Integrating Domino R5 and IIS 4.0

Lotus Domino R5 introduces new functionality, including the ability to integrate Domino and IIS. This feature lets Domino use IIS's HTTP services and function as an IIS extension. Let's explore the benefits of integrating Domino and IIS, walk through the configuration of this setup, and find out what Domino functionality you sacrifice by integrating Domino and IIS.

Why Integrate Domino and IIS?
First, some organizations want to use Domino, but they're already committed to IIS and don't want to support another HTTP stack. Integrating Domino and IIS lets these companies add Domino functionality to existing Web environments. Second, this setup can consolidate Web servers in a moderate load environment. Consolidating servers saves you time and money because you don't have to buy, set up, and manage additional Web servers. Third, this setup lets you take advantage of both Domino and IIS functionality. For example, you can simultaneously use IIS's Active Server Pages (ASP) and Domino's mail routing and database-content replication features.

When you integrate Domino and IIS, Domino uses both IIS extension mechanisms: Internet Server API (ISAPI) extensions and ISAPI filters. The ISAPI extensions tell Domino which DLL to use when a user's browser passes the server a URL with an .nsf file extension. The server passes the user's request to Domino, which processes it and prepares a response. Domino uses ISAPI filters to view, process, and, if necessary, modify the requests that come to the server.

Before I explain how to integrate Domino and IIS, let's review Domino's basics. On the fly, Domino converts Lotus Notes' design elements (e.g., formatted documents and views) into HTML for browser clients. In Domino R5, the browser clients are easier to support because Lotus has ported traditional Notes client features into Java applets (e.g., the rich text editor field). Also, Domino R5 provides greater support for native HTML and JavaScript.

Installation
Installing Domino in an IIS environment is fairly straightforward. First, you must install IIS 4.0 and Windows NT 4.0 with Service Pack 4 (SP4) on your system. SP4 contains NT 4.0 Option Pack updates to the IIS 4.0 code, so install SP4 after you install IIS 4.0.

Next, you install Domino R5. You have three Domino installation options: Domino Mail Server, Domino Enterprise Server, and Domino Application Server.

Choose the Domino Application Server installation; then select custom installation options in the Customize dialog box. I recommend the Run Domino as an NT Service option, which installs Domino as a service (so that it starts when NT starts). Otherwise, the Domino server doesn't start until a user logs on to the server locally. Also, consider selecting the Notes Performance Monitor option, which adds a Notes counter to the NT Performance Monitor.

In addition, install the Domino Administrator code on the server. Although you can use a browser to manage the Domino server (via the URL http://server_name/webadmin.nsf), you must use the local file system to access the Domino databases (particularly the Domino directory) if your Domino server won't start. In Domino R5, Lotus separated the Domino Administrator code that you need to view and configure Domino and your application databases from the server code.

Prerequisites
Before you continue with the Domino installation, check the following setup prerequisites. In most cases, particularly if you're setting up a new server, your system already meets these prerequisites.

First, ensure that the server's ID file doesn't have a password. If it does, the server will hang in IIS when you launch. Most servers don't have password protection because it requires an administrator to start the server. For security, most companies keep their servers in a physically secure room.

Second, check whether the server ID file is in the data directory (i.e., lotusdominodata). If the server ID file isn't in the data directory, the ServerKeyFile= line of the notes.ini file must contain the fully qualified path of the ID file.

Third, verify that the Domino HTTP task isn't set to automatically start when you launch the Domino server by checking the ServerTasks= line of the notes.ini file. If the task is set to launch automatically, it will conflict with IIS for TCP port 80. However, you can change the port for Domino from the default to let both HTTP stacks run on the same server. If you change the Domino port, users must enter the new port number as part of the URL to access the Web server's resources. Or, you must include the new port number in the HTML link that sends users to the Web server (e.g., http://server/resource:8080).

Finally, launch the Domino server alone to make sure that it starts correctly. The server console, which runs in a DOS window, sends you error messages if anything is seriously wrong with the server's configuration. To stop the Domino server, enter Q (for quit) or E (for exit) in the Domino server console window. If you selected the Run Domino as an NT Service option when you installed Domino, you can stop it via the Services applet in Control Panel.

Domino and IIS Configuration
Configuring Domino and IIS is simple and consists of only three steps. (You use the Microsoft Management Console—MMC—snap-in for IIS to configure your Web site.) The following instructions show you how to enable Domino and IIS to work together:

You can apply these IIS configuration changes while IIS is running. Configuring Domino doesn't require stopping and restarting IIS.

If you experiment with an integrated Domino and IIS setup, you'll discover that this setup works fine without starting the Domino server. The IIS extensions successfully retrieve Domino server resources and send a response to the client. However, Lotus recommends that you keep the Domino server running when you're using only the ISAPI extensions to access Domino resources. The Domino server periodically runs several housekeeping tasks to maintain the server databases, including updating the database index. When you create and delete documents, the Domino server updates indexes in the background. If the Domino server isn't running, when you access Domino views (a list of documents that satisfy criteria based on the indexes), users can have problems accessing deleted documents, or, worse, the view might not list the most recently updated documents.

IIS Authentication and Domino Security
Integrating Domino and IIS requires you to seriously consider the security implications of this implementation. Before you expose the data on your Domino and IIS servers, you need to fully understand IIS's different authentication models and how they integrate with Domino security. You can use any or all of IIS's three security options:

When the server passes the URL to Domino, Domino checks to see if the current user has sufficient security permissions for the request. If IIS allows anonymous access, Domino won't challenge the user for an account and password until anonymous access is insufficient to perform an action. Domino maintains a systemwide setting in the Domino directory that allows or disallows anonymous access (this setting is in the authentication options on the Ports and Internet Ports Web page). Whether Domino allows users anonymous access depends on this setting.

In addition, each Domino database has an ACL that controls who can access that database and what actions they can perform. Domino databases offer seven levels of access:

In the ACL, a special anonymous entry controls unauthenticated Web users' access level. If the anonymous entry isn't present, then the default entry (which controls access for Web and Notes clients) controls unauthenticated users' access. If users attempt to perform an operation in IIS or Domino that they're not allowed to perform anonymously, they must become authenticated before they can proceed. They become authenticated through IIS, and IIS verifies their authentication against NT's SAM.

If you enable NT Challenge/Response, the browser hashes the current user's account details and password and automatically passes this information to the server. If the browser's information isn't acceptable to the server, the browser prompts the user for alternative account and password information. (For example, if you're using Basic Authentication, the browser prompts the user for username and password information.)

After IIS authenticates the user, it passes only the username (not the password) to Domino using the form domainuser (or machineuser for standalone NT Server systems). If you're using Basic Authentication, IIS authenticates the name the user provides (i.e., user or domainuser) and passes this information to Domino in the form that the user supplies it.

Next, Domino searches the Domino directory databases to match the User Name field against the username IIS provides. You need to know your users' browsers and authentication types so that users know which username format to enter (either as the NT username or as domainuser). Otherwise, you as the administrator need to enter the usernames in both formats in the Domino directory for each person. When Domino finds a match in the directory for that username, Domino uses the first User Name entry for that Person record to match against the database ACL to find the user's access level.

Therefore, the first User Name entry for the user needs to be the hierachical Domino username, which is typically in the format FirstName LastName/Organization. This Domino username is listed in the Domino database ACLs (or in a group entry from the Domino directory), which provide the user's access level. A user's Person record also contains an Internet password. Domino ignores this field because IIS has already successfully authenticated the user.

Each Domino database contains an advanced setting—Maximum Internet Name and Password access—that can override the permissions on the ACL. This advanced setting represents the maximum database access over the Web, regardless of a user's permissions. This setting's default value is usually Editor. In addition, some Domino custom database applications use advanced security features that secure areas more finely grained than an individual database. In this case, look closely at the application's security design to determine how it fits in an integrated Domino and IIS environment.

What You Lose
When you integrate Domino and IIS, some Domino applications will behave differently than they would in a pure Domino environment. These changes are understandable, considering that Domino is using a different underlying HTTP stack. However, the integration will be totally transparent for most Domino applications. Figure out the impact of the changes, and run a pilot test before you implement an integrated Domino and IIS environment. An integrated Domino and IIS environment doesn't support the following Domino functionality:

For more information about the differences, see Lotus Notes and Domino Advisor, "Domino Reaches Out to Internet Information Server," Windows NT Magazine, January 1999. Table 1 details which fields in the server configuration document in the Domino directory are in use when running with IIS, and their IIS equivalents if any.

Should You Integrate Domino and IIS?
Domino and IIS are great technologies. If your environment is strongly committed to IIS, Domino's new functionality means you no longer have to automatically rule out using Domino technology. To decide whether integrating Domino and IIS will benefit your environment, consider the function of an integrated environment, its security implications, and the Domino features you must sacrifice.