Domino/Notes Version: 12.0.2 FP5
Is it possible to determine what server a user is authenticating against? We have a user who is connecting to one of two production servers, but there is no person record for him in the Domino directory. His session shows there in the miscellaneous and usage logs.
There is a person record for him in the UAT environment (a separate domain - the person record was copy-pasted over for test purposes long ago), but there is no sign of his ever having connected to that server.
How would the server be finding his public key to authenticate him?
UAT server has a cross-certificate for the production Org, but Production servers have no cross-certification for UAT.
With regards to your first question "Is it possible to determine what server a user is authenticating against?", the answer is "Yes". If a user authenticates successfully without a Person document in the primary names.nsf, they are likely being verified through Directory Assistance (DA) via either a secondary Domino Directory or an external LDAP source. Since the UAT environment has a separate domain, the primary server will act according to the design of not having any person document and will still use either the Directory Assistance (DA) or an external LDAP source.
With your second question "How would the server be finding his public key to authenticate him?" When a Notes Client user authenticates without a local Person Document, the Domino server is bypassing the primary directory to find their Public Key through three specific fail-safes: Directory Assistance, which "walks" through secondary directories or LDAP folders to find the key; the ID Vault, which allows the server to verify the user's identity via their stored ID file rather than a directory record; or Cross-Certificates, where the server trusts the user's entire organization or organizational unit based on a pre-established certificate of trust. Essentially, if the server can verify the user's "ID proof" through any of these auxiliary sources, the RSA handshake will succeed even if the user appears to be missing from the standard address book.
For more information, you may check the links below for reference:
I think the answer to how the authentication is occurring is the last one - not exactly cross-certification, but that the server and client share a root Org certifier. The cryptographic challenge/response is done at the certifier level, and since the user's certificate is valid, and it vouches for the user's identity, that is good enough for the server. The individual's public key is only needed when encrypting or signing…
Neither DA nor LDAP is set up in this case, and although ID Vault is, it is not accessible to a 6.5 client, which this user is using (I ought to have mentioned that - sorry).
But from what you say it still appears that the answer to my first question is "No". You have listed a number of ways that the user might be authenticating, but none of determining for a given authentication what method was actually used, and against what authenticating source. Am I missing something?
With a Notes client there is no separate "authenticate against a server" step. On accessing any server the client presents its id and the server checks if the id is good, if so, then checks the server ACL. The sequence repeats anew when the client accesses another server. Since the id in question is signed with the org certifier, it is considered good.
What you need to do is to check your servers' ACL. The bare minimum would be to add that user to the servers' DenyAccess group (ASAP) and then revisit your setup and eliminate access to IDs that are not in your directory.
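Since the server only checks the ID's certifier signature and then the server access list, the practical way to find IDs that are not in your directory is to compare session entries in the log against the Person documents in names.nsf. The script below is an added example, not code from this thread: it parses constructed log lines in the "Opened session for" shape (assumed format), compares them against a constructed set of canonical names standing in for the ($Users) view, and reports users who opened sessions but have no Person document, together with the client release they used.

```python
import re
from typing import Dict, Set

# Constructed sample log lines (assumption: real log.nsf session entries follow
# this "Opened session for <name> (Release <ver>)" shape; these are not from the page).
SAMPLE_LOG = """\
03/04/2024 08:12:10 AM  Opened session for Alice Example/Acme (Release 12.0.2FP5)
03/04/2024 08:13:41 AM  Opened session for Bob Legacy/Acme (Release 6.5)
03/04/2024 08:15:02 AM  Opened session for Carol Admin/Acme (Release 12.0.2FP5)
03/04/2024 08:15:59 AM  Closed session for Alice Example/Acme
03/04/2024 08:20:30 AM  Opened session for Bob Legacy/Acme (Release 6.5)
"""

# Constructed stand-in for an export of the ($Users) view in names.nsf:
# canonical names of users that really have a Person document.
DIRECTORY_USERS: Set[str] = {"CN=Alice Example/O=Acme", "CN=Carol Admin/O=Acme"}

SESSION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"Opened session for (?P<name>[^(]+?)\s*\(Release (?P<rel>[^)]+)\)"
)


def to_canonical(abbreviated: str) -> str:
    """'Jane Doe/Sales/Acme' -> 'CN=Jane Doe/OU=Sales/O=Acme' (middle parts are OUs)."""
    parts = [p.strip() for p in abbreviated.strip().split("/")]
    ous = "".join(f"/OU={p}" for p in parts[1:-1])
    return f"CN={parts[0]}{ous}/O={parts[-1]}"


def sessions_without_person_doc(log_text: str, directory: Set[str]) -> Dict[str, dict]:
    """Map canonical name -> {count, releases, first_seen} for every session opened
    by a user that has no Person document in `directory`."""
    findings: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # not a session-open line
        canon = to_canonical(m.group("name"))
        if canon in directory:
            continue  # user is known to the directory
        entry = findings.setdefault(
            canon, {"count": 0, "releases": set(), "first_seen": m.group("ts")})
        entry["count"] += 1
        entry["releases"].add(m.group("rel"))
    return findings


if __name__ == "__main__":
    for name, info in sessions_without_person_doc(SAMPLE_LOG, DIRECTORY_USERS).items():
        print(f"{name}: {info['count']} session(s) since {info['first_seen']}, "
              f"client release(s) {sorted(info['releases'])}")
```

Feed it a real log export and the actual ($Users) names to get the candidate list for the servers' deny-access group and for the "users listed in all trusted directories" review.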
If a user has a valid Notes ID in your domain they may be able to access the Domino server even if they do not have a Person document. If they are in a Deny Access group they will be denied access, provided that group is listed in the Server doc correctly. Some organizations have a more complex Domino domain with cross certifications and such. This may not apply to them. I prefer to know that, when a person is removed from the Domino directory, they will no longer be able to access the servers. I think a lot of non-Domino administrators also expect this. I prefer to set the security of the Domino servers, in the Server document, so the user must be in the Domino directory. Security Tab: Access Server. Check the box "users listed in all trusted directories". In the "and" box, be sure to select the "LocalDomainServers" group (assuming all your servers are in this group), or add each Domino server here.