Expired ID
I have a user that has a expired ID. I fumbled through and think I got him working but was wondering if someone had step by step process. How can I generate a new ID for them? Do I have to update the login profile or just the ID file?
This is Lotus 6.5 and Domino Admin 6.5. FYI, take it easy on me I am new to lotus and now maintaining it. LoL.
Software/Hardware used:
Software/Hardware used:
ASKED:
May 16, 2008 1:52 PM
UPDATED:
May 10, 2010 5:09 PM
Answer Wiki:
I have listed the process I use for recreating notes id's. Use the Admin client while completing the steps below.
1. Open your Domino Directory on your Admin server and go to the people and groups tab. Locate the user that needs a new ID file and cut (ctrl + x or edit - cut) the person doc from the address book.
2. Under Tools in the navigator on the right hand side of the client, click People, then Register. Check the Advanced check box. The only 2 sections you need to worry about on his form are the Basic and ID info sections. Fill out the form accordingly and make sure the spelling of the name matches exactly as it did before, any typos here will result in the user not being able to access db's. MAKE SURE you select "none" for the mail system. On the ID info tab in the register person form, be sure to select the correct certifier and uncheck "in domino directory" and select the check box "in file" and select the location where you would like to copy the id file to. Once you are done filling out the form click the green check mark to add the person to the registration queue and click the Register button.
3. Go back to the People and Groups tab and paste the original person doc back into the domino directory (ctrl + v or edit - paste). You will now see 2 person docs for the user. Open the person doc that you just created (one way to verify that you are in the correct person doc is to make sure the person doc does not list any mail file information). Click on the Certificates tab and highlight and copy the entire "notes certified public key".
4. Open the users other (original) person doc in edit mode and paste the key you copied from step 3 into the notes certified public key in this person doc. Save and Close.
5. Delete the "new" person doc (the one with no mail file information) from he domino directory and replicate the changes to the user home/mail server.
6. Replace the users current id with the one you just created. If the user has multiple machines/clients make sure you replace the id on those machines as well.
That should do it....
Thanks,
Derek
To see all answers submitted to the Answer Wiki: View Answer History.
You should not create a new ID when they expire. You should re-certify the existing ID. Review the Admin Help database document titled “Recertifying a user ID.” It provides the process.
In our environment, we have created an additional view in the Directory that shows IDs by certificate expiration date. If you do this, you can recertify people proactively. If you start with the People view and have the UserModifier role, you will be able to see the Actions – Recertify Selected People action. Choose the people who are going to expire sometime in the future and recertify them. The next time they log on, their ID will be re-certified. If you do this on a regular basis, user will never be prompted again to request to be recertified and you will not have user IDs expiring and causing headaches.
Good Luck.
Both solutions look good. I tested Derek’s and it works.
Brooklynegg, your suggestion it looks like I have something setup that shows expiring. Looks that that will work. Now when I recertify someone it does not disappear from list but I am going to give it some time maybe replication?
Domino Administrator > Configuration > Certificates > Certificate Expiration
According to what you have listed, it sounds that even if “ID” is expired when I “recertify” it will get the update. When the id is expired, the user cannot login unless I misunderstand.
I did read through the documentation in the help file thanks for pointing that out, it helped with understanding the maintenance.
FYI….
I am a new admin and have no experience…..
Derek, What if by accident you go to past and the user is no longer in your clipboard? LoL
How would you add it back?
The option to “Recertify” an existing user ID file is the preferred method. The reason for this is the built-in Notes/Domino PKI that is available for anyone in the Domino domain to use to encrypt and sign their emails.
When you re-certify a Notes user you are actually updating the certificate expiration dates that are used for this user. The admin may either re-certify the public key in the Domino directory or re-certify a local copy of the user’s id file as long as the password for that file is known. The Notes client will merge the new certificate information into the user’s current ID file from the directory when then next access the server.
When you create a new Notes Id file you have also created a new public/private key pair for that person. When you do that, they will no longer be able to open and read any old emails that may have been encrypted using the previous public/private key pair. If the users in the environment never use the Encryption feature then it is a moot point. Either method will work.
I agree that the preferred method is to simply recertify the id in the event that you have the users notes id file. It will save you time and is a much simpler process.
The question “how can I generate a new id file” was asked and that is what I provided an answer for. In the event that you do not have the users notes id file the instructions I provided would generate a new id file for the user. Sorry for any confusion this may have caused.
Maramor, If you lose the person doc that was attached to your clipboard the best thing to do would be to open a replica of your domino directory from another server and copy/paste the person doc from there.
I’ve done the recertify method which is quick and easy. If they don’t have an id, I’d re-register them to create one, then delete the ‘old’ person doc.
Bune lan
Derek, when I have needed to generate a new ID for an existing user, I simply re-register him using the identical spelling of his name. Domino detects that the user already exists, and prompts me for permission to update the existing entry. No cutting/pasting required.