Alternative to the Domino HTTP Stack

When Lotus took Notes and decided to create Domino they obviously needed to add an HTTP server. For a while there was only one option as to which HTTP "stack" you could use. Then, as of Release 5, you had the option of using Microsoft's IIS server in its place. This article is going to discuss the whys and hows of doing this. Although it's been discussed before and is documented in more than one place it's sometimes poorly done and hard to follow. Hopefully this article will contain everything you should ever need to know if you decide to go down this IIS/Domino road.

Why use IIS?

Why would you want to use IIS instead of Domino's default HTTP stack? Well, simply because if we do it this way we can automatically authenticate users with Domino using their NT credentials. This saves both the user from having to remember yet another password combination and the administrators from having to remind/reset them at regular intervals. This can make it yet another "Keeping the boss happy" exercise. Of all the places I've worked they all seem to have the same problem managing user's passwords across different systems. Not a problem if you can show your boss that the next time they enter the intranet it will automatically know who they are. Trust me, it's a winner!

Once you're using IIS you have a whole new market of add-on applications that you can start using. This is down to the fact that a lot of software compaines target their products at the IIS market. For example, take GlobFX's amazing Flash Chart Generator. With IIS running you can start using the plugin to yet more praise from those higher up than you.

Is it hard to do set-up? Not at all, just five simple steps...

Before starting it is assumed that you will be starting on a clean install of Domino R5, on top of a Windows 2000 Server (NT 4 sp4 will also work though).

Step 1: Configuring the ISAPI filter:

1. From the server, start the Internet Services Manager, right-click the Web site for which you want to install Domino for IIS and select Properties.

2. Select the Home Directory tab. Set the option Application Protection to "Low (IIS Process)".


3. Now click the Configuration button. Select the App Mappings tab and Make sure that the option Cache ISAPI Applications is checked.


4. Click the Add button. In the Executable field, enter the full path name of the ISAPI extension file. This file is usually located in the Domino directory and is named NIISEXTN.DLL. For example, if you installed Domino in the default directories, the full path name is as follows:


Alternatively you can use the Browse button and find the file yourself.

5. In the Extension field, enter:


6. In the Verbs box, select Limit To, and enter GET,POST

7. Select Script Engine and deselect Check that the File Exists.

8. Click the OK button.



Step 2: Configuring security:

1. If you aren't still in it, start the Internet Services Manager and locate the Web site we are working with.

2. Right-click the Web site and select Properties.

3. Click the Directory Security tab.

4. Click Edit in the Anonymous Access and Authentication Control section.

5. Choose Integrated Windows authentication (NT Challenge/Response) only as below.


Note: Windows NT Challenge/Response, also called NTLM, is a Microsoft-specific protocol supported by Internet Explorer (IE). When a Web user makes a request to the site, IE, automatically sends to IIS the user's current NT logon account name. IIS verifies the name against the NT registry on the IIS server. When a user makes a Domino request, IIS passes to Domino the user's NT name and Domino validates the name using the same process as the native HTTP service.


Step 3: Configure virtual-directory mappings:

  1. Start the Internet Services Manager
  2. Locate and right-click the IIS Web site before selecting New - Virtual Directory
  3. For the Virtual Directory Alias, enter "icons" and click Next
  4. Enter the full path to the Domino icons directory, for example: c:\lotus\domino\data\domino\icons
  5. Click Next
  6. You do not need to change the default permission settings of Read and Script Access; however, you can make changes if desired
  7. Click Finish
  8. Repeat these steps for the Java applet directory. Specify "domjava" as the alias name and specify the path to the applet directory, for example: c:\lotus\domino\data\domino\java

You may also need to map other "non-standard" directories, see the Developer's Notes section below.



Step 4: Configure the Domino Server:

Depending on how you installed the Domino server you should have very little to do.

If it's a standard Domino install then the first thing to do is disable the HTTP task. You can do this at the console by typing "tell http quit" at the server console.


This will only stop it for the current server session though, so we need to make it permanent by removing HTTP from the ServerTasks line in the Notes.ini file.

If you are going to do a clean Domino install then you will be asked if you want to use IIS as the system's default HTTP stack during install. Say yes and that you want to use port 80.

As a final precaution, go to the Server Document, find the Internet Protocols tab, open the second of the sub-tabs ("Domino Web Engine"). Check the settings are the same as those illustrated below.


Also check that in the "Web" tab of the "Internet Ports" tab of the "Ports" tab the HTTP settings are the same as displayed below:



Step 5: Configure the Domino Users:

The final and probably the most important step is to make the necessary changes to the Person document in the Domino Directory (NAB) of every user that will be authenticating with this server.

For Domino to authenticate a Web user using NT Challenge/Response (NTLM), the user's NT domain and account name combination must be registered in Domino. If Domino is using Person documents in the Domino Directory to authenticate users, the documents must contain NT account names as aliases in the User Name field. For example, if Jake Howlett has a Notes ID in the "USR/EPSILON" Organisational Unit of the "EITS" Organisation and has an NT user account name of "jakehowl" in the "EPSILON" NT domain, the User name field in Jake Howlett's Person document needs to contain:

Jake Howlett/USR/EPSILON
Jake Howlett


This allows Domino to authenticate the NT user EPSILON\jakehowl as the Domino user Jake Howlett/USR/EPSILON.

Note that Domino does not use its own HTTP Internet password. IIS passes only the NT account name to Domino and Domino trusts that IIS verified the user's authenticity. Sorry there is now no need to worry about users who forget their Domino HTTP passwords.

Note that NT Challenge/Response uses the following guidelines: When NT Challenge/Response is the only authentication method enabled, only IE users can access the Web site. Anonymous access is not possible since IE automatically sends the user's NT account name of a logged in user upon every request. The Web user must be a registered NT user.

IMPORTANT: The first alias in the User Name field of the Person document must be the name that is used as the person's entry in the ACL of the "secured" database (as in the above example).


Note 1: Understanding Anonymous

If you've followed the above guide step-by-step you will be at a point where people not registered in the NAB or registered but without their NT credentials in the UserName field will have no access. Even if the ACL to your databases specifies that "Anonymous" user has access to the database they will not get in as IIS doesn't allow Anonymous access and hence forces all requests to be Authenticated in some way.

So how do I let the Anonymous user in?

Well, the first thing to do is turn on the "Anonymous access" setting so that IIS will allow people access without them having to authenticate.


Now, when a user requests a page to which the ACL allows Anonymous access, they will get in. They will not be authenticated at this point however. To do this and work out who they are you either need to append "&Login" to the URL or perform an operation for which Anonymous has no rights, i.e ?EditDocument. In these two scenarios the browser will authenticate with Domino via NT's Challenge/Reponse (NTLM) mechanism.

Note that this authentication is not session-based. It is only performed on a by-request basis. If you navigate to a URL without "&Login" from one that did they will return to being a user called "Anonymous". Similarly, if you go from Anonymous in an "OpenDocument" to an "EditDocument" you will be forced to Authenticate. Go back from here to "OpenDocument" and you will return to being Anonymous.

In the situation where users are forced to authenticate and Domino says no, as they don't have the right privileges, then the user will be presented with the following Login prompt.



Note 2. Things for developers to take account of:

1. The way in which IIS knows that a certain request is intended for the Domino server is the presence of the ".nsf" portion of the URL. This mean that you can no longer use URLs like:


Which uses the Replica ID of the database to replace the file path of the NSF file in a URL that would normally look like:


So, ALL databases that are to be accessed via the web and in which there may be URLs in this format. Must be re-engineered. Sad but true. An alternative is to use URLs of this format:


2. Depending on how and if you use the default Domino HTML directory on the file system (X:\Domino\Data\Domino\HTML\) you may need to move it or map to it. If you have an images folder within it then the URL to an image when using the Domino HTTP server is like so:


However, as there is no ".nsf" in this URL, IIS won't know that it should pass the request to Domino. The easiest way round this is to move the whole of the contents of the Domino HTML directory in to IIS's root folder (X:\Inetpub\wwwroot\). Alternatively you could map a folder called images to the images folder, but you would need to do this for all folders in Domino's root HTML directory.

Apart from that it should all be exactly the same. Happy surfing!



If you've got this far I assume you're interested in this approach. After all, using IIS isn't everybody's cup of tea. Personally I think it's a great time saver and something you should at least bring up as an idea in your next team meeting. Suggest a trial server maybe to see how useful it can be not having to sign in all the time. If the team nerd pipes up about how bad Microsoft prodcuts are you might want to suggest that they get a life.

I'll be back soon to discuss using those fancy Flash charts I mentioned earlier...


  1. I know that is only just a dream but....

    .... I would like to see Apache as the Domino http stack. But is only just a dream.

    .::AleX::. Dominocode.Net

      • avatar
      • Jan-Piet Mens
      • Tue 19 Nov 2002

      1/2 a dream comes true

      Have you tried this ? http://www.junkheap.net/projects/phpdom/

      • avatar
      • Jake Howlett
      • Tue 19 Nov 2002

      Not so quick, Alex

      I've used this method:


      On my home Windows server and it runs just as well as the IIS alternative.

      Jake -codestore

      • avatar
      • Kamal Rij
      • Tue 19 Nov 2002

      I think(?) R6 supports Apache's HTTP stack

      AFAIK,From one of the postings on the LDD R6 beta forum, apache was one of the supported HTTP stacka for Domino (along with IIS).

      On a similar note,I was really impressed by Chris Thorpe's use of Apache in front of Domino.


      Thanks for this article Jake.

      Show the rest of this thread

    • avatar
    • Chris Melikian
    • Tue 19 Nov 2002

    Domino generated content get's in the way....

    IIRC, This is all fine unless you want to use the built-in search in Domino. The URLs use the replica ID. You'd have to create custom search views for every database unless I'm mistaken.

    The IIS approach looks very limiting to me. Couldn't an ISAPI filter be developed to check for all URLs that have a 32 character string, lookup the db path in Domino catalog and issue a redirect? I know it's patch up job but couldn't a fall thru filter do this?

    Cheers, Chris.

    1. Re: Domino generated content get's in the way....

      We have been running this configuration for years and it works quite well.

      In regard to Domino's searching capability, it does work when integrated with the IIS web server. I have configured the old SearchSite method for searching across multiple databases. It works by returning URLs like so:

      http://www.DomainName.com/__86256c130071fdc3.nsf/0/64663417cbbfcda586256c4c00116 7df?OpenDocument&Highlight=0,test

      Show the rest of this thread

    • avatar
    • Yuval
    • Tue 19 Nov 2002

    Totaly different in R6 :-(

    Domino 6 On IIS have totaly new configuration so if you didn't implement yet, wait and do it on 6. from my expirience, R5 was better in this aspect.

    1. Re: Totaly different in R6 :-(

      Interesting stuff Jake...a couple of questions though...

      Other than the Authentication bit, are there any other reasons to consider IIS as the HTTP stack? - performance perhaps or is the no longer an issue with the new improved R6 HTTP stack? ;-)

      On the authentication front, won't the new ADSync service give the same results whilst still allowing us to run the domino HTTP stack?

    • avatar
    • Davy
    • Wed 20 Nov 2002

    install IIS before Domino

    OK, it's in the article if you read between the lines, but I thought I just mention it again for those that didn't bring their reading glasses..

    When installing IIS with Domino (R5), make sure you install IIS before you install Domino, the other way round will not always work..


  2. Well done!

    Jake -

    Thanks for a nice article. As an intellectual exercise, we tried to set up the Domino/IIS combination a couple of years ago... but foundered for want of decent documentation. This looks pretty easy to follow.


    • avatar
    • Tom Quinn
    • Wed 20 Nov 2002

    My findings...

    Good article Jake. We have had this running for 18 months or so at a client site so users do not have to log on to the company intranet. The biggest issues are: 1) we cannot use aliases which remove the .nsf, as IIS looks for this - this makes friendly URLs less friendly than we want, and 2) Performance - we have found that running IIS over domino does NOT run as quick as the native domino http stack, and falls over more often. We have tuned the server according to the MS IIS Performance tuning guidelines, but it is definitely not quite the same - we ended up adding more horsepower. One other issue - originally, our app had many design elements which were not available to public access users, so we found that the IIS>Domino conversations to pass authentication were numerous and caused the server to fall over - we had to look at which elements forced authentication very carefully to fix the issue.

    1. Re: My findings...

      Is there no way to setup a virtual site in IIS and have it transfer over to a SPECIFIC databasename.nsf file in Domino so we can have a cleaner URL?

  3. SSO and websphere?

    Is it possible to do this with SSO, and Websphere? I would like to run Domino, Websphere, and IIS on seperate boxes, and have them all use the IIS stack. If this is possible can I use the IIS stack for all seven of my Domino servers and still be able to log on once, and go anywhere?

  4. IIS Logs Truncated

    I am using IIS 5.0 with Notes 5.08. The url is working fine but the logs within IIS are being truncated. When the nsf link has an attachment, the IIS log just shows the original nsf location but truncates the attached file name. This is causing problems when we try to determine volume of traffic. If anyone has an idea, please let me know.

    Thanks, Kevin

    1. authentication

      We've been using IIS with all versions of R5 on NT4 & 2K. Its worked well & coped easily with a switch to Active Directory.

      Somewhere in the IIS configuration is a default domain for authentication setting. If you set that appropriately and enter domainless NT login names in the NAB Fullname field, everyone in that domain can login using just their login without the domain\ component. This is good because many people use / instead of \ and so fail to login but bad because (depending on the format of your login names) you can get clashes with other Fullname values.

      In our case more recent NT logins are often peoples' surname. We add the domain\login and the bare login value to the Fullname field. This is confusing but the real problem is that someone can be happily authenticating using their NT login until we add a new user whose domino name causes a clash with the existing user's NT login -then suddenly they can't login until we tell them to use the domain prefix. ****!

  5. Back to the agentmanager?


    It seems very easy to configure this IIS server for web traffic to my domino server. Does this also mean that the HTTP traffic is more scalable and powerfull because the more native domino tasks are used like the agentmanager.

    In our situation we use the HTTP task of domino and we have servere problems when twelve users are initiating the same action on the same time. We found that the HTTP task is using all its memory resources and probarbly this is a solution to our problem.

    What do you think?

    Thank in advance, Janno Roele (Atos Origin, the Netherlands)

  6. What are the Security Implications

    MS seems a lot more vulnerable to hacks than Domino. What are your thoughts?

    Are the instructions valid for R6?

    Thanks for the great article.


  7. For URL which don't have .nsf extension

    For the URL's which don't have .nsf and opened using the replica id can be redirected by creating your own exension .dll.In the .dll you can check for the exension .nsf and if it is not available you can add the extension

      • avatar
      • Jake Howlett
      • Fri 28 Mar 2003

      Re: For URL which don't have .nsf extension

      Have you done this? Can you do this for us? Can you show us somewhere that talks about it. Your message is a little cryptic and a little teasing... Jake

      Show the rest of this thread

    • avatar
    • Radu
    • Fri 30 May 2003

    Re: Alternative to the Domino HTTP Stack

    Hi there, great guide, thank you. I do have a problem. I've created a virtual directory in IIS and mapped it to a folder in the domino directory where I have few databases (.nsf). I set the VD enable directory browsing so when I type it's path in the address field of the browser I get to see it's content (the nsf and other files) yet when I click on a nsf file the browser responds with a 404 error - The page can not be found. It will display however other types of files such as html and it will attempt to save files of other types (.ntf, .box, etc.) when I click on them.

    Do you know what's wrong?

    Thanks in advance.

      • avatar
      • Jake Howlett
      • Sat 31 May 2003

      Re: Alternative to the Domino HTTP Stack

      Sounds like a bug to me Radu. In theory, if you have set it all up correctly, any URL with .nsf in it should be served via the Domino server.

      No idea why it wouldn't if you had allowed directory browsing. Sorry. Let us all know if you find out the answer.


      Show the rest of this thread

  8. Problem!

    Hi Jake,

    Thanks a lot for this wonderful article. It's really really helped me to setup Domino for IIS on my server. Thanks a lot for that. But I am facing a problem now :

    I use a script library to send mails in my work flow application. It worked fine with Domino HTTP stack. When I try run it on a Domino server which uses IIS server and SSO, it doesn't work. I started debugging the code and found that the error occurs in the following line :

    call maildoc.Send(False)

    Please help me to come out of this problem.

    Thanks in advance, Nalaka.

      • avatar
      • Jake Howlett
      • Mon 2 Jun 2003

      Re: Problem!

      Hi Nalaka,

      We had the same problem when using this approach at a client's. This was about 3 years ago though. Shame it's not been addressed.

      http://www-1.ibm.com/support/docview.wss?rs=203&q=iis+send+mail&uid=swg21101913& loc=en_US&cs=utf-8&lang=en+en

      The way we found to get round the problem was to create the document to be mailed directly in the mail.box DB on the server. All you need to do is document.save and it gets sent straightaway.

      Does that make sense/help you?


      Show the rest of this thread

  9. Domino Custom Login Forms

    Hi Jake,

    I have successfully implemented SSO. Now I want to use "Domino Custom Login Forms" instead of "Enter Network Password" dialog box. I am unable to do it cause it involves changes to the sso settings. Is there a way to do this without effecting the sso settings?

    with thanks and regards, Nalaka

  10. NT User Authentication

    This artical is really very good artical which helped me to configure IIS for Domino.

    I am having one query regarding user authentication in Domino.

    Query: Is it must to have Person Document in NAB for NT User to access secured document in Domino via ASP? Is there any alternative way to authenticate NT User for secure notes database without having his person document in NAB?

    Thanks and Regards,


    1. Re: NT User Authentication

      Hi Kiran,

      Yes, it's a must to have the users listed in the NAB.


      Show the rest of this thread

      • avatar
      • dipak teke
      • Thu 8 Jan 2004

      Re: NT User Authentication

      i did it last time.

    2. System i

      Jake ... Do you have any experience with frontending Domino on the System i with IIS. We would like to do this to provide SSO.

      Show the rest of this thread

  11. Domino R6.5 and ISS

    Great Article Jake.

    Have you (or anyone else) had any experience or tips for running domino R6.5 or R6.x with IIS.

    The niisextn.dll file doesn't exist in a clean install of R6.5!

    Any suggestions or ideas anyone.



    1. Re: Domino R6.5 and ISS

      Thank you Article Jake.

      Have you (or anyone else) had any experience or tips for running domino R6.5 or R6.x with IIS.

      The niisextn.dll file doesn't exist in a clean install of R6.5!

      if you (anyone) have DSAPI FILTER more appreciatable...

      Pls give Any suggestions...

      Best Regards, S. Manjula

      Show the rest of this thread

  12. no reply seemingly from niisext.dll

    We've successfully set this up on one server, but are having problems setting it up on another.

    The servers are virtually identical with the exception that the problem server has domino\data set up on the d drive and it alos used to be a proxy server.

    we can browse the web server, but wen asking for a .nsf, the browser states it is loading, but the page never loads. It doesn't even timeout - just loads for ever. The page never displays - just a blank.

    the IIS weblogs, show the GET request for the .nsf but nothing else

    Following a rebuild of the site, an error now appears...

    Domino for IIS extension initialization error 0x101. Unable to process request.

    I cannot find anything about this error.

    As the server is a production server, a full rebuild has not been considered.

    Is it possible that some old proxy setting is causing this?

    The machine is W2K SP4 with IIS 5 and Domino 5.0.12

  13. Leverage this solution for user friendly rejection

    I use IIS (on a Win 2K server) and Domino 6.5 to provide a better user experience.

    Instead of the user getting a logon prompt if they have inadequate permissions (or are not found in the NAB) they get a friendly web page explaining the position and what they might do about it.

    I'm assuming you are using IIS in a Windows Server (Domain) environment, so IIS will authenticate the user and pass to Domino the NT logon name, in the format Domain\Logon, which must exist in the NAB as one of your user names. Domino 'translates' the synonym back to the primary Notes name. In this way users are not presented with logon prompts.

    But if a user has inadequate permissions to access a database then they WOULD normally be promted for a logon - which doesn't help in an IIS environment because you're already logged on.

    To avoid this, follow these steps:

    1. Apart from the usual ACL entries, set the DEFAULT entry with NOACCESS but with Read AND Write public documents. Assign this ACL entry a ROLE of '[Unauthorised]' (or any other name you like).

    2. Ensure the initial launch page of your database is available to Public users.

    So far, this ensures that ANYONE will at least get to the launch page - which does not need to be a true launch or home page at all. Thus:

    3. In the public access home page, run an OnLoad function that checks the current user's role. Eg: if (document.getElementById("UserRole").innerText == "[Unauthorised]") ... which looks at the value of a CFD field in a named SPAN or DIV block that is set to 'display:none' in its style.

    4. If the user does not have the Role set then just forward them to the real home page via a simple 'window.top.location' or similar.

    5. Unauthorised users stay on the initial home page and you can make a DIV block visible that explains they do not have the necessary permissions, or that they could not be authenticated etc and what they should do about it.

    6. In this way, a user will never see a logon prompt (which just confuses them) when permissions are inadequate on a database.

    I use this all the time now and users end up with a much better experience!

  14. SSO and Two Domains

    Hi Jake,

    On my application server I have implemented SSO (Thanks to you for this article) and working fine.

    This is the problem :

    Our mail server is AUH01. It's a spoke server of PAR01 in Paris. My server AUH10 is a spoke server of AUH01.

    In my server (AUH10), SSO + Directory Assistance are enabled and working fine for AUH domain users.

    But when a PAR domain user (or any other domain user) tries to access a form in AUH10 through a web browser, it prompts a user name and password dialog box. Person Docs of these users have been changed for SSO with AUH login ids.

    Jake, what can be done to get rid of this password prompt now? Your help is highly appreciated. Thanks.

    Best regards, Nalaka.

      • avatar
      • eds
      • Fri 6 Jan 2006

      Re: SSO and Two Domains


      Was there any update on this problem?

      As I am facing the same problem.

      thanks eds

  15. Windows Server 2003?

    Has anyone had any luck making this work under Windows Server 2003? The IIS setup seems to be completely different, and none of the documentation (Noteshelp, revised IBM documentation, nor the Codestore guide) seem to apply.

    Any tips or pointers towards updated documentation would be much appreciated.


  16. Getting R6 <-> Windows AD SSO to work

    I got this working. I have collected some references at:http://dev.kanngard.net/Permalinks/ID_20050518142049.html

  17. Default Number of Rows

    Hi Guys, I know Domino has a display default of 1000 records for the web. Does IIS have something similar? I'm using IIS on my web server with Domino apps, but can't display more than 1000 records in the web view, even though I changed the default in the Domino Server Document to 0 (no limit).

    Any help? Thanks

      • avatar
      • Jake Howlett
      • Wed 16 Nov 2005

      Re: Default Number of Rows

      IIS won't have any such setting.

      Have you adding &Count=-1 to the end of the URL you're using?


  18. Problems with "?login"

    I just posted this on the notes.net forum: https://www-10.lotus.com/ldd/nd6forum.nsf/ShowMyTopicsAllThreadedweb/6c5665b17fd c723d852570d5005acbed?OpenDocument

    I have IIS & Domino on many servers... and everything is working fine... except when I use "?login" when my IIS web site hasn't "Anonymous" access allowed. (I received an error message from Domino: "Unknown Exception").

    Does someone have an idea? Thanks! Pascal

      • avatar
      • Jeroen
      • Mon 15 May 2006

      Re: Problems with &Login

      use session authentication in combination with IIS

    • avatar
    • Anonymous
    • Wed 10 Oct 2007

    This is great. Update please!

    I'm trying hard to convince our team to use IIS with Domino, but I can't find anything on Domino 7 and IIS. Everything out there seems to be about R5 and some stuff on ND6.

    If you could update this article, I would be very appreciative!

      • avatar
      • David Inglis
      • Thu 18 Jun 2009

      Updated Instructions For R7 and Server 2003

      See this page:


Your Comments


Navigate other articles in the category "Miscellaneous"

« Previous Article Next Article »
Blogathon 28th July 2002   The DomBlog Template v1.6

About This Article

Author: Jake Howlett
Category: Miscellaneous
Keywords: HTTP; IIS; SSO;


Print Friendly

Let's Get Social

About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.

Read more about this site »