Password recovery database does not show newly-registered users

Technote Number: 1097872


Problem:
The issue can occur for any of the following reasons:

A Person document does not exist for the registering administrator in the
Domino Directory on the administration server, or a field in that Person
document is incorrect. For example, the user name field is missing the
hierarchical name, or the hierarchical name is not the first entry listed in
the user name field.

The Person document for one of the other password recovery administrators
(that is, not the administrator who is registering the new user) has an
expired certificate. A good indication of this problem is that only one
administrator can make password recovery work: when any other administrator
registers users, the password recovery database is not updated. This happens
because the registering administrator's own Person document is assumed to be
fine and is not checked, whereas the Person documents of the other recovery
administrators are.

The registering administrator must have the CreateUser role checked in the
Access Control List (ACL) of the Administration server's Domino directory.

The administrator must be listed in the 'Administrators' field of the
Administration server's Server document. Similarly, this issue can result from
the user name in the administrator's Person document not matching the name
listed in the administrator Group document.

For example, John Doe/Acme is listed in the group "Admins", and Admins is
listed in the Administrators field of the Server document. However, the Person
document for John Doe/Acme appears in the Domino Directory as Jonathan Doe,
because Jonathan Doe is the first entry in the User Name field of that Person
document, so the group member name does not resolve to it. This is resolved by
placing the correct name (that is, John Doe/Acme) first in the User Name field
of the Person document so that it matches the name listed in the admin group
document.

Check the public key of the Certifier ID and compare it to the public key in
its Certificate document in the Domino Directory; they must match. Do the same
for your administrator ID: compare its public key to the public key in its
Person document in the Domino Directory.

After you have confirmed that every administrator listed in the password
recovery list has a Person document in the Domino Directory with the correct
public key, copy those Person documents to your Personal Address Book and
attempt to register a user again. Note: this worked in one case where an
administrator found that a single recovery administrator was causing the
problem: he had an old copy of that administrator's Person document in his
Personal Address Book. Copying the current documents for all administrators
over the old ones allowed registration to work again. He was later able to
delete those documents from his address book, and registration continued to
work.

Background:
When a user is registered, Notes first checks the Personal Address Book on the
client for the administrators' Person documents. If any are present, it uses
the public key(s) from those documents. If there is a problem with such a
Person document, the local client log file records an error similar to "Your
certificate has expired." If no administrator Person documents are found in
the local Personal Address Book, the Domino Directory on the server specified
in the Location document is checked for them instead. If there is a problem
with any administrator Person document, the newly registered user ID is not
sent to the password recovery database. In addition, the CreateUser role must
be checked for the administrator in the access control list (ACL) of the
Domino Directory, and the administrator's name must appear as an Administrator
in the Administration server's Server document.
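The conditions listed under Problem and the lookup order described in this Background section can be combined into one diagnostic check. The Python below is an added illustration, not Domino or HCL code: it models Person documents, the Personal Address Book, the Domino Directory, the ACL role and the Server document as plain dicts (an assumed layout with assumed field names), fills them with constructed sample data that includes the stale address-book copy and the John Doe/Jonathan Doe mismatch described above, and reports which condition would stop a registration from updating the password recovery database.

```python
"""Model of the administrator checks behind the symptom in this technote.

Added illustration, not Domino or HCL code. It encodes the conditions the
technote lists (Person document lookup order, first entry of the user name
field, expired certificates of the OTHER recovery administrators, public
keys, the CreateUser role and the Server document Administrators field) as
one check over constructed sample data. The dict layout and field names are
assumptions made for the model."""
from datetime import date

# Constructed sample data: a Person document is a dict holding the fields
# this technote says matter. Every value below is made up.
JOHN = {"user_name": ["John Doe/Acme", "John Doe"],
        "cert_expires": date(2005, 1, 1), "public_key": "KEY-JOHN-2003"}
JANE = {"user_name": ["Jane Roe/Acme"],
        "cert_expires": date(2002, 12, 31), "public_key": "KEY-JANE"}  # expired
# John's document with "Jonathan Doe/Acme" listed first (the mismatch case).
JONATHAN = dict(JOHN, user_name=["Jonathan Doe/Acme", "John Doe/Acme"])

DOMINO_DIRECTORY = {
    "persons": [JOHN, JANE],
    "groups": {"Admins": ["John Doe/Acme", "Jane Roe/Acme"]},
    "server_admins": ["Admins"],            # Server document, Administrators field
    "create_user_role": {"John Doe/Acme", "Jane Roe/Acme"},  # ACL role CreateUser
}
MISNAMED_DIRECTORY = dict(DOMINO_DIRECTORY, persons=[JONATHAN, JANE])
# Stale copy of John's Person document in the Personal Address Book, still
# carrying the public key from before his ID was recertified.
STALE_PAB = {"persons": [dict(JOHN, public_key="KEY-JOHN-2001")]}
EMPTY_PAB = {"persons": []}
# Public keys actually held in the administrators' ID files.
ID_PUBLIC_KEYS = {"John Doe/Acme": "KEY-JOHN-2003", "Jane Roe/Acme": "KEY-JANE"}
RECOVERY_ADMINS = ["John Doe/Acme", "Jane Roe/Acme"]
TODAY = date(2003, 6, 1)


def expand_members(names, groups, seen=None):
    """Flatten group membership (groups may nest or loop) into user names."""
    seen = set() if seen is None else seen
    users = set()
    for name in names:
        if name not in groups:
            users.add(name)
        elif name not in seen:
            seen.add(name)
            users |= expand_members(groups[name], groups, seen)
    return users


def find_person(persons, name):
    """Match only when `name` is the FIRST entry of the user name field."""
    for doc in persons:
        if doc["user_name"] and doc["user_name"][0] == name:
            return doc
    return None


def lookup(name, pab, directory):
    """Personal Address Book first, then the server's Domino Directory."""
    doc = find_person(pab["persons"], name)
    if doc is not None:
        return doc, "Personal Address Book"
    return find_person(directory["persons"], name), "Domino Directory"


def check_registration(admin, recovery_admins, pab, directory, id_keys, today):
    """Return the reasons a registration by `admin` would not update the
    password recovery database; an empty list means the checks pass."""
    problems = []
    for name in recovery_admins:
        doc, where = lookup(name, pab, directory)
        if doc is None:
            problems.append(f"no Person document lists '{name}' first in its user name field")
            continue
        # The registering administrator's own document is assumed fine and is
        # not checked for expiry; every other recovery administrator's is.
        if name != admin and doc["cert_expires"] < today:
            problems.append(f"certificate for {name} expired on {doc['cert_expires']}")
        if doc["public_key"] != id_keys.get(name):
            problems.append(f"public key for {name} in {where} does not match the ID file")
    if admin not in directory["create_user_role"]:
        problems.append(f"{admin} lacks the CreateUser role in the Domino Directory ACL")
    if admin not in expand_members(directory["server_admins"], directory["groups"]):
        problems.append(f"{admin} is not an Administrator in the Server document, directly or via a group")
    return problems


if __name__ == "__main__":
    cases = {
        "John, stale PAB copy": ("John Doe/Acme", STALE_PAB, DOMINO_DIRECTORY),
        "John, clean PAB": ("John Doe/Acme", EMPTY_PAB, DOMINO_DIRECTORY),
        "Jane (expired cert) registering": ("Jane Roe/Acme", EMPTY_PAB, DOMINO_DIRECTORY),
        "John, Person doc lists Jonathan first": ("John Doe/Acme", EMPTY_PAB, MISNAMED_DIRECTORY),
    }
    for label, (admin, pab, directory) in cases.items():
        result = check_registration(admin, RECOVERY_ADMINS, pab, directory, ID_PUBLIC_KEYS, TODAY)
        print(label, "->", result or "ok")
```

Running it reproduces the symptom the technote describes: with Jane's certificate expired, a registration by John fails the check while one by Jane passes, because only the other recovery administrators' Person documents are examined. In a real environment the data would come from the Domino Directory and the Personal Address Book via the Notes API; the model only encodes the rules.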

Look in the system temporary (temp) directory on the administration client for
~~tmpidx.idb files (where x is a digit from 0 to 9). On the Windows NT
platform this directory is c:\temp. These tmpidx files are temporary user ID
files that the system creates when a user is registered; this is where the ID
file is actually copied from when it is sent to the Password Recovery
database. Try clearing these files out of the temp directory, then register
one user and check whether the new ID is placed in the Password Recovery
database. Watch the server console as well: the router will report a message
sent from the administrator's name to the Password Recovery database.

Additionally, make sure that the operating-system account the administrator is
using has the rights to create files in the temp directory.
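The two operating-system checks above, as an added example that is not part of the technote or HCL's tooling: enumerate and clear leftover ~~tmpidx.idb files, then confirm the account can create a file in the same directory. The file name pattern is taken from the technote; which directory to check is the caller's choice (c:\temp on Windows NT per the technote), and the demo runs against a scratch directory seeded with constructed files so it can be executed anywhere.

```python
"""Added example, not HCL code: the operating-system checks this technote
asks for on the administration client's temp directory."""
import glob
import os
import shutil
import tempfile
import uuid


def stale_temp_ids(temp_dir):
    """Leftover temporary ID files: ~~tmpid, one digit, .idb (pattern from the technote)."""
    return sorted(glob.glob(os.path.join(temp_dir, "~~tmpid[0-9].idb")))


def clear_temp_ids(temp_dir):
    """Delete the leftover temporary ID files and return the paths removed.
    They are copies of user ID files, so removing them is also a hygiene step."""
    removed = []
    for path in stale_temp_ids(temp_dir):
        os.remove(path)
        removed.append(path)
    return removed


def can_create_files(temp_dir):
    """Probe create rights the way registration needs them: create, then remove,
    a uniquely named file. Mode 'x' fails instead of clobbering an existing file."""
    probe = os.path.join(temp_dir, f"~~probe-{uuid.uuid4().hex}.tmp")
    try:
        with open(probe, "x"):
            pass
    except OSError:
        return False
    os.remove(probe)
    return True


def demo():
    """Exercise the checks on a scratch directory seeded with two constructed
    leftover ID files and one unrelated file; returns what each step found."""
    scratch = tempfile.mkdtemp(prefix="domino-reg-")
    try:
        for n in (3, 7):
            open(os.path.join(scratch, f"~~tmpid{n}.idb"), "w").close()
        open(os.path.join(scratch, "unrelated.txt"), "w").close()
        found = [os.path.basename(p) for p in stale_temp_ids(scratch)]
        removed = len(clear_temp_ids(scratch))
        return {"found": found, "removed": removed,
                "left": len(stale_temp_ids(scratch)),
                "writable": can_create_files(scratch)}
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print(demo())
    # Against the real client, pass the directory Notes actually uses, e.g.
    # stale_temp_ids(r"c:\temp") and can_create_files(r"c:\temp") on NT.
```

Because a Notes ID file carries the user's private key, leftover copies in a shared temp directory are worth removing even when registration is otherwise working; run the check from the same account the administrator uses for registration so the create-rights probe reflects that account's permissions.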