Dennis' Domino Blog
« IBM WebSphere Application Server JAX-RPC WS-Security/JAX-WS Runtime Security Bypass VulnerabilityLotussquash 2011, 2e editie op 30 juni »

Security enhancements in iNotes 8.5.2 may require configuration changes in environments with reverse proxies

  06/17/11 10:27 am, by , Categories: Administration, IBM, Lotus, security, Netscaler
I was playing with the application firewall in the citrix netscaler and I found a cookie I had never seen before to get blocked.

Some quick googling gave me this Technote swg21453878. Please read it if you are using firewall/reverse proxy products in from of iNotes (or webadmin for that matter).

Technote (troubleshooting)


Some security enhancements were introduced in iNotes 8.5.2 to prevent potential Cross Site Request Forgery (CSRF) attacks, and as part of these security enhancements, there are special considerations that should be made in environments that utilize reverse proxies. Upon sending POST requests to Domino, users may encounter 400 errors on the iNotes console, and administrators may see messages similar to the following on the console:

"iNotes XSS Security: Invalid Request, missing expected nonce value; with Referer: '%s'. Request not processed, throwing exception." "iNotes XSS Security: Invalid Request, unexpected nonce value; with Referer: '%s'. Request not processed, throwing exception."

To mitigate these issues, the following two changes should be noted and accounted for:

1) When using basic authentication (Disabled session authentication), we now will utilize the ShimmerS cookie. Previously, this cookie was only used when Domino was set up for session authentication, but now, it is used no matter what authentication scheme is used.

2) There is a new extended header field that iNotes utilizes named "X-IBM-INOTES-NONCE". This header field must be allowed to pass freely between the client and server for iNotes to function properly.

In addition to these considerations, please note that some products (including Juniper VPNs) utilize mechanisms that cache or obfuscate cookies so that they are not held in their original form in the browser. Exceptions need to be made for the ShimmerS cookie for iNotes to function properly.

Resolving the problem

Take steps to allow the ShimmerS cookie and the "X-IBM-INOTES-NONCE" field to pass freely and untouched between the browser and Domino.
This entry was posted by and is filed under Administration, IBM, Lotus, security, Netscaler.


User ratings
5 star:
4 star:
3 star:
2 star:
1 star:
1 rating
Average user rating:
4.0 stars
Comment from: Gehan De Silva
Hi Im working with a citrix netscaler and trying to get clientless vpn working with INotes. I get the point where i authenticate get redirected to my mailfile 'Loading IBM INotes...' but then the page breaks. Did you get Inotes with clientless vpn on the netscaler ?
12/19/11 @ 08:26 am
Comment from: Jeroen Jacobs
4 stars
Facing a similar issue under NetScaler. What exactly did you need to change on NetScaler to make it work?
08/30/13 @ 01:49 pm

©2017 by Dennis van Remortel

Contact | Help | Blog theme by Asevo | multiple blogs | webhosting