Use Existing Lotus Notes 8.5 Security Session via .NET Application

Question

I'm currently working on a .NET application that will be invoked from Lotus Notes 8.5. This .NET application is suppose to read some data from a Lotus Notes database, and export it to a file.

The code to connect to the Lotus Notes database is:

NotesSession ns = new NotesSession();
NotesView nv;
ns.Initialize("");
NotesDatabase nd = ns.GetDatabase("server", "file.nsf", false);
nv = nd.GetView("viewName");

Unfortunately, when ns.Initialize is invoked, the Lotus Notes component will prompt the user for their password. I understand that the method Initialize is overloaded, the user name and password can be provided. However, I will not know the username / password.

Since Lotus Notes will be open already, is there a way to access the Notes Database using the credentials of the user that is already logged into Lotus Notes? Essentially, I'd like to avoid having the user enter their Notes credentials again, but still access the database.

Answer 1

There is a setting that can be turned on in Notes in the User Security dialog. (You didn't mention the version of Lotus Notes. The dialog may be different if you're on an older version.) The setting is:

Don't prompt for a password from other Lotus Notes-based programs (reduces security).

Those last two words may be in parenthesis, but don't let that fool you. They are pretty important! The setting allows all programs running on that user's computer to use the Notes APIs without authentication. That opens the door for an email-borne piece of malware, amongst other threats. And never mind the fact that such threats have been rare in the Lotus Notes world. A big part of the reason for that is that keeping this setting disabled is the default.

From what I've said above, I'm sure you can understand why there isn't an easy way to do what you want to do!

The only way to disable the password prompt specifically for your application will be to use the Lotus Notes C API's feature set known as Extension Manager. I.e., you write a C source file that is compiled into a DLL. Your DLL must be installed on all users' machines, and an entry must be made in the notes.ini file in order to have it loaded when the Notes core DLLs run. The help files for the C API include some sample code showing how to do the Notes-specific part of this. You'd have to figure out the details of identifying the fact that it was invoked for your application, and (if I remember correctly) you would also have to write code to prompt the user for their password once and be responsible for securely storing it somewhere where your DLL can retrieve and decrypt it whenever it needs it.

Answer 2

I did find another way to perform this, without having to turn the "Don't prompt for a password from other Lotus Notes-based programs (reduces security)." check box on.

        System.Type objNotesType = System.Type.GetTypeFromProgID("Notes.NotesSession");
        dynamic ns = System.Activator.CreateInstance(objNotesType);

        dynamic nd = ns.GetDatabase(AppSettings.NotesServer, AppSettings.NotesReplicaID);
        if (nd.IsOpen != true) nd.OpenByReplicaID(nd.Server, AppSettings.NotesReplicaID);
        dynamic nv = nd.GetView(AppSettings.NotesView);

I've tested it, and it works. I am not prompted for a password, and when accessing the Notes Database, I am accessing it under the current user's credentials. Also, no COM references needed to be added to the project.