Solved

Users with expired certificates in Domino Directory

Posted on 2011-03-01
Last Modified: 2013-12-18
Hi,

In Lotus Notes, when I go to the NAB, People -> Certificate Expiration view, I see users with Expired certificates. But what I don't understand is that those people are connected to Sametime! Please refer to the image attached.

I thought that when the certificate is expired then the user cannot connect to the server.

Can somebody shed some light on this?

Thanks!
certificate-expiration-view.png
16 Comments
 
LVL 6

Expert Comment

by:bluemeln
ID: 35012522
Do the Sametime users also have newer certificates listed under "Expires in the next 90 days" or "Expires in the next 120 days" or under "Expires after more than 120 days?"
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 35015243
Maybe the certificates were updated on the users' ID files (not through the Person document in the address book) using another server, one which does not replicate Certlog.nsf, so the change wouldn't be reflected in that view on your server.

When you certify user ID file, you need to supply a certifier ID by first selecting the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors.
That is the server on which CERTLOG.NSF is updated.

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_MANAGING_CERTIFIER_IDS_7302_MIDTOPIC_293171126429240767.html
0
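The explanation above boils down to two records that can disagree: the certificate the server actually accepts (the one in the user's ID file) and the certificate expiry recorded in the Person document, which is what the Certificate Expiration view categorises. The following is an added example, not code from the thread or from IBM, that reproduces that diagnosis offline: it buckets a small constructed export of Person-document expiry dates using the category names quoted in this thread (the day boundaries and the disjointness of the buckets are assumptions, not documented Domino behaviour), cross-checks "Expired" entries against constructed Sametime login records to separate stale directory entries from genuinely expired users, and flags decade-long certificate lifetimes. The directory export shape, the login-record shape and the `/ACME` names are all assumed.

```python
from datetime import date, datetime

# Added example, not from the thread or from IBM/HCL. Nothing here talks to a
# Domino server; the export shape, log shape and names are assumptions.

TODAY = date(2011, 3, 1)  # the date of the original question

# Constructed: certificate expiry dates as recorded in the Person documents.
DIRECTORY = {
    "Alice Adams/ACME": date(2010, 11, 30),  # shows under "Expired"
    "Bob Brown/ACME":   date(2011, 4, 15),   # expires within 90 days of TODAY
    "Carol Chen/ACME":  date(2060, 1, 1),    # registered with a ~50-year lifetime
    "Dan Diaz/ACME":    date(2010, 6, 1),    # expired, and not seen since
}

# Constructed: Sametime/Domino authentication records (user, login time).
RECENT_LOGINS = [
    ("Alice Adams/ACME", datetime(2011, 2, 28, 9, 12)),
    ("Bob Brown/ACME",   datetime(2011, 2, 28, 10, 3)),
    ("Carol Chen/ACME",  datetime(2011, 3, 1, 8, 45)),
]


def expiry_bucket(expires, today=TODAY):
    """Category a Person document would fall into in the Certificate Expiration
    view. Category names are those quoted in the thread; the day boundaries and
    the disjoint buckets are assumptions, not documented Domino behaviour."""
    days = (expires - today).days
    if days < 0:
        return "Expired"
    if days <= 90:
        return "Expires in the next 90 days"
    if days <= 120:
        return "Expires in the next 120 days"
    return "Expires after more than 120 days"


def stale_directory_entries(directory, logins, today=TODAY):
    """Return (user, reason) for every 'Expired' entry. A user who authenticated
    after the recorded expiry was accepted with a newer certificate than the one
    in the NAB: the ID file was recertified and the Person document was not
    updated (for example, the recertification ran against a server that does
    not replicate CERTLOG.NSF). An expired user with no login is the real case."""
    last_seen = {}
    for user, when in logins:
        if user not in last_seen or when > last_seen[user]:
            last_seen[user] = when
    findings = []
    for user, expires in sorted(directory.items()):
        if expiry_bucket(expires, today) != "Expired":
            continue
        seen = last_seen.get(user)
        if seen is not None and seen.date() > expires:
            findings.append((user, "recertified; update Person document"))
        else:
            findings.append((user, "expired and inactive; recertify or deny access"))
    return findings


def long_lived_certificates(directory, today=TODAY, max_years=2):
    """Entries whose certificate outlives a policy maximum. A lost or compromised
    ID file stays usable until its certificate expires, so a lifetime of decades
    removes the one expiry-based backstop."""
    limit = today.replace(year=today.year + max_years)
    return sorted(user for user, expires in directory.items() if expires > limit)


if __name__ == "__main__":
    for user, expires in DIRECTORY.items():
        print(f"{user:20} {expires}  {expiry_bucket(expires)}")
    for user, reason in stale_directory_entries(DIRECTORY, RECENT_LOGINS):
        print("stale:", user, "-", reason)
    print("long-lived:", long_lived_certificates(DIRECTORY))
```

Run against a real export, the first list is the one to act on: a user flagged "recertified; update Person document" is exactly the case in this thread, and the fix is on the directory side, not the ID file. Authentication is decided by the certificate the client presents, so the view alone cannot tell you who can still connect.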
 
LVL 15

Expert Comment

by:akhafaf
ID: 35017850
Hi there ralmada,

Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.
Secondly, may I suggest that you take the time to contact one or two of these users with the "Expired Certificates" and check what is really going on in their Lotus Notes client and Lotus Sametime client.
Finally, I am attaching a procedure of how Sametime can be connected, to give you more information about it (it is from the Sametime information center):
http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/welcome_851.html

procedure.txt
Image.JPG
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 35018088
> Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.

That's because some "phenomenal" Domino admin registered users with an expiration date somewhere in the year 2100.
0
 
LVL 41

Author Comment

by:ralmada
ID: 35018248
Thanks guys for the fast responses.

@bluemeln, unfortunately not. They only show in the expired section.

I will read the other comments and get back to you shortly.
0
 
LVL 41

Author Comment

by:ralmada
ID: 35018518
@mbonaci,

Thanks for your comment. So basically what you're saying is that the users' certificates aren't expired, but the new recertification is not reflected in the NAB?

Also regarding your last comment, in my company certificates are set to expire in 50 years or so. Do you see this as a bad practice?
0
 
LVL 22

Accepted Solution

by:mbonaci (earned 500 total points)
ID: 35025459
If the circumstances are as I described, yes, it's possible.

What would you do if an admin's ID file becomes compromised/lost/its password revealed to users?
Since you cannot simply change the password (the password is inside the ID file), you'd have to (if you're lucky enough to find out about it) place that user in a Deny Access group and register him again with a different name.

On the other hand, if your ID expiration dates are one or two years, the lost ID file would soon cease to function.
0
 
LVL 10

Expert Comment

by:larsberntrop
ID: 35025549
Note that simply putting him in a Deny Access group will often be just a beginning. If the admin ID in question has been used to enable agents or used to sign any code (very likely), all these signatures need to be found and it has to be re-signed with the new ID to prevent problems.

Please read the admin documentation! Also, a fine strategy is to prepare yourself for certification (Certfx has excellent products, and is not expensive, especially if you take advantage of the volume deals). How I use it: even if you do not intend to take the exam, proper preparation will show you what knowledge you currently miss. Using the exam software you can prove you have an all-round understanding, and you get pointers into which subjects you need to study more. This saves you from studying the admin manual about stuff you already know.
0
 
LVL 41

Author Closing Comment

by:ralmada
ID: 35026848
Thanks
0
 
LVL 6

Expert Comment

by:bluemeln
ID: 35026966
I do not understand how the accepted solution explains that the users showing under expired certificates are live on the system. The solution only addresses the best practice of short certification times.
0
 
LVL 10

Expert Comment

by:larsberntrop
ID: 35027374
Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027482
Although it would be better that the first post was accepted, I don't completely agree with the two of you. I mean, it's not that big of a deal.

Ralmada wanted the final confirmation that he understood the problem, so in the accepted post, I say "If the circumstances are as I described, yes, it's possible."

Because of that comment, if someone searches for a solution to the same problem and finds this accepted post, he would normally look above to see what circumstances I'm talking about.
0
 
LVL 6

Expert Comment

by:bluemeln
ID: 35027611
A good solution is self-contained, self-explanatory and complete. It should not require inference or additional research, because many threads on this site contain false leads, which is why there is the Accepted Solution. When a solution refers to a previous post, it should briefly restate the content of that post. It's good form.

If I was new to this discussion, I would have to read through the entire thread to figure out which explanation made the most sense. In addition, the solution is not really a solution but a probable explanation, which makes it harder to identify.

I am not disputing the assigned points, but for this support system to work, we need to stick to form.
0
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027891
I have to agree with this, it sure would've been better if the initial explanation was accepted.
0
 
LVL 41

Author Comment

by:ralmada
ID: 35028341
Thank you all for your time in trying to solve this issue. I really appreciate it.

@larsberntrop >>quite right. the answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifiers ignorance of Domino Administration.<<

That's indeed what has happened, and that's what mbonaci indicated by agreeing with my last comment http:#a35018518. Probably I should have accepted my own comment as the answer and given him an assist, but that still doesn't change the fact that he was the only one who led me to the solution.
I hope this clarifies the reason for my accepting his comment.

Have a good day.

0
 
LVL 22

Expert Comment

by:mbonaci
ID: 35028371
Their point was that you should've accepted my first comment (35015243), with the detailed explanation of what happened, not yours, in which you ask for the confirmation.
0