Solved

Access Problem

Posted on 2006-03-22
Medium Priority
Last Modified: 2013-12-18
Dear Experts,

Consider this as URGENT....
Version: 6.5.3
Server OS: Win 2K

Problem:
You are not authorized to perform this operation (Web)
You are not authorized (Notes)

Description:
This problem arose one week back for a production server. This is SSL enabled. SSL certificate expired one week back and still users can access the site. All of a sudden, users are unable to access any of the databases from web (generally they access db's from web). We are unable to figure out what caused this problem.

Architecture:
Server A and Server B are in one Location.
Server C is in another Location.
All the 3 servers are replicating with each other and Server B is open for HTTP/HTTPS requests.
When Server B users access db's in Notes/Web, there is no problem. Problem is with other servers' users. It gives the above error.
When accessing from Notes, it prompted to create Cross Certificate. But when I see NAB, Cross Certificates are available.
Db is SSL enabled. Created a new copy from this db and disabled SSL and tested. Same errors occur even without SSL.
Run Restricted LS agents are enabled to all. There is no Deny Access group.
Please let me know what the possibilities are and which places need to be checked. I am sitting in a remote place and may be able to implement suggestions by this evening or tomorrow morning. Please provide as many suggestions/solutions as possible.

thank you,
with rgds,
maddy.


0
Comment
Question by:madheeswar
32 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16255364
Of course, there are no errors in log.nsf??
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16255554
No Errors in Log.nsf...

But I do see some Access Denied msgs..
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 16256707
Have you rebooted the server at least once since disabling SSL ?
Are there any other cross certificates that may have expired ?

Were any Org Certificates changed ?

I hope this helps !


0
 
LVL 19

Author Comment

by:madheeswar
ID: 16256790
I have rebooted server and same problem...
I may need to check the Expiry dates of Cross Certificates
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16257658
What happened .....?

Any other idea?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16257948
Just a suggestion: try to create a new user, with a new certificate, and see if that user can get through. Otherwise, I wouldn't know. Finding a solution for this problem when one is at an even more remote location is virtually impossible. Sorry...
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16257986
I had hope ....

Now  .....gone ..
:(
0
 
LVL 63

Expert Comment

by:SysExpert
ID: 16258046
Have you checked the IBM support  knowledgebase yet?

0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16258073
Please don't cry, I can't stand that...
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16264728
If accessing through HTTP, then logs are written in domlog.nsf, if it's created; if not, create it. If it was working, and now is NOT working and you didn't make any passthrough changes or who-can-access-server changes, then check firewall, DNS and see what those folks did. Also, if the third server is off site, try hitting it through the internet first; you should get the login screen if you can hit it.

Then try hitting it using your local browser, try IP address, etc. If you can hit it from the internet, but not from a local client, then there are some TCP routing issues.

There is a Notesconnect  program in sandbox:
http://www-10.lotus.com/ldd/sandbox.nsf/ecc552f1ab6e46e4852568a90055c4cd/4a60b6779e52c19c8525679100832651?OpenDocument&Highlight=0,nconnect

That I've found useful for this.

But outwardly, you are not authorized... happening before login? After Login?
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16267042
Things have changed dramatically now....
We did a new Copy of the database in a New Folder. While creating a new copy, we did not copy the ACL.

Now it works fine ..... now we added Person Groups to the ACL with proper ACL rights (referred to Prod. db).
This database has Readers field ...

Only persons listed in that field are able to see the docs from web BEFORE...

Now, everyone can see and in the readers field, groups are listed correctly....

Any ideas?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16267232
After fiddling with the ACL, did you restart the HTML-task?
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16267242
And also, when the database is opened, a view will be displayed. This is an Embedded view.
Since the docs are using Group Names, previously it was working..... Now what could be the problem?

Anything to do with $Groups view in NAB?
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16267267
HTML task? What is it? is it not HTTP?
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16267304
It's still early here... The HTTP-task of course, sorry... :$
That task caches ACL-information, so you sometimes need to restart it. Or refresh the cached info.
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16267461
ok.. will try
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16268495
HTTP has been re-started... still same problem.
Any Ideas?
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16271934
Check the old ACL for ROLES; if ROLES exist and these are what is referenced in the READERS fields, then that might be the problem.

TOL Readers fields need full abbreviated name of user: jane/ou/u, or the role: "[ThisRole]" (same exact case), or the group, I would have to check on correct group usage for list in readers fields.. maybe other EE's know this?

So, you have to see what is listed in the readers fields, and compare that with whatever Domino is using as your websession name/session name, and this is just theoretical - would have to test before I can say with any validity what works on the web. :)
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16274819
> TOL Readers fields need full abbreviated name of user: jane/ou/u
Correct me if I'm wrong, but a Readers field should contain the canonicalized name
    CN=Jane/OU=ou/O=ACME

I would also assume that, if Roles were used in a Readers-field, someone without access AND without that role still wouldn't be able to see the document. But do check this anyway!
0
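An added example (not part of the thread, and not Domino code) of the check the comments above describe: it audits the values of a Readers field for abbreviated hierarchical names and for roles that do not match the ACL in exact case. The function names and sample values are hypothetical, and the conversion assumes names carry no country (C=) component.

```python
import re

ROLE_RE = re.compile(r"^\[[^\[\]]+\]$")
CANON_RE = re.compile(r"^CN=[^/]+(/OU=[^/]+)*/O=[^/]+(/C=[A-Za-z]{2})?$", re.I)

# Constructed sample: values of a Readers field and the roles defined in the ACL.
SAMPLE_READERS = ["CN=Jane/OU=ou/O=ACME", "Jane/ou/ACME", "[ThisRole]",
                  "[thisrole]", "Sales Team"]
SAMPLE_ACL_ROLES = {"[ThisRole]"}

def to_canonical(abbrev):
    """Expand Jane/ou/ACME to CN=Jane/OU=ou/O=ACME (assumes no C= component)."""
    parts = [p.strip() for p in abbrev.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"not a hierarchical name: {abbrev!r}")
    cn, *ous, org = parts
    return "/".join([f"CN={cn}", *(f"OU={ou}" for ou in ous), f"O={org}"])

def classify(entry):
    """Return role, canonical, abbreviated, flat (group or flat name) or malformed."""
    e = entry.strip()
    if ROLE_RE.match(e):
        return "role"
    if CANON_RE.match(e):
        return "canonical"
    if "=" in e:
        return "malformed"          # has component labels but is not CN=.../O=...
    if "/" in e:
        ok = all(p.strip() for p in e.split("/"))
        return "abbreviated" if ok else "malformed"
    return "flat"

def audit_readers(entries, acl_roles):
    """List (entry, problem) pairs for values that will not match as intended."""
    findings = []
    for entry in entries:
        kind = classify(entry)
        if kind == "abbreviated":
            findings.append((entry, "abbreviated name; store " + to_canonical(entry)))
        elif kind == "role" and entry.strip() not in acl_roles:
            findings.append((entry, "role not in this ACL (exact case)"))
        elif kind == "malformed":
            findings.append((entry, "not a valid name, role or group"))
    return findings

if __name__ == "__main__":
    for entry, problem in audit_readers(SAMPLE_READERS, SAMPLE_ACL_ROLES):
        print(f"{entry}: {problem}")
```

A copy made without the ACL, as described earlier in the thread, loses its roles, so every `[Role]` entry would be reported until the roles are recreated.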
 
LVL 18

Expert Comment

by:marilyng
ID: 16276001
You're right.. it's section editors that need the abbreviated name... duh.  thanks.
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16299943
The problem is ....
The folder where the database was residing is accessed only by some users.... don't know who did it.

And also, the groups are messed.

Now the problem shifted to Replicating........ Replication is not happening in two servers.... any reasons? error like Public key is not available kind of msg is coming in Server Console.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16303294
It seems to be messed up pretty badly. You might try to clear the Replication History and replicate manually (mainly the NAB). Otherwise, it won't hurt to restart the servers.
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16308570
I will give it a try.
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16308909
Sjef,
Original error msg in Domino Console:
1. "Error Connecting to the server ServerC: Server error : Your public key was not found in the name and address book"

2. "Unable to replicate with the server ServerC: Your public key was not found in the name and address book on remote server."

Any ideas where to check and how to solve this? Please respond urgently....

Thank you.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16309221
When did these errors occur? Server to server replication? Or you logging in?

This seems like you need to cross-certify (again). Or the ID that's used is not the ID generated by the server.
0
 
LVL 18

Accepted Solution

by:
marilyng earned 600 total points
ID: 16316545
Ah, yes, agreed. You need to cross-certify your public key with SERVER C's public key, and probably vice-versa. Check Administration help for step-by-step instructions. Usually it means you have to send a safe copy of the server ID to the other server and cross-certify it, then you need to down the server and import the safe copy.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16319266
The copy doesn't necessarily have to be a safe copy...
0
 
LVL 19

Author Comment

by:madheeswar
ID: 16319321
In Server C, there is no Public Key available in Server document.

The server which I am connecting to has a Public Key. Whenever I do replication manually or scheduled, the above said error comes in the log and it won't replicate. I cleared replication history .. and still same problem..
Cross Certification is needed when there are no Cross Certificates ..... Correct?
And Server C is in Another Domain... is that OK?
Server B is /ABC
Server C is /ABC Systems
Any ideas?
Thank you..
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16320140
See administrator help for grabbing the public key from the server ID and pasting it into the Server Document(?)  sjef- that right?
0
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 600 total points
ID: 16320200
To enable replication, servers need to be cross-certified. For manual replication, you have to be certified by both servers, i.e. certified in your real domain /ABC and cross-certified with the other domain /ABC Systems. Not cross-certified? Which means: no certificate issued by server C? Sorry, cannot pass.

Re-cross-certification won't hurt. If the previous Xref got lost, you'll just recreate it. If it still exists, it will be updated.
0
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 16320222
Paste a public key? I must say I never had to do that. If it's in the Admin Help, it'll probably be right...

By the way, the server's public key is only visible when the Server-form is in edit-mode.
0
 
LVL 18

Expert Comment

by:marilyng
ID: 16320264
ah, found it:  says to use adminp to do it.   which makes sense, otherwise you would have to grab the server id, and grab the public key using administrator.

Triggered by: The server recognizing that the Public Key field in the Server document is empty or out of date.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: The public key of the server ID is copied to the Public Key field of the Server document.
See also
Administration process requests
0


Question has a verified solution.
