Use case - ID Vault and user coming back from holiday :-)

Hello,

Today I was discussing with a customer the scenario of users coming back from holiday and not remembering their AD and Notes password. The support scenario seems a bit complex and I was wondering if anybody has a better way to fix the problem.

Assumptions:

Users log on to Windows XP with AD credentials

All clients run Notes 8.5.1 and the Lotus Notes Single Logon service is running

Shared login is enabled in the user security settings client

Usage of the new Notes Shared Login is not an option. Users need to change machines while sharing the same data directory (personal H: drive)

Steps:

  1. User tries to log on to Windows XP 5 times; the password cannot be remembered and the AD account is locked out

  2. User calls helpdesk to get AD credentials reset

  3. Helpdesk resets the AD account, assigns a new password and enforces that the AD password must be changed on login

  4. Helpdesk resets the Notes password using the ID vault and assigns the same password as AD

  5. User logs on to AD with the new password and is forced to change it immediately

  6. After logging in and changing the password, the user starts the Notes client

  7. User is informed that the Windows password and Notes password do not match and is prompted to change the password after login. The user MUST answer No to this (see note A)

  8. Then the user must expand the password dialog (green plus sign) and enter 1 wrong password

  9. The Notes client detects the wrong password and retrieves the new ID/password assigned by the helpdesk using the ID vault

  10. Finally the user is able to log in with the password provided by the helpdesk

  11. Once more the user is prompted with the message that says that the Windows password and Notes password do not match. Here too the user must answer NO!

  12. Finally the user logs in to the client and a message stating that the password should be changed is presented (this is due to the policy that says the password should be changed after a password reset)

  13. The user changes the password and the pre-holiday situation is re-established. Both AD and Notes use the same password and the Notes Single Logon service prevents the password dialog.

Questions:

  1. Is it possible to avoid the need to enter 1 wrong password before the ID vault recovered password is pushed to the user?

  2. Not sure, but it seems to me that if the custom message in the password dialog box (green plus sign) is not displayed, the recovered password from the ID vault is never pushed to the user

  3. Is it possible to avoid the message that asks to sync the Windows password with the Notes password?

Thanks

Note A

If the user does not answer No to the first question regarding re-sync of the password with Windows, the password recovered from the ID vault does not work.

If the user does not answer No to the second question regarding re-sync of the password with Windows, he/she will be forced to change the password twice.

Subject: From the N/D wiki ID vault interoperability FAQ

http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-interoperability

Notes shared login (new feature)

Notes shared login is designed to work with the ID vault. In the case that a user loses his or her ID file, a password will need to be set for that user in the ID vault (if not already set) so that the user may download the ID file. After the ID file is obtained by the user, Notes shared login will automatically begin protecting the ID file again.

Notes Single Logon

Using Notes Single Logon (introduced in an earlier release) with the ID vault is not a supported configuration. If you would like to use the ID vault, use the new Notes shared login feature instead.

Have you considered using the new file system roaming feature instead of a shared H: drive for the data directory? That should allow you to use the new version of NSL and eliminate the problem of synchronizing passwords between Windows and Notes.

dave

Subject: shared drive not supported for NSL

Users need to change machines while sharing the same data directory (personal H: drive)

Only local drives are supported for Notes Single Logon. If the notes.ini or Notes ID are not local, password changes will not always work.