I am working on a domino site that has 99% public access but some parts of it require you to log in. I have been through all the design elements currently there and turned on Available to Public Access users, and I have set the anonymous entry in the ACL to no access, read and write public documents. I have also added $PublicAccess = “1” to each document in the database.
I created the domcfg.nsf file on the server but I have yet to add a document in there to configure this site.
When I add a design element that is not available to public access users, and then try to navigate to it in the browser, I get a standard windows password popup box, similar to the one you would get if you want to map a drive in windows and you need to enter a username and password. Until recently however I would get the normal login page that domino throws up. I have tried entering my shortname from the server NAB and my internet password in this box but it doesn’t let me see the restriceted pages.
My question is - where has the usual yellow domino login page gone? Why do I now get the windows popup box asking for a username? And why wont it let me log in? I am mentioned in the ACL as a manager - do I need an entry for me in there in brackets?
Thanks! Matt.
Subject: Security in Domino - popup password box
Are you actually using the Domino server? If you are previewing the application AND you are accessing the database as local (that is, you opened the database to your workspace using the Browse button in the database open dialog), you may be bypassing Domino altogether. Your local preview only uses simple authentication, and the personal address book does not offer a method to authenticate web users – even though nhttp knows enough to demand authentication for the database/design element.
Subject: RE: Security in Domino - popup password box
No I am definitely using Domino. I am working from home and connecting to the companie’s domino server both in Notes and via the browser. It has an IP address that is publically accessible and the server is on the outside of the firewall at the business. I’m entering the ip address and path in IE and I have a connection document setup in Notes to access it there also.
I’ve set the session authentication setting on the server doc to Single server and I now get the login form (I presume coming from the domcfg.nsf db) whenever I try opening a restricted page in the site now but when I enter my shortname and internet password it’s saying I am not authenticated even though I am a manager of the db.
Subject: RE: Security in Domino - popup password box
Hmmm. Have you tried using your fully-distinguished name? Do you have the authority to issue a dbcache flush?
Subject: RE: Security in Domino - popup password box
Also, if the server is configured to allow “Fewer name variations with higher security”, short name is not accepted as a user name. Try the common name, fully hierarchical name, Internet address of one of the values in “User names” instead.
Subject: RE: Security in Domino - popup password box
Thats it, the server was configured to allow fewer name variations - as soon as I put in my common name it allows me to access the restricted pages. Thanks so much for all your help on this topic guys, I should have tried that username first I know, I just didn’t realise that domino treats them all differently.
Subject: RE: Security in Domino - popup password box
Happy to see, that you did NOT try to go the other route and change the server configuration. 
I cannot imagine what admin in his right mind would revert to “more name variations”. Heck, that even allows for first names as user names …
Subject: RE: Security in Domino - popup password box
Well the guy I am doing this for say security is paramount (which it should be obviously) so I want to keep it as locked down as possible - changing that would open up a world of potential abuse I’m sure.
Subject: RE: Security in Domino - popup password box
Edit: Ooopsie. Sorry for replying to the wrong posting. That’s the only downside of Julian’s Greasemonkey script: I sometimes don’t pay attention to what that reply link belongs to …
“… if I enable this will I then see the standard login form?”
Yes.
“Do you know where this form is hidden on the server?”
If I remember right, it is hidden very well: Inside the Domino server’s code. Creating customized login forms is exactly what domcfg.nsf is for.
“What is the benefit of having this disabled? And do you know if it’s disabled by default?”
Session authentication is disabled by default. Session authentication is more basic, in that it doesn’t require cookies. User name and password are send along with each and every request (in Base64 encoded form). When using session authentication, user name and password are transmitted only once (as clear text) and Domino will generate a cookie, that authenticates you for the reminder of the session. From then on, only the cookie is passed along between browser and server. Session authentication is also more flexible, as it can be set up to be used across multiple servers. It allows you to have a customized login page where you can provide more information and take full control over the design. However, JavaScript events and WebQueryOpen and WebQuerySave agents are not executed for this special form. In most cases, session authentication should be considered the better choice.
However, Stan’s comment still applies. If you happen to preview your local replica, server settings will not apply.
Subject: Security in Domino - popup password box
I assume, that the login popup you see is not really a windows dialog, but a standard browser dialog. If you happen to use Internet Explorer, this might look a lot like it was OS related, but accessing the page with a different browser should display a different window. If so, this means that your site no longer uses forms based (or session) authentication, but simple authentication.
This is either configured server-wide in the server document (Internet Protocols → Domino Web Engine) or per web site document, if you specified to load Internet configurations form Internet site documents. If the latter is the case, make sure, that you either access the site through one of the mapped host names, or to define this Internet site as the default for all requests, that cannot be mapped otherwise (all in the Internet site document).
Just creating the domcfg.nsf database should not have any influence on that. ACL entries in square brackets have a meaning for templates only (those entries will appear - without the brackets - in every new database you create from the template).
Subject: RE: Security in Domino - popup password box
Thanks for your reply. I have checked the server config document and Session Authentication is disabled - if I enable this will I then see the standard login form? Do you know where this form is hidden on the server?
What is the benefit of having this disabled? And do you know if it’s disabled by default?
Thanks so much for you help.
Matt