Open Mic Invitation: ID Vault & Notes Shared Logon - October 20

IBM is hosting an Open Mic conference call with Lotus Development and Support Engineering to discuss “ID Vault and Notes Shared Logon”.

The Open Mic call will be held on Wednesday, October 20. The call will take place at 10:00 AM EDT (14:00 GMT) and will last for one hour. This call is designed to be an open question & answer format, so bring your questions.

Refer to the following technote for phone and web conference details:

Technote: 1432993

Title: Open Mic call: Customer Choice ID Vault & Notes Shared Logon - 20 October 2010

URL: http://www.ibm.com/support/docview.wss?uid=swg21432993

You can post any advanced questions within the ND8.5 forum by creating a response to this post.

Subject: Works but does not register correctly

Hi, we implemented ID Vault just a few days ago in the following environment:

Domino Admin server - R8.5.2 on iSeries

Domino Mail server - R8.5.1 FP4 on iSeries

Domino Admin client R8.5.1 FP4 on Windows

Notes clients R8.5.1 FP2 and FP4 and R8.5.2 for Windows and Linux (Ubuntu)

After a first attempt to implement, where following the Wizard did not set up the trust or assign additional administrators,

I am getting IDs in the Vault.

I had to afterwards manually set up the Trust, assign Vault Administrators, and assign the Vault to our Org Policy.

But - I can not see the Vault Policy assignment through the Vault Management interface -

  • Using the Domino Admin client, I go to Vault Administration on the Configuration tab, I choose the Vault and press Manage

  • I press “Next” and choose “Create or Edit Vault Policy Settings” and press “Next”

  • I select “Edit an existing Policy” and press “Next”

  • When I select my only Org Policy, which I have used to assign the Vault to users, the following message is displayed under the selection window, and no “Assign” button is available

“Policy *// has a Security Settings document, , without a vault name. Click ‘Add Vault Name’ to add the vault name / to *//.”

As I mentioned, it seems to work, even though not all clients have reported their ID file yet, but the Vault Manager cannot see the assignment which I set up.

Do I have a problem or is it commonly seen?

Best Regards

René Elgaard

Subject: With shared login why implement ID Vault

If we switch from SSO to shared login and Windows is now controlling the password, why do we need the additional overhead of an ID Vault? If a user forgets their password then the help desk support would quickly reset it at the network level supporting the Notes login. There doesn’t seem to be a need for the ID Vault unless there is a reason. - Thanks.

Subject: Accidentally deleted ID files. Crashed hard drives. Computers gone missing.

Life is uncertain. Backups of critical data – like ID files – are important, and the Notes ID vault gives you an encrypted, up-to-date backup of your ID files that is more feature-rich and easier to use and administer than ID file recovery.

Subject: ID Vault and Policies

I want to configure ID vault. Do I have to use an organization policy or I can use an explicit policy? I would like to limit using ID vault just for our department which uses the same certifier as the rest of the organization.

Subject: Either is fine

You can use explicit, dynamic, or organizational policies to assign users to a vault.

Subject: Thanks,

Thank you.

So it means that I can use ID Vault just for a group of users (let’s say 10 people), not for everyone in the organization?

Subject: Yes

Subject: Shared login and Citrix

Will shared login be supported for Citrix Notes Clients? If yes, when?

Can shared login be enabled for users who are using both a local and Citrix Notes client, i.e. we know that it will not work for Citrix but would there be any problems if it is enabled for the local Notes client?

Subject: Re: Shared Login and Citrix

As long as NSL is configured as “optional” instead of “mandatory” for a user, that user can NSL-enable one copy of their ID file on one system and leave another (on Citrix, for example) password-protected.

Potential future features in this space may have fewer limitations than NSL, but the Microsoft API used by the current feature will not work on Citrix.

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Notes_Shared_Login_FAQ

http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.notes85.help.doc/sec_nsl_desc_t.html

Subject: NSL and id file on a network drive

I am just in the process of upgrading my clients to 8.5.1. I was going to incorporate NSL; the users’ ID files are on a network drive. After some testing, though, I found out that the user cannot log on to a different computer, as the ID file is tied to the first computer that NSL was turned on. So my question is: should or can I use ID vault with users having their ID file on a network drive? If so, is there documentation on this? Also, since turning off NSL the users have to enter a very complex password now for Notes. Is there a way to take the complexity out of the password?

Thanks

Subject: Questions and answers…

Why are ID files living on network drives? That has always been an unstable configuration prone to countless problems that I would discourage folks from using whenever possible.

You can use the ID vault regardless of whether or not you have NSL enabled in your environment.

You can specify minimum password requirements through security policy settings applied to those users.

Subject: SSO using Kerberos ?

We are currently rolling out 8.5.1 FP3. Thanks to ID vault, users can run Notes on other computers. Their local data (like bookmarks and workspace) will not roam although we may investigate Domino roaming at a later stage.

Our security people would like Notes to use SSO with Windows, because “Kerberos has not been broken and when it does become necessary, we can have everyone use two-factor authentication (dongle with certificate) because all apps that have SSO with Windows will automatically keep working”.

Would this be possible at some point in the future ? Use other computers and have SSO with Windows ? With a certificate dongle ?

Subject: Under consideration for inclusion in a future feature release of N/D

Subject: ID vault questions

How could the server’s ID be used to access the vault? Any ways to prevent this without setting a password on the server’s ID?

Are there any recommendations against using the mail servers as ID vault servers?

Subject: Security recommendations in the N/D wiki

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server

Subject: ID Vault

We have installed 8.5.2 on an AIX Domino server and have upgraded all of our clients from 8.0.2 to 8.5.2. We have noticed that after 2 weeks we still only have 187 IDs in the vault yet have over 250 clients. Everyone is tagged to the same security document; we have one server and one Cert ID. Is there a way to manually push or load the client’s ID into the Vault? Or some way to see what has gone wrong?

Subject: Yes…

The log.nsf files on the vault server and on the clients can yield interesting information, and even more information can be acquired by setting notes.ini variables:

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-logging-for-8.5-faq

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-miscellaneous-administration-faq

There is also information on the first pane of the User Security Dialog showing what vault is being used as well as a button that will force the client to resync with the vault immediately:

"This ID file has been backed up into vault: [ID vault sync] "
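When only 187 of 250 clients have shown up in the vault, the first question is *which* users are missing, so the log.nsf and User Security checks above can be aimed at the right machines. The following script is an added example, not code from the thread or from IBM/Lotus: it assumes you have exported two plain-text name lists (constructed inline here), one of the users whose IDs the vault holds and one of the Person documents the security settings apply to, and it reconciles them. Notes names can appear in canonical form (`CN=Jane Doe/OU=Sales/O=Acme`) or abbreviated form (`Jane Doe/Sales/Acme`), so both are normalised before comparison; the export format and the sample names are assumptions.

```python
"""Reconcile ID vault contents against the users who should be in it.

Added example, not from the forum thread or from IBM/Lotus. It assumes
two exported text lists (constructed below), one name per line:
  - names of users whose ID files the vault currently holds
  - names from the Domino Directory Person documents the vault policy
    applies to
Notes hierarchical names may be canonical (CN=.../OU=.../O=...) or
abbreviated (.../.../...), and Notes compares them case-insensitively,
so both forms are normalised to one key before set comparison.
"""
import re
from typing import Dict, List

# Constructed sample exports; not real data.
VAULT_EXPORT = """\
# users whose IDs are in the vault
CN=Rene Elgaard/OU=IT/O=Acme
CN=Jane Doe/O=Acme
Old User/O=Acme
"""

DIRECTORY_EXPORT = """\
# Person documents covered by the vault policy
CN=Rene Elgaard/OU=IT/O=Acme
Jane Doe/Acme
CN=Bob Smith/OU=Sales/O=Acme
"""

# Component prefixes used in canonical Notes names.
_PREFIX = re.compile(r"^(CN|OU|O|C)=", re.IGNORECASE)


def normalize(name: str) -> str:
    """Return a comparison key: prefixes stripped, lower-cased, '/'-joined."""
    parts = [p.strip() for p in name.strip().split("/") if p.strip()]
    return "/".join(_PREFIX.sub("", p).lower() for p in parts)


def parse_names(text: str) -> Dict[str, str]:
    """Map normalised key -> first original spelling seen in the export."""
    names: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.setdefault(normalize(line), line)
    return names


def reconcile(vault_text: str, directory_text: str) -> Dict[str, List[str]]:
    """Compare vault and directory exports.

    not_in_vault:   directory users whose ID has never synced (check
                    their client log.nsf / User Security dialog first)
    stale_in_vault: vault entries with no matching Person document
    in_vault:       users present in both
    """
    vault = parse_names(vault_text)
    directory = parse_names(directory_text)
    return {
        "not_in_vault": [directory[k] for k in sorted(directory.keys() - vault.keys())],
        "stale_in_vault": [vault[k] for k in sorted(vault.keys() - directory.keys())],
        "in_vault": [directory[k] for k in sorted(directory.keys() & vault.keys())],
    }


if __name__ == "__main__":
    for bucket, names in reconcile(VAULT_EXPORT, DIRECTORY_EXPORT).items():
        print(f"{bucket} ({len(names)}):")
        for n in names:
            print("   ", n)
```

With real exports, the `not_in_vault` list is the set of workstations to inspect; a user who appears in both lists but whose vault copy is old is not caught by this comparison, so pair it with the vault's last-sync information where available.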

Subject: Cross-domain functionality?

Apologies for a post so soon to the OpenMic . . . I was wondering if speakers could touch on if/how you can use ID Vault(s) in a cross-domain set-up.

e.g. we have an Extranet running on an external Domino domain, with its own NAB (which contains no people, except admin IDs). Our Extranet logins are stored in a separate ‘Extranet NAB’.

The ‘Extranet NAB’ (customers & suppliers) & the NAB for our internal Domino domain (company staff) are then consolidated into a single EDC, which is served up to provide an LDAP for the Extranet using Directory Assistance.

My question is: can we apply ID Vault logins to this Extranet environment, considering that all the Person docs are not in the Primary Domino Directory for the domain, nor are they in a writable NAB, because the EDC surfaced to the Extranet via DA is built from two separate NABs?

If anyone followed the above and could comment on this in the OpenMic that’d be great!

Subject: A single vault cannot “cover” more than one Domino (mail/directory) domain, but multiple vaults can be used in an environment with multiple domains