Log in to Notes with "IBM Client Security Software" (Fingerprint-reader on IBM TP T43)

Hi everybody,

I am trying to configure a Thinkpad T43 laptop which has a fingerprint reader to do an automatic log-in to Lotus Notes (6.5.4).

What I would like to do is to have only one finger-print authentication during the boot time of the computer. Then it should automatically log me into Windows and, once I am there, let me start Lotus Notes without a password prompt.

Can this be done?

I have installed the “IBM Client Security Software”.

Right now I managed to configure it in such a way that the “finger-print”-authentication is used as the boot-password, then I am automatically logged into Windows with my account. Perfect so far :-))

When I start Notes the first time, I am prompted for a password with the “IBM CSS” login (not the Notes login anymore). It has the text “Initial authentication” at the top. Once I enter the password here, I can close Notes and restart it again and again without any password prompts anymore.

I also managed, through changes in the policies of IBM CSS, to display an additional “finger-print prompt” after each Notes start. However, what I cannot achieve is to get rid of the “Initial Authentication” password prompt.

Does anybody have an idea?

Do I have to use the “normal” SSO with Windows from Lotus Notes? (The one that has to be chosen during the installation of a Notes client.)

I have never used it because I was told it has disadvantages when switching IDs and accounts.

Any help required.

Thanks in advance.

Lars

Subject: Log in to Notes with “IBM Client Security Software” (Fingerprint-reader on IBM TP T43)

There are two different approaches that you could take. I believe that the one you mentioned is support that IBM CSS built for Notes/Domino R5, where the Notes ID password is stored encrypted using the hardware RSA key on the chip. That “Initial authentication” will never go away, since that is how the ID file password is being stored by IBM CSS.

The second approach is to use Notes’s built-in (as of ND6) support for cryptographic tokens. Using that approach, you would launch Notes normally with your password, then use the “Your Smartcard” tab of the User Security Dialog to first configure Notes to use IBM CSS’s PKCS#11 library (something along the lines of C:\Program Files\IBM ThinkVantage\Client Security Solution\csspkcs11.dll), then to lock (“smartcard enable”) the ID file with the cryptographic token. This approach has the rather substantial advantage that it makes the ID file effectively immune from password-guessing attacks, but the corresponding disadvantage that you won’t be able to simply copy the .id file to another computer, since it will be locked with that particular crypto chip. With most hardware cryptographic tokens, you’d see additional PIN (or fingerprint) prompts at the usual times within Notes, but the IBM Embedded Security System’s default configuration ignores PKCS#11’s requirements for each process to log in to the token independently and allows any application to use the hardware device without logging in independently.

I wouldn’t recommend using Single Log On between Windows and Notes with a hardware cryptographic device – mixing a lowest common denominator security approach with the high levels of assurance provided by a hardware device just doesn’t make any sense from a security standpoint. You’ll be better off securing both Notes and Windows independently with the hardware device.

dave