Category:  8.5  Domino  Technical 
Posted by: Andrea Waugh-Metzger
Comments (57)
I was looking through the Notes/Domino wiki today and noticed a spotlighted article on deploying SSO for web clients in a Domino environment.  This is a hot topic that many of you have asked about, and one that I wrote a short blog on not too long ago.  

If you are interested in doing SSO in your Domino web apps, I highly recommend you take a look at this new article.  It really goes through some of the questions I know many of you have been asking and it covers all the basics and more.  It's good stuff!!  Find that article here!

Windows SSO for Web Apps

March 24 2010

Category:  Domino  Features  Technical 
Posted by: Andrea Waugh-Metzger
Comments (35)
Did you know you can do Windows SSO for Web clients in Domino 8.5?  Did you know you could do this without "massive" changes to your Domino environment?

That's right!  You can set up your Domino servers so that they honor Microsoft Windows users' Active Directory logon credentials, so that users who are logged on to the AD domain can open Domino applications without being prompted for a password!  This may be a HUGE leap forward for many of you and make tons of your customers happy!  This *could* mean that your end-users who only access web applications or iNotes web mail would NOT have to have a separate Notes/Domino login from their Windows login.

Here's essentially how it works...

First - you set up SSO for your Domino servers much like you normally would - setting up the multi-server session-based authentication (single sign-on) in the SSO Configuration documents (or Web Sites).  Then, you set up the Windows service for the Domino server by having your AD administrator use the setspn utility to assign at least one service principal name (SPN) for that server to an AD account.  That tells the Windows Kerberos Key Distribution Center (KDC) that a Kerberos service ticket can be issued to Domino.

Once Kerberos tickets can be issued to the Domino server, you then set up user name mapping to enable a Domino server to reconcile user names found in both AD and the Domino Directory.  This achieves three things.  First, when Domino finds a user's LDAP name in AD and/or the Domino Directory, it enables the server to verify that the two names actually belong to a single user.  Second, name mapping may be needed to determine a user's Notes distinguished name if the name passed to it was only an AD name.  And, finally, name mapping specifies which Directory to use when Windows SSO is not available.

So - once all that is set up, you set up the web browsers on the clients to authenticate to Domino using Single Sign-On and voila! (well, sort of!!) ;-)

Now, there are, of course, some caveats.  First - and maybe most importantly, the end-user must actually log into the workstation and the AD domain.  Additionally, the Domino server itself must be a part of the Windows AD domain - which means, yes, it must be running on a Windows server itself!  In addition, the computer your end users are logging into must be able to authenticate into the AD domain and have network access to the AD server.  

There are a few other requirements as well, and of course some other steps to make it happen.  But, there is excellent documentation available in the Info Center and the administration help, so take a look here and get your clients set up for Windows SSO today!
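For the setspn step above, a check an AD administrator could run before turning on Windows SSO, as an added example that is not from the original post or IBM's documentation: each host name users browse to needs its HTTP SPN on exactly one account, because an SPN registered on two accounts leaves the KDC unable to pick one and Kerberos authentication to that name fails. The account names, host names and input layout are assumptions.

```python
"""Added example: audit SPN assignments before enabling Windows SSO for Domino."""
from collections import defaultdict

# Constructed sample: account -> SPNs, as an AD admin might collect them with
# `setspn -L <account>`. All account and host names are hypothetical.
SAMPLE_ACCOUNTS = {
    "svc-domino1": ["HTTP/mail1.example.com", "HTTP/mail1"],
    "svc-domino2": ["HTTP/mail2.example.com"],
    "oldwebsvc": ["http/MAIL2.example.com"],  # stale duplicate, different case
}

# Host names users type into the browser (hypothetical).
SAMPLE_HOSTS = ["mail1.example.com", "mail2.example.com", "inotes.example.com"]


def normalize(spn):
    """SPN matching in AD is case-insensitive, so compare in lower case."""
    return spn.strip().lower()


def audit_spns(accounts, hosts, service="HTTP"):
    """Return {host: (status, owners)} with status ok / missing / duplicate."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[normalize(spn)].add(account)

    findings = {}
    for host in hosts:
        holders = sorted(owners.get(normalize(f"{service}/{host}"), ()))
        if not holders:
            # No SPN: the KDC cannot issue a service ticket for this name.
            findings[host] = ("missing", [])
        elif len(holders) > 1:
            # Same SPN on several accounts: ticket issuance is ambiguous.
            findings[host] = ("duplicate", holders)
        else:
            findings[host] = ("ok", holders)
    return findings


if __name__ == "__main__":
    for host, (status, holders) in audit_spns(SAMPLE_ACCOUNTS, SAMPLE_HOSTS).items():
        print(f"{host:22} {status:10} {', '.join(holders)}")
```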
Category:
Posted by: Andrea Waugh-Metzger
Comments (51)
I had to get this out before Lotusphere so you could take a look at it yourself b/c ok - I admit it..I'm a convert.  I have to tell you..the things that are coming out of Lotus Development these days never cease to amaze me, and Lotus has gone and done it again!

I had the good fortune to be able to shadow a Lotus Protector Proof of Concept installation.  Lotus Protector for Mail Security is a content filtering solution that blocks spam and viruses out of the box and also provides rich content filtering of inbound/outbound messages (the filtering part is pretty cool...more on that later!).  Now, normally an anti-spam/anti-virus solution wouldn't exactly get me stoked!  This, on the other hand..was pretty darn cool!

So the customer I visited was looking to replace their existing anti-virus solution (from one vendor) as well as their anti-spam solution (from another vendor) and possibly take out another solution that was doing some address verification and re-writes.  All-in-all, they had 5 boxes in conjunction with their Domino mail solution that provided those features.  We hoped to replace those 5 boxes with one - yes, one - a Lotus Protector instance.  (big hopes, in my mind at the time!)  I was prepared for a very long day of installing and configuring software.

When we got there, the customer had a VMware instance waiting for us, and Lotus Protector was installed in that instance in little to no time with no intervention (it was a self-expanding ISO image) and we were ready to begin configuring rules.  First, we connected Lotus Protector to the Domino LDAP (or any LDAP) so that it could do address lookups, use groups for administration or filtering rules and fun things like that.  Once it was connected to LDAP, we validated the pre-configured rules for anti-spam and anti-virus - changing only a few variables for how the messages got routed or quarantined.  Then - and this is the really cool part - we set up a sample compliance rule to check for any emails that might be storing credit card or Social Security Number information.

Then, we set up where to route informational notes which could be either to a group or individual email account -- OR (this is the cool part) through an RSS feed.  We chose to do RSS feeds and set up a feed in the admin's Notes 8.5.1 client.  And, because the admin was using Notes 8.5.1, they also had complete integration into Protector to manage spam mail settings and more on Protector directly from in the Notes client.

We set up a few more rules, validated the configuration and voila...we were done!  Then we re-routed mail flows so it only went through Protector, not the other appliances, and watched it work!  The interesting part...within a 2-hour timeframe of Protector being in place, the admins were able to identify more than 5 messages either coming into their environment or out of the environment that had credit card information in them - all b/c of a rule that took less than a minute to set up!  I thought that was pretty cool!!

I don't want to get into all the cool things of Protector right now because I'd hate to spoil your fun of learning about it next week at Lotusphere!  But all I can say is that it made a convert of me and I now think it's an AWESOME tool!!  If you're going to Lotusphere next week - take a look at it.  They will be at Pedestal #7 in the showcase and are also presenting on Thursday from 10-11am (ID207).

See you there!
Category:
Posted by: Andrea Waugh-Metzger
Comments (37)
WOW!  I'm totally impressed!  There are quite a few people out there using Notes on Citrix and you guys ROCK at providing your input!!  Thank you guys so much for your great replies and information!  I assure you...the Notes/Citrix team has been reading your responses and are planning some great documents/whitepapers to help out!

So while we are on the subject..let me ask some other questions - some about Citrix, some not.

Citrix Performance
Some of you have stated your performance post ND8 is great, some not so great.  How many users are you getting on Citrix, in average in post ND8? If you are having performance problems, did you review the Notes/Citrix 8.5 performance whitepaper? Did that help or are you still having scaling problems?

iNotes
What about iNotes?  Are you using your Citrix clients to feed up iNotes to your end-users or is that being done natively on your desktops or thin clients?  If you do use Citrix for iNotes access - how's your performance there?  What browser are you using for it - IE or Firefox?

Other Virtual Methods
Do you use something other than Citrix for virtual desktops today?  Anybody still using Windows Terminal Services to serve up those thin clients?  Anything else in use?  I know today we only support Citrix...is there really a need to still support Terminal Services or other virtual desktops??

Thanks so much for your help, everyone!  This is great stuff and is really helping the developers!!
Category:
Posted by: Andrea Waugh-Metzger
Comments (321)
Ok - we're looking for your help here.  Are you running Notes on Citrix?  Did you recently upgrade your Citrix environment and your Notes clients on Citrix?  What were your trials/tribulations?  What were your successes?  Would you want to share your success story (either publicly or anonymously)??

I've had many customers ask about running Notes on Citrix and how others are doing it.  I know many of you are successful - some, wildly successful!  We're looking to outline success (or trial) stories about it and need your help.  Also - do you think that topic would be beneficial?  Is your company starting to look at Notes on Citrix as an option?  Send me an email if I can interview you to get your story.

Inquiring minds want to know (and we want your help!!!)

AdminCamp 2009

October 14 2009

Category:  Domino 
Posted by: Collin Murray
Comments (33)
A bit late in blogging about this, but I recently attended and presented at AdminCamp 2009 ( http://www.admincamp.de/ ).  This is a top-notch conference put on by a dedicated group of Notes & Domino practitioners.  I had lots of great discussions with customers and partners, and the Notes/Domino enthusiasm was contagious!  Being a technical conference, there were lots of great presentations and a nightly discussion/Q&A session that many people participated in.  Need deeper knowledge of DAOS, LDAP, LINUX, etc.?  Many of the presentations are available on their website, including some in English (for those with limited German skills - including me...).  

A special thanks to Rudi Knegt, Bernfried Geiger, and Jens Augustiny for making me feel comfortable and providing the opportunity to meet with members of the Notes/Domino community - and to Andrew Pollack who spent several hours driving in traffic while commuting from Dusseldorf airport...

DAOS Updates for Domino 8.5.1

September 22 2009

Category:  8.5  Domino 
Posted by: Andrea Waugh-Metzger
Comments (127)
Now that we know Domino 8.5.1 is just around the corner (thanks, Ed Brill!), it's time to wet your whistles a bit on what you're going to see!  Let's talk about something I know you'll really like .... DAOS!!  Just when we thought those Lotus developers couldn't get any better, they've gone and outdone themselves!  Here's what's coming for DAOS in 8.5.1.

As we talk about what's new, we need to make sure we understand what you *already* get as a part of DAOS in Domino 8.5.  

Currently, when an email is received that has an attachment in it, the attachment is extracted and stored in an external file (NLO).  DAOS then determines if the DAOS store already has a copy of the attachment and if so, latches on to the existing copy of the object, bumps the reference count, and then deletes the duplicate object.  This happens on each server that receives the email - and each server would receive and store its own copy of the attachment.  With this, you get net disk savings because only one copy of the attachment is stored, BUT, unfortunately, that's limited to a server-by-server basis..there is NO savings when that file is transferred across the network.

Now, we've talked before about how DAOS saves you I/O operations on the server.  This is because in processes like copy-style compact, DAOS can detect that we are copying a DAOS object from a DAOS-enabled database on the server to another DAOS-enabled database on the same physical server, and then short-cut the process and just increment the reference count of the object and return a "DAOS ticket" to the database getting the new copy.  Essentially, this is copying the DAOS ticket instead of copying the object itself.  We call this inter-server copying.  Again, you get savings in I/O operations and bytes written for inter-server objects, but NO savings across servers.

So now that we're all on the same page, let's talk about what's NEW in Domino 8.5.1...!!!

Let's face it...most of us have multiple servers in our environments.  And, as mail messages, etc. move from one server to another server, there's a lot of copying of objects (i.e., replication) that goes on.  In Domino 8.5.1, DAOS is now enhanced so that it can EXTEND its optimization between clients and servers, and among servers!!  This is intra-server copying!  So, instead of sending a copy, the sending server says "I'm sending you an attachment with this unique key" and the receiving server can say "Wait..I already have it, here's the ticket..send that to me instead" or "Yup, it's unique, send the whole attachment, but only send it once for all my users"!!  Make sense?  So now, DAOS is smart enough to save you bandwidth across the network - and even better - this will happen automatically between any two 8.5.1 clients and/or servers as long as the recipient is DAOS-enabled!!  That's right...the sender does not need to be using DAOS!

There's a lot of potential here!  Imagine if you will, you are at home and you're about to send an email with 2 large attachments on it.  In the past, you would send the email and "wait" while replication occurred and those attachments got sent.  NOW though...if those attachments already exist on the server, only the ticket gets sent...NOT the entire attachment!!  So, a replication process that might have taken you minutes before only takes seconds now!  Talk about making it easy!
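The key-then-ticket exchange described above, modelled as an added example that is not Domino's implementation: the sender offers the attachment's key, and the bytes cross the network only when the receiving store does not already hold that object. The SHA-256 key, the class and function names, and the receiver re-hashing what it is sent are assumptions made for illustration.

```python
"""Added example: key-first attachment transfer with a reference-counted store."""
import hashlib


class AttachmentStore:
    """In-memory model: one stored object per unique key, plus a reference count."""

    def __init__(self):
        self.objects = {}   # key -> attachment bytes (stored once)
        self.refcount = {}  # key -> number of documents holding a ticket

    @staticmethod
    def key_for(data):
        # Assumption: the "unique key" is a SHA-256 digest of the content.
        return hashlib.sha256(data).hexdigest()

    def has(self, key):
        return key in self.objects

    def add_reference(self, key, data=None):
        """Store the object if new, bump the count, and return the ticket (key)."""
        if key not in self.objects:
            if data is None:
                raise KeyError("object not in store; full attachment required")
            # The receiver recomputes the key rather than trusting the sender's.
            if self.key_for(data) != key:
                raise ValueError("offered key does not match attachment content")
            self.objects[key] = data
            self.refcount[key] = 0
        self.refcount[key] += 1
        return key

    def release(self, key):
        """Drop one reference; this model frees the object at zero references."""
        self.refcount[key] -= 1
        if self.refcount[key] == 0:
            del self.objects[key], self.refcount[key]


def deliver(store, attachment, recipients):
    """Offer the key per recipient; return how many attachment bytes were sent."""
    key = AttachmentStore.key_for(attachment)
    bytes_sent = 0
    for _ in recipients:
        if store.has(key):
            store.add_reference(key)              # "I already have it"
        else:
            store.add_reference(key, attachment)  # "send the whole attachment"
            bytes_sent += len(attachment)
    return bytes_sent


if __name__ == "__main__":
    store = AttachmentStore()
    report = b"Q3 report " * 1000  # constructed attachment
    print(deliver(store, report, ["ann", "bob", "cy"]), "bytes for 3 recipients")
    print(deliver(store, report, ["dee"]), "bytes for a later resend")
```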

Now, obviously, there's a great deal more detail involved than what I've just outlined for you - and a lot more that's coming!  (a LOT more) But, you get the idea here.  DAOS goes one step further in 8.5.1 to save both network bandwidth AND disk I/O AND disk space in your Domino environment!  So now we see...
  • Net disk savings because only one copy of the attachment is stored
  • Option to use a separate, low-cost storage device for attachments
  • Savings in I/O operations and bytes written for inter-server object copies
  • Savings in bytes transferred across the network
  • Savings in I/O operations and bytes written by other servers

Now, you just need to get to Domino 8.5.1!!!  

Really...does it get any better than this????!!
Category:  Features  News 
Posted by: Andrea Waugh-Metzger
Comments (98)
There's this great entitlement that came with your ND 8 licenses that I think just hasn't gotten enough press.  This new entitlement is for Tivoli Directory Integrator, or TDI.  You see, Notes/Domino R8 came with an entitlement to use Tivoli Directory Integrator - it's completely free for you to use - as long as Domino is one of the systems you use in your assembly lines.

Have you heard of it?  Well, let me tell you...you just might start singing its praises if you aren't already!

So, what is TDI?  First of all, the term "Directory" in the product name I think is a little misleading, as TDI can be used for integrating anything- not just directories.  In essence, TDI reads databases or files in many different formats and can push that data into Domino.  For instance..it can take data out of your HR system and put it into a Domino database or the Domino Directory.  Or it can take data out of Active Directory into Domino.  Or from a web service or SAP or whatever into Domino!  It's practically limitless in what it can connect to and how you can use it to populate Domino!

What does this mean to you?  Well, many of my customers have asked me lately the following questions:
  • How do I use my Active Directory username/password for logging into iNotes?
  • How can I get my AD and Domino names to synchronize?
  • How can I get information like phone numbers or location out of my HR system into my Domino Directory?
  • My Sametime (or Quickr) environment points to AD for login/authentication - how do I use that same info for iNotes?

I'm sure many of you have the same questions - or ones similar.  Do you know what my first answer is to those questions?  Yup.. TDI!  You have this great, little-known tool totally FREE to you that does so much of what you need...and I bet you didn't even know it!

So...what is it..how do you get started?  Below are some links to great information to get you started.  And, please, let me know...are you interested in hearing more?  More details?  More how-to's?  I'm thinking about doing a series on TDI like I did for DAOS.  What do you think?  Would that be worthwhile???

Video on How to Integrate Domino with Active Directory using TDI
Document on Lotus Domino Integration with Tivoli Directory Integrator
Learning TDI (TDI 101)
TDI Users Group and Forum

Happy Reading!!! (TDI ROCKS!!!)
Category:  8.5  Domino  Features 
Posted by: Andrea Waugh-Metzger
Comments (19)
So much good information, so many resources, and so little time!  If you're like me, you HAVE to be thinking that about all the great resources out there for information about the new features in Domino 8.5!  However, in case you haven't seen them, I wanted to point out a couple of resources that I think are of "special" importance!

Domino Configuration Tuner
So, I've written a few entries about DCT and how totally AWESOME it is!  I've had tons of customers use it already and they have just been amazed at how much it's helped them and how much it's pointed out about their environments.  And..I'm sure you're certainly aware of the great entries in the wiki on DCT and the great job Scott O'Keefe has been doing about keeping you updated on new DCT stuff.  Well, Scott is at it again..this time with his very own blog!  Enter the 'Tuner Blog!  That's right - Scott has a blog out there to enhance the awareness of the Domino Configuration Tuner and keep you apprised of new rule implementations.  And yes, the leading apostrophe is intentional - an homage to the old QuickTune days!  Head on over - there's some GREAT stuff out there!

ID Vault
This great feature has also been getting press lately, and many of you have asked about ID Vault and how to implement it.  Well, if you HAVE implemented it, or are thinking about it, make sure you take a look at this technote and you get Interim Fix 3.  There are some mandatory fixes in it for ID Vault.

DAOS
You all know how near and dear to my heart DAOS is.  I just can't stop writing about it!  So, take a look here!  That's right - yours truly co-wrote an article for developerWorks on DAOS!  I teamed up with Gary Rheaume (Lead Architect) and Pat Mancuso (Principal Architect and Developer) -- two great minds in the DAOS camp - to bring you information about how IBM is implementing DAOS and how you can achieve ultimate storage and server cost savings with DAOS in your own environment.  If I do say so myself, it's a fabulous article!!  ;-)  Take a look - hopefully it will help you in your quest to justify DAOS in your environment.

On a side note...
You've probably been noticing that my posts are a bit few and far between these days and I apologize for that.  Well, for the next month and a half, I'll try to get some guest bloggers in here to help out and bring you more frequent information.  You see, I brought a little life into this world on April 5th (her name is Amelia), and I've been a bit preoccupied!  Technically I'm out on maternity leave until late June, but the blog must go on!  So, bear with me and please keep checking back - there will be more to come!!  
Category:  8.5  Domino 
Posted by: Andrea Waugh-Metzger
Comments (47)
We had some issues last week with the blog disappearing from sight for a couple of days.  Sorry to the readers out there!  But...we're back, and so is some great news!  In fact, it's such great news, I can't believe it's taken me this long to write about it!  

The Domino 8.5 Performance Benchmarks are out!  This great article outlines the performance improvements seen in benchmark testing simply by upgrading from Domino 8.0.x to Domino 8.5.  And let me tell you...there are some IMPRESSIVE numbers in there!  The tests performed were intended to mimic the actions of everyday Notes/Domino users - with messaging and calendar operations on the server.  Then, the team measured % processor busy, disk operations per second and disk megabytes transferred per second.

We've been telling you that Domino 8.5 is THE release to help reduce TCO and these benchmarks help prove that!  The article summarizes:

You can realize substantial I/O reductions, reductions in disk operations per second by 22 percent to 33 percent, and reductions in disk bytes transferred per second by 31 percent to 67 percent. In addition, processor utilization has been reduced by as much as 20 percent. Upgrading to Lotus Domino 8.5 can lower your Lotus Domino deployment total cost of ownership.


So..take a look at the results!  You also might want to think about moving to Domino 8.5 soon!