Solved

Users with expired certificates in Domino Directory

Posted on 2011-03-01
1,479 Views
Last Modified: 2013-12-18
Hi,

In Lotus Notes, when I go to the NAB, People -> Certificate Expiration view, I see users with Expired certificates. But what I don't understand is that those people are connected to Sametime! Please refer to the image attached.

I thought that when the certificate is expired then the user cannot connect to the server.

Can somebody shed some light on this?

Thanks!
certificate-expiration-view.png
Question by:ralmada
16 Comments
 
LVL 6

Expert Comment

by:bluemeln
ID: 35012522
Do the Sametime users also have newer certificates listed under "Expires in the next 90 days" or "Expires in the next 120 days" or under "Expires after more than 120 days?"
 
LVL 22

Expert Comment

by:mbonaci
ID: 35015243
Maybe the certificates were updated on users' ID files (not through Person document in address book) using another server, which does not replicate Certlog.nsf, which then wouldn't be reflected in that view on your server.

When you certify a user ID file, you need to supply a certifier ID by first selecting the server that is used to locate the list of certifiers, so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors.
That is the server on which CERTLOG.NSF is updated.

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin85.doc/H_MANAGING_CERTIFIER_IDS_7302_MIDTOPIC_293171126429240767.html
 
LVL 15

Expert Comment

by:akhafaf
ID: 35017850
Hi there ralmada,

Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.
Secondly, may I suggest that you just take the time to contact one or two of these users with the "Expired Certificates" and check what is really going on in their Lotus Notes client and Lotus Sametime client.
Finally, I am attaching a procedure of how Sametime can be connected, to give you more information about it (it is from the Sametime information center).
http://publib.boulder.ibm.com/infocenter/sametime/v8r5/index.jsp?topic=/com.ibm.help.sametime.v851.doc/welcome_851.html





procedure.txt
Image.JPG
 
LVL 22

Expert Comment

by:mbonaci
ID: 35018088
> Firstly, I haven't ever faced any problem with any of the users whose certificates have expired.

That's because some "phenomenal" Domino admin registered users with an expiration date somewhere in the year 2100.
 
LVL 41

Author Comment

by:ralmada
ID: 35018248
Thanks guys for the fast responses.

@bluemeln, unfortunately not. They only show in the expired section.

I will read the other comments and get back to you shortly.
 
LVL 41

Author Comment

by:ralmada
ID: 35018518
@mbonaci,

Thanks for your comment. So basically what you're saying is that the users' certificates aren't expired, but the new recertification is not reflected in the NAB?

Also regarding your last comment, in my company certificates are set to expire in 50 years or so. Do you see this as a bad practice?
 
LVL 22

Accepted Solution

by: mbonaci (earned 500 total points)
ID: 35025459
If the circumstances are as I described, yes, it's possible.

What would you do if an admin's ID file becomes compromised/lost/its password revealed to users?
Since you cannot simply change the password (the password is inside the ID file), you'd have to (if you're lucky enough to find out about it) place that user in a Deny Access group and register him again with a different name.

On the other hand, if your ID expiration dates are one or two years, the lost ID file would soon cease to function.
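The two situations discussed above (a Person document that still shows an expired certificate because the recertification ran on a server whose certlog.nsf never replicated here, and registrations with decades-long validity) can be checked with a small reconciliation script. This is an added example, not code from the thread or from IBM; the Person and certlog rows are constructed stand-ins for data exported from names.nsf and certlog.nsf, and the user names, dates and two-year threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class PersonDoc:
    """Fields the Certificate Expiration view reads from a Person document."""
    name: str
    cert_expires: date


@dataclass
class CertLogEntry:
    """One recertification as recorded in certlog.nsf."""
    name: str
    recertified_on: date
    new_expiry: date


def audit_certificates(persons, certlog, today, max_valid_years=2):
    """Classify each Person document; returns {name: finding}."""
    latest = {}  # most recent certlog entry per user
    for entry in certlog:
        if entry.name not in latest or entry.recertified_on > latest[entry.name].recertified_on:
            latest[entry.name] = entry
    findings = {}
    for person in persons:
        log = latest.get(person.name)
        if person.cert_expires < today:
            # Recertified on a server whose certlog never replicated here: the ID
            # still works and only the directory view is out of date.
            if log is not None and log.new_expiry >= today:
                findings[person.name] = "stale-directory-entry"
            else:
                findings[person.name] = "expired"
        elif (person.cert_expires - today).days > max_valid_years * 365:
            # A lost or compromised ID with a 50-year expiry never stops working by itself.
            findings[person.name] = "validity-too-long"
        else:
            findings[person.name] = "ok"
    return findings


# Constructed sample rows (hypothetical users and dates).
TODAY = date(2011, 3, 1)
PERSONS = [
    PersonDoc("Alice Lee/Acme", date(2011, 1, 15)),  # recertified on another server
    PersonDoc("Bob Ray/Acme", date(2011, 2, 1)),     # genuinely expired
    PersonDoc("Carol Kim/Acme", date(2100, 1, 1)),   # the "year 2100" registration
    PersonDoc("Dave Ng/Acme", date(2012, 6, 30)),    # healthy
]
CERTLOG = [CertLogEntry("Alice Lee/Acme", date(2011, 1, 10), date(2013, 1, 10))]
```

Entries reported as stale-directory-entry are the ones this thread is about: the view is wrong, not the user's ID, and the fix is to get the recertifying server's certlog replicated (or the recertification redone against the right server).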
 
LVL 11

Expert Comment

by:larsberntrop
ID: 35025549
Note that simply putting him in a Deny Access group will often be just a beginning. If the admin ID in question has been used to enable agents or used to sign any code (very likely), all these signatures need to be found and it has to be re-signed with the new ID to prevent problems.

Please read the admin documentation! Also, a fine strategy is to prepare yourself for certification (Certfx has excellent products, and is not expensive, especially if you take advantage of the volume deals). How I use it: even if you do not intend to take the exam, proper preparation will show you what knowledge you currently miss. Using the exam software you can prove you have an all-round understanding, and you get pointers into which subjects you need to study more. This saves you from studying the admin manual about stuff you already know.
 
LVL 41

Author Closing Comment

by:ralmada
ID: 35026848
Thanks
 
LVL 6

Expert Comment

by:bluemeln
ID: 35026966
I do not understand how the accepted solution explains that the users showing under expired certificates are live on the system. The solution only addresses the best practice of short certification times.
 
LVL 11

Expert Comment

by:larsberntrop
ID: 35027374
Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027482
Although it would be better that the first post was accepted, I don't completely agree with the two of you. I mean, it's not that big of a deal.

Ralmada wanted the final confirmation that he understood the problem, so in the accepted post, I say "If the circumstances are as I described, yes, it's possible."

Because of that comment, if someone searches for a solution to the same problem and finds this accepted post, he would normally look above to see what circumstances I'm talking about.
 
LVL 6

Expert Comment

by:bluemeln
ID: 35027611
A good solution is self-contained, self-explanatory and complete. It should not require inference or additional research, because many threads on this site contain false leads, which is why there is the Accepted Solution. When a solution refers to a previous post, it should briefly restate the content of that post. It's good form.

If I were new to this discussion, I would have to read through the entire thread to figure out which explanation made the most sense. In addition, the solution is not really a solution but a probable explanation, which makes it harder to identify.

I am not disputing the assigned points, but for this support system to work, we need to stick to form.
 
LVL 22

Expert Comment

by:mbonaci
ID: 35027891
I have to agree with this, it sure would've been better if the initial explanation was accepted.
 
LVL 41

Author Comment

by:ralmada
ID: 35028341
Thank you all for your time in trying to solve this issue. I really appreciate it.

@larsberntrop >>Quite right. The answer is that the users were recertified, but the updated certificates were not stored in the NAB due to the recertifier's ignorance of Domino administration.<<

That's indeed what has happened, and that's what mbonaci indicated by agreeing to my last comment http:#a35018518. Probably I should have accepted my own comment as the answer and given him an assist, but that still doesn't change the fact that he was the only one that led me to the solution.
I hope this clarifies the reason for me accepting his comment.

Have a good day.

 
LVL 22

Expert Comment

by:mbonaci
ID: 35028371
Their point was that you should've accepted my first comment (35015243), with the detailed explanation of what happened, not yours, in which you ask for the confirmation.