Solved

Users with expired certificates in Domino Directory

Posted on 2011-03-01
1,455 Views
Last Modified: 2013-12-18
Hi,

In Lotus Notes, when I go to the NAB, People -> Certificate Expiration view, I see users with Expired certificates. But what I don't understand is that those people are connected to Sametime! Please refer to the image attached.

I thought that when the certificate is expired then the user cannot connect to the server.

Can somebody shed some light on this?

Thanks!
certificate-expiration-view.png
Question by:ralmada
16 Comments
 
LVL 6

Expert Comment

by:bluemeln
ID: 35012522
Do the Sametime users also have newer certificates listed under "Expires in the next 90 days" or "Expires in the next 120 days" or under "Expires after more than 120 days?"
LVL 22

Expert Comment

by:mbonaci
ID: 35015243
Maybe the certificates were updated on users' ID files (not through Person document in address book) using another server, which does not replicate Certlog.nsf, which then wouldn't be reflected in that view on your server.

When you certify user ID file, you need to supply a certifier ID by first selecting the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors.
That is the server on which CERTLOG.NSF is updated.

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_MANAGING_CERTIFIER_IDS_7302_MIDTOPIC_293171126429240767.html
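To make the distinction in the comment above concrete: the "Certificate Expiration" view in names.nsf is evaluated against the certificate stored in each Person document, not against the certificate inside the user's ID file. The following is an added illustration, not from the thread or from IBM's template: a hypothetical view column formula in Notes formula language that assumes a view over Person documents whose certificate item is named "Certificate" (the item name used by the Person form).

```formula
REM {Added example, not from the original thread: column formula for a view over Person documents};
REM {Assumes the Person document's certificate item is named "Certificate"};
REM {@Certificate reads the certificate recorded in the Person document, never the user's ID file};
expires := @Certificate([Expiration]; Certificate);
@If(
    expires < @Today;
    "EXPIRED in Person document (ID file may hold a newer certificate)";
    "valid in Person document until " + @Text(expires; "D0S0")
)
```

Read the result as a monitoring signal about the directory, not as proof of what the client presents at authentication: a user recertified through a server whose updated Person documents and certlog.nsf never replicated to yours will show "EXPIRED" here while authenticating with the newer certificate in the ID file, which is exactly the situation the question describes.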
LVL 15

Expert Comment

by:akhafaf
ID: 35017850
Hi there ralmada,

Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.
Secondly, may I suggest that you just take the time to contact one or two of these users with the "Expired Certificates" and check what is really going on in their Lotus Notes client and Lotus Sametime client.
Finally, I am attaching a procedure of how Sametime can be connected to give you more information about it (it is from the Sametime information center).
http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/welcome_851.html

procedure.txt
Image.JPG
LVL 22

Expert Comment

by:mbonaci
ID: 35018088
> Firstly, I havent ever faced any problem with any of the users whose Certificates have expired .

That's because some "phenomenal" Domino admin registered users with expiration date somewhere in year 2100.
LVL 41

Author Comment

by:ralmada
ID: 35018248
Thanks guys for the fast responses.

@bluemeln, unfortunately not. They only show in the expired section.

I will read the other comments and get back to you shortly.
LVL 41

Author Comment

by:ralmada
ID: 35018518
@mbonaci,

Thanks for your comment. So basically what you're saying is that the users' certificates aren't expired, but the new recertification is not reflected in the NAB?

Also regarding your last comment, in my company certificates are set to expire in 50 years or so. Do you see this as a bad practice?
LVL 22

Accepted Solution

by:mbonaci (earned 500 total points)
ID: 35025459
If the circumstances are as I described, yes, it's possible.

What would you do if an admin's ID file becomes compromised/lost/its password revealed to users?
Since you cannot simply change the password (the password is inside the ID file), you'd have to (if you're lucky enough to find out about it) place that user in a Deny Access group and register him again with a different name.

On the other hand, if your ID expiration dates are one or two years, the lost ID file would soon cease to function.
LVL 11

Expert Comment

by:larsberntrop
ID: 35025549
Note that simply putting him in a Deny Access group will often be just a beginning. If the admin ID in question has been used to enable agents or used to sign any code (very likely), all these signatures need to be found and it has to be re-signed with the new ID to prevent problems.

Please read the admin documentation! Also, a fine strategy is to prepare yourself for certification (Certfx has excellent products, and is not expensive, especially if you take advantage of the volume deals). How I use it: even if you do not intend to take the exam, proper preparation will show you what knowledge you currently miss. Using the exam software you can prove you have an all-round understanding, and you get pointers into which subjects you need to study more. This saves you from studying the admin manual about stuff you already know.
LVL 41

Author Closing Comment

by:ralmada
ID: 35026848
Thanks
LVL 6

Expert Comment

by:bluemeln
ID: 35026966
I do not understand how the accepted solution explains that the users showing under expired certificates are live on the system. The solution only addresses the best practice of short certification times.
LVL 11

Expert Comment

by:larsberntrop
ID: 35027374
Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.
LVL 22

Expert Comment

by:mbonaci
ID: 35027482
Although it would be better that the first post was accepted, I don't completely agree with the two of you. I mean, it's not that big of a deal.

Ralmada wanted the final confirmation that he understood the problem, so in the accepted post, I say "If the circumstances are as I described, yes, it's possible."

Because of that comment, if someone searches for a solution to the same problem and finds this accepted post, he would normally look above to see what circumstances I'm talking about.
LVL 6

Expert Comment

by:bluemeln
ID: 35027611
A good solution is self-contained, self-explanatory and complete. It should not require inference or additional research, because many threads on this site contain false leads, which is why there is the Accepted Solution. When a solution refers to a previous post, it should briefly restate the content of that post. It's good form.

If I was new to this discussion, I would have to read through the entire thread to figure out which explanation made the most sense. In addition, the solution is not really a solution but a probable explanation, which makes it harder to identify.

I am not disputing the assigned points, but for this support system to work, we need to stick to form.
LVL 22

Expert Comment

by:mbonaci
ID: 35027891
I have to agree with this, it sure would've been better if the initial explanation was accepted.
LVL 41

Author Comment

by:ralmada
ID: 35028341
Thank you all for your time in trying to solve this issue. I really appreciate it.

@larsberntrop >>Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.<<

That's indeed what has happened, and that's what mbonaci indicated by agreeing to my last comment http:#a35018518. Probably I should have accepted my own comment as the answer and given him an assist, but that still doesn't change the fact that he was the only one that led me to the solution.
I hope this clarifies the reason for me accepting his comment.

Have a good day.

LVL 22

Expert Comment

by:mbonaci
ID: 35028371
Their point was that you should've accepted my first comment (35015243), with the detailed explanation of what happened, not yours, in which you ask for the confirmation.