Domino/Notes Version: 12.0.2 FP5
Is it possible to determine what server a user is authenticating against? We have a user who is connecting to one of two production servers, but there is no person record for him in the Domino directory. His session shows there in the miscellaneous and usage logs.
There is a person record for him in the UAT environment (a separate domain - the person record was copy-pasted over for test purposes long ago), but there is no sign of his ever having connected to that server.
How would the server be finding his public key to authenticate him?
UAT server has a cross-certificate for the production Org, but Production servers have no cross-certification for UAT.
With regards to your first question “Is it possible to determine what server a user is authenticating against?”, the answer is “Yes”. If a user authenticates successfully without a Person document in the primary names.nsf, they are likely being verified through Directory Assistance (DA) via either a secondary Domino Directory or an external LDAP source. Since the UAT environment has a separate domain, the primary server will act according to the design of not having any person document and will still use either the Directory Assistance (DA) or an external LDAP source.
With regard to your second question “How would the server be finding his public key to authenticate him?”: when a Notes Client user authenticates without a local Person Document, the Domino server is bypassing the primary directory to find their Public Key through three specific fail-safes: Directory Assistance, which “walks” through secondary directories or LDAP folders to find the key; the ID Vault, which allows the server to verify the user’s identity via their stored ID file rather than a directory record; or Cross-Certificates, where the server trusts the user’s entire organization or organizational unit based on a pre-established certificate of trust. Essentially, if the server can verify the user’s “ID proof” through any of these auxiliary sources, the RSA handshake will succeed even if the user appears to be missing from the standard address book.
For more information, you may check the links below for reference:
I think the answer to how the authentication is occurring is the last one - not exactly cross-certification, but that the server and client share a root Org certifier. The cryptographic challenge/response is done at the certifier level, and since the user’s certificate is valid, and it vouches for the user’s identity, that is good enough for the server. The individual’s public key is only needed when encrypting or signing…
Neither DA nor LDAP is set up in this case, and although ID Vault is, it is not accessible to a 6.5 client, which this user is using (I ought to have mentioned that - sorry).
But from what you say it still appears that the answer to my first question is “No”. You have listed a number of ways that the user might be authenticating, but no way of determining, for a given authentication, what method was actually used and against what authenticating source. Am I missing something?
With a Notes client there is no separate “authenticate against a server” step. On accessing any server the client presents its ID and the server checks whether the ID is good and, if so, then checks the server ACL. The sequence repeats anew when the client accesses another server. Since the ID in question is signed with the org certifier, it is considered good.
What you need to do is to check your servers’ ACL. The bare minimum would be to add that user to the servers’ DenyAccess group (ASAP) and then revisit your setup and eliminate access to IDs that are not in your directory.
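The sequence described in the two answers above (validate the ID through a certifier the server trusts, then consult the server access lists) can be modelled in a few lines. The following is an added illustration written for this thread, not Domino code and not anything from HCL: the `Server`, `NotesID` and `Certificate` types, the names `O=Acme` / `O=AcmeUAT` and the user `Joe Bloggs` are all constructed, and the model deliberately skips the private-key challenge/response so that only the trust decision and the DenyAccess check are shown. It also shows why the same ID is accepted on a UAT server that holds a cross-certificate for the production Org, and why a UAT-certified ID is refused by production, which has none.

```python
# Added illustration: a simplified model of the access decision a Domino server
# makes for a Notes client, as described in the thread. This is NOT Domino code
# and it ignores the private-key challenge/response; it only shows the trust
# walk over the certifier chain and the server access lists that follow it.
from dataclasses import dataclass, field


@dataclass
class Certificate:
    subject: str  # hierarchical name, e.g. "CN=Joe Bloggs/OU=Sales/O=Acme"
    issuer: str   # certifier that signed it, e.g. "OU=Sales/O=Acme"


@dataclass
class NotesID:
    name: str
    chain: list  # certificates from the user's own cert up to the root


@dataclass
class Server:
    org_root: str                                   # the server's own root certifier
    cross_certs: set = field(default_factory=set)   # foreign certifiers it trusts
    directory: set = field(default_factory=set)     # names with a Person document
    deny_access: set = field(default_factory=set)   # "Not access server" entries
    groups: dict = field(default_factory=dict)      # group name -> member names


def parent_of(name):
    """Drop the leftmost component: CN=Joe/OU=Sales/O=Acme -> OU=Sales/O=Acme."""
    parts = name.split("/", 1)
    return parts[1] if len(parts) == 2 else None


def id_trust(server, notes_id):
    """Return the certifier through which the server trusts this ID, or None."""
    expected = notes_id.name
    for cert in notes_id.chain:
        if cert.subject != expected or cert.issuer != parent_of(cert.subject):
            return None  # chain is not a proper hierarchy
        if cert.issuer == server.org_root or cert.issuer in server.cross_certs:
            return cert.issuer  # trust established at this level
        expected = cert.issuer
    return None  # no shared root and no cross-certificate: ID is refused


def _expand(server, entry):
    """Expand a group entry to its members (one level, enough for the model)."""
    return server.groups.get(entry, {entry})


def check_access(server, notes_id):
    """Model of: validate the ID, then consult the server access lists."""
    trusted_via = id_trust(server, notes_id)
    if trusted_via is None:
        return {"trusted_via": None, "in_directory": False, "access": "refused"}
    denied = set()
    for entry in server.deny_access:
        denied |= _expand(server, entry)
    return {
        "trusted_via": trusted_via,
        "in_directory": notes_id.name in server.directory,  # may be False yet allowed
        "access": "denied" if notes_id.name in denied else "allowed",
    }


def add_to_deny_access(server, name):
    """Return a copy of the server config with `name` placed in the DenyAccess group."""
    groups = {g: set(m) for g, m in server.groups.items()}
    groups.setdefault("DenyAccess", set()).add(name)
    return Server(server.org_root, set(server.cross_certs), set(server.directory),
                  server.deny_access | {"DenyAccess"}, groups)


# Constructed sample data matching the thread's situation (hypothetical names).
JOE = NotesID(
    "CN=Joe Bloggs/OU=Sales/O=Acme",
    [Certificate("CN=Joe Bloggs/OU=Sales/O=Acme", "OU=Sales/O=Acme"),
     Certificate("OU=Sales/O=Acme", "O=Acme")],
)
PROD = Server(org_root="O=Acme", directory={"CN=Alice Admin/O=Acme"})  # no Joe
UAT = Server(org_root="O=AcmeUAT", cross_certs={"O=Acme"})             # cross-cert to prod


if __name__ == "__main__":
    print("prod, before:", check_access(PROD, JOE))
    print("prod, after: ", check_access(add_to_deny_access(PROD, JOE.name), JOE))
    print("uat:         ", check_access(UAT, JOE))
```

The first result shows the situation the question describes: the ID validates through the shared root certifier, the user has no Person document, and access is still allowed because nothing in the access lists names him. The second result is the mitigation from the answer above: once the name is in the DenyAccess group the trust walk still succeeds, but the access check fails.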