Parameter: HTTPEnableAuthNegotiate
Short description: Enables SPNEGO/Kerberos authentication on the Domino HTTP stack – prerequisite for single sign-on against a Windows domain.
Profile
Parameter | HTTPEnableAuthNegotiate |
Category | Security / TLS |
Component | Server |
Available since | 12.0 |
Supported versions | 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | Server document (Internet Protocols → Domino Web Engine) |
Possible values | 0 = off (default), 1 = accept Negotiate/Kerberos |
Description
HTTPEnableAuthNegotiate=1 enables HTTP authentication via the SPNEGO/Negotiate mechanism. Browsers logged into an Active Directory domain can then authenticate transparently to Domino – without an additional login – provided a matching Service Principal Name (SPN) is configured in AD and a Kerberos keytab is available on the Domino server. This enables classic Windows SSO for Verse, iNotes, and any Domino web applications.
For Negotiate to work, the Kerberos prerequisites must additionally be in place (keytab, SPN HTTP/<fqdn>, time sync, correct DNS resolution).
Example configuration
HTTPEnableAuthNegotiate=1
Notes & pitfalls
- Takes effect only after restart task http.
- Requires a valid SPN (HTTP/<server-fqdn>) and a keytab readable by Domino.
- Browsers must place the server in the trusted intranet zone (Edge/IE/Chrome) or list it in network.negotiate-auth.trusted-uris (Firefox).
- For reverse-proxy setups, the proxy must pass Authorization: Negotiate ... through – if TLS is terminated at the proxy, Kerberos constrained delegation is often required server-side.
- Pairs well with HTTPDisableAuthBasic=1 and an LTPA/SAML fallback.
- For cluster / multi-server setups, use a separate SPN per node or a service account with multiple SPNs.
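A check for the reverse-proxy and SPN pitfalls above, added here as an example (not HCL or Domino code): it classifies an Authorization header value as logged behind the proxy, showing whether Negotiate arrived at all and whether the token is Kerberos or the NTLM fallback that browsers send when they cannot obtain a ticket for the SPN. The function name, the SAMPLES names and the hand-built sample tokens are assumptions made for the illustration.

```python
import base64
import binascii

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLMSSP = b"NTLMSSP\x00"                               # NTLM message signature


def classify_authorization(header_value):
    """Classify an Authorization header value as seen behind the proxy.

    Byte-level heuristic, not a full ASN.1 parser. Returns 'absent',
    'not-negotiate', 'malformed', 'ntlm', 'kerberos' or 'other'.
    """
    if not header_value or not header_value.strip():
        return "absent"
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    if not token:
        return "malformed"
    # NTLM can arrive raw or wrapped in SPNEGO; either way it is not Kerberos.
    if NTLMSSP in token:
        return "ntlm"
    # GSS-API initial tokens start with 0x60 and name their mechanism by OID.
    if token[0] == 0x60 and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "other"


def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample values (hand-built, truncated tokens; not captured traffic).
SAMPLES = {
    "kerberos": _hdr(b"\x60\x1b" + OID_SPNEGO + bytes.fromhex("a011300fa00d300b") + OID_KRB5),
    "ntlm": _hdr(NTLMSSP + b"\x01\x00\x00\x00" + bytes(4)),
    "basic": "Basic dXNlcjpwYXNz",
    "stripped": "",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:10s} -> {classify_authorization(value)}")
```

A result of absent behind the proxy points at the proxy dropping the header; ntlm points at the client side (SPN, DNS name, or browser trust zone) rather than at Domino.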