Access Problem

Dear Experts,

Consider this as URGENT....
Version: 6.5.3
Server OS: Win 2K

Problem:
You are not authorized to perform this operation(Web)
You are not authorized (Notes)

Description:
This problem arose one week back for a production server. This is SSL enabled. The SSL certificate expired one week back and users can still access the site. All of a sudden, users are unable to access any of the databases from the web (generally they access DBs from the web). We are unable to figure out what caused this problem.

Architecture:
Server A and Server B are in one location.
Server C is in another location.
All 3 servers are replicating with each other and Server B is open for HTTP/HTTPS requests.
When Server B users access DBs in Notes/Web, there is no problem. The problem is with the other servers' users. It gives the above error.
When accessing from Notes, it prompted to create a Cross Certificate. But when I look in the NAB, Cross Certificates are available.
The DB is SSL enabled. Created a new copy from this DB, disabled SSL and tested. The same errors occur even without SSL.
Run Restricted LS agents are enabled for all. There is no Deny Access group.
Please let me know what the possibilities are and which places need to be checked. I am sitting in a remote place and may be able to implement suggestions by this evening or tomorrow morning. Please provide as many suggestions/solutions as possible.

thank you,
with rgds,
maddy.


madheeswarAsked:

Sjef BosmanGroupware ConsultantCommented:
Of course, there are no errors in log.nsf??
0
madheeswarAuthor Commented:
No Errors in Log.nsf...

But I do see some Access Denied msgs..
0
SysExpertCommented:
Have you rebooted the server at least once since disabling SSL ?
Are there any other cross certificates that may have expired ?

Were any Org Certificates changed ?

I hope this helps !


0
madheeswarAuthor Commented:
I have rebooted server and same problem...
I may need to check the Expiry dates of Cross Certificates
0
madheeswarAuthor Commented:
What happened .....?

Any other idea?
0
Sjef BosmanGroupware ConsultantCommented:
Just a suggestion: try to create a new user, with a new certificate, and see if that user can get through. Otherwise, I wouldn't know. Finding a solution for this problem when one is at an even more remote location is virtually impossible. Sorry...
0
madheeswarAuthor Commented:
I had hope ....

Now  .....gone ..
:(
0
SysExpertCommented:
Have you checked the IBM support  knowledgebase yet?

0
Sjef BosmanGroupware ConsultantCommented:
Please don't cry, I can't stand that...
0
marilyngCommented:
If accessing through HTTP, then logs are written in domlog.nsf, if it's created; if not, create it. If it was working, and now is NOT working and you didn't make any passthrough changes or who-can-access-server changes, then check firewall, DNS and see what those folks did. Also, if the third server is off site, try hitting it through the internet first; you should get the login screen if you can hit it.

Then try hitting it using your local browser, try the IP address, etc. If you can hit it from the internet, but not from a local client, then there are some TCP routing issues.

There is a Notesconnect  program in sandbox:
http://www-10.lotus.com/ldd/sandbox.nsf/ecc552f1ab6e46e4852568a90055c4cd/4a60b6779e52c19c8525679100832651?OpenDocument&Highlight=0,nconnect

That I've found useful for this.

But outwardly, you are not authorized... happening before login? After Login?
0
madheeswarAuthor Commented:
Things have changed dramatically now....
We did a new copy of the database in a new folder. While creating the new copy, we did not copy the ACL.

Now it works fine ..... now we added Person Groups to the ACL with proper ACL rights (referred to Prod. db).
This database has Readers field ...

Only persons listed in that field are able to see the docs from web BEFORE...

Now, everyone can see and in the readers field, groups are listed correctly....

Any ideas?
0
Sjef BosmanGroupware ConsultantCommented:
After fiddling with the ACL, did you restart the HTML-task?
0
madheeswarAuthor Commented:
And also, when the database is opened, a view will be displayed. This is an Embedded view.
Since the docs are using Group Names, previously it was working..... Now what could be the problem?

Anything to do with $Groups view in NAB?
0
madheeswarAuthor Commented:
HTML task? What is it? is it not HTTP?
0
Sjef BosmanGroupware ConsultantCommented:
It's still early here... The HTTP-task of course, sorry... :$
That task caches ACL-information, so you sometimes need to restart it. Or refresh the cached info.
0
madheeswarAuthor Commented:
ok.. will try
0
madheeswarAuthor Commented:
HTTP has been re-started... still same problem.
Any Ideas?
0
marilyngCommented:
check the old ACL for ROLES, if ROLES exist and these are what is referenced in the READERS fields, then that might be the problem.

TOL Readers fields need full abbreviated name of user: jane/ou/u, or the role: "[ThisRole]" (same exact case), or the group, I would have to check on correct group usage for list in readers fields.. maybe other EE's know this?

So, you have to see what is listed in the readers fields, and compare that with whatever Domino is using as your websession name/session name, and this is just theoretical - would have to test before I can say with any validity what works on the web. :)
0
Sjef BosmanGroupware ConsultantCommented:
> TOL Readers fields need full abbreviated name of user: jane/ou/u
Correct me if I'm wrong, but a Readers field should contain the canonicalized name
    CN=Jane/OU=ou/O=ACME

I would also assume that, if Roles were used in a Readers-field, someone without access AND without that role still wouldn't be able to see the document. But do check this anyway!
0
marilyngCommented:
You're right.. it's section editors that need the abbreviated name... duh.  thanks.
0
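The naming point settled in the two comments above, as an added example that is not part of the thread: a small Python audit that takes the text values exported from a Readers field and flags entries that are not in the canonical `CN=.../OU=.../O=...` form. The function names and the sample list are hypothetical, and the conversion assumes names without a country (`C=`) component.

```python
import re

# Labels that mark a component of a canonical hierarchical name.
_LABELLED = re.compile(r"^(CN|OU|O|C)=", re.IGNORECASE)

def classify(entry):
    """Return role, flat, canonical, abbreviated or mixed for one entry."""
    e = entry.strip()
    if e.startswith("[") and e.endswith("]"):
        return "role"            # e.g. [ThisRole]
    if "/" not in e:
        return "flat"            # group name or other non-hierarchical value
    parts = [p.strip() for p in e.split("/")]
    labelled = [bool(_LABELLED.match(p)) for p in parts]
    if all(labelled):
        return "canonical"
    if any(labelled):
        return "mixed"           # partly labelled: needs manual review
    return "abbreviated"

def to_canonical(abbrev):
    """Convert jane/ou/ACME to CN=jane/OU=ou/O=ACME.

    Assumption: first component is CN, last is O, the rest are OUs,
    and there is no country component.
    """
    parts = [p.strip() for p in abbrev.split("/")]
    if len(parts) < 2 or any(not p for p in parts):
        raise ValueError("not a hierarchical name: %r" % abbrev)
    labels = ["CN"] + ["OU"] * (len(parts) - 2) + ["O"]
    return "/".join("%s=%s" % (l, p) for l, p in zip(labels, parts))

def audit(entries):
    """List (entry, kind, suggested canonical form) for suspect entries."""
    findings = []
    for entry in entries:
        kind = classify(entry)
        if kind == "abbreviated":
            findings.append((entry, kind, to_canonical(entry)))
        elif kind == "mixed":
            findings.append((entry, kind, None))
    return findings

# Constructed sample values, not taken from the database in this thread.
SAMPLE = ["CN=Jane/OU=ou/O=ACME", "jane/ou/ACME", "[ThisRole]",
          "Web Users", "CN=Bob/Sales/ACME"]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```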
madheeswarAuthor Commented:
The problem is ....
The folder where the database was residing is accessed only by some users.... don't know who did it.

And also, the groups are messed.

Now the problem shifted to Replicating........ Replication is not happening in two servers.... any reasons? error like Public key is not available kind of msg is coming in Server Console.
0
Sjef BosmanGroupware ConsultantCommented:
It seems to be messed up pretty badly. You might try to clear the Replication History and replicate manually (mainly the NAB). Otherwise, it won't hurt to restart the servers.
0
madheeswarAuthor Commented:
I will give it a try.
0
madheeswarAuthor Commented:
Sjef,
Original error msg in Domino Console:
1. "Error Connecting to the server ServerC: Server error : Your public key was not found in the name and address book"

2. "Unable to replicate with the server ServerC: Your public key was not found in the name and address book on remote server."

Any ideas where to check and how to solve this? Please respond urgently....

Thank you.
0
Sjef BosmanGroupware ConsultantCommented:
When did these errors occur? Server to server replication? Or you logging in?

This seems like you need to cross-certify (again). Or the ID that's used is not the ID generated by the server.
0
marilyngCommented:
Ah, yes, agreed. You need to cross-certify your public key with SERVER C's public key, and probably vice-versa. Check Administration help for step-by-step instructions. Usually it means you have to send a safe copy of the server ID to the other server and cross-certify it, then you need to down the server and import the safe copy.
0
Sjef BosmanGroupware ConsultantCommented:
The copy doesn't necessarily have to be a safe copy...
0
madheeswarAuthor Commented:
In Server C, there is no Public Key available in Server document.

The server which I am connecting to has a Public Key. Whenever I do replication manually or scheduled, the above said error comes in the log and it won't replicate. I cleared the replication history .. and still the same problem..
Cross Certification is needed when there are no Cross Certificates ..... Correct?
And Server C is in Another Domain... is that OK?
Server B is /ABC
Server C is /ABC Systems
Any ideas?
Thank you..
0
marilyngCommented:
See administrator help for grabbing the public key from the server ID and pasting it into the Server Document(?)  sjef- that right?
0
Sjef BosmanGroupware ConsultantCommented:
To enable replication, servers need to be cross-certified. For manual replication, you have to be certified by both servers, i.e. certified in your real domain /ABC and cross-certified with the other domain /ABC Systems. Not cross-certified? Which means: no certificate issued by server C? Sorry, cannot pass.

Re-cross-certification won't hurt. If the previous Xref got lost, you'll just recreate it. If it still exists, it will be updated.
0
Sjef BosmanGroupware ConsultantCommented:
Paste a public key? I must say I never had to do that. If it's in the Admin Help, it'll probably be right...

By the way, the server's public key is only visible when the Server-form is in edit-mode.
0
marilyngCommented:
ah, found it:  says to use adminp to do it.   which makes sense, otherwise you would have to grab the server id, and grab the public key using administrator.

Triggered by: The server recognizing that the Public Key field in the Server document is empty or out of date.
Carried out on: The administration server for the Domino Directory.
Carried out: According to the "Interval" setting in the Administration Process section of the Server document.
Result: The public key of the server ID is copied to the Public Key field of the Server document.
See also
Administration process requests
0