
Domino Cross-Certifications

I have recently installed BES on a second Domino Messaging Server box, which I need to cross-certify with the production Domino Enterprise server.

My problem is, the certifier password for the production server is unknown, therefore I can only cross-certify in one direction.  Unfortunately it does not appear to be the direction which is required:
"07/30/2007 12:51:56 PM  <BES Domino Server> from host [IP Address:4333] failed to authenticate: The server's Domino Directory does not contain any cross certificates capable of authenticating you."

I've been running a password utility against the original certifier, but I'm not too hopeful (it's already been running for 19 hours).

Is there some method in which I can perform cross-certification without this password (e.g. with other utilities, Console commands, etc.)?

Thank you
Asked by TTCTECH
1 Solution
SysExpert commented:
You should be cross certifying via the Admin client, and usually the password on a Notes server is blank.

If you need to certify against the entire Domain or organization, then you should know the Certifier password for the Domain or organization.

Someone should have it; otherwise, how are they creating new users?

I hope this helps !
TTCTECH (Author) commented:
User registration is not an issue.

I don't recall if it is considered the Domain or Organization portion which is unknown (e.g. server XXXX/YYYY) where the "YYYY" is the unknown certifier password.

I thought I could get past this by creating WWWW/ZZZZ, but cross-certifying ZZZZ to YYYY still requires YYYY's password.
SysExpert commented:
1) Why don't you put the BES server as part of the Domino Domain? That way no cross certification is needed.

2) You could cross certify at the server level, rather than the Domain or Org Level.

I hope this helps !
TTCTECH (Author) commented:
Both servers are currently in the same Notes Domain.

The production server can see the BES Domino server, but is not allowing it authentication.
SysExpert commented:
1) If they are in the same domain then no cross certification is needed.

2) Did you follow all the install instructions for the BES server, including setting up the besadmin account and giving it the correct access on the Domino mail server?

The BES install guide is quite good if you read it thoroughly.

I hope this helps !

qwaletee commented:
SysExpert,

This is not so if you have two different root (O) certificates in use in your domain. The two O's would need to cross-cert.

TTCTECH, there is a way around this problem. It is a bit of a trick. Here's what you do.

1) Obtain both server IDs (BES and mail server) and place them on your workstation.
2) Switch to the BES ID on your workstation.
3) File -> Database -> Open
4) Choose the mail server's server name and click OPEN.
5) ****Notes should prompt you to create a cross certificate between "your ID" (the BES ID) and the mail server, giving you a choice of O, OU, or ID-level cross cert. The cross cert created will always be from the BES's ID (not the BES's certifier), to whichever level of the server's side you want (O, OU, or just the server itself). May as well make it to the O level.
6) Switch IDs to the mail server ID, and repeat, but with the BES server in step 4.

Now your local names.nsf on your workstation contains the cross-certs you need. Just dump them in your Domino Directory.

In step 5, if you do not get prompted, then you may already have a local cross cert that is suitable.
TTCTECH (Author) commented:
Qwaletee,

I believe your method is going down the right path...

I got to step 5, and received the error:
"Server error: The server's Domino Directory does not contain any cross certificates capable of authenticating you"

Once again it seems to be difficult to certify using any non-direct route.

Thanks
TTCTECH (Author) commented:
Do I maybe require a Connection Document between the two Domino servers?

Thanks
qwaletee commented:
Oh yes, forgot one thing. You need to temporarily enable Anonymous access to each server. This may require a restart of Domino on the affected server to turn it on or off. Once you do that, the server will no longer reject the connection request, and the client will be the one that has to make a decision whether to allow connection to an "uncertified" server, at which point it will prompt you for certificate creation.
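Added example, not code from the thread: a LotusScript agent that issues the same ID-to-ID cross certificates qwaletee describes, but through the NotesRegistration class instead of the client's open-database prompt, so the unknown YYYY certifier password is never needed. The server names, ID file paths and blank server-ID password are constructed, and it is an assumption that CrossCertify accepts a server ID as the issuing ID (the Admin client does, so the same registration call is expected to); each cross certificate is written to the Domino Directory of the server named as RegistrationServer.

```lotusscript
' Added example: issue an ID-level cross certificate from one server ID
' to another, in both directions, without any organization certifier.
' All names and paths below are constructed placeholders.

Sub IssueCrossCert(regServer As String, issuerID As String, targetID As String)
    Dim reg As New NotesRegistration

    ' Server whose Domino Directory (names.nsf) receives the cross certificate.
    reg.RegistrationServer = regServer
    ' The issuing ID is a server ID, not the O-level certifier (assumption:
    ' CrossCertify accepts a server ID here, as the Admin client does).
    reg.CertifierIDFile = issuerID
    ' Cross certificates require an expiration date; ten years from today.
    reg.Expiration = DateNumber(Year(Today) + 10, Month(Today), Day(Today))

    ' Second argument is the issuing ID's password; server IDs are usually blank.
    If reg.CrossCertify(targetID, "", "Issued by " & issuerID) Then
        Print "Cross certificate from " & issuerID & " stored on " & regServer
    Else
        Print "Cross certification of " & targetID & " failed: " & Error$
    End If
End Sub

Sub Initialize
    ' BES server ID vouches for the mail server, stored on the BES server.
    Call IssueCrossCert("BESSRV/ZZZZ", "C:\ids\bes-server.id", "C:\ids\mail-server.id")
    ' Mail server ID vouches for the BES server, stored on the mail server.
    Call IssueCrossCert("MAILSRV/YYYY", "C:\ids\mail-server.id", "C:\ids\bes-server.id")
End Sub
```

Run it from a workstation that holds both ID files and has Manager access to each server's Domino Directory; after the run, check the Certificates view of both directories for the two new cross certificates.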