Lotus Domino R5 introduces new functionality, including the ability to integrate Domino and IIS. This feature lets Domino use IIS's HTTP services and function as an IIS extension. Let's explore the benefits of integrating Domino and IIS, walk through the configuration of this setup, and find out what Domino functionality you sacrifice by integrating Domino and IIS.
Why Integrate Domino and IIS?
First, some organizations want to use Domino, but they're already committed to IIS and don't want to support another HTTP stack. Integrating Domino and IIS lets these companies add Domino functionality to existing Web environments. Second, this setup can consolidate Web servers in a moderate load environment. Consolidating servers saves you time and money because you don't have to buy, set up, and manage additional Web servers. Third, this setup lets you take advantage of both Domino and IIS functionality. For example, you can simultaneously use IIS's Active Server Pages (ASP) and Domino's mail routing and database-content replication features.
When you integrate Domino and IIS, Domino uses both IIS extension mechanisms: Internet Server API (ISAPI) extensions and ISAPI filters. The ISAPI extensions tell Domino which DLL to use when a user's browser passes the server a URL with an .nsf file extension. The server passes the user's request to Domino, which processes it and prepares a response. Domino uses ISAPI filters to view, process, and, if necessary, modify the requests that come to the server.
Installing Domino in an IIS environment is fairly straightforward. First, you must install IIS 4.0 and Windows NT 4.0 with Service Pack 4 (SP4) on your system. SP4 contains NT 4.0 Option Pack updates to the IIS 4.0 code, so install SP4 after you install IIS 4.0.
Next, you install Domino R5. You have three Domino installation options: Domino Mail Server, Domino Enterprise Server, and Domino Application Server.
- Domino Mail Server provides only mail, calendaring, and discussion functionality and doesn't include other applications.
- Domino Enterprise Server offers application-level clustering, which isn't useful in a mixed Domino and IIS environment.
- Domino Application Server has an installation option, which includes Domino Mail Server.
Choose the Domino Application Server installation; then select custom installation options in the Customize dialog box. I recommend the Run Domino as an NT Service option, which installs Domino as a service (so that it starts when NT starts). Otherwise, the Domino server doesn't start until a user logs on to the server locally. Also, consider selecting the Notes Performance Monitor option, which adds a Notes counter to the NT Performance Monitor.
In addition, install the Domino Administrator code on the server. Although you can use a browser to manage the Domino server (via the URL http://server_name/webadmin.nsf), you must use the local file system to access the Domino databases (particularly the Domino directory) if your Domino server won't start. In Domino R5, Lotus separated the Domino Administrator code that you need to view and configure Domino and your application databases from the server code.
Before you continue with the Domino installation, check the following setup prerequisites. In most cases, particularly if you're setting up a new server, your system already meets these prerequisites.
First, ensure that the server's ID file doesn't have a password. If it does, the server hangs when you launch it under IIS. Most servers don't have password protection because it requires an administrator to start the server. For security, most companies keep their servers in a physically secure room.
Second, check whether the server ID file is in the data directory (i.e., \lotus\domino\data). If the server ID file isn't in the data directory, the ServerKeyFile= line of the notes.ini file must contain the fully qualified path of the ID file.
Third, verify that the Domino HTTP task isn't set to automatically start when you launch the Domino server by checking the ServerTasks= line of the notes.ini file. If the task is set to launch automatically, it will conflict with IIS for TCP port 80. However, you can change the port for Domino from the default to let both HTTP stacks run on the same server. If you change the Domino port, users must enter the new port number as part of the URL to access the Web server's resources. Or, you must include the new port number in the HTML link that sends users to the Web server (e.g., http://server:8080/resource).
Finally, launch the Domino server alone to make sure that it starts correctly. The server console, which runs in a DOS window, sends you error messages if anything is seriously wrong with the server's configuration. To stop the Domino server, enter Q (for quit) or E (for exit) in the Domino server console window. If you selected the Run Domino as an NT Service option when you installed Domino, you can stop it via the Services applet in Control Panel.
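The notes.ini checks above can be scripted. The following is an added example, not code from the article or from Lotus: it parses a notes.ini, flags an HTTP entry in ServerTasks= (the port 80 conflict with IIS), and flags a ServerKeyFile= value that is neither a bare filename in the data directory nor a fully qualified path. The ini contents and paths are constructed samples; "fully qualified" is taken to mean a drive letter or UNC prefix plus a rooted path.

```python
import ntpath

# Constructed sample notes.ini fragments (not from a real server).
SAMPLE_OK = "ServerTasks=Replica,Router,Update,AMgr,Adminp\nServerKeyFile=server.id\n"
SAMPLE_BAD = "ServerTasks=Replica,Router,Update,HTTP\nServerKeyFile=ids\\server.id\n"


def parse_notes_ini(text):
    """Parse key=value lines into a dict; keys are compared case-insensitively."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def is_fully_qualified(path):
    """Drive letter or UNC share followed by a rooted path, e.g. D:\\ids\\server.id."""
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) and rest.startswith("\\")


def check_iis_prerequisites(ini_text):
    """Return a list of problems found; an empty list means both checks passed."""
    settings = parse_notes_ini(ini_text)
    problems = []

    tasks = [t.strip().lower() for t in settings.get("servertasks", "").split(",")]
    if "http" in tasks:
        problems.append("ServerTasks= starts the Domino HTTP task; it will conflict with IIS on TCP port 80")

    key_file = settings.get("serverkeyfile", "")
    if not key_file:
        problems.append("ServerKeyFile= is missing from notes.ini")
    elif ntpath.dirname(key_file) and not is_fully_qualified(key_file):
        # A bare filename means the ID lives in the data directory; anything with a
        # directory component must give the full path to the ID file.
        problems.append("ServerKeyFile= must be a fully qualified path when the ID is outside the data directory")
    return problems


if __name__ == "__main__":
    for label, ini in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_iis_prerequisites(ini) or "no problems found")
```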
Domino and IIS Configuration
Configuring Domino and IIS is simple and consists of only three steps. (You use the Microsoft Management Console—MMC—snap-in for IIS to configure your Web site.) The following instructions show you how to enable Domino and IIS to work together:
- Configure the ISAPI extension for Domino (i.e., niisextn.dll—aiisextn.dll for Alpha) in the Add/Edit Application Extension Mapping dialog box, which Screen 1 shows. You can go to this dialog box in the MMC by selecting the Web site you want to configure, clicking Properties, and selecting the Configuration for Application Settings option on the Home Directory tab. The Registry uses file associations to help the system determine which application to open for each file. Similarly, an ISAPI extension tells IIS to pass the URL to the defined Domino DLL when an incoming URL contains the .nsf file extension.
- Configure the ISAPI filter for Domino (i.e., niisfilt.dll—aiisfilt.dll for Alpha) in the Filter Properties dialog box, which Screen 2 shows. To reach this dialog box, select the Web site you want to configure, click Properties, and select the ISAPI Filter tab. Domino uses this filter to correctly interpret the special Domino URL (i.e., ?OpenServer), which provides a list of the databases on the Domino server that you can navigate, as Screen 3 shows. Although this feature is convenient, it's a security hole because it exposes the Domino server's contents and the Web site's structure. By default, Domino doesn't let users browse this URL. I had to modify the server document in the Domino directory to enable this feature. Be aware that ISAPI filters run in the memory allocated to IIS. If Domino crashes, it could take IIS down with it.
- Create two virtual directories so IIS can access Domino's icons and Java applets. Domino's icons refer to D:\lotus\domino\data\domino\icons, and Domino's Java applets (i.e., domjava) refer to D:\lotus\domino\data\domino\java (using the default directory structure on the D drive).
You can apply these IIS configuration changes while IIS is running. Configuring Domino doesn't require stopping and restarting IIS.
If you experiment with an integrated Domino and IIS setup, you'll discover that this setup works fine without starting the Domino server. The IIS extensions successfully retrieve Domino server resources and send a response to the client. However, Lotus recommends that you keep the Domino server running when you're using only the ISAPI extensions to access Domino resources. The Domino server periodically runs several housekeeping tasks to maintain the server databases, including updating the database index. When you create and delete documents, the Domino server updates indexes in the background. If the Domino server isn't running, when you access Domino views (a list of documents that satisfy criteria based on the indexes), users can have problems accessing deleted documents, or, worse, the view might not list the most recently updated documents.
IIS Authentication and Domino Security
Integrating Domino and IIS requires you to seriously consider the security implications of this implementation. Before you expose the data on your Domino and IIS servers, you need to fully understand IIS's different authentication models and how they integrate with Domino security. You can use any or all of IIS's three security options:
- Anonymous Access—The user accesses the Web application under the account configured in the Anonymous User Account dialog box and doesn't enter any credentials.
- Basic Authentication—The server verifies users' accounts and passwords against NT's SAM by passing the information via clear text between the client browser and the server. The server uses this option for browsers other than Internet Explorer (IE)—for example, Netscape—but IE can use this option if you disable NT Challenge/Response.
- NT Challenge/Response—The server verifies users' accounts and passwords against NT's SAM through an encrypted conversation between the client browser and the server (similar to an NT Workstation logon). This security option is available only to IE 3.0 and higher.
When the server passes the URL to Domino, Domino checks to see if the current user has sufficient security permissions for the request. If IIS allows anonymous access, Domino won't challenge the user for an account and password until anonymous access is insufficient to perform an action. Domino maintains a systemwide setting in the Domino directory that allows or disallows anonymous access (this setting is in the authentication options on the Ports and Internet Ports Web page). Whether Domino allows users anonymous access depends on this setting.
In addition, each Domino database has an ACL that controls who can access that database and what actions they can perform. Domino databases offer seven levels of access:
- No Access
- Depositor—You can create database documents, but you can't read any.
- Reader—You can read documents in the database.
- Author—You can create documents, and you can read and update the documents you create.
- Editor—You can create documents and edit other users' documents.
- Designer—You can create documents, edit other users' documents, and change the database application design.
- Manager—You have designer permissions and can change the ACL.
In the ACL, a special anonymous entry controls unauthenticated Web users' access level. If the anonymous entry isn't present, then the default entry (which controls access for Web and Notes clients) controls unauthenticated users' access. If users attempt to perform an operation in IIS or Domino that they're not allowed to perform anonymously, they must become authenticated before they can proceed. They become authenticated through IIS, and IIS verifies their authentication against NT's SAM.
If you enable NT Challenge/Response, the browser hashes the current user's account details and password and automatically passes this information to the server. If the browser's information isn't acceptable to the server, the browser prompts the user for alternative account and password information. (For example, if you're using Basic Authentication, the browser prompts the user for username and password information.)
After IIS authenticates the user, it passes only the username (not the password) to Domino using the form domain\user (or machine\user for standalone NT Server systems). If you're using Basic Authentication, IIS authenticates the name the user provides (i.e., user or domain\user) and passes this information to Domino in the form that the user supplies it.
Next, Domino searches the Domino directory databases to match the User Name field against the username IIS provides. You need to know your users' browsers and authentication types so that users know which username format to enter (either as the NT username or as domain\user). Otherwise, you as the administrator need to enter the usernames in both formats in the Domino directory for each person. When Domino finds a match in the directory for that username, Domino uses the first User Name entry for that Person record to match against the database ACL to find the user's access level.
Therefore, the first User Name entry for the user needs to be the hierarchical Domino username, which is typically in the format FirstName LastName/Organization. This Domino username is listed in the Domino database ACLs (or in a group entry from the Domino directory), which provide the user's access level. A user's Person record also contains an Internet password. Domino ignores this field because IIS has already successfully authenticated the user.
Each Domino database contains an advanced setting—Maximum Internet Name and Password access—that can override the permissions on the ACL. This advanced setting represents the maximum database access over the Web, regardless of a user's permissions. This setting's default value is usually Editor. In addition, some Domino custom database applications use advanced security features that secure areas more finely grained than an individual database. In this case, look closely at the application's security design to determine how it fits in an integrated Domino and IIS environment.
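The name-to-access resolution described in the preceding paragraphs is easy to get wrong when planning an ACL, so here is a model of it as an added example (not code from the article or from Lotus). It takes the name IIS hands over, matches it against every entry of a Person record's User Name field, uses the first entry as the Domino name, looks that name or its groups up in the ACL (falling back to the Anonymous and then the -Default- entry), and caps the result with Maximum Internet Name and Password access. The directory, ACL and group contents are constructed samples; treating an authenticated name with no Person record as an ACL lookup on the name exactly as IIS supplied it is a simplifying assumption.

```python
# Domino's seven access levels, weakest first; position gives the ordering.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed sample data. Each Person record is its User Name field: the first
# entry is the hierarchical Domino name, later entries are the aliases IIS may send.
DIRECTORY = [
    ["Jane Doe/Acme", "ACME\\jdoe", "jdoe"],
    ["Bob Smith/Acme", "ACME\\bsmith"],
]
GROUPS = {"WebEditors": ["Bob Smith/Acme"]}
ACL = {"-Default-": "Reader", "Anonymous": "No Access",
       "Jane Doe/Acme": "Manager", "WebEditors": "Editor"}
MAX_INTERNET_ACCESS = "Editor"   # the database's Maximum Internet Name and Password access


def rank(level):
    return LEVELS.index(level)


def resolve_person(directory, iis_name):
    """Return the hierarchical name whose User Name field matches the IIS-supplied
    name (case-insensitive), or the supplied name unchanged if no record matches."""
    wanted = iis_name.lower()
    for names in directory:
        if any(n.lower() == wanted for n in names):
            return names[0]
    return iis_name   # assumption: unmatched names are looked up in the ACL as given


def acl_level(acl, groups, name):
    """Explicit entry wins; otherwise the highest level of any listed group the
    name belongs to; otherwise -Default-. None means an unauthenticated user."""
    if name is None:
        return acl.get("Anonymous", acl["-Default-"])
    if name in acl:
        return acl[name]
    group_levels = [acl[g] for g, members in groups.items() if name in members and g in acl]
    if group_levels:
        return max(group_levels, key=rank)
    return acl["-Default-"]


def effective_access(iis_name, directory=DIRECTORY, acl=ACL, groups=GROUPS,
                     max_internet=MAX_INTERNET_ACCESS):
    """Access level a Web user ends up with after IIS authentication (or anonymously)."""
    name = None if iis_name is None else resolve_person(directory, iis_name)
    # The database-wide Internet maximum overrides whatever the ACL grants.
    return min(acl_level(acl, groups, name), max_internet, key=rank)


if __name__ == "__main__":
    for who in (None, "ACME\\jdoe", "ACME\\bsmith", "bsmith"):
        print(who, "->", effective_access(who))
```

The "bsmith" case shows the point made about username formats: the Person record lists only ACME\bsmith, so a user who logs on with the bare NT name falls through to -Default- instead of getting the WebEditors group's level.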
What You Lose
When you integrate Domino and IIS, some Domino applications will behave differently than they would in a pure Domino environment. These changes are understandable, considering that Domino is using a different underlying HTTP stack. However, the integration will be totally transparent for most Domino applications. Figure out the impact of the changes, and run a pilot test before you implement an integrated Domino and IIS environment. An integrated Domino and IIS environment doesn't support the following Domino functionality:
- Domino Server API (DSAPI)—Lotus introduced DSAPI, the extensible API for a Domino Web server, in R5
- The httpd.cnf configuration file
- Domino Internet Cluster Manager—Lotus introduced this feature in R5; it provides Domino server clustering for Web clients
- Web configuration documents in Domino—IIS and NT handle virtual servers, realms, URL redirections, and file protection; however, the integrated Domino and IIS environment supports custom error pages in Domino
- Java servlets—You can use a third-party add-on for IIS to gain Java servlet support
- Non-Domino database elements, such as HTML and Common Gateway Interface (CGI)—IIS servers handle these elements; some CGI values differ between IIS and Domino
For more information about the differences, see Lotus Notes and Domino Advisor, "Domino Reaches Out to Internet Information Server," Windows NT Magazine, January 1999. Table 1 details which fields in the server configuration document in the Domino directory are in use when running with IIS, and their IIS equivalents if any.
Should You Integrate Domino and IIS?
Domino and IIS are great technologies. If your environment is strongly committed to IIS, Domino's new functionality means you no longer have to automatically rule out using Domino technology. To decide whether integrating Domino and IIS will benefit your environment, consider the function of an integrated environment, its security implications, and the Domino features you must sacrifice.