nginx reverse proxy SPNEGO SSO for Domino clusters

spnego cluster nginx reverse proxy http

  • 0 commenti
following is an adaption in English language of original Italian article by Daniele Grillo.

Hello everyone,
I share this Systems Engineering experience because I think it can benefit many people

this is the scenario:

I have two IBM Domino mail servers on Linux clustered
I have two IBM Domino application servers on Windows clustered

Customer request::

"I would like to enable SSO between browsers clients in  my company (IE, Firefox, Chrome) and my XPages applications that reside on clustered Domino servers on Window as well as my mail servers that resides on a Domino cluster on Linux to gain high reliability (HA)... how can I do?"

Here is my solution using NGINX as a revese proxy server:

Cluster deployment and SPNEGO SSO with two windows Domino server in cluster

Instructions on how to implement and activate SSO between AD and Domino and make sure that a browsers can be trustato without further request for credentials on your application and / or mail iNotes instance are in this article by Andrea Fontana (in Italian).

Note that the instructions are valid only if the Domino servers are  running on Windows platform inside the AD domain.

In our case we have two  clustered Domino Windows servers (hosting many XPages applications).
If we want to use a reverse proxy with a windows Domino Cluster, IBM best practice is to run the Domino windows service on both application server as a specific Active Directory user (ier admdomino.- thanks to Stefano Benassi for the tip!)

Done that, if the XPages applications are working at http://apps.acme.local web address, we'll log on out Active Directory server and type the command: :

SETSPN -a HTTP/apps.acme.local admdomino

Keep in mind that to make it works transparently on browsers some parameters need to be set on the user agent (o need to be pushed via AD policy):

Here are some notes to let browsers pass your with Windows credentials automatically


    *.acme.local must be set into TRUSTED SITE
   then  Local Zone --> Automatic Login only in Intranet Zone
   then Trusted Zone --> Automatic Logon with current username and Password


   type about:config into brrowser location bar than find keys
    and add  .acme.local


   Should both inherit settings from IE

NGINX (my choice of reverse proxy) implementation to manage Domino cluster in https or https is really simple; it's just need to define which servers are participating in the cluster and how to handle them (in our case with a a classic failover) with the upstream module

upstream apps {
   server max_fails=1 fail_timeout=5s;
   server backup;    

then with this settings we associate the address  http://apps.acme.local to cluster we just defined above
server {
   listen       80;
   server_name          apps.acme.local;
   client_max_body_size         100m;
   access_log          /var/log/nginx/apps_acme_local_access.log  main;
   error_log           /var/log/nginx/apps_acme_local_error.log;
   location / {
           proxy_set_header        X-Real-IP  $remote_addr;
           proxy_set_header         X-Forwarded-For $remote_addr;
           proxy_set_header         Host $host;
           proxy_set_header                X-Forwarded-Proto $scheme;
           proxy_pass         http://apps;

Inside of our Domino infrastructure we'll enable the internet sites and mke so that on internet site apps.acme.local both Domino (apps and apps2) will answer with an Ltpa token token that has windows AD integration enabled.

Image:nginx reverse proxy SPNEGO SSO for Domino clusters

Finally if on our own internal DNS server er'll make a HOST record resolving apps.acme.local to the IP address of our NGINX server will achieve two things: we'll put in a High Availability our web apps and enable SPNEGO on the application cluster, what we've just done is callled high availability :-)

Cluster deployment and SPNEGO SSO with two windows Domino server in cluster

here things are a bit more complicated, but thans to support from Giuseppe Grasso, we've found an elengand end efficient solution to to meet this demand from the customer:

"I want to make so that by typing  http://mail.acme.local we can get direct SPNEGO SSO  to my Linux mail server on the cluser"

Main issue here is that SPNEGO only works on Domino windows server. What can we do if the server is on Linux?
There are many roads (develop a custom DSAPI filter, login on Windows Server and then do a 301-redirect to the Linux server etc..)

A solution that not even I thought would possible with a NGINX revers proxy is this one:

"we let the user login on the Windows cluster to obtain the SSO trust, so that when we have obtained the ltpa token cookie we redirect the session to the mail linux cluster, in a way that is transparent for the end user"

This way to all is simple for the end user (no need to login on a different server), and this is what has been done the backend on NGINX:
upstream apps {
   server max_fails=1 fail_timeout=5s;
   server backup;

upstream mail {
   server max_fails=1 fail_timeout=5s;
   server backup;

map $http_cookie $authenticated {
   default http://apps;
   ~LtpaToken http://mail;

server {
   listen       80;
   server_name  mail.acme.local;
   client_max_body_size 100m;
   access_log  /var/log/nginx/mailSSO_acme_local_access.log  main;
   error_log   /var/log/nginx/mailSSO_acme_local_error.log;
   location / {
           proxy_set_header X-Real-IP  $remote_addr;
           proxy_set_header X-Forwarded-For $remote_addr;        
           proxy_set_header Host $host;
           proxy_set_header        X-Forwarded-Proto $scheme;
           proxy_pass $authenticated ;

First two upstream blocks defines the mail and apps clusters.
maps directive (this is the key point) check for  LtpaToken cookie presence ed set associa alla $authenticated variabile with the value of the stream where to redirect traffic.
Finally, proxy_pass $autenticato directive  performs a dynamic redirect depending on the value present in  $authenticated variabile!

Note that here like in the Windows scenario it's needed to first fix the active directory security with the appropriate command SETSPN:
SETSPN -a HTTP/mail.acme.local admdomino

and then set an internet site (associated with both windows and linux servers) to handle the address mail.acme.local

Image:nginx reverse proxy SPNEGO SSO for Domino clusters

The iNotes template iNotes redirect available on any Domino server can be leveraged to automatically redirect to user own mail box

Image:nginx reverse proxy SPNEGO SSO for Domino clusters

In all these steps the end user do not need know that in in the backed he  authenticated on the Windows server and end up on the Linxu server... it's all transparent!

The user will type http://mail.acme.local and NGINX will handle the rest

Finally For the only mail server I suggest to set these Notes.ini parameters
as per this IBM technote

See you soon

0 Commenti:

    Nessun Commento Trovato
Commenta articolo

Questo spazio web è stato creato da per un uso pubblico e gratuito. Qualsiasi tipo di collaborazione sarà ben accetta.
Per maggiori informazioni, scrivete a

About Dominopoint
Dominopoint social presence: