Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

NSL Support for Notes 11.0.1 on Citrix

Daniel Nashed  6 August 2020 12:16:08

Great news for Notes customers on Citrix!

NSL (Notes Shared Login) uses the Windows Data Protection API (DP-API) to protect the internal long and secure password that is set on the Notes.ID when NSL is enabled.
In earlier releases the DP-API bound the encrypted data to the machine, so it could not roam.
It's not 100% clear when this changed, but with current Windows versions, taking the encrypted file to another machine with a Windows roaming profile works.

That helped with an enhancement request one of my customers asked for in the late 9.0.1 code stream, and they even got a hotfix.
The fix changes the location of the encrypted file from "LocalAppData" to "AppData" to allow roaming the notes.id along with the encrypted password.

EnableUsingAppDataForRoaming=1
SPR# RCCYAVPREM - Notes Shared Login Fails With The Error "Notes Shared Login Failed With This Id File" When Logging In To Notes Client



This was already helpful, but many customers are also using Notes clients on Citrix.
In those environments the only supported SSO was Notes Federated Login (NFL), which is complex to set up for Notes clients (much easier and really recommended for Web clients).

So now that NSL is working with roaming profiles, we saw the potential to have it enabled on Citrix as well.
NSL was explicitly disabled for Citrix because of the limitations mentioned above and also because of earlier issues with corrupted Notes.IDs.

In case you have a file server involved in serving Citrix user profiles, the following notes.ini parameter is recommended as well (the documentation has been lost in transition, but it's still on the IBM site).
The parameter disables memory-mapped file operations, which cause issues, for example, with ID Vault operations:

OS_DisableMMapFileCopy=1

SPR# PBIT84XBR8 is fixed in Notes 8.5.3 FP2 with Notes.ini parameter "OS_DisableMMapFileCopy=1"


Starting with Notes 11.0.1 you can enable NSL on Citrix as well (if the standard NSL requirements are fulfilled).

To allow NSL on Citrix, you have to set the following notes.ini parameter.

EnableNSLUnderCitrix=1


11.0.1 - RKRYBJYNR6 - Citrix Login: Enable NSL for Citrix if EnableNSLUnderCitrix INI is set
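
A quick way to check a user's notes.ini against the three parameters mentioned in this post, as an added PowerShell example that is not part of the original post or of any HCL tooling. The function name `Test-NslCitrixIni`, the `-FileServerProfiles` switch and the sample content are constructed for illustration; the check also flags duplicate entries with conflicting values and assumes parameter names are case-insensitive.

```powershell
# Added example: audit notes.ini content for the parameters named in this post.
# Expected value "1" comes from the post; function name, switch and sample
# content are constructed. Assumption: parameter names are case-insensitive.
function Test-NslCitrixIni {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [switch]$FileServerProfiles   # profiles are served from a file server
    )
    # Parameter -> when the post says to set it
    $wanted = [ordered]@{
        'EnableNSLUnderCitrix'         = 'required for NSL on Citrix'
        'OS_DisableMMapFileCopy'       = $(if ($FileServerProfiles) { 'recommended' } else { 'optional' })
        'EnableUsingAppDataForRoaming' = 'roaming hotfix parameter'
    }
    # Collect every value per key so duplicate entries stay visible.
    $seen = @{}   # PowerShell hashtable literals compare keys case-insensitively
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith('[') -or -not $t.Contains('=')) { continue }
        $key, $value = $t -split '=', 2
        $key = $key.Trim()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = @() }
        $seen[$key] += $value.Trim()
    }
    foreach ($name in $wanted.Keys) {
        $values = @(if ($seen.ContainsKey($name)) { $seen[$name] })
        $unique = @($values | Select-Object -Unique)
        if ($values.Count -eq 0)     { $status = 'missing' }
        elseif ($unique.Count -gt 1) { $status = 'conflicting duplicates' }
        elseif ($unique[0] -eq '1')  { $status = 'ok' }
        else                         { $status = 'set, but not 1' }
        [pscustomobject]@{ Parameter = $name; When = $wanted[$name]
                           Values = ($values -join ','); Status = $status }
    }
}

# Constructed sample notes.ini content (not taken from a real system)
$sample = @'
[Notes]
KitType=1
enablenslundercitrix=1
OS_DisableMMapFileCopy=0
OS_DisableMMapFileCopy=1
'@ -split "`r?`n"

Test-NslCitrixIni -Lines $sample -FileServerProfiles | Format-Table -AutoSize
```

For a real profile, pass `-Lines (Get-Content <path to notes.ini>)` instead of the sample.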

Christoph Adler from Panagenda is preparing a blog post as well about NSL working with MarvelClient roaming (in combination with LocalAppData).
I will link the article as soon as it is published.

An HCL technote is also on its way, and I will link it as soon as it is available.
But this is too good to keep us waiting .. Chris is already using it in production and confirmed it works like a charm :-)

-- Daniel



