Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 328
  • Last Modified:

Person document and dominos web-app access

A user is unable to access a internal Dominos hosted website at http://apps.intranet.mycorp.com/spiffy-app.nsf.  He is getting HTTP 500 errors.

Authentication is transparent for everyone else but the above user.  I was instructed make sure his person document in the Dominos name and address book met X requirements - specifically that the Basic tabs "Short name/User ID" section on the left column was filled out correctly - and it is.

This doesn’t make sense to me.  I understand how NTLM authentication works with IIS, passing the users already authenticated domain logon to the IIS server (so he doesn’t get a logon prompt) but does dominos do the same?

Does the contents of a users person document on a dominos mail server effect how someone can access a Dominos website?
0
Marketing_Insists
Asked:
Marketing_Insists
  • 4
  • 3
1 Solution
 
qwaleteeCommented:
If you are NOT using DOmino with IIS, then the person document is king for setting up authentication.  If using IIS, it is often the same, but Domino DOES have options for integrating the credentialing with ISS, in other words, Domino can be set to accept whatever credentials IIS presents for the user, on the assumption that ISS did the correct authentication.  Even in that case, I recall that it will try to match he name provided by IS against a unique person document match, then use the full name value from the person doc for AUTHORIZATION.

Authentication is the process of proving your identity.  Authorization is the process of granting access to something for a previously authenticated user.)

************ Are you using Domino with IIS? *************************
0
 
Marketing_InsistsAuthor Commented:
Yes, the web server in question is a IIS server (can tell from the error messages)  but it is also hosting a Dominos server.
0
 
qwaleteeCommented:
Two things.  First, check Jake Howlett's excellent intro to DOmino on ISS at http://www.codestore.net/store.nsf/unid/EPSD-5F6P9G?OpenDocument

Next, it sounds as if the user is having an IIS authentication problem, not a Domino authentication problem.  You would need to troubleshoot this in IIS.  Do you have any auhenticated IIS applications you can verify this against?  I believe you can check it by just putting up a plain HTML web page, and instucting IIS not to serve anonymously.  If the user can't get in, then it is an IIS probelm.  If the user can get in, then IIS is authentciating properly, and it is a Domino problem -- in which case, the mpst likely problem is that the Window user ID is not listed on the person document in DOMAIN\USER-ID format.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Marketing_InsistsAuthor Commented:
The user in question has two listings in the NAB.  The two person docs share only the same full name, John Smith, but has other differing person doc info, such as different domain, different mail server, different domain\User id.

If John Smith is the full name value from the person doc and their are two of them, could that be the cause of the trouble?

--

also, In the past, some nsf databases accessed from the notes client  were inaccessible to users because the users Notes password didn't meet complexity criteria for accessing the database.
Would this carry over to a web app?




0
 
qwaleteeCommented:
Marketing_Insists,

> If John Smith is the full name value from the person doc and their are two of them, could
> that be the cause of the trouble?

Having two people with the same name is generally a no-no.  It always breaks mail.  It can also break web access depending on your settings (if you have strict security installed, Domino will allow authentication only where there is a single unique login match).

YOu can easily "prove" that's the problem by temporarily changing the full on each.  You may have to wait a while for the credentials cache to clear.


- qwaletee
0
 
qwaleteeCommented:
Marketing_Insists,

> also, In the past, some nsf databases accessed from the notes client  were inaccessible to
> users because the users Notes password didn't meet complexity criteria for accessing the database.
> Would this carry over to a web app?

That does not make sense to me.  The Notes password complexity check can prevent you form creating a "bad" password, but has nothing to do with access to databases.  If you have the Notes ID, and you have the password to t, and it has not expired, then you have access to any apps that you are granted permission to.  Doesn't matter what the password actually is, or whether it violates standards.

- qwaletee
0
 
Marketing_InsistsAuthor Commented:
Thanks!  It turned out to be a authentication issue with IIS's NTLM scheme
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now