Solved

Lotus iNotes - users cannot log into mail database

Posted on 2012-04-02
Last Modified: 2013-11-16
A few days ago we installed a brand new Domino 8.5.3 server in an MS Windows 2008R2 environment.

Before Domino, user was powered by Lotus Foundations Server, from which we successfully migrated users' mail databases.

Also, we created self certificate for the server so it can use SSL for secure access.

However, the problem appeared instantly, which is this:

- Only domain administrator and one other user can use webmail access. Also, only those two users can use their Blackberry phones to access mail, and Lotus Traveler for Symbian powered devices.

- All other users are failing to use any of those services.
Accessing the mail server through web browser or BB results in reappearance of the login dialog and nothing happens. After a few login inputs, the server reports the generic error "User not authenticated". Looking at the Domino Console shows no warnings or errors whatsoever. Also, checking the server log file log.nsf shows that no error/warning entries are there.

The most confusing fact is that those two users can access those features (including mail databases of other users where ACL allows), and others can't.  Even if we register new users, all of them cannot access their mail databases through iNotes web access.

Any ideas would be most welcome.
Question by:dpohl
11 Comments
 
LVL 10

Expert Comment

by:larsberntrop
ID: 37799836
How did you install?  Did you install a new domain or an additional server?

Sounds like you did a new install and so the new server cannot trust the users certified with the old certificate, because of how PKI works...

If you have a backup of the data directory and the notes.ini of the original server, you might try this:
Create a fresh 2008 server with the data directory and notes.ini in the intended place, and install Domino 8.5.3 over it.  It should upgrade and produce a running server.

Btw: I would not boast about a successful migration if users cannot access their mail!
 
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 200 total points
ID: 37799864
For starters, I haven't a clue, yet. So I'll ask some questions and give some suggestions:
- did you upgrade all mail databases?
- did you modify the Internet password for a test user?
- can you set up domlog.nsf, the database that logs all HTTP requests? See Server document, Internet Protocols/HTTP, Enable logging to: Domlog.nsf Enabled, and restart the HTTP task; then check again what happens when a user logs in; in order to limit the size of this database, you have to set, in the Replication Options, Remove documents not modified in the last 7 days (or so)
- are you sure that it's the server that generates the Not authenticated?
- did you set up an Internet Site document on the server? See Configuration/Web/Internet Sites. How is security set up, on the Security tab?
 
LVL 10

Expert Comment

by:larsberntrop
ID: 37800108
DomLog can be used, but is costly in terms of performance.  Better to use logging to text files.
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 37800149
IMHO, in most cases, performance isn't the issue, and fast and simple access to the logs is appreciated...
 
LVL 4

Accepted Solution

by:
dpohl earned 0 total points
ID: 37802806
SOLVED! :-)

@sjef_bosman - Somehow I knew I could count on you!

Ok, let's answer those questions first

1. It was a clean Domino server installation. Before we removed LFS server from the network, we made some basic ACL changes to all databases (incl. mail, additional personal address books and few applications). I.e., Default and Everyone access was reset to Manager access rights.
Server & web site config documents were as standard as possible. Also, certification keyring, SSL and webmail redirection configuration were created and working without any problem. No errors or warnings were posted to log (and server console).

2. After Domino installation, two accounts were created. First, default admin account and second, one general purpose account (like info@domain).

3. One of the backup mail databases was then copied to the server and reassigned to the g.p. account which showed that, basically, everything worked fine. Also, we made database (re)signing with new home server's id.

4. Also, after that, ACLs were adjusted to the meaningful state (owner, domain servers, other server, admin group, and of course, default and everyone).

5. After that, tested these functions:
Notes client test - ok
Traveler (Symbian device) test - ok
Webmail access - ok
BlackBerry access - ok

And after those steps, we made the next one - defining Domino users. User registration, database reassignment, ACLs settings, Notes reconfiguration, etc. All clients were accessing, replicating and working with databases without any problem (if I don't count a few irrelevant DAOS-related details, but that's a completely different theme). Also, users were instructed (and forced) to change their default Notes passwords, which they did.

Everything worked fine... except BB and webmail.
Checking of user's entries in Domino address book (names.nsf), comparing everything possible (including even ID vault), we could not locate the problem. Even creating test users with "clean start" showed nothing.

After a night of everything else but peaceful sleep, this morning I woke up with one idea...
The most obvious thing was forgotten - Internet password.

Even if two of us were looking at the Domino names database, checking differences between user records of those that worked, and those that didn't, we were blind to see that only those two users had the info of "last password change", unlike all other users. And since it wasn't configured in the policy, and hadn't been defined as the same as the default Notes password when we made a multiple user registration - it was empty.

And there it was - after one by one user changed their password from blank to something different - BB and webmail started to function as expected!

Anyway, thank you all for your ideas!
Also, thank you sjef_bosman as now I can see that if I wasn't to solve the problem by myself, your question about Internet password would give me the idea of where to check for the solution.

Thank you all, again!
Damir.
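
The check that would have surfaced this cause directly, as an added example that is not part of the original post: it audits a CSV export of Person documents for Internet passwords that are empty, not hashed, or never changed. The export layout, the `LastPwdChange` column name and the sample rows are constructed, and treating a parenthesised value as a stored hash is an assumption about how the export renders the `HTTPPassword` item.

```python
import csv
import io
import re

# Constructed sample export of Person documents (not real data or real hashes).
# Assumptions: one row per user; HTTPPassword holds the Internet password item;
# LastPwdChange is a hypothetical column for the "last password change" info.
SAMPLE_EXPORT = """FullName,HTTPPassword,LastPwdChange
Admin User/Example,(PLACEHOLDERHASH00001),2012-03-28
Info Mailbox/Example,(PLACEHOLDERHASH00002),2012-03-28
Test User One/Example,,
Test User Two/Example,   ,
Test User Three/Example,Welcome123,
"""

# Assumption: a stored hash is rendered wrapped in parentheses.
HASHED = re.compile(r"^\(.+\)$")


def classify(value):
    """Return 'empty', 'hashed' or 'unhashed' for one HTTPPassword value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    return "hashed" if HASHED.match(value) else "unhashed"


def audit_internet_passwords(export_text):
    """List (name, state, last_change) for users who cannot or should not log in as-is."""
    reader = csv.DictReader(io.StringIO(export_text))
    if "HTTPPassword" not in (reader.fieldnames or []):
        raise ValueError("export has no HTTPPassword column")
    findings = []
    for row in reader:
        state = classify(row["HTTPPassword"])
        changed = (row.get("LastPwdChange") or "").strip()
        # Flag blank or unhashed passwords, and accounts with no recorded change.
        if state != "hashed" or not changed:
            findings.append((row["FullName"], state, changed or "never"))
    return findings


if __name__ == "__main__":
    for name, state, changed in audit_internet_passwords(SAMPLE_EXPORT):
        print(f"{name}: Internet password {state}, last change {changed}")
```
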
 
LVL 4

Author Comment

by:dpohl
ID: 37803790
I've requested that this question be closed as follows:

Accepted answer: 0 points for dpohl's comment #37802806
Assisted answer: 200 points for sjef_bosman's comment #37799864

for the following reason:

As it was described in my answer to questions from other experts, I discovered the problem by myself. Since I documented in detail what was the problem and where the solution was, I think I deserve some reward points, right?
 
LVL 10

Expert Comment

by:larsberntrop
ID: 37803791
I object.  You do not seem to realize that my answer described EXACTLY that the crappy way in which you executed the migration was the root cause of the failure.
A little research into documentation provided by IBM, especially one of the many upgrade or deployment guides, combined with proper study of the Admin guide, would have made this a lot easier, and wrinkle free for your users. And with a lot less work for you, and fewer security risks. You did not get errors because everyone has the keys to everything.  You are lucky encryption was not used more by your users, or you would have had heaps of troubles.  I repeat: the fact that your setup works is more due to luck than your understanding of Domino.

Please, educate yourself, and at least run your deployment plan by an expert before rollout. Good luck.
 
LVL 4

Author Comment

by:dpohl
ID: 37803838
@larsberntrop

I have to say that your reaction and your comment absolutely goes out of proportion.

First, your answer has no relevance to my question, as I was talking about migration from Lotus Foundations Server to the full featured Lotus Domino Server. LFS server is a completely locked down version whose purpose in LFS environment is mail serving only, nothing more, nothing less. Everything else is controlled by SuSe Enterprise Server, which includes even way of encryption of databases. You CAN set different attributes directly on NSF databases, but after server restart in any case, all those settings will be set again by the system to the default values. So, please, don't talk about my Domino knowledge here, since it sounds pretty offensive and rude.

However, as I said at the beginning of this post, you were talking about upgrading Lotus Domino, not moving NSF databases only from LFS environment to the Domino environment.

Anyway, FYI, BEFORE we moved databases physically from the LFS server, we did preparations considering encryption, so again - don't question my knowledge, but question your way of talking to someone you even don't know.

Also, I gave point to sjef_bosman only since his questions were showing the direction, even if I already solved the problem much before I read his and all other comments here. And I honestly acknowledge that the error was all ours (or mine, whatever will suit your mind) that we forgot to check the user's Internet password.

Thank you for your time to try and help me. I'm honestly grateful for that, which I showed in my post thanking all of you two times.
 
LVL 10

Expert Comment

by:larsberntrop
ID: 37803973
I'm sorry, but I stand by my comments. Granted, upon reflection the notes.ini would have had to be edited to convert it from Unix style linebreaks to Windows style line breaks, but you could've still performed an Upgrade of the Foundations server by creating a new Windows server, copying the data directory and notes.ini from LFS, and letting the Domino installer upgrade that.  The LFS specific design will disappear when the 8.5.3 design updates are applied, perhaps with some checking with a designer client to see that all the old LFS cruft was removed.

Benefits: no need to recreate all the users, or sign all the dbs, encryption would have continued to work.

I'm sorry if my tone offended you. I'm perhaps too passionate about Domino...
 
LVL 4

Author Comment

by:dpohl
ID: 37804009
You're right for that matter - migration could be done the way you described now. But, first, the existing LFS server was used by only 14 users in total, and second - since we had to use the same hardware, and had no other resource for migration on the site, I think the way we did it was pretty reasonable.

Still, my question was pointing to the situation that appeared AFTER the installation of the Domino Server was already in place, so, as you are, I'm standing behind my answer to your objection - your suggestion, no matter how good your intentions were, was not answering anything but suggested how the migration should be done.

I accept your apology and somehow I'm sure we share the same level of passion for Lotus Domino.

I wish you all the best and hope to meet you on some other questions here, as a colleague and compatriot, and not someone who I have to calm down when he misunderstands my question, thinking, or whatever else. ;-)

Sincerely,
Damir.