Domino Federated Web Login / SAML with F5 and ADFS 3.0
In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations.
Not sure what happened, but suddenly everyone is interested in SAML. It looks like more and more customers are looking into it because they have already implemented SSO for other applications like O365.
In one case a customer had an existing F5 configuration. In another case we had a customer with Windows 2012 R2 and ADFS 3.0.
Both configurations are not officially supported yet, but we got them to work! Especially the F5 configuration was tricky. But in general both are just another SAML 2.0 implementation.
We officially asked if those two configurations can be officially supported. It looks like it is more a testing and documentation effort than any code change that is needed.
But it is not yet an officially supported configuration. Implementing ADFS 3.0 is quite similar to ADFS 2.0.
Win2012 R2 ADFS 3.0
ADFS 3.0 is in fact a nicer implementation and does not need any IIS components. Also the SSO portal application is now implemented in a way that the UI can be completely customized. You can add your logo, change the CSS or even build your own complete page.
Also the installation is easier. ADFS 3.0 comes with Win2012 R2 and just needs to be enabled as a separate role. In contrast, earlier versions shipped with SAML 1.1 support and you had to separately download and install SAML 2.0.
The configuration is very similar, but you cannot use the cookbooks 1:1. Some configuration details are now set via PowerShell commands, for example if you need to disable the extended protection when working with Chrome.
Domino SAML Implementation
In two customer situations we ran into an odd issue. When initiating the SAML login from the SSO portal like ADFS (with ADFS 3.0 the portal looks prettier and more customers might directly use the portal), the redirect to the Domino HTTP server caused a strange behavior.
The URL invoked should have been the default server URL, but there were some random characters at the end of the URL. Tracing turned out that this was a day-one issue with Domino Web Federated Login (WFL): it was never considered that the first request could be the login request with a redirect from the Identity Provider (IdP), in our case ADFS 3.0 or the F5 appliance.
Even though Domino uses an IdP-initiated model, the first request was always initiated by Domino.
Here is the flow that Domino uses.
- Browser hits the Domino server for a resource that needs authentication
- User is redirected to the IdP for authentication --> the URL contains ?loginToRp to tell the ADFS server where to return to after authentication. This is an ADFS-specific parameter which is for example not understood by F5.
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE" which contains some data in binary format (base64 encoded), including the location to redirect to after login.
- User is authenticated at the IdP, either via AD name and password or with a Kerberos ticket (Integrated Windows Authentication -- IWA) if configured and the user and workstation are in the current AD.
- Browser redirects back to Domino with the SAML POST request
- After verifying the SAML data, the user is authenticated and an LTPA cookie is generated
- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to his original location
In our problem case the user had no "DOMRELAYSTATE" cookie, which caused the server to add some garbage to the URL.
We got a hotfix for the issue which will hopefully make it into one of the next IFs. The SPR for this defect is SPR # MKINA8XN74.
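To make the relay-state step concrete, here is an added illustration (my own model, not Domino's code) of the service-provider side of the flow above: the original location is stored in a DOMRELAYSTATE cookie before the redirect to the IdP, and after the SAML POST the cookie decides where the user lands. The cookie format and the server URL are assumptions (the page only says the real cookie holds base64-encoded binary data); the point is the missing-cookie case from the problem above, which falls back to the default server URL instead of producing a broken one, plus a same-host check so the relay target cannot send the user elsewhere.

```python
# Added example, not Domino's implementation. The cookie encoding is an
# assumed, simplified format; the real DOMRELAYSTATE contents are undocumented.
import base64
from urllib.parse import urlparse

DEFAULT_URL = "https://domino.example.com/"  # constructed default server URL


def make_relay_state(location: str) -> str:
    """Encode the requested location for the DOMRELAYSTATE cookie (assumed format).

    Set on step 2 of the flow, right before redirecting the browser to the IdP.
    """
    return base64.urlsafe_b64encode(location.encode("utf-8")).decode("ascii")


def resolve_relay_state(cookies: dict, default_url: str = DEFAULT_URL) -> str:
    """Decide where to send the user after the SAML POST has been verified.

    Handles the failure mode from the post: when the first request already is
    the IdP redirect (IdP-initiated login), there is no DOMRELAYSTATE cookie,
    so the redirect target must be the default server URL rather than a URL
    built from uninitialised data.
    """
    raw = cookies.get("DOMRELAYSTATE")
    if not raw:
        return default_url
    try:
        location = base64.urlsafe_b64decode(raw.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # Malformed cookie: treat exactly like a missing one.
        return default_url
    # Only follow relay targets on this server: a server-relative path, or an
    # absolute https URL whose host matches the default URL.
    if location.startswith("/") and not location.startswith("//"):
        return default_url.rstrip("/") + location
    target = urlparse(location)
    if target.scheme == "https" and target.netloc == urlparse(default_url).netloc:
        return location
    return default_url
```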
So in general, if you want to implement SAML right now, I would use ADFS 3.0 and Windows 2012 R2 if you have the choice - even though it is not yet supported by Domino.
ADFS 3.0 is the much better product and is better supported by Microsoft. And it is a much cleaner implementation. No dependency on IIS as well!
Apr 25, 2016