Understanding Security Differences Between Web and Notes Client Access

Notes and Web clients use two different security procedures when accessing the server. Notes authentication uses what is called Validation and Authentication, which is actually two security procedures that interact with the user's Notes ID. Web clients do not use an ID file to authenticate; Web authentication uses what is called Basic Authentication, a simpler procedure that authenticates against the name and Internet Password in a Person document.

First, let's explore Notes authentication using the Validation and Authentication procedures. Validation is the first step in this process, and it is used to establish trust in the user's public key. Validation checks the certificate(s) in the user's Notes ID file, using the public key stored in that ID file. If the certificates are valid, the public key is trusted and the second procedure, Authentication, verifies identities by using what is called a challenge/response procedure.

During Authentication, the server sends the user a random number. The user's workstation encrypts this number using the private key stored in the user's ID file and returns the encrypted number to the server. The server decrypts it with the user's public key and, if the result matches the original number, the user is authenticated. This is a two-way street: the same process is run in reverse to authenticate the server to the user.

Web users do not use a Notes ID to access Domino; instead, they use a different security method called Basic Authentication. This is a simple procedure that checks the user's login name and password against the name and Internet Password stored in the user's Person document in the directory. (You learn more about this process in the next section of this chapter.)
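As an added illustration of the two Notes procedures just described (this is not code from the book or from Domino itself), here is a toy model in Python: a certifier signs each ID's public key, Validation checks that signature, and then the verifier runs the random-number challenge/response, in both directions. Textbook RSA with small Mersenne primes stands in for the real Notes ID cryptography, and every name and key is constructed for the example.

```python
import hashlib
import secrets

def make_key(p, q, e=65537):
    """Constructed textbook-RSA key pair from two Mersenne primes (toy size, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public, private); pow(e, -1, m) needs Python 3.8+

def digest(data, n):  # hash the data and reduce it below the modulus so it can be signed
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(digest(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest(data, pub[0])
def cert_body(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()

def issue_certificate(certifier_priv, name, pub):
    """Certificate: the certifier's signature over the holder's name and public key."""
    return {"name": name, "pub": pub, "sig": sign(certifier_priv, cert_body(name, pub))}

def validate(certifier_pub, cert):
    """Validation: trust the certificate's public key only if the certifier signed it."""
    return verify(certifier_pub, cert_body(cert["name"], cert["pub"]), cert["sig"])

def respond(priv, challenge):
    """Prover side of Authentication: encrypt the random number with the private key."""
    return pow(challenge, priv[1], priv[0])

def authenticate(certifier_pub, cert, prover_priv):
    """Verifier side: validate, send a random number, decrypt the reply with the
    now-trusted public key, and accept only if it matches the original."""
    if not validate(certifier_pub, cert):
        return False
    n, e = cert["pub"]
    challenge = secrets.randbelow(n - 2) + 2  # skip 0 and 1: every key maps them to themselves
    return pow(respond(prover_priv, challenge), e, n) == challenge

def mutual_auth(certifier_pub, user_cert, user_priv, server_cert, server_priv):
    """The two-way street: the server authenticates the user, then the user the server."""
    return (authenticate(certifier_pub, user_cert, user_priv)
            and authenticate(certifier_pub, server_cert, server_priv))

# Constructed identities: one organization certifier, one user ID, one server ID.
CERT_PUB, CERT_PRIV = make_key(2**61 - 1, 2**89 - 1)
USER_PUB, USER_PRIV = make_key(2**17 - 1, 2**19 - 1)
SERVER_PUB, SERVER_PRIV = make_key(2**13 - 1, 2**31 - 1)
USER_CERT = issue_certificate(CERT_PRIV, "Jane Doe/Acme", USER_PUB)
SERVER_CERT = issue_certificate(CERT_PRIV, "Mail01/Acme", SERVER_PUB)
```

A certificate whose name or key has been altered, or one issued by an unknown certifier, fails Validation before any challenge is sent; a prover holding the wrong private key fails the challenge itself.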

Both Notes and Web clients can access a server as Anonymous. Anonymous access does not validate, authenticate, or record database activity; in other words, you do not know who is accessing the system. You may want to allow Anonymous access to a home page, a catalog, or company information. Settings that allow Anonymous access to the server are located in the Server document: for Notes users on the Security tab, and for Web users per protocol (HTTP, Mail, Directories, and so on) on the Ports/Internet Ports tab under Authentication Options. Once Anonymous access has been allowed at the server level, Anonymous can be added to the ACL.
