Let's start out by going over how you would think to implement the configuration in Lotus Notes. If you are going to set up SPNEGO in your Connections account for an individual user, you might go to your preferences and click on the Connections entry in the list. Then you would check the "Enable IBM Connections Features" checkbox. Next you would enter the URL into the "Server URL" field. Then click on the "Advanced" button and choose the "OS Credential" option. That sounds like it should be pretty simple, and someday that may be all you need to do. But for now let's go over some of the things that you will need to do to get this working.
The first thing to take care of is the krb5.ini. This is the Kerberos configuration file that Lotus Notes needs in order to initialize SPNEGO in your Windows environment. It needs to be placed in the <Lotus Notes>/framework/rcp/deploy/extras directory. Below is an example of how this file needs to be configured.
[libdefaults]
    default_realm = <change to something like IBM.COM; should be the AD domain>
    default_tkt_enctypes = des-cbc-md5 rc4-hmac
    default_tgs_enctypes = des-cbc-md5 rc4-hmac

[realms]
    SERVER.IBM.COM = {   (This line should not be changed)
        kdc = logonserver.ibm.com:88   (change to the value of your logon server; you can get this by typing echo %logonserver%)
        admin_server = logonserver.ibm.com:88   (change to the value of your logon server; you can get this by typing echo %logonserver%)
        default_domain = <change to something like ibm.com>
    }

[domain_realm]
    .ibm.com = <change to the realm value to be used, i.e. IBM.COM>
    ibm.com = <change to the realm value to be used, i.e. IBM.COM>
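The krb5.ini above is a template with placeholders you fill in by hand. As an added example (not from the original post and not part of Lotus Notes), the PowerShell script below derives the same values from the environment of a domain-joined workstation (%USERDNSDOMAIN% for the realm and domain, %LOGONSERVER% for the KDC, exactly as the post suggests) and writes the file into the deploy/extras folder, then checks that the KDC answers on port 88. The Notes install path, the parameter names, and the decision to key the [realms] block by the derived realm name rather than the literal SERVER.IBM.COM line are assumptions of this example; the encryption-type list defaults to the post's values, and the parameter is there so you can replace des-cbc-md5 (which current domain controllers reject) with rc4-hmac and the AES types when your domain requires it.

```powershell
# Added example, not from the original post: generate krb5.ini for the Notes
# SPNEGO setup from the environment of a domain-joined Windows machine.
# $NotesDir, $EncTypes and the realm-keyed [realms] block are assumptions.
param(
    [string]$NotesDir = 'C:\Program Files (x86)\IBM\Lotus\Notes',  # assumed install path
    [string[]]$EncTypes = @('des-cbc-md5', 'rc4-hmac')              # values used in the post
)

# %USERDNSDOMAIN% is the AD DNS domain (e.g. ibm.com); the Kerberos realm is its upper-case form.
$dnsDomain   = $env:USERDNSDOMAIN
$logonServer = $env:LOGONSERVER
if (-not $dnsDomain -or -not $logonServer) {
    throw 'USERDNSDOMAIN/LOGONSERVER are not set: run this with a domain logon on a domain-joined PC.'
}
$realm  = $dnsDomain.ToUpperInvariant()
$domain = $dnsDomain.ToLowerInvariant()
# %LOGONSERVER% looks like \\DC01; the post wants the FQDN with port 88.
$kdc = ($logonServer.TrimStart('\') + '.' + $domain).ToLowerInvariant()
$encList = $EncTypes -join ' '

$content = @"
[libdefaults]
default_realm = $realm
default_tkt_enctypes = $encList
default_tgs_enctypes = $encList

[realms]
$realm = {
  kdc = ${kdc}:88
  admin_server = ${kdc}:88
  default_domain = $domain
}

[domain_realm]
.$domain = $realm
$domain = $realm
"@

$extras = Join-Path $NotesDir 'framework\rcp\deploy\extras'
if (-not (Test-Path $extras)) { throw "Notes deploy/extras folder not found: $extras" }
$target = Join-Path $extras 'krb5.ini'
# Plain ASCII: the Java Kerberos config parser used by the client does not expect a BOM.
Set-Content -Path $target -Value $content -Encoding Ascii
Write-Host "Wrote $target for realm $realm (kdc $kdc)"

# Sanity check: an unreachable KDC is the usual reason the OS Credential option silently fails.
$sock = New-Object System.Net.Sockets.TcpClient
try   { $sock.Connect($kdc, 88); Write-Host "KDC $kdc reachable on 88/tcp" }
catch { Write-Warning "Cannot reach $kdc on 88/tcp: $($_.Exception.Message)" }
finally { $sock.Close() }
```

Run it from a domain logon on the workstation (adjust -NotesDir for your install); the file it writes has the same three sections as the template above, so you can diff it against a hand-edited copy.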
A couple of gotchas that are relatively minor: when you set up your Connections preferences you need to specify an "https://" address as the server URL, and you will want to use "https://<hostname>/activities/service/authredirect.jsp" for the Authentication URL field. (NOTE: Greenhouse doesn't support SPNEGO. I'm just using this as an example.)
After making these changes you may still find that SPNEGO doesn't work as you would expect. Well, one reason may be that you are an administrator on a Windows 7 PC. This is a quirk of UAC in Windows. In order to get SPNEGO to work you can right-click the Notes icon when you start it and choose "Run as Administrator".
This should be enough to get your Activities widget working. But many times you'll want to use another widget as well. For example, the "Status Updates" widget is very popular, but if you're using SPNEGO you'll notice that the thumbnail pictures of users may not be coming down. This is a known issue that you can address by adding a line to your plugin_customization.ini file, which is located in your <Lotus Notes>/framework/rcp/ directory. This changes the behavior of the plug-in to pull the images via a feed mechanism.
com.ibm.lconn.statusupdates/download.image.enabled = true
PUSHING IT OUT
So after making all those changes you should now have a working SPNEGO-enabled Connections account on your Lotus Notes client. What you usually end up wanting to do from this point forward is to push these changes out to a large group of users. The way to do that is through Policies. Go to your Name and Address book, open your Policies folder and click on the Accounts view. Click on the Add Account button and start filling out the form. The key fields will be the "Account type", which should be Connections; the "Connections service URL"; and the "Authentication URL" on the Advanced tab. Also on the Advanced tab, you need to choose the Authentication type and set it to OS-CRED.
The most important trick to pushing this policy out is to place the krb5.ini in the Account file field. This will place that file in the rcp/deploy/extras folder. Note: you can only place one file in this field, so this will be problematic if you also need to deploy a custom icon.
For the issues associated with UAC causing authentication failures when using SPNEGO, there are a couple of options. One, you can create a VBS script that starts the Notes program with elevated privileges. Or you can modify the shortcut: right-click on the icon and select Properties. You will see a Compatibility tab, and on that you can check the "Run this program as an administrator" option.
Both of these options have the negative side effect of creating a pop-up that alerts you to the fact that the program will need to run with elevated privileges. If you want to bypass that pop-up, you can create a scheduled task that will run with elevated privileges and then start that task via a shortcut.
Note: You need to be an administrator for these. Regular users will not need to implement these options to get SPNEGO to work.
' Elevation launcher for Notes: place this script in the Notes program directory
' (the folder that contains notes.exe) and start it instead of notes.exe.
Dim oShell, oExec
' First pass runs unelevated: re-launch ourselves through the "runas" verb (UAC prompt)
' with a /elevated switch so the second pass knows it already has the admin token.
If WScript.Arguments.Named.Exists("elevated") = False Then
    CreateObject("Shell.Application").ShellExecute "wscript.exe", """" & WScript.ScriptFullName & """ /elevated", "", "runas", 1
    WScript.Quit
Else
    Set oShell = CreateObject("WScript.Shell")
    ' Run from the script's own folder so "notes.exe" resolves without a full path
    oShell.CurrentDirectory = CreateObject("Scripting.FileSystemObject").GetParentFolderName(WScript.ScriptFullName)
End If
' Start the Notes client under the elevated token
Set oExec = oShell.Exec("notes.exe")
Start taskschd.msc
In the left-hand pane, go to the Task Scheduler Library
In the right-hand pane, click Create Task
General Tab: 1) Give the task a name; 2) check "Run with highest privileges"; 3) Configure for Windows 7
Actions Tab: 1) New - Start a program; 2) Start in <Notes data directory>
Conditions Tab: 1) Uncheck "Stop if the computer switches to battery power"; 2) Uncheck "Start the task only if the computer is on AC power"
Settings Tab: Uncheck "Stop the task if it runs longer than"
The task you created will now show up in the middle pane.
Create a shortcut
Right-click on the desktop and choose New -> Shortcut
For the location -> schtasks /run /tn <taskname>
Click Next
Type what you want to call the shortcut and click Finish
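The Task Scheduler steps above can also be done from the command line, which is useful when you want the same task on many administrator PCs. The PowerShell script below is an added example (not from the original post and not part of Lotus Notes): it builds the task XML equivalent of each GUI setting (version 1.2 is "Configure for Windows 7", RunLevel HighestAvailable is "Run with highest privileges", the two battery settings map to the Conditions tab, and PT0S removes the "Stop the task if it runs longer than" limit), registers it with schtasks, and prints the shortcut target from the post. The task name, the notes.exe and data paths, and the use of the current user's SID as the task principal are assumptions. Keep in mind what this task is for: once registered, it starts Notes with the full administrator token without any UAC consent, so it belongs only on the administrator PCs the post describes, and the task's action path should point at a directory regular users cannot write to.

```powershell
# Added example, not from the original post: register the elevated Notes
# launcher task from the command line instead of the Task Scheduler GUI.
# $TaskName, $NotesExe and $NotesData are assumed values; adjust for your install.
param(
    [string]$TaskName  = 'NotesElevated',
    [string]$NotesExe  = 'C:\Program Files (x86)\IBM\Lotus\Notes\notes.exe',
    [string]$NotesData = 'C:\Program Files (x86)\IBM\Lotus\Notes\Data'
)
if (-not (Test-Path $NotesExe)) { throw "notes.exe not found at $NotesExe" }

# The task runs as whoever registers it (SID of the current user, as an exported task would contain).
$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# XML equivalent of the GUI steps in the post.
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Starts Lotus Notes elevated so SPNEGO works for administrator users</Description>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>$userSid</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>$NotesExe</Command>
      <WorkingDirectory>$NotesData</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
"@

# schtasks /XML expects a UTF-16 file, matching the encoding declared above.
$xmlPath = Join-Path $env:TEMP "$TaskName.xml"
Set-Content -Path $xmlPath -Value $xml -Encoding Unicode

# Registering a HighestAvailable task needs an elevated PowerShell session itself.
schtasks /Create /TN $TaskName /XML $xmlPath /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }
Remove-Item $xmlPath

# Show what was registered and the shortcut target used in the post.
schtasks /Query /TN $TaskName /V /FO LIST
Write-Host "Shortcut target: schtasks /run /tn $TaskName"
```

Run the script once from an elevated PowerShell prompt on each administrator PC; after that, a desktop shortcut whose target is the printed schtasks /run line starts Notes elevated without the UAC pop-up, which is exactly the behaviour the post's manual steps produce.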