Domino Cross-Certifications

I have recently installed BES on a second, Domino Messaging Server box, which I need to cross-certify with the production Domino Enterprise server.

My problem is, the certifier password for the production server is unknown, therefore I can only cross-certify in one direction.  Unfortunately it does not appear to be the direction which is required:
"07/30/2007 12:51:56 PM  <BES Domino Server> from host [IP Address:4333] failed to authenticate: The server's Domino Directory does not contain any cross certificates capable of authenticating you."

I've been running a password utility against the original certifier, but I'm not too hopeful (it's already been running for 19 hours).

Is there some method in which I can perform cross-certification without this password (e.g. with other utilities, Console commands, etc.)?

Thank you
TTCTECHAsked:
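An added example (not part of the thread, and not IBM/Domino code): a small Python triage helper that parses the "failed to authenticate" console line quoted above, so the trust failures between two servers can be counted and separated from other authentication errors. The line shape follows the message in the question; the server names, the documentation-range IPs and the second failure reason are constructed. The name before "from host" is treated as the peer that attempted the connection, which in the thread is the BES Domino server being rejected by the production server.

```python
"""Triage Domino server-console authentication failures (added example).

The regular expression follows the console line quoted in the question:
  07/30/2007 12:51:56 PM  <peer> from host [IP:port] failed to authenticate: <reason>
Server names, IP addresses and the non-cross-cert reason below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Optional surrounding quotes are tolerated because the line in the thread was pasted quoted.
LINE_RE = re.compile(
    r'^"?(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<peer>.+?) from host \[(?P<host>[^\]:]+):(?P<port>\d+)\] '
    r'failed to authenticate: (?P<reason>.+?)"?$'
)

# Substring of the reason text quoted in the question that marks a missing cross certificate.
CROSS_CERT_MARKER = "does not contain any cross certificates"

SAMPLE_LOG = [
    # Same wording as the line in the question; peer name and IP are constructed.
    "07/30/2007 12:51:56 PM  BESDOM/ACME from host [192.0.2.10:4333] failed to authenticate: "
    "The server's Domino Directory does not contain any cross certificates capable of authenticating you.",
    "07/30/2007 12:52:10 PM  BESDOM/ACME from host [192.0.2.10:4333] failed to authenticate: "
    "The server's Domino Directory does not contain any cross certificates capable of authenticating you.",
    # Constructed: a failure for some other reason, to show it is classified separately.
    "07/30/2007 12:55:00 PM  LAPTOP1/ACME from host [192.0.2.55:1040] failed to authenticate: "
    "constructed non-cross-cert reason",
    # Constructed: an unrelated console line that the parser must ignore.
    "07/30/2007 12:56:00 PM  Router: constructed unrelated console message",
]


@dataclass
class AuthFailure:
    timestamp: str
    peer: str          # the Notes name that tried to connect (BES server in the thread)
    host: str          # source IP as logged by the rejecting server
    port: int
    reason: str
    cross_cert_problem: bool  # True when the rejecting server lacks a usable cross cert


def parse_line(line: str) -> Optional[AuthFailure]:
    """Return an AuthFailure for a 'failed to authenticate' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    return AuthFailure(
        timestamp=m.group("ts"),
        peer=m.group("peer"),
        host=m.group("host"),
        port=int(m.group("port")),
        reason=reason,
        cross_cert_problem=CROSS_CERT_MARKER in reason,
    )


def parse_log(lines: Iterable[str]) -> List[AuthFailure]:
    """Parse every authentication-failure line, skipping everything else."""
    return [f for f in map(parse_line, lines) if f is not None]


def cross_cert_failures_by_peer(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count cross-certificate failures per (peer name, source IP).

    A repeating entry for one peer tells you which server's Domino Directory
    is missing the cross certificate: the one that wrote this log line.
    """
    counts: Counter = Counter()
    for f in parse_log(lines):
        if f.cross_cert_problem:
            counts[(f.peer, f.host)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (peer, host), n in cross_cert_failures_by_peer(SAMPLE_LOG).items():
        print(f"{n} cross-cert rejections for {peer} from {host}")
```

Run it against a saved console log (one line per entry) in place of SAMPLE_LOG; the peer/host pairs with the cross-cert marker are the trust relationships that still need a cross certificate on the rejecting server, while failures with other reasons are left for separate investigation.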
qwaleteeCommented:
SysExpert,

This is not so if you have two different root (O) certificates in use in your domain.  The two O's would need to cross-cert.

TTCTECH, there is a way around this problem.  It is a bit of a trick.  Here's what you do.

1) Obtain both server IDs (BES and mail server) and place on your workstation.
2) Switch to the BES ID on your workstation
3) File -> Database -> Open
4) Choose the mail server's name and click OPEN
5) ****Notes should prompt you to create a cross certificate between "your ID" (the BES ID) and the mail server, giving you a choice of O, OU, or ID-level cross cert.  The cross cert created will always be from the BES's ID (not the BES's certifier), to whichever level of the server's side you want (O, OU, or just the server itself).  May as well make it to the O level
6) Switch IDs to the mail server ID, and repeat, but with the BES server in step 4

Now your local names.nsf on your workstation contains the cross-certs you need.  Just dump them in your Domino Directory.

In step 5, if you do not get prompted, then you may already have a local cross cert that is suitable.
SysExpertCommented:
You should be cross certifying via the Admin client, and usually the password on a Notes server is blank.

If you need to certify against the entire Domain or organization, then you should know the Certifier password for the Domain or organization.

Someone should have it, else how are they creating new users ?

I hope this helps !
TTCTECHAuthor Commented:
User registration is not an issue.

I don't recall if it is considered the Domain or Organization portion which is unknown (e.g. server XXXX/YYYY) where the "YYYY" is the unknown certifier password.

I thought I could get past this by creating WWWW/ZZZZ, but cross-certifying ZZZZ to YYYY still requires YYYY's password.
SysExpertCommented:
1) Why don't you put the BES server as part of the Domino Domain, that way no cross certification is needed.

2) You could cross certify at the server level, rather than the Domain or Org Level.

I hope this helps !
TTCTECHAuthor Commented:
Both servers are currently in the same Notes Domain.

The production server can see the BES Domino server, but is not allowing it authentication.
SysExpertCommented:
1) If they are in the same domain then no cross certification is needed.

2) Did you follow all the Install instructions for the BES server including setting up the besadmin account and giving it the correct access on the Domino mail Server ?

The BES install guide is quite good if you read it thoroughly.

I hope this helps !

TTCTECHAuthor Commented:
Qwaletee,

I believe your method is going down the right path...

I got to step 5, and received the error:
"Server error: The server's Domino Directory does not contain any cross certificates capable of authenticating you"

Once again it seems to be difficult to certify using any non-direct route.

Thanks
TTCTECHAuthor Commented:
Do I maybe require a Connection Document between the two Domino servers?

Thanks
qwaleteeCommented:
Oh yes, forgot one thing.  You need to temporarily enable Anonymous access to each server.  May require a restart of Domino on the affected server to turn this on or off. Once you do that, the server will no longer reject the connection request, and the client will be the one that has to make a decision whether to allow connection to an "uncertified" server, at which point, it will prompt you for certificate creation.