Roaming with LND 8.5

Hello!

We have been using LND 7.0.2 for 18 months with 12,500 roaming users on 7.0.2 multi-user clients. There was no Notes know-how in our organisation before this.

In these 18 months we encountered several problems with the roaming user.id and want to know whether some of them are solved in 8.5, especially considering the new “ID vault” feature. We are retesting these issues with LND 8.5 Beta 1, but maybe you already have the answers.

The configuration:

We have a centralised installation on two clusters with two members each.

“Check Passwords” is enabled for all users and servers.

“Compare Notes public keys” is enabled for all users and servers.

“Update Internet password when Notes client password changes” is enabled.

Cleanup is not enabled, due to network bandwidth considerations.

It is not uncommon that a user has more than one workstation configured with his Notes account.

Our issues are:

1.) A password or key change on the user ID file on one workstation does not reflect on the others. Therefore the user has to take some action, such as changing the password again or cleaning up the Notes client manually.

=> see also SPR#DJOE745G2M

→ is there a change in Notes 8.5? The newest (and changed) user ID is in the ID vault – why not use it?

2.) After the administrator has triggered a rename in the directory and AdminP has stored this information in the person document and is waiting for the user’s very next login, if the user roams to a clean workstation (no Notes configuration and data), the user is locked out of the system with the error “public key in directory not found”.

If we had configured cleanup, this would be the default situation for renaming a user.

=> see also SPR#CPON7DAK2L

→ is there a change in Notes 8.5?

3.) Using a security settings document to trigger a key rollover, we observed multiple key rollover requests for one user in some situations (details in SPR#FJAD72DFW4). If those requests are confirmed by the admin, it happens that they are not processed in the proper sequence, causing the user to be locked out until an administrator restarts the correct key rollover request.

=> see also SPR#FJAD72DFW4

→ is there a change in Notes 8.5?

4.) Under certain circumstances the initial login of a roaming user with the user ID stored in the directory results in a replication conflict for its person document. As I don’t know of any SPR for this, I’ll explain it here.

The roaming user is registered and the user ID is in its person document. The user’s home server is the roaming server but not the administration server of the directory. At the initial login the user ID gets detached from the person document on the home server, and at the same time some AdminP requests (e.g. Update Client Information, Change User Password and Change HTTP Password requests) are carried out on the administration server, causing a replication/save conflict after replicating the directory between the home and admin server.

→ is there a change in Notes 8.5? Is it possible to store the user ID in the ID vault at registration time and make the client use it for the login? Is it possible to store the user ID in the personal address book at registration time but NOT in the public Domino directory?

=> see also SPR#RCFE5T9TTS and SPR#DSCK67HN2R

Thank you very much in advance

Harald Svab

Subject: Comments on four cases

  1. Using the ID vault will address this issue. As Katherine indicated, it will be available for testing in the beta refresh build.

  2. We will look into this as time permits. We can’t make any promises for getting this addressed in 8.5. There is a known workaround.

  3. This has been reviewed and will not be fixed in 8.5. The administrator can manually delete AdminP requests from the ‘certify new public key’ view in the server’s admin4.nsf.

  4. The ID created when registering a user can be saved into the public NAB, ID Vault or to disk. When using the ID vault, the new ID will be copied to the client as part of Notes setup. When configured to store the ID in the personal address book, the ID store operation occurs as part of Notes setup and not during user registration.

Subject: Case 1 password change tested and tried to resolve via idvault password reset

Short story: results in “You have a different password on another copy of your ID file …”

1.) Register a roaming user with the ID file in the directory and the personal address book.

2.) Log in on workstation A, log off and log in again, setting the password to X.

3.) Log in on another workstation B (we simulated this by renaming the %userprofile%\Local Settings\Lotus directory to …\Lotus_1).

4.) Change the password to Y.

5.) Go back to workstation A (rename the Lotus directory back).

6.) Try to log in with password Y → Error: “Wrong password”

7.) Try to log in with password X → works locally, but on any access to the server the user gets the error “You have a different password on another copy of your ID file …”

8.) Consider that the user contacts support because he thinks he just forgot the password.

9.) Support uses the ID vault to reset the password to Z.

10.) The user tries to log in on workstation A with password Z
→ at first there is an irritating message box asking if the user really wants to switch the ID file
→ then login works locally, but on any attempt to connect to the server the user gets the error “You have a different password on another copy of your ID file …”

FYI: Password reset works of course on workstation B, and after a successful login on workstation B (and the resulting AdminP request “Change User Password …”) the user is able to log in on workstation A from step 9 as well.

How is this considered to be handled?

Subject: The ID file merge was not complete in 8.5 beta

We’re still working on the password sync between copies of ID files for 8.5 GA. It will be available for testing in the beta refresh build.

Subject: Sounds promising

Thank you very much for that information.

Any comments for 8.5 on the other issues we had with 7.0.2?

Should we retest these with 8.5 Beta 1?