Dear community,
we have lots of users working on two or more PCs / remote desktops and most of them use Notes Client on all of these devices.
We have now upgraded Notes from 10 to 11 and we have many problems with checking passwords on IDs. Users get the message "You have a different password on another copy of your id file." Users have no different password but they have used Notes on another device before. I know that the message appears because HCL has changed the algorithm of the password hash, and HCL says that clearing the hash in the person document and asking the user to change her password solves the problem.
But as we have lots of users, not everybody is willing to change the password.
To temporarily overcome this problem we want to disable password checking on ID files and this is what my question is about:
Is it possible to retain password checking against expiration but to disable checking against another password? I mean: the user should be forced to change the password when it is older than x days but the server / client should not check if the user has another ID with a different password.
I thought it should be the setting "Check password on notes id file" on security settings (the mouse over tells this will disable the 'different password checking') but disabling this option is only possible when also "Enforce password expiration" is set to disabled. The second option is not what we want to disable.
Greetings, Michael
Hello Michael,
"Check password on notes id file" & "Enforce password expiration" on security settings work together.
If you enable "Enforce password expiration", then you do not see "No" for "Check password on notes id file" field.
So, it is not possible to disable only "Check password on notes id file" with "Enforce password expiration" enabled.
Thanks & Regards
Chaitanya Y
Hi @Yalavarthy Chaitanya ,
thanks for your confirmation. This is exactly what we see.
Regards, Michael
Hi, Mark,
I would suggest enabling ID VAULT server notes.ini parameter
ENABLE_AUTORECOVERY_FROMBADPASSWORD=1
https://help.hcltechsw.com/domino/11.0.1/admin/vault_automatic_restart_id_sync.html
This will allow users to sync their IDs, even if the ID VAULT copy has a different name.
With this, all IDs will then have the same password (the last one that the user remembers).
Be aware that password checking can impact HCL Nomad WEB if you use it; you have to have it disabled.
This parameter on server should solve your problem :)
Have a great day,
Vlad
Hi @Vladislav Tatarincev (HCL Ambassador) ,
thanks for your reply.
We have enabled the option ENABLE_AUTORECOVERY_FROMBADPASSWORD=1 earlier but this is not what we experience at the moment.
The option works if the id file on the client and the copy in the vault have different passwords. When the user uses the correct password that is stored on the client she can access the server and work normally. In the ddm you'll find an entry that id cannot be synchronised because the id stored in the vault has another password. When the user tries to log on to a fresh install and she is asked for the password, she has to use that one stored in the vault.
Our problem is that the user knows her password and enters it exactly but the client says that there is another id with a different password (which is not true). It is the hash that is compared against the digest stored in the person document that does not match.
Kind regards, Michael
Hi, I was working on another case and found one more notes.ini setting that might also help, since you use password checking and reset.
https://help.hcl-software.com/domino/12.0.0/admin/conf_idvaultnotesinisettings_r.html
IDV_RESETPASSWORD_DIGEST=2
Updates the password digest field in a Person document after resetting a password in the ID vault.
Default
IDV_RESETPASSWORD_DIGEST=0 (No action)
Description
When you reset a password on a Notes ID in the vault and the Check password on Notes id file option is enabled in a user policy, use this setting on the Domino server with the ID vault to create an administration process request to update the password digest in the user's Person document to match the new password. Only ID files with this password digest can access the server after the administration process request is processed. For more information, see Resetting the password on an ID in a vault.