Domino and SPNEGO

What on earth is SPNEGO? Well, according to this very good guide, it's the 'Simple and Protected GSS-API Negotiation Mechanism (SPNEGO)'. Okay, I'm still none the wiser.

What it means is that folks in an Active Directory enterprise can use Internet Exploder (bear with me) and their AD credentials to sign into a Domino server: the browser fetches a Kerberos ticket for the Domino server from a domain controller and hands it over inside an HTTP 'Negotiate' header, so the user never sees a login prompt. Very cool indeed. In fact, if your Domino enterprise runs applications only, this is a very effective way of doing single sign-on. Nice. This new feature is introduced in 8.5.2.
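To see what actually travels over the wire, here is an added PowerShell example (mine, not from the original post, and not Domino code) that classifies the token a browser sends in its "Authorization: Negotiate ..." header after the server's 401. The rule of thumb it encodes: a base64 value starting "TlRMTVNT" is bare NTLM, one starting "YII" is a SPNEGO wrapper, and inside that wrapper an "NTLMSSP" signature means the browser gave up on Kerberos and fell back to NTLM, which is the case that does not get you SPNEGO single sign-on. The sample tokens are constructed inline with a tiny DER encoder; their mechToken payloads are zero-filled placeholders, not real tickets, and the check is a byte scan rather than a full ASN.1 parse.

```powershell
# Added example, not from the original post. Sample tokens are constructed here;
# the mechToken payloads are placeholders, not real Kerberos or NTLM messages.

# DER-encoded OID bodies (without the 0x06 tag and length byte)
$SpnegoOid = [byte[]](0x2b,0x06,0x01,0x05,0x05,0x02)                     # 1.3.6.1.5.5.2          SPNEGO
$Krb5Oid   = [byte[]](0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02)      # 1.2.840.113554.1.2.2   Kerberos V5
$MsKrb5Oid = [byte[]](0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02)      # 1.2.840.48018.1.2.2    MS Kerberos
$NtlmOid   = [byte[]](0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a) # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
$NtlmSig   = [byte[]]([System.Text.Encoding]::ASCII.GetBytes('NTLMSSP') + 0)   # "NTLMSSP\0"

function Find-ByteSequence {
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $hit = $true
        for ($j = 0; $j -lt $Needle.Length; $j++) {
            if ($Haystack[$i + $j] -ne $Needle[$j]) { $hit = $false; break }
        }
        if ($hit) { return $i }
    }
    return -1
}

function Get-NegotiateTokenKind {
    param([Parameter(Mandatory)][string]$AuthorizationHeader)
    if (-not ($AuthorizationHeader -match '^\s*Negotiate\s+([A-Za-z0-9+/=]+)\s*$')) {
        return 'not-a-negotiate-header'
    }
    $token = [Convert]::FromBase64String($Matches[1])

    # Bare NTLM with no SPNEGO wrapper at all (base64 starts "TlRMTVNT").
    if ((Find-ByteSequence $token $NtlmSig) -eq 0) { return 'raw-ntlm' }

    # GSS-API InitialContextToken: 0x60 <len> 0x06 0x06 <SPNEGO OID> ... (base64 starts "YII").
    if ($token[0] -ne 0x60 -or (Find-ByteSequence $token $SpnegoOid) -lt 0) { return 'unknown' }

    # In a NegTokenInit the mechTypes list holds only OIDs, so an "NTLMSSP\0" signature
    # can only come from the optimistic mechToken: the client chose NTLM, not Kerberos.
    if ((Find-ByteSequence $token $NtlmSig) -ge 0) { return 'spnego-ntlm' }

    # A Kerberos mechToken is its own InitialContextToken: <krb5 OID> 0x01 0x00 <AP-REQ>.
    foreach ($oid in @($MsKrb5Oid, $Krb5Oid)) {
        if ((Find-ByteSequence $token ($oid + [byte[]](0x01,0x00))) -ge 0) { return 'spnego-kerberos' }
    }
    return 'spnego-other'
}

function New-Der {
    # Minimal DER TLV encoder (lengths up to 65535), only used to build the sample tokens.
    param([byte]$Tag, [byte[]]$Content)
    $len = $Content.Length
    if ($len -lt 0x80)      { $lenBytes = @($len) }
    elseif ($len -lt 0x100) { $lenBytes = @(0x81, $len) }
    else                    { $lenBytes = @(0x82, ($len -shr 8), ($len -band 0xff)) }
    return ,[byte[]](@($Tag) + $lenBytes + $Content)
}

function New-SampleNegotiateHeader {
    # Builds a NegTokenInit whose optimistic mechToken is a placeholder Kerberos AP-REQ
    # or an NTLM NEGOTIATE (type 1) message, shaped like what IE sends after a 401.
    param([ValidateSet('Kerberos','Ntlm')][string]$Mechanism)
    $filler = New-Object byte[] 24            # stands in for the real AP-REQ / NTLM fields
    if ($Mechanism -eq 'Kerberos') {
        $mechTypes = (New-Der 0x06 $MsKrb5Oid) + (New-Der 0x06 $Krb5Oid) + (New-Der 0x06 $NtlmOid)
        $mechToken = New-Der 0x60 ((New-Der 0x06 $MsKrb5Oid) + [byte[]](0x01,0x00) + $filler)
    } else {
        $mechTypes = New-Der 0x06 $NtlmOid    # no ticket could be obtained, so NTLM is the only offer
        $mechToken = $NtlmSig + [byte[]](0x01,0x00,0x00,0x00) + $filler
    }
    $inner = (New-Der 0xa0 (New-Der 0x30 $mechTypes)) + (New-Der 0xa2 (New-Der 0x04 $mechToken))
    $negTokenInit = New-Der 0xa0 (New-Der 0x30 $inner)
    $gssToken = New-Der 0x60 ((New-Der 0x06 $SpnegoOid) + $negTokenInit)
    return 'Negotiate ' + [Convert]::ToBase64String([byte[]]$gssToken)
}

# Usage: classify the two constructed SPNEGO tokens and a bare NTLM one.
foreach ($m in 'Kerberos','Ntlm') {
    $hdr = New-SampleNegotiateHeader $m
    '{0,-8} -> {1}  ({2}...)' -f $m, (Get-NegotiateTokenKind $hdr), $hdr.Substring(0, 24)
}
$rawNtlm = 'Negotiate ' + [Convert]::ToBase64String([byte[]]($NtlmSig + [byte[]](1,0,0,0)))
'raw      -> ' + (Get-NegotiateTokenKind $rawNtlm)
```

In practice you would paste the header value captured with Fiddler or the browser's developer tools into Get-NegotiateTokenKind; 'spnego-ntlm' or 'raw-ntlm' on a domain-joined client almost always means the browser could not get a Kerberos ticket for the Domino server's Service Principal Name, or the site is not in a zone where IE sends credentials automatically.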

Wait. Wasn't there a really horrible way of doing SSO between AD and Domino, using IIS? Yes. And Warren Elsmore describes it brilliantly here. The 'old' method works on Domino 6 onwards and here at the-client-who-cannot-be-named, we've been using it for production systems for years. Years. No mess, no fuss.

Okay. So the first time I installed an 8.5.2 server in our development environment, the 'old' method stopped dead in its tracks. Why?

I had enabled the 'Windows Single Sign-On integration (if available)' option on the Web SSO configuration document. Ouch. So leave that Disabled for the OLD method, and Enabled for the new SPNEGO method.

Now. We have two AD SSO methods. Which one should we use? Well, it all depends how badly you've pissed off your AD administrators. The 'old' method used IIS, which is already a domain member, to do the Windows authentication in front of Domino and check the user's token against the directory. Since IIS runs on a server that is part of the domain, our chum the AD administrator didn't have to do a thing. Which is (IMHO) what AD administrators are good at. ;-)

In the new SPNEGO method, we have to go around and add stuff to Active Directory: a domain account for the Domino server to run under, and a Service Principal Name (HTTP/ followed by the host name users type into the browser) registered on that account, so that the domain controller will issue Kerberos tickets for the Domino server. Nothing difficult, you understand, but probably difficult enough to confuse most folks who masquerade as AD administrators.
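Here is what that AD work looks like from an admin console, as an added PowerShell example (mine, not from the original post or from IBM's Domino documentation). The names are assumptions: the Domino HTTP task runs as the domain account 'svc-domino', users browse to http://domino.corp.example, and the AD domain is corp.example. Steps 1 to 3 need rights to write servicePrincipalName in AD; steps 4 and 5 run on a client workstation and show the two things that most often send the browser down the NTLM path instead of Kerberos.

```powershell
# Added example, not from the original post. Assumed names: service account
# 'svc-domino', browser host 'domino.corp.example', AD domain 'corp.example'.
$Account  = 'svc-domino'                        # the account the Domino server service runs as
$SpnHosts = @('domino.corp.example', 'domino')  # FQDN users browse to, plus the short name

# 1. Before adding anything: does some other account already own these SPNs?
#    A duplicate SPN means the KDC cannot decide whose key to encrypt the ticket
#    with, Kerberos fails, and the browser quietly falls back to NTLM.
foreach ($h in $SpnHosts) {
    Write-Host "Querying HTTP/$h"
    setspn -Q "HTTP/$h"
}

# 2. Register the SPNs on the service account. -S (unlike -A) refuses to create a duplicate.
foreach ($h in $SpnHosts) {
    setspn -S "HTTP/$h" $Account
}

# 3. Show what is now registered on the account, and sweep the forest for duplicates.
setspn -L $Account
setspn -X

# 4. From a user's workstation: can we actually get a service ticket for the SPN?
#    KDC_ERR_S_PRINCIPAL_UNKNOWN here means the SPN is missing or misspelt, which is
#    exactly the case where IE sends an NTLM token instead of a Kerberos ticket.
klist get "HTTP/$($SpnHosts[0])"

# 5. IE only sends the ticket automatically to sites in the Local intranet zone (zone 1).
#    Per-user registry entry for http://domino.corp.example (the enterprise way is the
#    "Site to Zone Assignment List" group policy, which writes the same ZoneMap keys).
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\corp.example\domino'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'http' -PropertyType DWord -Value 1 -Force | Out-Null
```

Remember to register the SPN for every host name the browser might use (load-balancer name, short name, FQDN); a ticket is requested for whatever is in the URL, not for the machine's real name.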

Also, in the new SPNEGO method, the Domino server has to run on Windows and make AD calls. Not a big fuss for some folks, but if you've implemented some serious tin (AIX, iSeries, Solaris, zSeries, etc.) or Linux, then this might cause some deployment issues. You see, the 'old' method allowed you to run IIS on a server that wasn't your target Domino server and make remote calls to your Domino server.

Or at least that's my very brief impression, based on skimming the release notes. Your mileage might vary.