, Linux, IBM i Traditional Chinese (CC0J2TC )

IBM Notes Domino 10.0.1 Fix Pack 1, AppDev Pack 1.0.1 and Verse on-Premises 1.0.7 Released

IBM Notes and Domino 10.0.1 Fix Pack 1 is available for Download. There are no new Features in this release, just bug fixes, for more details take a look into the official Release Notice.

IBM Notes 10.0.1 Fix Pack 1 Download

IBM Domino 10.0.1 Fix Pack 1 Download

We also got a new Version of AppDev Pack and Verse 1.0.7 last week, take a look at the official Blog Post.

Domino Tech School

Domino Tech School is a series of webinars concentrated around Domino V10. It has been announced on January 8th this year. Since than there were two sessions, “Domino Query Language” and “Upgrading to Domino V10: Best Practices”. If you have missed one of these two Sessions, don´t worry, you can still watch the recording, but you still have to register.

All of the Sessions were great so far, I like how fast the recording is available, minutes after the Webcast is finished. And it contains useful Information for everyone, Developers and Administrators. So make sure you check it out.

Make sure that the “Names.nsf” cannot be accessed via Internet!

Important Notice: If you are using your Domino Server as an LDAP Directory for Connections and/or Sametime do not continue with the steps described further down.

If your Domino Server is exposed to the Internet, make sure that the Domino Directory or the “Names.nsf” database cannot be accessed via Web Browser, or at least certain fields which can be used to get the hash values of the Internet Passwords.

A while ago, we got contacted by a customer who found out that his Domino Servers are vulnerable to a certain exploit which allows an attacker to extract the hash values of HTTP Passwords, of every user in the Domino Directory. The mentioned vulnerability is documented as “CVE-2005-2428”, you can read all the details of the exploit in the article bellow:

https://www.exploit-db.com/exploits/39495

EDIT: In a response to my post, Sven Hasselbach also wrote a post on his blog. It is very informative and detailed, he added Information I missed, so I would strongly urge you to read it. Furthermore the I would also like to add the comment from Christoph Stöttner:

I haven’t checked the authentication, but you can’t use LDAP any more (Softerra will present: The user has insufficient access rights!)! So even when Connections or Sametime User can authenticate (please double check), TDI will not read or update any user account, even worse with default settings in Connections TDISOL all your profiles get deactivated!

The mentioned vulnerability is from 2016! So nothing new. To get the hashes the attacker already need to have a valid login (or allowed anonymous access to your names)! Then he can grab the hashes. Afaik with “Use more secure internet passwords” and “Yes – Password verification compatible with Notes/Domino release 8.01 or greater” it’s not that easy to decrypt the hashes.

I think a way more important is proper ACL, a well-configured security tab in the server document and “Enforce server access settings: Yes” for all used protocols.

As described in the article, you could remedy this by hiding $dspHTTPPassword and HTTPPassword or, you could “block” the access to names.nsf via Web Browser completely. The only reliable way I could find, with the help of Roberto Boccadoro, to do this on Domino would be to set the following property:

I tested this in few environments, with SPNEGO and Web Federated Login enabled, and I could find no issues.

Directory Integration – IBM Domino & Microsoft Active Directory – Questionnaire

Many customers I have encountered are using tools to integrate Domino and Active Directory with each other in some form. Being that as simple as synchronizing some User Document fields using LDAP or some more problematic processes as synchronizing passwords. Some would like to have a “full” Integration with Active Directory and some would like to keep the two directories as separated as possible.

Going forward to Domino v11, IBM and HCL are thinking about a more native and subtle integration with Active Directory and the best thing about it is that everyone can express their opinion by completing the following Questionnaire:

https://epwt-www.mybluemix.net/software/support/trial/cst/forms/nomination.wss?id=5711

    So, please let the Product Management know how you feel about Directory Integration. All you need is an IBM ID, if you do not have it already, you can create one here:

https://www.ibm.com/account/reg/us-en/signup?formid=urx-19776