User can't accept password recovery information

I have an interesting and isolated problem with two users and password recovery. Both users have exactly the same problem: When they receive the password recovery E-Mail and try to accept recovery information, they get this message:

“The recovery information could not be accepted because it is older than your current recovery information”

Each user happens to be the only user under their certifier (the result of layoffs) so I can’t verify if others on that certifier are having the same problem.

Other information: all users were recently recertified because they were all about to expire. The process went on perfectly.

All servers and clients are 6.0.1CF1.

I can’t seem to figure this one out, mostly because the message doesn’t make sense. How can the information I just sent be older than what you got last time from the same certifier? Also, I can assure you that one of the user and certifier ID pairs is very old and consists of the original files.

Any clues?

Thanks for the help.

Subject: User can’t accept password recovery information

Is the certifier creating the new recovery information an ancestor of the ID file that is trying to accept the recovery information?

Subject: RE: User can’t accept password recovery information

Yes it is. Names changed to protect ID.

Bob Smith/TX/US/MyCompany

is trying to accept recovery information from

/TX/US/MyCompany

The certifier is the original and it worked fine under R5. This problem only started after upgrading to ND6.

Subject: RE: User can’t accept password recovery information

Michael, did you have any luck resolving this issue? If so please could you share it as I have a similar problem.

Subject: RE: User can’t accept password recovery information

The only change in that space between R5 and ND6 is that the “older than” comparison became “older than or equal to”, in order to prevent the automatic update of recovery information from happening on almost every authentication.

In ND6, clients should automatically check for and download new recovery information (approx. once a day) when authenticating to their home servers – no explicit export or user action is required. It is possible that those two clients had already downloaded new recovery information during authentication before reading the email message but after it was sent, and hence refused to accept a copy of the information that was exported earlier than what they received.

When those two users try to recover their IDs, are they prompted with the current list of recovery authorities? If so, they probably downloaded the updated information before they received your email message with that information.

dave

Subject: RE: User can’t accept password recovery information

There is seemingly conflicting information in the R6 online help for the Admin client on this issue. In the help document titled “ID Recovery”, a bulleted list describes the three ways to add recovery information to a user’s ID file. I quote:

"-At registration, administrators create the ID file with a certifier ID that contains recovery information.

-Administrators export recovery information from the certifier ID file and have the user accept it.

-(Only for servers using the server-based certification authority) Users authenticate to their home server after an administrator has added recovery information to the certifier."

Note the last point: “Only for servers using the server-based certification authority.”

Later in the same article comes this statement:

“You can set up ID recovery for user IDs at any time. If you do so before you register users, ID recovery information is automatically added to user IDs the first time that users authenticate with their home servers. If you set up ID recovery information after you have registered Notes users, recovery information is automatically added to the user IDs the next time users authenticate with their home servers.”

This seems to indicate that recovery information is added automatically without regard to using the server-based CA. If that’s the case, what’s the point of the administrator exporting this information manually to user if it’s going to happen automatically anyway?

So, which is it? Do you have to have the CA process in place for automatically adding recovery info to users’ ID files or don’t you? The online help doesn’t do a good job of clarifying this.

I set up the recovery process in a classroom environment this week (R6.0.2) without having the CA process in place, and the recovery info was automatically added to users’ ID files. Unaware of this, I tried exporting the data, only to get the same error message reported by the originator of this thread.