Lotus iNotes - users cannot log into mail database

A few days ago we installed a brand new Domino 8.5.3 server in an MS Windows 2008R2 environment.

Before Domino, users were powered by Lotus Foundations Server, from which we successfully migrated users' mail databases.

Also, we created a self certificate for the server so it can use SSL for secure access.

However, the problem appeared instantly, which is this:

- Only domain administrator and one other user can use webmail access. Also, only those two users can use their Blackberry phones to access mail, and Lotus Traveler for Symbian powered devices.

- All other users are failing to use any of those services.
Accessing the mail server through web browser or BB results in reappearance of the login dialog and nothing happens. After a few login inputs, the server reports the generic error "User not authenticated". Looking at the Domino Console shows no warnings or errors whatsoever. Also, checking the server log file log.nsf shows that no error/warning entries are there.

The most confusing fact is that those two users can access those features (including mail databases of other users where ACL allows), and others can't.  Even if we register new users, all of them cannot access their mail databases through iNotes web access.

Any ideas would be most welcome.

How did you install?  Did you install a new domain or an additional server?

Sounds like you did a new install and so the new server cannot trust the users certified with the old certificate, because of how PKI works...

If you have a backup of the data directory and the notes.ini of the original server, you might try this:
Create a fresh 2008 server with the data directory and notes.ini in the intended place, and install Domino 8.5.3 over it.  It should upgrade and produce a running server.

Btw: I would not boast about a successful migration if users cannot access their mail!
Sjef Bosman (Groupware Consultant) Commented:
For starters, I haven't a clue, yet. So I'll ask some questions and give some suggestions:
- did you upgrade all mail databases?
- did you modify the Internet password for a test user?
- can you set up domlog.nsf, the database that logs all HTTP requests? See Server document, Internet Protocols/HTTP, Enable logging to: Domlog.nsf Enabled, and restart the HTTP task; then check again what happens when a user logs in; in order to limit the size of this database, you have to set, in the Replication Options, Remove documents not modified in the last 7 days (or so)
- are you sure that it's the server that generates the Not authenticated?
- did you set up an Internet Site document on the server? See Configuration/Web/Internet Sites. How is security set up, on the Security tab?
DomLog can be used, but is costly in terms of performance.  Better to use logging to textfiles.

Sjef Bosman (Groupware Consultant) Commented:
IMHO, in most cases, performance isn't the issue, and fast and simple access to the logs is appreciated...
dpohl (CTO, Author) Commented:

@sjef_bosman - Somehow I knew I could count on you!

Ok, let's answer those questions first

1. It was a clean Domino server installation. Before we removed the LFS server from the network, we made some basic ACL changes to all databases (incl. mail, additional personal address books and a few applications). I.e., Default and Everyone access was reset to Manager access rights.
Server & web site config documents were as standard as possible. Also, certification keyring, SSL and webmail redirection configuration were created and working without any problem. No errors or warnings were posted to log (and server console).

2. After Domino installation, two accounts were created. First, default admin account and second, one general purpose account (like info@domain).

3. One of the backup mail databases was then copied to the server and reassigned to the g.p. account which showed that, basically, everything worked fine. Also, we made database (re)signing with the new home server's id.

4. Also, after that, ACLs were adjusted to a meaningful state (owner, domain servers, other server, admin group, and of course, default and everyone).

5. After that, tested these functions:
Notes client test - ok
Traveler (Symbian device) test - ok
Webmail access - ok
BlackBerry access - ok

And after those steps, we made the next one - defining Domino users. User registration, database reassignment, ACLs settings, Notes reconfiguration, etc. All clients were accessing, replicating and working with databases without any problem (if I don't count few irrelevant DAOS related details, but that's completely different theme). Also, users were instructed (and forced) to change their default Notes passwords which they did.

Everything worked fine... except BB and webmail.
Checking of user's entries in Domino address book (names.nsf), comparing everything possible (including even ID vault), we could not locate the problem. Even creating test users with "clean start" showed nothing.

After a night of everything else but peaceful sleep, this morning I woke up with one idea...
The most obvious thing was forgotten - Internet password.

Even if two of us were looking at the Domino names database, checking differences between user records of those that worked, and those that didn't, we were blind to see that only those two users had the info of "last password change", unlike all other users. And since it wasn't configured in the policy, and hadn't been defined the same as the default Notes password when we made a multiple user registration - it was empty.

And there it was - after one by one user changed their password from blank to something different - BB and webmail started to function as expected!

Anyway, thank you all for your ideas!
Also, thank you sjef_bosman as now I can see that if I wasn't to solve the problem by myself, your question about Internet password would give me the idea of where to check for the solution.

Thank you all, again!
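
As an added example (not part of the original thread and not IBM's code), a LotusScript agent that lists the Person documents whose Internet password is blank, the condition identified in the post above. It assumes the agent runs on the server hosting names.nsf and that the "last password change" info is stored in the HTTPPasswordChangeDate item.

```lotusscript
Option Public
Option Declare

Sub Initialize
	Dim session As New NotesSession
	Dim db As NotesDatabase
	Dim dc As NotesDocumentCollection
	Dim doc As NotesDocument
	Dim changed As Variant
	Dim formula As String

	' Assumption: the agent runs on the server that hosts the Domino Directory.
	Set db = session.GetDatabase(session.CurrentDatabase.Server, "names.nsf")
	If Not db.IsOpen Then
		Print "Cannot open names.nsf"
		Exit Sub
	End If

	' HTTPPassword is the Person document item behind "Internet password".
	' A missing item compares equal to "" in formula language, so this
	' selects both blank and never-created password items.
	formula = {Form = "Person" & HTTPPassword = ""}
	Set dc = db.Search(formula, Nothing, 0)   ' 0 = no document limit

	Print "Person documents without an Internet password: " & dc.Count
	Set doc = dc.GetFirstDocument
	Do Until doc Is Nothing
		' Assumption: item name for the "last password change" info.
		changed = doc.GetItemValue("HTTPPasswordChangeDate")
		Print doc.GetItemValue("FullName")(0) & " | last change: " & Cstr(changed(0))
		Set doc = dc.GetNextDocument(doc)
	Loop
End Sub
```

The agent only reads the directory; run after a bulk registration, it shows which accounts still need an Internet password set before web, BlackBerry or Traveler access can work.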

dpohl (CTO, Author) Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for dpohl's comment #37802806
Assisted answer: 200 points for sjef_bosman's comment #37799864

for the following reason:

As it was described in my answer to questions from other experts, I discovered the problem by myself. Since I documented in detail what was the problem and where the solution was, I think I deserve some reward points, right?
I object.  You do not seem to realize that my answer described EXACTLY that the crappy way in which you executed the migration was the root cause of the failure.
A little research into documentation provided by IBM, especially one of the many upgrade or deployment guides, combined with proper study of the Admin guide, would have made this a lot easier, and wrinkle free for your users. And with a lot less work for you, and fewer security risks. You did not get errors because everyone has the keys to everything.  You are lucky encryption was not used more by your users, or you would have had heaps of troubles.  I repeat: the fact that your setup works is more due to luck than your understanding of Domino.

Please, educate yourself, and at least run your deployment plan by an expert before rollout. Good luck.
dpohl (CTO, Author) Commented:

I have to say that your reaction and your comment absolutely goes out of proportion.

First, your answer has no relevance to my question, as I was talking about migration from Lotus Foundations Server to the full featured Lotus Domino Server. LFS server is a completely locked down version whose purpose in the LFS environment is mail serving only, nothing more, nothing less. Everything else is controlled by SuSe Enterprise Server, which includes even the way of encryption of databases. You CAN set different attributes directly on NFS databases, but after server restart in any case, all those settings will be set again by the system to the default values. So, please, don't talk about my Domino knowledge here, since it sounds pretty offensive and rude.

However, as I said at the beginning of this post, you were talking about upgrading Lotus Domino, not moving NFS databases only from LFS environment to the Domino environment.

Anyway, FYI, BEFORE we moved databases physically from the LFS server, we did preparations considering encryption, so again - don't question my knowledge, but question your way of talking to someone you even don't know.

Also, I gave points to sjef_bosman only since his questions were showing the direction, even if I already solved the problem much before I read his and all other comments here. And I honestly acknowledge that the error was all ours (or mine, whatever will suit your mind) that we forgot to check the user's Internet password.

Thank you for your time to try and help me. I'm honestly grateful for that, which I showed in my post thanking all of you two times.
I'm sorry, but I stand by my comments. Granted, upon reflection the notes.ini would have had to be edited to convert it from Unix style linebreaks to Windows style line breaks, but you could've still performed an Upgrade of the Foundations server by creating a new Windows server, copy the data directory and notes.ini from LFS, and let Domino installer upgrade that.  The LFS specific design will disappear when the 8.5.3 design updates are applied, perhaps with some checking with a designer client to see that all the old LFS cruft was removed.

Benefits: no need to recreate all the users, or sign all the dbs, encryption would have continued to work.

I'm sorry if my tone offended you. I'm perhaps too passionate about Domino...
dpohl (CTO, Author) Commented:
You're right for that matter - migration could be done the way you described now. But, first, the existing LFS server was used by only 14 users in total, and second - since we had to use the same hardware, and had no other resource for migration on the site, I think the way we did it was pretty reasonable.

Still, my question was pointing to the situation that appeared AFTER the installation of the Domino Server was already in place, so, as you are, I'm standing behind my answer to your objection - your suggestion, no matter how good your intentions were, was not answering anything but suggested how the migration should be done.

I accept your apology and somehow I'm sure we share the same level of passion for Lotus Domino.

I wish you all the best and hope to meet you on some other questions here, as a colleague and compatriot, and not someone who I have to calm down when he misunderstands my question, thinking, or whatever else. ;-)