User ID files not being uploaded to the ID vault
If you are an administrator and have assigned a new vault policy to existing users, but do not see certain user IDs being uploaded to the vault, check the following:
1. Look through the client and server log.nsf for error messages and potential clues under "Security Events".
2. Have the necessary vault trust certificates been created? In the Domino Administrator, under the "People & Groups" tab, under "Certificates," check that the expected "Vault Trust Certificates" exist.
3. Is your test deployment user using Lotus Notes 8.5 or higher? To use a vault, Lotus Notes clients must run Release 8.5 or later.
4. Has the user been assigned to a vault through a policy? The user needs to have a policy that is vaulted. Run the "Policy Synopsis" command in the Domino Administrator to see what the user's policy is.
5. Has the test user authenticated with his home server? The test user needs to authenticate with the server. Otherwise, the Lotus Notes client will not know about the new policy. Check the user's local policy to see that the user has received the expected ID vault policy. If the user does not have a local policy, verify that the home/mail server defined in the user's location document is correct.
6. Has the user been using Lotus Notes? The user needs to be running Lotus Notes in order to upload the ID file to the vault server.
7. How much time has passed? The user's ID file is not immediately uploaded after the policy has been applied for performance reasons. The user's ID file will be automatically uploaded in the background while the user is running the Notes client at a randomly selected time (an average of four hours, up to eight hours). To force an upload to occur immediately, you can switch ID to the same ID (File - Security - Switch ID.)
8. Is the user accessing mail through iNotes? To enable the use of ID vault for Lotus iNotes users, you must enable "Allow Notes-based programs to use the Notes ID vault" on the ID Vault tab of the Security policy setting document. When the user accesses an 8.51 or higher Domino mail server and performs a secure mail operation over iNotes, such as sending a signed message or reading an encrypted message, the ID file will be automatically uploaded to the ID vault.
The following notes.ini variables may be enabled to collect more detailed information in the console logs.
Server:
Client:
Using a password reset application with the ID vault
If you are an administrator having trouble deploying a password reset application for use with the ID vault, try the following:
1. Check that the basic ID vault and user have been set up correctly.
To do this, you may can try resetting the user's password in the Notes Administrator. This will ensure that (1) the user's ID is indeed in the vault and that (2) an ID vault policy has been applied to the user.
(This may be especially pertinent if you are seeing the "Entry not found in Index" error in the server log.)
- The message "The Notes ID ... is not vaulted." indicates that an ID vault policy has not been applied to the user.
- The message "User's ID has not been uploaded to the Notes ID vault." indicates the user's ID is not in the ID vault yet.
2. Check the rights of the password reset agent signer. (If not already signed, sign the agent using Domino Designer.)
- In the Server document (in the Domino Directory) of the server(s) on which the agent will run, check that the agent signer has "Run restricted LotusScript/Java agents" access.
- In the ID vault wizard in the Domino Administrator, check that the
signer of the password reset agent is an authorized password resetter with "Password reset agent authority."
- In the ID vault wizard in the Domino Administrator, check that the
server(s) on which the agent will run is an authorized password resetter.
3. In Domino Designer, check the security settings of the agent.
- Under "Properties - Security" settings of the agent, double check that "Run as web user" has not been checked.
4. Within the agent code, check that ResetUserPassword is called with the correct server name and user name values.
- Is the user's full name being used? For example "John Smith/Acme" and not just "John Smith."