madheeswar

Access Problem

Dear Experts,

Consider this as URGENT....
Version: 6.5.3
Server OS: Win 2K

Problem:
You are not authorized to perform this operation(Web)
You are not authorized (Notes)

Description:
This problem arose one week back for a production server. This is SSL enabled. The SSL certificate expired one week back and still users can access the site. All of a sudden, users are unable to access any of the databases from the web (generally they access db's from the web). We are unable to figure out what caused this problem.

Architecture:
Server A and Server B are in one location.
Server C is in another location.
All 3 servers are replicating with each other and Server B is open for HTTP/HTTPS requests.
When Server B users access db's in Notes/Web, there is no problem. The problem is with the other servers' users. It gives the above error.
When accessing from Notes, it prompted to create a Cross Certificate. But when I look at the NAB, Cross Certificates are available.
The db is SSL enabled. Created a new copy of this db, disabled SSL and tested. The same errors occur even without SSL.
Run Restricted LS agents are enabled for all. There is no Deny Access group.
Please let me know what the possibilities are and which places need to be checked. I am sitting in a remote place and may be able to implement suggestions by this evening or tomorrow morning. Please provide as many suggestions/solutions as possible.

thank you,
with rgds,
maddy.


Sjef Bosman

Of course, there are no errors in log.nsf??

ASKER

No Errors in Log.nsf...

But I do see some Access Denied msgs..
Have you rebooted the server at least once since disabling SSL ?
Are there any other cross certificates that may have expired ?

Were any Org Certificates changed ?

I hope this helps !


I have rebooted server and same problem...
I may need to check the Expiry dates of Cross Certificates
What happened .....?

Any other idea?
Just a suggestion: try to create a new user, with a new certificate, and see if that user can get through. Otherwise, I wouldn't know. Finding a solution for this problem when one is at an even more remote location is virtually impossible. Sorry...
I had hope ....

Now  .....gone ..
:(
Have you checked the IBM support  knowledgebase yet?

Please don't cry, I can't stand that...
marilyng

If accessing through HTTP, then logs are written in domlog.nsf, if it's created; if not, create it. If it was working, and now is NOT working and you didn't make any passthrough changes or "who can access server" changes, then check firewall, DNS and see what those folks did. Also, if the third server is off site, try hitting it through the internet first; you should get the login screen if you can hit it.

Then try hitting it using your local browser, try the IP address, etc. If you can hit it from the internet, but not from a local client, then there are some TCP routing issues.

There is a Notesconnect  program in sandbox:
http://www-10.lotus.com/ldd/sandbox.nsf/ecc552f1ab6e46e4852568a90055c4cd/4a60b6779e52c19c8525679100832651?OpenDocument&Highlight=0,nconnect

That I've found useful for this.

But outwardly, you are not authorized... happening before login? After Login?
Things have changed dramatically now....
We made a new copy of the database in a new folder. While creating the new copy, we did not copy the ACL.

Now it works fine ..... now we added Person Groups to the ACL with proper ACL rights (referred to the Prod. db).
This database has Readers field ...

Only persons listed in that field are able to see the docs from web BEFORE...

Now, everyone can see and in the readers field, groups are listed correctly....

Any ideas?
After fiddling with the ACL, did you restart the HTML-task?
And also, when the database is opened, a view will be displayed. This is an Embedded view.
Since the docs are using Group Names, previously it was working..... Now what could be the problem?

Anything to do with $Groups view in NAB?
HTML task? What is it? is it not HTTP?
It's still early here... The HTTP-task of course, sorry... :$
That task caches ACL-information, so you sometimes need to restart it. Or refresh the cached info.
ok.. will try
HTTP has been re-started... still same problem.
Any Ideas?
Check the old ACL for ROLES; if ROLES exist and these are what is referenced in the READERS fields, then that might be the problem.

TOL Readers fields need full abbreviated name of user: jane/ou/u, or the role: "[ThisRole]" (same exact case), or the group, I would have to check on correct group usage for list in readers fields.. maybe other EE's know this?

So, you have to see what is listed in the readers fields, and compare that with whatever Domino is using as your websession name/session name, and this is just theoretical - would have to test before I can say with any validity what works on the web. :)
> TOL Readers fields need full abbreviated name of user: jane/ou/u
Correct me if I'm wrong, but a Readers field should contain the canonicalized name
    CN=Jane/OU=ou/O=ACME

I would also assume that, if Roles were used in a Readers-field, someone without access AND without that role still wouldn't be able to see the document. But do check this anyway!
You're right.. it's section editors that need the abbreviated name... duh.  thanks.
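The name-format point raised in the comments above, as an added example that is not part of the thread: a Python audit of Readers-field entries that separates roles, canonical names, abbreviated names and flat (group) names, and suggests the canonical form for abbreviated ones. The sample entries are constructed, and the conversion assumes names carry no country (C=) component.

```python
import re

# Canonical hierarchical name as quoted in the thread: CN=Jane/OU=ou/O=ACME
_CANONICAL = re.compile(
    r"^CN=[^/=]+(/OU=[^/=]+){0,4}/O=[^/=]+(/C=[A-Za-z]{2})?$", re.I)
_ROLE = re.compile(r"^\[[^\[\]]+\]$")          # e.g. [ThisRole]

def classify(entry):
    """Return role, canonical, malformed, abbreviated or flat for one entry."""
    entry = entry.strip()
    if _ROLE.match(entry):
        return "role"
    if _CANONICAL.match(entry):
        return "canonical"
    if "=" in entry:
        return "malformed"                     # labels present but incomplete
    if "/" in entry:
        return "abbreviated"
    return "flat"                              # group name or flat user name

def canonicalize(abbrev):
    """Jane/ou/ACME -> CN=Jane/OU=ou/O=ACME (assumption: no C= component)."""
    parts = [p.strip() for p in abbrev.split("/")]
    if len(parts) < 2 or not all(parts):
        raise ValueError("not a hierarchical name: %r" % abbrev)
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join("%s=%s" % (l, p) for l, p in zip(labels, parts))

def audit_readers(entries):
    """Return (entry, kind, suggested_canonical_or_None) per Readers entry."""
    report = []
    for raw in entries:
        entry = raw.strip()
        kind = classify(entry)
        fix = canonicalize(entry) if kind == "abbreviated" else None
        report.append((entry, kind, fix))
    return report

# Constructed sample values, as they might be exported from a Readers field.
SAMPLE = ["Jane/ou/ACME", "CN=Jane/OU=ou/O=ACME", "[ThisRole]",
          "Web Users", "CN=Jane/ou/ACME"]

if __name__ == "__main__":
    for entry, kind, fix in audit_readers(SAMPLE):
        print("%-24s %-12s %s" % (entry, kind, fix or ""))
```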
The problem is ....
The folder where the database was residing is accessed only by some users.... don't know who did it.

And also, the groups are messed.

Now the problem has shifted to replication........ Replication is not happening on two servers.... any reasons? An error like "Public key is not available" kind of msg is coming in the Server Console.
It seems to be messed up pretty badly. You might try to clear the Replication History and replicate manually (mainly the NAB). Otherwise, it won't hurt to restart the servers.
I will give it a try.
Sjef,
Original error msg in Domino Console:
1. "Error Connecting to the server ServerC: Server error : Your public key was not found in the name and address book"

2. "Unable to replicate with the server ServerC: Your public key was not found in the name and address book on remote server."

Any ideas where to check and how to solve this? Please respond urgently....

Thank you.
When did these errors occur? Server to server replication? Or you logging in?

This seems like you need to cross-certify (again). Or the ID that's used is not the ID generated by the server.
ASKER CERTIFIED SOLUTION
marilyng

This solution is only available to members.
The copy doesn't necessarily have to be a safe copy...
In Server C, there is no Public Key available in Server document.

The server which I am connecting from has a Public Key. Whenever I do replication manually or scheduled, the above said error comes in the log and it won't replicate. I cleared the replication history .. and still the same problem..
Cross Certification is needed when there are no Cross Certificates ..... Correct?
And Server C is in Another Domain... is that OK?
Server B is /ABC
Server C is /ABC Systems
Any ideas?
Thank you..
See administrator help for grabbing the public key from the server ID and pasting it into the Server Document(?)  sjef- that right?
SOLUTION
This solution is only available to members.
Paste a public key? I must say I never had to do that. If it's in the Admin Help, it'll probably be right...

By the way, the server's public key is only visible when the Server-form is in edit-mode.
Ah, found it: it says to use adminp to do it, which makes sense; otherwise you would have to grab the server ID, and grab the public key using Administrator.

Triggered by: The server recognizing that the Public Key field in the Server document is empty or out of date.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: The public key of the server ID is copied to the Public Key field of the Server document.
See also
Administration process requests