Missing public keys

I stumbled across this while uploading IDs to an ID vault. A few users fail with the reported error "Your public key does not match the one stored in the address book". In the address book for those users is, in fact, no public key at all. Yet the log shows them as active users (Notes client 6.5, Domino server 12.0.2FP5).

I don't understand how it is possible for them to authenticate to a server that does not have their public key in the NAB. Can anyone help? Is the fact that the public key in their ID file is certified by a trusted certifier sufficient?

If so, what else will break as a result? Mail encryption, of course (but they don't use Notes mail). Anything else?

Hello

Notes users access the Domino server using the authentication information contained in their ID file.
Notes users can access it even if the user document does not exist in the Domino Directory.

However, it is also possible to enable public key checking for security in the settings on the Security tab of the server document.

Regards,
Shigemitsu Tanaka

Yes, thank you. I was misremembering, I think, that the key stored in the person document is always checked, but of course it needn't be - the key is also in the authenticating ID file, and it is public - no secret there.

That being so, I wonder why it is required for upload of an ID to the ID Vault.

Thanks for your help.

Hi Andrew

Hope you are doing well

When you register a new user with a Notes ID file via the standard procedure using the cert ID, the public key will be available in the Person document => Certificates tab.

As per your update, there is no public key available in their Person document.

Please check and confirm whether flat user accounts were created for these users.

Please check whether these users have Notes ID files to access the Domino server.

Please check the Person document => Certificates tab of these user accounts for a public key.

Please check the last modified user name and date. Was the public key removed by mistake?

Thanks & Regards

Nishant Shendre

Thank you, Nishant.

The users in question do have ID files, and it was by examining the Certificates tab that I determined that there was no public key in their Person document. I suppose it must have been deleted in error at some point, but not to worry. I can put it back.

I am not sure what you mean by "flat users accounts". Do you mean person records created for internet access with no Notes ID file associated? That is not the case.

Hi Andrew,

Thank you for your reply.

You can copy the public key from the user's active Notes ID file and paste it into the Person document => Certificates tab => Notes certified public key field of the affected user.

The procedure to copy the public key is as follows:

Procedure to copy a user's ID public key
a. In the Domino Administrator client => click the Configuration tab => click the Tools tab => expand the "Certification" option => click "ID Properties" => select the user's ID
b. In the "ID Properties" window => click "Your Identity" => "Your Certificates"
c. In the "Your Certificates" window => click "Other Actions" => select "Mail, Copy Certificate (Public Key)"
d. In the "Mail, Copy Certificate (Public Key)" window => click the "Copy Certificate" button and paste it into the Person document => Certificates tab => Notes certified public key field of the affected user.

Once you have copied the public key, run "load updall -R names.nsf" on the Domino console.

After that, monitor the situation to check whether the ID file of the affected user is getting uploaded/synced into the ID vault database.

Regarding your concern about "flat user accounts": do you mean person records created for internet access? Yes, your understanding is correct.

I hope the above information helps answer your concern.

Thanks & Regards

Nishant Shendre
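As an added example (not from the thread or from HCL), the audit step suggested above can be automated before an ID vault upload: a LotusScript agent that lists every Person document in names.nsf whose "Notes certified public key" field is empty, together with the last modification date and last editor. It assumes the field is named "Certificate" as in the standard Person form, and that the agent is run from a database on the same server as names.nsf.

```lotusscript
Option Public
Option Declare

' Hypothetical audit agent: report Person documents in the Domino Directory
' that have no Notes certified public key, and who last touched them.
' Assumption: the public key field is "Certificate" (standard Person form).
Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim dc As NotesDocumentCollection
    Dim doc As NotesDocument
    Dim fullName As Variant
    Dim formula As String
    Dim missing As Long

    Set db = session.GetDatabase(session.CurrentDatabase.Server, "names.nsf")
    If Not db.IsOpen Then
        Print "Could not open names.nsf on " & session.CurrentDatabase.Server
        Exit Sub
    End If

    ' Person documents whose key field is empty or whitespace only;
    ' a missing field also evaluates to "" in the formula language.
    formula = {Form = "Person" & @Trim(Certificate) = ""}
    Set dc = db.Search(formula, Nothing, 0)

    Set doc = dc.GetFirstDocument
    Do While Not doc Is Nothing
        missing = missing + 1
        fullName = doc.GetItemValue("FullName")
        Print fullName(0) & " | last modified " & _
            Format$(doc.LastModified, "yyyy-mm-dd hh:nn") & _
            " by " & LastEditor(doc)
        Set doc = dc.GetNextDocument(doc)
    Loop
    Print missing & " Person document(s) have no Notes certified public key"
End Sub

' $UpdatedBy keeps the edit history; its last entry is the most recent editor.
Function LastEditor(doc As NotesDocument) As String
    Dim editors As Variant
    If Not doc.HasItem("$UpdatedBy") Then
        LastEditor = "(unknown)"
        Exit Function
    End If
    editors = doc.GetItemValue("$UpdatedBy")
    LastEditor = CStr(editors(UBound(editors)))
End Function
```

Run it once before the vault upload and again after "load updall -R names.nsf" to confirm the count has dropped to zero.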