Unexpected behavior when extracting ID from vault

HCL Domino Domino Forum
1

I created a test environment with one server, two administrators, and three users. I configured ID Vaults for the O certifier and one of the OU certifiers (East) and added the two administrators as vault administrators to both.

When I log on as one of the users under the East OU whose ID has been added to the East ID vault, I am able to extract ID files from the vault, even though the user is not an authorized vault administrator. In one case, I received an unusual error when attempting to connect to the server using an ID extracted from the vault:

"An internal error occurred during: “”.

You must inintialize [sic] the server before using it!"

I checked the ACL of the East ID vault and confirmed that the user who was able to extract the ID file did not have access. Since the ID file is not in the person document and the user cannot access the vault to retrieve it, I can’t tell how he would have been able to get it.

2

Subject: Need More Information

Thanks so much for getting back to us with this problem.

Admin tools to extract IDs from the vault were not complete in the first beta.

In the final release, the Admin client tool “Extract ID from Vault…” will allow any administrator who knows the password associated with the ID file to extract the file. Having the password reset can only be done by a trusted password reset authority. Password guessing by the administrator is prevented by locking out recovery of an ID file if the password is incorrectly guessed a small number of times. The code to support this service was not complete in the first beta.

In the final release, the same tool can be used by a valid Vault Admin with special privs to extract an ID without knowing its password. The code to support this service was not in the first beta.

We would still like to investigate your problem. Unfortunately, from the description of the problem it is not at all clear what was attempted and what the result was. Could you please provide additional information:

  1. You said that a user “extracted” an ID. Did the user use the “Extract ID from Vault…” tool in the Admin client?

  2. If not what exactly did they do?

  3. If so, what was entered in the tools dialog box? Did it display the user name properly for the owner of the ID file? Did they enter the ID file’s password correctly?

  4. What exactly was the result? Was an ID file written to disk? When it was used to run a Notes client, did it prompt for a password? Was the password accepted? When a server access was attempted, what exactly happened?

Thanks