Public Key Error preventing user from logging on to server

Hello all,

We are experiencing a major issue in our organization. Recently, users started getting a warning that their user IDs are expiring soon each time they log on to check their mail on Lotus Notes. We also noticed that some of the users' ID files have expired.

But when we renewed or recertified any of the expired or expiring ID files, and the users attempted to log in, they got the error message below:

"The subject’s public key in the certificate is not the one stored in our ID file for that entry. Check the local log file for details.

Do you want to access the server anyway?"

And when the user clicks the “Yes” button, another error message appears, as detailed below:

“Server Error: The signature on the certificate was found to be invalid. Check the log file for details.”

And when we check the log file, we don’t see any further details other than the error messages above.

We don’t know how we can resolve this problem. We have searched the Domino forums and the net but didn’t get much help. Please kindly assist.

Thanks in anticipation.

Austine

Subject: Sounds like you have public key checking turned on plus out-of-sync certs in the directory

I’d recommend setting public key checking to “log only” and examining your renewal/recertification process. You should never re-register a user and give them a new ID file with the same name – that new ID will have different keys from the old one and lead to a host of problems similar to the ones that you’ve described. I believe that the Domino Administrator guide walks you through the steps needed to perform the process correctly.

Subject: RE: Sounds like you have public key checking turned on plus out-of-sync certs in the directory

Hi Dave,

Thanks a lot for your response to my post. Please can you elaborate more on what you wrote, i.e.

“You should never re-register a user and give them a new ID file with the same name – that new ID will have different keys from the old one and lead to a host of problems similar to the ones that you’ve described.”

Again, how do I set public key checking to “log only”? I have searched the Administrator help but couldn’t see any documentation on that.

Thanks in anticipation.

Austine

Subject: Check out the admin help

The admin help explains how to register new users and how to recertify or rename existing users. Re-registering an existing user generates a new ID file for the user with new keys that are, by definition, different from the old keys. This prevents the re-registered user from using their new ID file to access any of their old encrypted documents or locally encrypted databases, as well as desynchronizing all sorts of information.

Starting in 8.0, public key checking can be configured to only log mismatches. Check out the admin help, or experiment for yourself – it’s in the server doc under the security tab in the “security settings” section – “Compare public keys”.
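The following is an added illustration, not code from this thread and not Domino's own implementation, of the two checks Dave's replies describe: the server verifies the certifier's signature on the user's certificate, then compares the public key in that certificate with the one stored in the directory. Recertifying keeps the key pair and only issues a fresh certificate, so the comparison still passes; re-registering the same name creates a new key pair, so a directory replica still holding the old key reports the mismatch, which an "enforce" setting denies and a "log only" setting merely records. All names, the tiny RSA primes, the expiry values and the log wording are constructed for this example.

```python
"""Toy model of public key checking at logon (constructed example).

Illustrates why recertifying an ID file keeps it valid while re-registering
the same user name produces a key mismatch against the directory. The RSA
keys use tiny constructed primes and are useless for real security.
"""
import hashlib
from dataclasses import dataclass

E = 7  # constructed public exponent; coprime with phi(n) for every key below


def make_keypair(p, q):
    """Toy RSA key pair from two (constructed) primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest(data, n):
    """Hash the data and reduce it into the key's modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _cert_body(subject, public_key, expires):
    return f"{subject}|{public_key}|{expires}".encode()


@dataclass(frozen=True)
class Certificate:
    subject: str
    public_key: tuple
    expires: int       # constructed expiry "year"
    signature: int     # certifier's signature over subject, key and expiry

    def body(self):
        return _cert_body(self.subject, self.public_key, self.expires)


def issue_cert(certifier_priv, subject, public_key, expires):
    body = _cert_body(subject, public_key, expires)
    return Certificate(subject, public_key, expires, sign(certifier_priv, body))


@dataclass
class IdFile:
    private_key: tuple
    cert: Certificate


def register(directory, certifier_priv, name, primes, expires):
    """Register a user: brand-new key pair, certificate and directory entry."""
    pub, priv = make_keypair(*primes)
    directory[name] = pub           # the directory keeps the user's public key
    return IdFile(priv, issue_cert(certifier_priv, name, pub, expires))


def recertify(id_file, certifier_priv, expires):
    """Recertify: fresh certificate and expiry, same key pair as before."""
    c = id_file.cert
    new_cert = issue_cert(certifier_priv, c.subject, c.public_key, expires)
    return IdFile(id_file.private_key, new_cert)


def check_access(directory, certifier_pub, id_file, mode="enforce", log=None):
    """Server-side logon check; returns 'allowed', 'allowed-logged' or 'denied'."""
    log = [] if log is None else log
    cert = id_file.cert
    if not verify(certifier_pub, cert.body(), cert.signature):
        log.append(f"{cert.subject}: signature on the certificate is invalid")
        return "denied"
    if directory.get(cert.subject) != cert.public_key:
        log.append(f"{cert.subject}: public key in certificate does not match directory")
        return "allowed-logged" if mode == "log only" else "denied"
    return "allowed"


def scenario():
    """Constructed walk-through: recertify vs. re-register vs. wrong certifier."""
    certifier_pub, certifier_priv = make_keypair(107, 109)
    other_certifier_pub, other_certifier_priv = make_keypair(131, 137)
    directory = {}
    original = register(directory, certifier_priv, "Austine", (61, 53), expires=2008)
    renewed = recertify(original, certifier_priv, expires=2010)
    # The replica the server consults still holds the key from the original ID.
    stale_directory = dict(directory)
    reregistered = register(directory, certifier_priv, "Austine", (101, 103), expires=2010)
    # Same key pair, but the certificate was issued by a different certifier.
    c = original.cert
    foreign = IdFile(original.private_key,
                     issue_cert(other_certifier_priv, c.subject, c.public_key, 2010))
    log = []
    return {
        "recertified": check_access(stale_directory, certifier_pub, renewed, log=log),
        "reregistered_enforce": check_access(stale_directory, certifier_pub, reregistered, log=log),
        "reregistered_log_only": check_access(stale_directory, certifier_pub, reregistered,
                                              mode="log only", log=log),
        "wrong_certifier": check_access(stale_directory, certifier_pub, foreign, log=log),
        "log": log,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The "log only" branch is the point of Dave's advice: it lets the directory be brought back in sync without locking users out, while still leaving a log line per mismatch to find the affected entries.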