Solved

Synchronize IBM Notes Internet password with AD

Posted on 2014-12-31
9
338 Views
Last Modified: 2015-01-05
I would like to synchronize the IBM Notes Internet password with AD. Is there a way to do so with Domino 9.0.1 FP2 and IBM Notes 9.0.1 FP2?
0
Question by:lberthiaume
9 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40526540
Do you have any link with AD at the moment, and how do the users currently use their Notes clients: entering passwords, or logged on with the OS?

You can't sync with what is already in AD as they are encrypted, but when a user changes their OS password you can have it change their Notes password, and the Internet password can be kept in sync with that using policy.

You may have to be careful, though, if you have people using Traveler, for example, to sync with mobiles, tablets etc., especially if you have Internet password lockout configured, because once the password changed the mobile device would use the old password and lock the account out.

Please explain a bit more and will see what can be suggested.

Steve
0
 
LVL 13

Expert Comment

by:CRAK
ID: 40526811
Listening....
0
 

Author Comment

by:lberthiaume
ID: 40527785
I have Shared Login and ID Vault running.
From what I know, I would have to use Directory services to synchronize the internet passwords. This in turn would synchronize the internet passwords to AD.
To complicate things I also have a Traveler server which in turn talks to the BES for our blackberries, and would like that to sync with AD.
For now I still don't know if this is still possible and what complications I may run into with Traveler (blackberries).
In other words have everything and anything under one password.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40527801
Hmm, will wait on what other people say for now.

So at the moment the users change their Windows domain password, presumably based on a policy prompting and requiring them to (and/or when they just feel like it). As you are using Shared Login rather than client single logon, anything from the client side to sync the password is out, and afaik anything from the AD side too.

So from my mind think your options are:

1. prompt the user in some way to change their internet passwords
2. prompt the user to change their AD and Internet passwords at the same time, i.e. script it rather than letting the user change at the OS. For example, a login script / GPO could prompt for a new password monthly, based on password age, before they are required to change it, and also make the change through Notes.

Apart from that, maybe you could use your AD logins as an extra directory for logins to HTTP.

BES shouldn't be affected, but Traveler users will of course be, with their Internet passwords.

Listening for anyone else's better ideas myself; the majority of my customers have chosen not to integrate to that level yet.

Steve
0
 

Author Comment

by:lberthiaume
ID: 40527815
I am still in testing environment phases for now; production will go into as far as I can go. You gave me the idea that maybe we can administratively manage the Internet passwords and change them ONLY if they need to...

A new script to synchronize Internet password is pretty much beyond me.   Unless there is a script out there that I could "modify" to our needs.
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40527848
Will see what I can find to show you.
0
 
LVL 43

Accepted Solution

by: Steve Knight (earned 500 total points)
ID: 40528569
Scripting-wise, pretty well anything is possible of course, except controlling the Windows password-changing box and the like. You can soon write the user's Internet password, assuming they have suitable access to the directory, e.g. this old script of mine. Similar could be done as VBScript etc., though this does seem the 'wrong' way to go about it.

http://scripts.dragon-it.co.uk/links/lotus-notes-set-internet-password

Are there common denominators between AD and Notes? E.g. if the short name on Notes is always the same as their AD login or similar, then it is easier to tie it in. Frankly, unless they change their password through something other than the OS itself, there is no way of Notes knowing their password to then amend the Internet password, as with Shared Login there is no password to sync.

So if the user could be made to change their AD password etc., or even just be prompted to enter a new password next time they go into Notes if the AD password age changed today... Below is a bit of login script I wrote for one company that checked the password expiry for the logging-in user and advised them to change it, for example. The "objUser.PasswordLastChanged" part could be checked and, if just changed, advise the user to change their Internet password or trigger a script to do it?

CheckExpiry

Sub CheckExpiry
  Dim objSysInfo, objUser, objDomain, objUserName, objWShell
  Dim strUserDN, strDomainDNS, strDomainNetBIOS, strUserCN
  Dim maxPwdAge, numDays, daysToExpiration, whenPasswordExpires, objPwdExpires, CR

  CR = vbCrLf

  Set objWShell = WScript.CreateObject("WScript.Shell")
  strUserCN = objWShell.ExpandEnvironmentStrings("%username%")

  Set objSysInfo = CreateObject("ADSystemInfo")
  strUserDN = objSysInfo.UserName                ' distinguished name of the logged-on user
  strDomainDNS = objSysInfo.DomainDNSName        ' DNS name, for the LDAP bind to the domain root
  strDomainNetBIOS = objSysInfo.DomainShortName  ' NetBIOS name, for the WinNT provider

  Set objDomain = GetObject("LDAP://" & strDomainDNS)
  Set objUser = GetObject("LDAP://" & strUserDN)
  Set objUserName = GetObject("WinNT://" & strDomainNetBIOS & "/" & strUserCN & ",user")

  ' UserFlags bit &H10000 = "password never expires" on the account
  objPwdExpires = objUserName.Get("UserFlags")
  If (objPwdExpires And &H10000) <> 0 Then
    MsgBox "User password does not expire"
    Exit Sub
  End If

  ' Check the domain policy for password changes: maxPwdAge is an IADsLargeInteger
  ' holding a negative number of 100-nanosecond intervals
  Set maxPwdAge = objDomain.Get("maxPwdAge")

  ' Calculate the number of days held in this value, add the days to the last password set date
  ' and so know how many days until it needs changing
  numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + maxPwdAge.LowPart) / CCur(-864000000000)
  whenPasswordExpires = DateAdd("d", numDays, objUser.PasswordLastChanged)
  daysToExpiration = DateDiff("d", Now(), whenPasswordExpires)

  MsgBox "Password expires on " & whenPasswordExpires & " ( " & daysToExpiration & " days )"

  If daysToExpiration <= 1 Then
    MsgBox "PLEASE CHANGE YOUR PASSWORD." & CR & CR & _
      "Unless you change your password today you may lock your account out as it expires at " & _
      whenPasswordExpires & CR & CR & _
      "Please press Control-Alt-Delete and choose Change Password now.", _
      vbCritical, "PASSWORD EXPIRES on " & whenPasswordExpires
  ElseIf daysToExpiration <= 5 Then
    MsgBox "Please note you have " & daysToExpiration & " days left to change your password. " & _
      "Please change before then to avoid locking your account.", _
      vbExclamation, "PASSWORD EXPIRES on " & whenPasswordExpires
  End If
End Sub



Steve
0
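The check Steve describes (read the AD password age, and if the password was just changed, trigger an Internet password update for the matching Notes user) as a worked example. This is added here and is not part of the thread or Steve's script; it is in Python rather than VBScript so the attribute arithmetic can be run offline. The maxPwdAge and pwdLastSet values are constructed, not read from a live domain, and the assumption that the AD sAMAccountName equals the Notes ShortName is the "common denominator" from the comment above. It also handles the edge cases a login script meets in practice: the account-level "password never expires" flag, a domain with no maximum age, and pwdLastSet = 0 ("must change at next logon"). Writing the Internet password into the Person document (the linked script's job) is not reproduced.

```python
"""AD password-expiry check and change detection on raw directory attribute values.

Added example; sample data below is constructed, not from a real domain."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000           # 10**7 ticks per second * 86400 seconds
UF_DONT_EXPIRE_PASSWD = 0x10000           # userAccountControl flag, same bit the VBScript checks
MAXPWDAGE_NEVER = -0x8000000000000000     # maxPwdAge when the domain has no maximum age


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME ticks (used only to build the constructed sample data)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks (100 ns since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def max_pwd_age_days(max_pwd_age: int):
    """maxPwdAge is a negative duration in ticks; 0 or the int64 minimum mean no maximum."""
    if max_pwd_age in (0, MAXPWDAGE_NEVER):
        return None
    return -max_pwd_age / TICKS_PER_DAY


def password_expiry(user: dict, max_pwd_age: int, now: datetime):
    """Return (expires_at, days_left), or (None, None) if the password does not expire.

    pwdLastSet == 0 means 'must change at next logon' and is reported as due now (0 days)."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None, None
    days = max_pwd_age_days(max_pwd_age)
    if days is None:
        return None, None
    if user["pwdLastSet"] == 0:
        return now, 0
    expires_at = filetime_to_datetime(user["pwdLastSet"]) + timedelta(days=days)
    return expires_at, (expires_at - now).days   # negative once expired


def advice(days_left):
    """Same thresholds as the login script: warn at 5 days, insist at 1 day."""
    if days_left is None:
        return "never expires"
    if days_left < 0:
        return "expired"
    if days_left <= 1:
        return "change today"
    if days_left <= 5:
        return "warning"
    return "ok"


def users_needing_internet_password_update(ad_users, previous_pwd_last_set):
    """Compare each user's pwdLastSet with the value recorded at the previous run.

    A changed (or never-seen) value means the AD password was reset since then, so the
    matching Domino Person document's Internet password must be re-set. Users are keyed
    by sAMAccountName, assumed here to equal the Notes ShortName."""
    return sorted(
        u["sAMAccountName"]
        for u in ad_users
        if previous_pwd_last_set.get(u["sAMAccountName"]) != u["pwdLastSet"]
    )


# ---- constructed sample data (not from a real domain) ----
NOW = datetime(2015, 1, 5, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * TICKS_PER_DAY          # 42-day maximum password age

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2014, 12, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2014, 11, 28, tzinfo=timezone.utc))},
    {"sAMAccountName": "carol", "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2013, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "dave", "userAccountControl": 0x200, "pwdLastSet": 0},
]

# pwdLastSet values recorded at the previous run: alice has changed since, bob and carol have not,
# dave has never been seen
PREVIOUS_RUN = {
    "alice": datetime_to_filetime(datetime(2014, 10, 1, tzinfo=timezone.utc)),
    "bob": SAMPLE_USERS[1]["pwdLastSet"],
    "carol": SAMPLE_USERS[2]["pwdLastSet"],
}


def report(users=SAMPLE_USERS, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Return {sAMAccountName: advice} for every user."""
    return {u["sAMAccountName"]: advice(password_expiry(u, max_pwd_age, now)[1]) for u in users}


if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name}: {state}")
    print("Internet password update needed for:",
          users_needing_internet_password_update(SAMPLE_USERS, PREVIOUS_RUN))
```

In a real run the user dictionaries would come from an LDAP query for sAMAccountName, userAccountControl and pwdLastSet, and the previous-run values from a state file kept by the sync job; the Traveler lockout problem raised earlier is exactly why the update should be triggered from this change detection rather than on every run.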
 

Author Closing Comment

by:lberthiaume
ID: 40531401
Thanks for your help
0
 
LVL 43

Expert Comment

by:Steve Knight
ID: 40531718
Well sorry I didn't come up with an easy fix.... perhaps you could post back as your project goes on with feedback and hopefully we can help with any other issues.

Steve
0
