Please help with Synchronizing passwords NT >> Notes

Hello, this is my second post on this, sorry for that…but the problem is not solved.I have rolled out about 200 Notes 6 clients, and none of them are able to change the Notes password using the NT change password option. Single Logon works fine when the passwords are the same in both NT and Notes. When changing the password from Notes it also changes the NT password, but NT to Notes fails.

Is there something that should be done to get this working??

I have read the help, the redbook about Adsync etc.

What I also trying to understand is the proccess of the login and password change and what files and reg settings are used for single logon and password sync!

Any help is welcome!

Thanks in advance,

Marcel.

Subject: Please help with Synchronizing passwords NT >> Notes

Hi Marcel,

I’ve never worked with Notes and NT synchronisation, so, regarding to this post, i tried to…

I have two PCs. I installed W2K SP3 on each. First difference with your configuration, I don’t use a NT domain nor Active Directory, but a single Workgroup (don’t have time to install anything else).

On the first PC, I installed a Domino 6.0 Server, and declared a user named “Lionel”. His ID file password is “password”, and i store it in the Address Book.

On the second PC, my only W2K user is also named “Lionel”, and his password is also “password”.

I installed a Notes 6.0 Client with the single logon feature. I let everything else as default. I configured it so it get the ID file from the Domino Server. Then, i reboot…

I log in W2K with Lionel/password. I launched the Notes Client => I don’t have to enter the password again. Works fine…

I use my Notes client to change my password to ‘password2’ => The Notes client asked me to log off. OK.

I log on again on W2K using “password2”, and launched the Notes client => I don’t have to enter my Notes password. OK.

This time, i shut down my Notes client, and change the W2K password via Ctrl+Alt+Suppr to “password3”.

To be sure, i log off, log on again with “password3”, and launched my Notes client… and it worked fine…

This situation is really minimal, but maybe it can be a start point for your investigation…

Lionel

Subject: Please help with Synchronizing passwords NT >> Notes

Are you using Active Directory or a plain old NT-domain?

Subject: RE: Please help with Synchronizing passwords NT >> Notes

One of my custommers uses NT 2000 Advanced Server in a NT cluster, without Active Directory, we are using only one W2K PDC with active directory.Both same results. Can this cause any problems?

Grtz,

Marcel.

Subject: RE: Please help with Synchronizing passwords NT >> Notes

I have the same problem, someone told me that single logon works only with a Windows PDC. We use a Samba Server on Linux.

Any news?

Subject: No…

Well, I was confused too. So I have set up a few test environments. It simply won’t work, not on a NT4 workstation connected to a NT4 PDC, nor on a w2k machine connected to a W2k PDC. Someone told me that it was because I didn’t use nadsync. So I used that and synced all users. That wasn’t it, duhhh, but you have to try what people suggest…

Has anyone this up and running is my question for now??? Otherwise I can assume that it will never work…

Subject: RE: No…

In all versions of Notes I’ve seen, password sync only works one way, e.g. changing password in Notes also updates the NT password.

Was this supposed to function differently in Notes R6?

I know in R4.x and R5.x it was only one way.

Subject: Well that is the question

According to the Help for R6 and the presentation IBM gave with the Dutch introduction of R6, yes.And as long as IBM doesn´t disagree here I asume we´re right…

Sniplet from the Client Help:

To change your synchronized password

When synchronization is enabled, you can change your synchronized password at any time.

Whether you change your password through Windows or through Notes, the passwords synchronize so you can use the new password the next time you login to Windows or Notes.

<<<<<<<<<

To change it through Windows, refer to Windows Help. You can change your synchronized password through Windows only if your Windows and Notes passwords already match. Otherwise, you must change it through Notes. To change it through Notes, see Changing passwords.

Subject: RE: Well that is the question

In 6.0, you should be able to change your Notes password when you change your NT/AD password.

Can you respond to my 3/26 post? If you are changing the Network password there are places where things can go wrong.

Dave

IBM

Subject: RE: No…

6.5.1 solve the problem describe in the trend, except if you are using roaming user, that’s an other story!

Subject: Please help with Synchronizing passwords NT >> Notes

Assuming everything was installed properly for ‘Notes Single Logon’, Notes should handle network password changes. Keep in mind that only password changes to current network session are broadcast to the 'Network Provider’s. Changes to the password that happen in the Security DB (and take effect next time you log in) are not broadcast. Under the circumstances you describe, try locking the workstation and see what password the current Windows session is using.

Subject: RE: Please help with Synchronizing passwords NT >> Notes

Nop, NT is using the new password, Notes still the previous. This is realy very unpleasant for me because I recommended the upgrade to R6 to one of my custommers since they wanted to buy a password sync tool. And now they blame me for the wrong advise :-(What files,registry setings, ini’s etc are involved with the sync? So I can check if they are installed properly?

Thanks in advance,

Marcel.

Subject: RE: Please help with Synchronizing passwords NT >> Notes

Make sure that the ‘Lotus Notes Single Logon’ service is running on the machine. It must be running when you log into NT.

Is npnotes listed as a Network Provider?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order

Is npnotes a service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npnotes

Did you reboot after installation? Again, are you sure you are changing the password of the current NT sesssion? Do you only have one Notes installation on the machine? Is it mult-user? Or they roaming users?

Subject: RE: Please help with Synchronizing passwords NT >> Notes

David, thanks for spending your time on this.

All computers have only one installation of Notes, installed as single user. The Notes directory is c:\lotus\notes, the datadir is c:\data\lotus\notes\data.

There is only one notes.ini.

Lotus Notes Single Logon service is listed in the Services list and the path to the executable is C:\WINNT\System32\nslsvice.exe.

The service is started automaticly without any error. in the registry the Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order = LanmanWorkstation,npnotes

The Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npnotes is present, the file also exist.

Single logon works fine. After changing the password in NT I have checked the new password by locking the workstation and unlocking it with the new password. When starting Notes the message about the different password shows up, telling me to change the Notes password to enable Single Logon.

This happens on every workstation, wether it is an fresh copy of NT + Notes or an upgrade 5.011 to 6. Installed CF1 yesterday, also without any improvement on this.

Marcel.

Subject: Please IBM/Lotus/Iris/Others???

I know in this forum the use of urgent and capital letters are not done, but believe me, I would like to use it here…

Can anyone please tell if I am right:

When installing NT 2000 and Notes 6.01 with Single Logon there is nothing more to configure than having the passwords the same on the initial setup??

When the user changes the NT password by pressing CTRL-ALT-DEL, it should synchronize the Notes password, right?

Well, if so, it doesn’t! This is my experience, and also the meaning of some other consultants from totally different companies.

Could there be some security setting in NT or Notes that prevents the sync?

Is there a way to “debug” or log the sync process??

In the previous postings you can see what is already done…

Again, any help is welcome.

Thanks in advance,

Marcel (in name of a few desperate people…)

Subject: RE: Please IBM/Lotus/Iris/Others???

Please verify that the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Notes\Path

points to the location of your client notes.ini & the nnotes.dll binary.

Please verify that notes.ini (in ‘HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Notes\Path’) contains the variable:

KeyFilename

and that points to the Notes ID file you are trying to change.

Verify that the new passoword meets the necessary Notes ‘Quality’.

Keep in mind your previous NT password must match your current Notes ID password in order to change the Notes ID password in this manner (i.e. they must already be in sync).

Subject: RE: Please IBM/Lotus/Iris/Others???

Hello David, thanks for your response.In fact I checked all the suggestions that where given on this subject. On all the workstations we installed the notes.ini is moved to the notes data directory, so the HKEY_LOCAL_MACHINE\SOFTWARE\Lotus\Notes\Path didn’t point to the ini file. I have set up a new PC with W2K and notes 6.01, let the notes.ini stay in the notes program dir, but still we could not change the notes password through NT, although Single Logon was working fine.

The keyfile line is in the notes.ini, the password policy is set to 6 caracters (use length) like NT.

Do you know how to “debug” this?

I have read an subject on the Novell site where people had a similar problem with password sync to the Novell client. They mentioned a Win32 debugger.

I would realy like this problem solved.

Thanks in advance!

Marcel.

Subject: RE: Please IBM/Lotus/Iris/Others???

Have you verified that the password you are trying to use is valid for Notes by directly changing the Notes password in ‘User Security’? The reason I ask is I don’t believe that the Network Provider is currently supporting the ‘quality is length’ policy option. If you are going on length alone, it may not meet the necessary quality. Also, remember that you registered the user with a password quality that may not be equal to the policy quality. Keep in mind that policy settings are evaluated in the client so the user must use the client before any policy settings are set in the ID.

Dave

Subject: Complex

Well, the password seems to be complex enough. We tried this on a couple of PC’s: Change the password through Notes, and it will be accepted on both Notes and NT. For example wiSegUy20. We logged of and on, the single log-on passed the password through to Notes and all was fine. Now we pressed CTR-ALT-DEL to change it from Windows. Changed the password to wiSegUy21, logged of /on and Notes still has the old password.

Marcel.

Subject: RE: Complex

But, the Notes client is supporting the ‘Quality is length’ policy setting. The ‘Network Provider’ is not. Can you turn off that policy setting and verify that the Notes client can still change to the ‘complex’ passwords. Are you using passwords that are close to 6 characters? Your best test would be to lower the policy quality to something rather low. Verify that the new policy settings have been evaluated in the client (User Security) and then try to change the password via the Network Provider.