This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Mar 21, 2013, 1:36 PM
14 Posts

Security Policy issue Notes 9.0 SocialEdition

  • Category: Notes Client
  • Platform: Windows
  • Release: 9.0
  • Role: Administrator,Developer,End User
  • Tags: Policy,Security,Policies,Shared Login,Sametime
  • Replies: 7

We are using Shared Logon for all our users. But now when installing the IBM Social Edition 9.0 (non beta version) it stopped working (Beta version worked fine with Shared Logon).
This setting amongst other settings is enabled via security and desktop setting policy documents on a Domino 8.5.3 server.

Various policy settings have been applied to the fresh install of 9.0 (like Managed Replica, etc.) but not the Shared Logon security setting.

In addition to this issue there were also Sametime settings that are no longer working, like AutoLogin.

The settings for Shared Login and Sametime are still working nicely for users with 8.5.3 clients.

(print screens can be provided).

Thanks!
Rasmus Spendrup

Mar 21, 2013, 3:14 PM
74 Posts
Checking with development
Security/kl
Mar 21, 2013, 3:28 PM
1 Posts
Questions for Rasmus: RE: Security Policy issue Notes 9.0 SocialEdition
Hello and thank you for the quick installation of Social Edition.

A couple of requests to start:

  • Post a screenshot of the User Security Panel - Security Basics tab for an affected user
  • Post a screenshot of the policy in Security Settings - Password Management - Notes Shared Login
  • Use Admin client to get a Policy Synopsis for affected user
  • How does this fail?  Does the user get a password prompt?  Then what?
  • For an affected user, in their PNAB, look in the hidden view $Policies, open the effective policy for the user - specifically one of the security settings - and screen shot the value NSLon and NSLAllow
Thanks,

Kevin Lynch (Domino Security Dev)

Mar 22, 2013, 9:06 AM
14 Posts
RE
Hi Kevin,

What happens is that the user gets prompted to log in with the ID password, a password not updated since the day we turned on Shared Logon (so no-one remembers this password (issue number one)).

When the ID password is located and entered, the user gets instructed to change the password (as it's too old). And after that the client uses the standard Notes-ID/Password logon routine instead of using the MS AD password and not prompting, which is how the policy is set on the server.

Thank you for your quick response!

Synopsis:

Policy Synopsis for Rasmus Spendrup/Dometic Holding AB/Sweden/Dometic Group from Domino Directory on server SEMOTML02/Dometic Group created at 03/22/2013 10:03 AM


Effective Policy for:  Rasmus Spendrup/Dometic Holding AB/Sweden/Dometic Group
Derived from the following policies:
*/Dometic Holding AB/Sweden/Dometic Group
*/Sweden/Dometic Group
*/Dometic Group
*

= Value was enforced in the specified settings document.
Security Settings:
AECL does not have a value set
AlwaysSetItems has the following values from settings document DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdSync
PwdNoOtherPrompt
NSLOn
NSLAllow
NSLActNotif
NSLDeactNotif
UseCustomPolicy
PwdChk
PwdAlwHTTP
PwdExp
PasswordChangeInterval
PasswordGracePeriod
PwdHistCnt
PWExpWarnDays
PWExpWarn
ILEnforce
ILMaxTries
ILExpMinutes
ILClearMinutes
PasswordQuality
PwdQltyIsLen
ENCSTDPref
ENCSTDAllowed
KeyItterations
ChgPwdInit
PwdCNAllow
PwdLenMin
PwdLenMax
PwdQtyMin
PwdAlphaMin
PwdUppMin
PwdLowMin
PwdNumMin
PwdPuncMin
PwdCombineMin
PwdCombine
PwdRepMax
PwdUniMin
PwdNotStart
PwdNotEnd
NSLActText
NSLDeactText
DisplayAECL
ECLUpdMode
ECLUpdFreq
PKReq
PKUMinWidth
PKUMaxWidth
PKUDefWidth
PKUMaxAge
PKUMinDate
PKUGenDays
PKUOldKeyDays
ENCNotAllowed
FIPSENCOn
CertExpWarnDays
CertExpWarn
OCSPCheck
OCSPDefRsp
OCSPAllowDefRsp
OCSPClockSkew
OCSPCertStatus
OCSPLogInfo
CopyAllTrustDefaults
$TrustLinkIds
$dtLinksUpdate
EXPIRED_SIGNATURE_POLICY
UNSIGNED_PLUGIN_POLICY
UNTRUSTED_SIGNATURE_POLICY
IBM_JAR_SIGN_CERTIFICATE
TSAEXPIRED_SIGNATURE_POLICY
HOME_PORTAL_SERVER
HOME_PORTAL_AUTH_URL
HOME_PORTAL_AUTH_TYPE
VTName
PwdHelpDesk
PwdChgPostReset
IDVAppsOK
VaultAllowAutoDL
VaultAllowAutoDays
VaultAllowAutoHours
VaultAllowAutoDLText
CertExpWarn does not have a value set
CertExpWarnDays = 21  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ChgPwdInit = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
Comments has a value that is not printable set in DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
CopyAllTrustDefaults does not have a value set
DONT_SET_STRING = Don't set value  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
DlgPxyActions does not have a value set
DlgPxyCookies does not have a value set
DlgPxyCtxt does not have a value set
DlgPxyHeaders does not have a value set
DlgPxyMIMETypes does not have a value set
DlgPxyURL does not have a value set
ECLUpdFreq = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ECLUpdMode = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ENCNotAllowed does not have a value set
ENCSTDAllowed does not have a value set
ENCSTDPref = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
EXPIRED_SIGNATURE_POLICY = PROMPT  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
FIPSENCOn = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
HOME_PORTAL_AUTH_TYPE = J2EE-FORM  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
HOME_PORTAL_AUTH_URL does not have a value set
HOME_PORTAL_SERVER = wps  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
IBM_JAR_SIGN_CERTIFICATE = ALLOW  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
IDVAppsOK = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ILClearMinutes = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ILClearNum = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ILEnforce does not have a value set
ILExpMinutes = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ILExpNum = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
ILMaxTries = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
INIFlg does not have a value set
InternetAddress does not have a value set
KeyItterations = 5000  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
NSLActNotif = 2  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
NSLActText does not have a value set
NSLAllow = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
NSLDeactNotif = 2  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
NSLDeactText does not have a value set
NSLOn = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
NSLOnEntry does not have a value set
NotifOptions has the following values from settings document DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
System dialog | 1
No notification | 2
Custom message dialog | 3
OCSPAllowDefRsp does not have a value set
OCSPCertStatus = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
OCSPCheck does not have a value set
OCSPClockSkew = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
OCSPDefRsp does not have a value set
OCSPLogInfo = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
OriginalModTime = 08/08/2005 08:32:40 AM  from Dometic Group assigned in policy */Dometic Group
PKUDefWidth = 1024  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUGenDays = 180  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUMaxAge = 36500  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUMaxWidth = 1024  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUMinDate = 08/01/1977  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUMinWidth = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PKUOldKeyDays = 365  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PWExpWarn does not have a value set
PWExpWarnDays = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
Parameters does not have a value set
PasswordChangeInterval = 365  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PasswordGracePeriod = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PasswordQuality = 8  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdAlphaMin does not have a value set
PwdAlwHTTP = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdCNAllow = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdChgPostReset = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdChk = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdCombine does not have a value set
PwdCombineHA = 5  from Dometic Group assigned in policy */Dometic Group
PwdCombineMin does not have a value set
PwdExp = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdHelpDesk does not have a value set
PwdHistCnt = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdLenMax does not have a value set
PwdLenMin does not have a value set
PwdLowMin does not have a value set
PwdNoOtherPrompt = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdNotEnd does not have a value set
PwdNotStart does not have a value set
PwdNumMin does not have a value set
PwdPuncMin does not have a value set
PwdQltyIsLen does not have a value set
PwdQtyMin does not have a value set
PwdRepMax does not have a value set
PwdSync = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
PwdUniMin does not have a value set
PwdUppMin does not have a value set
PwdWPCSharing = 0  from Dometic Group assigned in policy */Dometic Group
PxyActions does not have a value set
PxyCookies does not have a value set
PxyCtxt does not have a value set
PxyHeaders does not have a value set
PxyMIMETypes does not have a value set
PxyURL does not have a value set
SaveOptions = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
TSAEXPIRED_SIGNATURE_POLICY = ALLOW  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
Type = PolicySecurity  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
UNSIGNED_PLUGIN_POLICY = PROMPT  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
UNTRUSTED_SIGNATURE_POLICY = PROMPT  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
UseCustomPolicy = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
VTName = O=DGIDVault  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
VaultAllowAutoDL = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
VaultAllowAutoDLText does not have a value set
VaultAllowAutoDays = 1  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
VaultAllowAutoHours = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group
tmpHideNSLOnBut = 0  from DGIDVault and Microsoft AD password assigned in policy */Dometic Holding AB/Sweden/Dometic Group

 

 

Mar 22, 2013, 9:11 PM
4 Posts
Check the policy - the local policy does not match with server policy
Hi Rasmus,
Thanks for the information. It appears from the screenshots that the user's local policy is not matching up with the policy on the server. (NSLOn and NSLAllow in the local pnab do not match the values in the policy synopsis.)
Is this a complete new install, or an upgrade over an existing copy of Notes?

Can you double check that the policies at the admin server and the user's home mail server are correct and match? You can compare the actual policies and/or the policy synopsis for an affected user from both servers.

Another thing to try is to have an affected user authenticate to their home server (by opening a database on the home server listed in their location document) to get the current policy. Check if the NSLOn and NSLAllow values are updated in the local pnab.
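
Added example (not part of the original thread, and not IBM/HCL code): a small Python script that parses two Policy Synopsis reports and lists the items whose effective values differ, which is the server-to-server comparison suggested above. The two line patterns are taken from the synopsis posted earlier in this thread; the sample reports, settings document and policy names are constructed.

```python
import re

# Line shapes seen in the Policy Synopsis posted in this thread.
SET_RE = re.compile(r"^(\S+) = (.*?)\s+from (.+) assigned in policy (.+)$")
UNSET_RE = re.compile(r"^(\S+) does not have a value set$")

def parse_synopsis(text):
    """Return {item: (value, settings_doc, policy)}; unset items map to None."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            name, value, doc, policy = m.groups()
            items[name] = (value, doc, policy)
            continue
        m = UNSET_RE.match(line)
        if m:
            items[m.group(1)] = None
    return items

def diff_synopses(a, b, only=None):
    """List (item, value_a, value_b) where the effective values differ.
    An item missing from a report is treated like one with no value set."""
    pa, pb = parse_synopsis(a), parse_synopsis(b)
    names = only if only is not None else sorted(set(pa) | set(pb))
    out = []
    for name in names:
        va = pa[name][0] if pa.get(name) else None
        vb = pb[name][0] if pb.get(name) else None
        if va != vb:
            out.append((name, va, vb))
    return out

# Constructed sample reports (hypothetical names, not the poster's data).
ADMIN_SERVER = """\
NSLOn = 1  from ExampleSecurity assigned in policy */ExampleOU/ExampleOrg
NSLAllow = 1  from ExampleSecurity assigned in policy */ExampleOU/ExampleOrg
PwdSync = 1  from ExampleSecurity assigned in policy */ExampleOU/ExampleOrg
NSLActText does not have a value set
"""
HOME_SERVER = """\
NSLOn = 0  from ExampleSecurity assigned in policy */ExampleOrg
NSLAllow does not have a value set
PwdSync = 1  from ExampleSecurity assigned in policy */ExampleOU/ExampleOrg
NSLActText does not have a value set
"""

if __name__ == "__main__":
    for name, va, vb in diff_synopses(ADMIN_SERVER, HOME_SERVER):
        print(f"{name}: admin={va!r} home={vb!r}")
```

Passing `only=["NSLOn", "NSLAllow"]` restricts the comparison to the two Notes Shared Login items discussed in this thread.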
Mar 25, 2013, 4:28 PM
14 Posts
RE: Security Policy issue Notes 9.0 SocialEdition

Hi,

Please read my answers below:


Thanks for the information. - My pleasure :)

It appears from the screenshots that the user's local policy is not matching up with the policy on the server. (NSLOn and NSLAllow in the local pnab do not match the values in the policy synopsis.)
Is this a complete new install, or an upgrade over an existing copy of Notes? - This is a completely new installation with all traces of the old beta client removed before installing the new version.

Can you double check that the policies at the admin server and the user's home mail server are correct and match? You can compare the actual policies and/or the policy synopsis for an affected user from both servers.

- It's the same server.

Another thing to try is to have an affected user authenticate to their home server (by opening a database on the home server listed in their location document) to get the current policy. Check if the NSLOn and NSLAllow values are updated in the local pnab.

- I've done that 100 times now, running ndyncfg.exe repeatedly, opening the NAB on the server multiple times and restarting the client. I still have the same issue as before. Again, nothing is changed on my ID or OU or on the Policy documents on the server between the installations. (Added to that, I'm the only one on our server who gets prompted with the password question each morning, so clearly something is very wrong.)

Thank you for following up!

/Rasmus 

Mar 27, 2013, 6:22 PM
4 Posts
More information
Hi Rasmus,

At this point, it is difficult for us to guess or troubleshoot the issue without more config/debug data. This was tested and we are unable to reproduce the issue.


Can you gather and send the following information? nkho@us.ibm.com


Turn on console logging, enable debug_dynconfig=1 and debug_policy=1 on your client, restart, and access the home mail server.  Send us your console log,  pnab and a stripped down copy of the NAB with just the policy settings.
Mar 28, 2013, 2:34 PM
14 Posts
RE: Security Policy issue Notes 9.0 SocialEdition

Hi Nancy,

Thank you. It actually resolved itself when I did an update of my Windows password.

You can close the case.

Rasmus

