What is Secondary Authentication?
This is where the user has to perform an additional authentication process in order to be able to access Lotus Domino. This can be implemented where an organization allows all users some mobile services, but only a subset are allowed access to Lotus Domino. However, the most common reason to use this capability is to provide the user community with the capability to receive encrypted Lotus Notes email.
It can also be used to further strengthen the authentication process. There are 2 authentication methods available:
|•||Domino Directory - the connecting user must exist in the Domino directory and be able to provide the Internet Password that matches the password set on their person document in the Domino directory.|
|•||Notes ID Password - there is a copy of the connecting user's Lotus Notes ID file stored in the mSuite repository and the user can provide the password for this ID file. This is the method that must be used if you want users to be able to send* and receive encrypted Notes email.|
* Sending of encrypted mail is not supported on EAS devices. Receiving encrypted mail on EAS devices requires the user's primary mSuite password to be the same as their Notes ID password because the device only submits one password.
Configuring Secondary Authentication
Secondary authentication is managed on a per user basis, this is because the most useful method - Notes ID Password - requires the import of the user's Lotus Notes ID file. Clearly this cannot be done at a group level because every user's ID file is unique.
|1.||Expand the Administration node in the navigation tree.|
|2.||Expand any groups until the user is displayed in the action pane.|
|3.||Right mouse click the user in the action pane and choose Properties from the pop-up menu.|
|4.||The secondary authentication configuration is displayed in the lower half of the General page.|
|5.||Set the authentication mode to Domino Directory or Notes ID.|
|6.||If you selected Notes ID, use the Browse... button to locate a copy of the user's ID file. This will be imported into mSuite's SQL database. When the user connects, providing that they can provide the password for the ID file, it will be retrieved and used to encrypt and decrypt Lotus Notes mail items (provided you also checked the Decrypt mail box).|
|7.||If you check the Cannot save password box - the user will not be allowed to save the secondary authentication password on the device and will be prompted for it whenever it is needed. (Cannot save password only applies to 'mNotes' clients on Windows Mobile and Symbian devices.)|
For Exchange ActiveSync devices, since the device only provides one password, the primary and secondary passwords must be the same.
For 'mNotes' clients on Windows Mobile or Symbian devices, if you use the security policy to force the user to log on to their device, and then allow the secondary password to be saved, this will result in a good user experience with low security risks.