Troubleshooting ID vault test deployments
Added by Michael Stewart on April 27, 2021 | Version 1
Tags: Notes ID Vault
User ID files not being uploaded to the ID vault

If you are an administrator and have assigned a new vault policy to existing users, but do not see certain user IDs being uploaded to the vault, check the following:

1. Look through the client and server log.nsf for error messages and potential clues under "Security Events".

2. Have the necessary vault trust certificates been created? In the Domino Administrator, under the "People & Groups" tab, under "Certificates," check that the expected "Vault Trust Certificates" exist.

3. Is your test deployment user using Lotus Notes 8.5 or higher? To use a vault, Lotus Notes clients must run Release 8.5 or later.

4. Has the user been assigned to a vault through a policy? The user needs to have a policy that is vaulted. Run the "Policy Synopsis" command in the Domino Administrator to see what the user's policy is.

5. Has the test user authenticated with his home server? The test user needs to authenticate with the server. Otherwise, the Lotus Notes client will not know about the new policy. Check the user's local policy to see that the user has received the expected ID vault policy. If the user does not have a local policy, verify that the home/mail server defined in the user's location document is correct.

6. Has the user been using Lotus Notes? The user needs to be running Lotus Notes in order to upload the ID file to the vault server.

7. How much time has passed? The user's ID file is not immediately uploaded after the policy has been applied for performance reasons. The user's ID file will be automatically uploaded in the background while the user is running the Notes client at a randomly selected time (an average of four hours, up to eight hours). To force an upload to occur immediately, you can switch ID to the same ID (File - Security - Switch ID.)

8. Is the user accessing mail through iNotes? To enable the use of ID vault for Lotus iNotes users, you must enable "Allow Notes-based programs to use the Notes ID vault" on the ID Vault tab of the Security policy setting document. When the user accesses an 8.51 or higher Domino mail server and performs a secure mail operation over iNotes, such as sending a signed message or reading an encrypted message, the ID file will be automatically uploaded to the ID vault.

The following notes.ini variables may be enabled to collect more detailed information in the console logs.
Server:
  • DEBUG_IDV_CONNECT
  • DEBUG_IDV_TRUSTCERT
  • DEBUG_IDV_UPDATE

Client:
  • DEBUG_IDV_TRACE
  • DEBUG_IDV_TRUSTCERT
  • DEBUG_IDVAULT_SERVER_SELECTION

Using a password reset application with the ID vault

If you are an administrator having trouble deploying a password reset application for use with the ID vault, try the following:

1. Check that the basic ID vault and user have been set up correctly.
To do this, you can try resetting the user's password in the Notes Administrator. This will ensure that (1) the user's ID is indeed in the vault and that (2) an ID vault policy has been applied to the user.
(This may be especially pertinent if you are seeing the "Entry not found in Index" error in the server log.)
- The message "The Notes ID ... is not vaulted." indicates that an ID vault policy has not been applied to the user.
- The message "User's ID has not been uploaded to the Notes ID vault." indicates the user's ID is not in the ID vault yet.

2. Check the rights of the password reset agent signer. (If not already signed, sign the agent using Domino Designer.)
- In the Server document (in the Domino Directory) of the server(s) on which the agent will run, check that the agent signer has "Run restricted LotusScript/Java agents" access.
- In the ID vault wizard in the Domino Administrator, check that the signer of the password reset agent is an authorized password resetter with "Password reset agent authority."
- In the ID vault wizard in the Domino Administrator, check that the server(s) on which the agent will run is an authorized password resetter.

3. In Domino Designer, check the security settings of the agent.
- Under "Properties - Security" settings of the agent, double check that "Run as web user" has not been checked.

4. Within the agent code, check that ResetUserPassword is called with the correct server name and user name values.
- Is the user's full name being used? For example "John Smith/Acme" and not just "John Smith."
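The following is an added example of a password reset agent, written for this article and not taken from the wiki or from HCL; it exercises the checks in items 2 through 4 above. It assumes the agent runs on the server as its signer (so "Run as web user" is unchecked) and that the signer holds "Password reset agent authority" in the vault. The request document field names (ResetUser, ResetServer, NewPassword, ResetStatus) are assumptions made for this example; `NotesSession.ResetUserPassword` and `NotesSession.CreateName` are the standard LotusScript calls.

```lotusscript
' Added example, not the wiki's own code: a server-run agent that resets an ID vault
' password for the user named in the request document it is passed.
' Assumed request fields: ResetUser (user name), ResetServer (server that performs the
' reset; it must itself be an authorized resetter), NewPassword, ResetStatus (written back).
Option Public
Option Declare

' Returns the abbreviated hierarchical form of a name ("John Smith/Acme"), or "" when
' the name has no organization part, because the vault needs the user's full name
' and not just "John Smith".
Function FullHierarchicalName(rawName As String) As String
    Dim session As New NotesSession
    Dim nn As NotesName
    Set nn = session.CreateName(rawName)
    If InStr(nn.Abbreviated, "/") = 0 Then
        FullHierarchicalName = ""
    Else
        FullHierarchicalName = nn.Abbreviated
    End If
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim doc As NotesDocument
    Dim userName As String
    Dim resetServer As String
    Dim newPassword As String

    ' The request document is handed to the agent (for example via RunOnServer).
    Set doc = session.DocumentContext
    If doc Is Nothing Then Exit Sub

    userName = FullHierarchicalName(doc.GetItemValue("ResetUser")(0))
    If userName = "" Then
        Call doc.ReplaceItemValue("ResetStatus", _
            "Rejected: user name must be hierarchical, e.g. John Smith/Acme")
        Call doc.Save(True, False)
        Exit Sub
    End If

    resetServer = doc.GetItemValue("ResetServer")(0)
    newPassword = doc.GetItemValue("NewPassword")(0)

    ' Record who the agent actually runs as: this must be the signer that was granted
    ' "Password reset agent authority" in the vault (item 2 above), not a web user.
    Call doc.ReplaceItemValue("ResetRunAs", session.EffectiveUserName)

    On Error GoTo ResetFailed
    Call session.ResetUserPassword(resetServer, userName, newPassword)

    ' Do not leave the new password lying in the request document once it has been used.
    Call doc.RemoveItem("NewPassword")
    Call doc.ReplaceItemValue("ResetStatus", "Reset OK for " & userName)
    Call doc.Save(True, False)
    Exit Sub

ResetFailed:
    ' The error text maps to the checks in item 1 above: "is not vaulted" means no vault
    ' policy has been applied; "has not been uploaded" means the ID is not in the vault yet.
    Call doc.RemoveItem("NewPassword")
    Call doc.ReplaceItemValue("ResetStatus", "Reset failed: " & Error$ & " (" & Err & ")")
    Call doc.Save(True, False)
    Exit Sub
End Sub
```

If the agent writes "Reset failed" with an access error, re-check items 2 and 3 (the signer's rights and the "Run as web user" setting); if the ResetRunAs field shows a name other than the expected signer, the agent is not running under the identity that was authorized in the vault.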
