Log_Authentication – Enables Auth Logging (HCL Domino)

Parameter: Log_Authentication

Short description: Activates authentication logging on the server or Notes client — logs every successful Authenticate call with name and key size.

Profile

Parameter	`Log_Authentication`
Category	Logging / Debug
Component	Server, Client
Available since	9.0.1 (and earlier)
Supported versions	9.0.1, 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1
GUI equivalent	notes.ini only (no GUI)
Possible values	`0` = disabled (default), `1` = enabled

Description

With Log_Authentication=1, HCL Domino or the Notes client activates authentication logging for Notes/Domino-native authentications (NRPC, i.e. Notes client → server, server → server). For each successful authentication, an entry is generated containing, among other things:

the authenticated name (e.g. CN=Jane Ochoa/O=Acme)

key strengths (T = sender's key size, S = receiver's key size)

auth status bits (E, A, L)

whether an Internet certificate or Notes ID was used

The output only appears when an output channel is also active — typically Debug_Console=1 (server console) or Debug_Outfile=... (file). Without these companion parameters, no output is visible.

The parameter is helpful for diagnosing authentication problems, e.g. when a server does not accept an expected connection or a client unexpectedly connects as anonymous instead of authenticated. It complements WEBAUTH_VERBOSE_TRACE (HTTP/web auth) with the NRPC view.

Example configuration

Server-side in the notes.ini:


Log_Authentication=1
Debug_Console=1
Debug_Outfile=c:\debug\auth.txt

Runtime activation without server restart:


set config Log_Authentication=1
set config Debug_Console=1
set config Debug_Outfile=c:\debug\auth.txt

Client-side, similarly in the notes.ini of the Notes client.

Deactivate again after analysis:


set config Log_Authentication=0

Notes & pitfalls

Only affects NRPC authentications, not HTTP/web/SAML — use WEBAUTH_VERBOSE_TRACE or DEBUG_SAML for those.

Without Debug_Console=1 or Debug_Outfile=…, no output is visible.

Generates at least one log entry per connection — on heavily used hub servers, very large logs accumulate quickly. Do not leave permanently active.

On the Notes client, the logging may write security-relevant traces (names of authenticated servers) to a file — review before delivering to support.

Entry format: Authenticate: <name> followed by a line with T:.. E:.. S:..:.. A:..:.. L:..:..:.. (see HCL docs for the exact meaning of the bits).

Sources (HCL Product Documentation)

HCL Notes and Domino Wiki – "Log_Authentication" (ds-infolib): ds-infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/Log_Authentication

HCL Notes and Domino Wiki – "NOTES.INI Settings" (overview, ds-infolib): ds-infolib.hcltechsw.com/ldd/dominowiki.nsf/dx/NOTES.INI_Settingsd901

HCL Domino 14.5.1 – NOTES.INI Settings (overview): help.hcl-software.com/domino/14.5.1/admin/conf_notesinisettings_c.html