Where can I find logged ID vault messages?
ID vault messages are logged as "Security Events" in the log.nsf
file. Open the log.nsf on your local client machine (or server machine)
and click on "Security Events" on the left side panel to find
the security logs.
Entries in the client log record actions taken on that client machine.
Entries in the server log record actions taken by that server. If you have
multiple replicas of the ID vault on multiple servers, you may have to
look on each replica to find the information you are interested in.
Can I see the ID vault error messages in the Domino Domain Monitor (DDM)?
Yes, all server error messages are also reported to DDM.
Logged messages for user actions
What is logged when the user enters the wrong password after starting Notes?
Client log:
10/01/2008 01:52:11 PM ID for
'CN=Samantha Daryn/O=RECompany' could not be authenticated in vault 'O=third'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: Wrong Password. (Passwords are case sensitive - be sure to
use correct upper and lower case.) on remote server
Server log:
10/01/2008 01:52:11 PM ID for
'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1295) in vault 'O=third'
was not downloaded because the wrong password was supplied. Error:
Wrong Password. (Passwords are case sensitive - be sure to use correct
upper and lower case.)
Note: This message is logged
whenever an incorrect password is entered. This may result because the
user simply mistyped his password, or because an attacker is trying to
guess the user's password. If this message is logged multiple times and/or
for multiple users around the same time period, you may want to investigate
the situation.
What is logged when the user provides a wrong password too many times?
Client log:
10/01/2008 04:11:15 PM ID for
'CN=Samantha Daryn/O=RECompany' could not be authenticated in vault 'O=newest'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: Wrong Password. (Passwords are case sensitive - be sure to
use correct upper and lower case.) on remote server
...
...
...
10/01/2008 04:11:23 PM ID for 'CN=Samantha Daryn/O=RECompany' could
not be authenticated in vault 'O=newest' on server 'CN=pm1/O=RECompany'.
'Samantha Daryn/RECompany' made request. Error: You have failed
to supply the correct password too many times. Please contact your system
administrator on remote server
Server log:
10/01/2008 04:11:15 PM ID for
'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2439) in vault 'O=newest'
was not downloaded because the wrong password was supplied. Error:
Wrong Password. (Passwords are case sensitive - be sure to use correct
upper and lower case.)
...
...
...
10/01/2008 04:11:23 PM ID failed
to authenticate in vault 'O=newest'. 'Samantha Daryn/RECompany' (IP
address 9.33.164.153:2439) made request. Error: You have failed to
supply the correct password too many times. Please contact your system
administrator.
Note: This message is logged whenever
an incorrect password is entered too many times. This may result because
the user mistyped or forgot his password, or because an attacker is trying
to guess the user's password. You may want to investigate the situation
if these messages are logged multiple times.
The default maximum number of consecutive
download attempts that are allowed in a day before attempts are denied
is 10. Consecutive failed password attempts are kept in the bad password
cache. Use the NOTES.INI variable "IDVault_Max_Auth_Failures"
to configure the maximum number of daily consecutive download attempts.
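The two notes above (wrong password logged once, and logged too many times) describe patterns an administrator is expected to spot by eye. As an added example that is not code from the original page, the following Python script reads server-log "Security Events" lines of the kind shown above, counts each user's consecutive failures the way the bad password cache does, lists lockouts, and flags windows in which wrong-password failures hit several distinct users at once. The line layout ("MM/DD/YYYY HH:MM:SS AM|PM message"), the sample lines and the burst thresholds (3 distinct users within 5 minutes) are assumptions of this example, not values from the page.

```python
"""Added example (not code from the original page): a small detector for the
ID vault password-failure patterns described above, run over constructed
Domino server-log "Security Events" lines.

Assumptions not stated on the page: the "MM/DD/YYYY HH:MM:SS AM|PM <message>"
line layout and the burst thresholds (3 distinct users within 5 minutes).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Page default for the NOTES.INI variable IDVault_Max_Auth_Failures.
IDVAULT_MAX_AUTH_FAILURES = 10

# Constructed sample lines, modelled on the server-log messages shown above.
SAMPLE_SERVER_LOG = """\
10/01/2008 01:52:11 PM ID for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1295) in vault 'O=third' was not downloaded because the wrong password was supplied. Error: Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
10/01/2008 01:52:40 PM ID successfully synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address 9.33.163.219:1313).
10/01/2008 04:11:15 PM ID for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2439) in vault 'O=newest' was not downloaded because the wrong password was supplied. Error: Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
10/01/2008 04:11:17 PM ID for 'Ida Engel/RECompany' (IP Address 9.33.164.153:2440) in vault 'O=newest' was not downloaded because the wrong password was supplied. Error: Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
10/01/2008 04:11:19 PM ID for 'John Smith/RECompany' (IP Address 9.33.164.153:2441) in vault 'O=newest' was not downloaded because the wrong password was supplied. Error: Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)
10/01/2008 04:11:23 PM ID failed to authenticate in vault 'O=newest'. 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2439) made request. Error: You have failed to supply the correct password too many times. Please contact your system administrator.
"""

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (.*)$")
WRONG_PW_RE = re.compile(r"ID for '([^']+)' \(IP [Aa]ddress ([\d.]+):\d+\) in vault '([^']+)' "
                         r"was not downloaded because the wrong password was supplied")
LOCKOUT_RE = re.compile(r"ID failed to authenticate in vault '([^']+)'\. '([^']+)' "
                        r"\(IP [Aa]ddress ([\d.]+):\d+\) made request\. Error: You have failed "
                        r"to supply the correct password too many times")
SUCCESS_RE = re.compile(r"ID successfully (?:synchronized with|downloaded from) vault '([^']+)' "
                        r"(?:for|by) '([^']+)' \(IP [Aa]ddress ([\d.]+):\d+\)")


@dataclass
class VaultEvent:
    ts: datetime
    kind: str   # "wrong_password", "lockout" or "success"
    user: str
    vault: str
    ip: str


def parse_security_events(text):
    """Classify the vault authentication lines; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        if (w := WRONG_PW_RE.search(msg)):
            events.append(VaultEvent(ts, "wrong_password", w.group(1), w.group(3), w.group(2)))
        elif (l := LOCKOUT_RE.search(msg)):
            events.append(VaultEvent(ts, "lockout", l.group(2), l.group(1), l.group(3)))
        elif (s := SUCCESS_RE.search(msg)):
            events.append(VaultEvent(ts, "success", s.group(2), s.group(1), s.group(3)))
    return events


def consecutive_failures(events):
    """Mirror the server's bad password cache: count wrong-password events per
    user since that user's last successful vault transaction."""
    counts = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "wrong_password":
            counts[e.user] = counts.get(e.user, 0) + 1
        elif e.kind == "success":
            counts[e.user] = 0
    return counts


def find_bursts(events, window=timedelta(minutes=5), min_users=3):
    """Windows in which wrong-password failures hit at least `min_users`
    distinct users: the "multiple users around the same time" pattern."""
    fails = sorted((e for e in events if e.kind == "wrong_password"), key=lambda e: e.ts)
    bursts, seen = [], set()
    for i, first in enumerate(fails):
        users = {e.user for e in fails[i:] if e.ts - first.ts <= window}
        key = frozenset(users)
        if len(users) >= min_users and key not in seen:
            seen.add(key)
            bursts.append((first.ts, sorted(users)))
    return bursts


def analyze(text, limit=IDVAULT_MAX_AUTH_FAILURES):
    """Summarise what an administrator would review after reading the log."""
    events = parse_security_events(text)
    counts = consecutive_failures(events)
    return {
        "consecutive_failures": counts,
        "near_limit": sorted(u for u, c in counts.items() if c >= limit - 2),
        "lockouts": [(e.user, e.ip, e.ts.isoformat()) for e in events if e.kind == "lockout"],
        "bursts": [(ts.isoformat(), users) for ts, users in find_bursts(events)],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SERVER_LOG).items():
        print(f"{key}: {value}")
```

On the sample data the three failures at 04:11 PM come from three different users within seconds of each other, so they surface as one burst, while the single 01:52 PM failure followed by a successful synchronization is reset to zero and never reported. Point the script at the Security Events view exported from each vault replica's log.nsf, since, as noted at the top of the page, each replica only records its own transactions.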
What is logged when the user changes something in his ID file (such as
adding a new document encryption key), triggering a synchronization with
the vault?
Client log:
10/01/2008 02:00:28 PM ID 'C:\Program
Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=third'
on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
Server log:
10/01/2008 02:00:28 PM ID successfully
synchronized with vault 'O=third' for 'Samantha Daryn/RECompany' (IP Address
9.33.163.219:1313).
What is logged when the user recovers from a forgotten password by using
the new password?
Client log:
10/01/2008 03:53:32 PM ID 'C:\Program
Files\Lotus\Notes\Data\user.id' successfully synchronized with vault 'O=newest'
on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
Server log:
10/01/2008 03:53:31 PM ID successfully
synchronized with vault 'O=newest' for 'Samantha Daryn/RECompany' (IP Address
9.33.164.153:2406).
What is logged when the user has lost his ID file, but the Notes client
automatically recovers from the lost ID file?
Client log:
10/01/2008 03:37:36 PM ID 'C:\Program
Files\Lotus\Notes\Data\user.id' successfully downloaded from vault 'O=newest'
on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
Server log:
10/01/2008 03:37:36 PM ID successfully
downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address
9.33.164.153:2350).
What is logged when the user has lost his ID file and attempts to log in
with his password to download a new copy of his ID, but needs authorization
to download the ID file?
Client log:
11/19/2008 12:01:51 PM ID 'C:\Program
Files\Lotus\Notes\Data\user.id' failed to download from vault 'O=third'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: ID in vault has download count of zero on remote server
Server log:
11/19/2008 12:01:51 PM ID for
'Samantha Daryn/RECompany' (IP Address 9.33.162.148:1346) in vault 'O=third'
was not downloaded because it has a download count of zero and therefore
no more downloads of the ID are allowed . Error: ID in vault has
download count of zero
11/19/2008 12:01:51 PM ID failed to upload to vault 'O=third'. 'Samantha
Daryn/RECompany' (IP Address 9.33.162.148:1346) made request. Error:
ID in vault has download count of zero
Logged messages for Notes client actions
What is logged when the Notes client (without Notes shared login enabled)
uploads a user's ID file for the first time?
Client log:
10/01/2008 03:26:52 PM ID for
'CN=Samantha Daryn/O=RECompany' could not be authenticated in vault 'O=newest'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: Entry not found in index on remote server
10/01/2008 03:27:12 PM ID 'C:\Program Files\Lotus\Notes\Data\user.id'
successfully uploaded/synchronized to vault 'O=newest' on server 'CN=pm1/O=RECompany'
by 'Samantha Daryn/RECompany'.
The error entry indicates that the client first tried synchronization with
the vault by looking for the user's entry in the vault to verify passwords
and it did not find the user's entry. The second entry indicates that the
ID file was properly uploaded.
Server log:
10/01/2008 03:26:45 PM Unable
to find ID for 'Samantha Daryn/RECompany' in vault 'O=newest'. Error:
Entry not found in index
10/01/2008 03:26:45 PM ID failed to authenticate in vault 'O=newest'.
'Samantha Daryn/RECompany' (IP address 9.33.164.153:2340) made request.
Error: Entry not found in index
10/01/2008 03:27:12 PM ID successfully synchronized with vault 'O=newest'
for 'Samantha Daryn/RECompany' (IP Address 9.33.164.153:2343).
What is logged when the Notes client is unable to upload the user's ID
file because the user's policy is missing or incorrect?
Nothing is logged anywhere because there
was no policy to tell the client to use the ID vault! Be aware that the
following steps must all take place in order for the ID file to be uploaded
the first time.
1. A proper effective policy must be created in the Directory.
2. It must replicate to the user's home server (delay depends on replication
configuration).
3. The policy view must be updated (delay is about 1 minute if the update task
is normally run).
4. The policy cache must be refreshed (delay may be about 10-15 minutes).
5. The user must authenticate with the home server, notice the new policy, and run
dynconfig to fetch the new policy (delay can vary).
6. Once the client knows that it should use the ID vault, it schedules an upload
sometime in the first 8 hours after it is started.
What is logged when the Notes client
performs a periodic synchronization with the vault (or the user does a
Switch ID), but no changes are found on either side?
Client log:
Nothing is logged.
Server log:
Nothing is logged.
What is logged when the Notes client
contacts an 8.5 server without a vault and is referred to a vault server?
Client log:
Nothing is logged.
Server log:
Nothing is logged.
What is logged when the Notes client
contacts the user's home server and all servers in the cluster to get a
referral, but the vault transaction fails because there is no referral
or all referral servers are down?
Client log:
Nothing is logged. However, setting
the NOTES.INI variable DEBUG_IDVAULT_SERVER_SELECTION=1 will log all the
attempts so that failures to perform vault transactions can be investigated.
Server log:
Nothing is logged.
Logged messages for ID vault administrator actions
What is logged when an administrator
creates a new ID vault?
Client log:
10/01/2008 02:53:22 PM ID Vault
'newest' with description 'Newest test vault' successfully created on server
'CN=pm1/O=RECompany'.
Server log:
10/01/2008 02:53:20 PM ID Vault
'O=newest' on server 'CN=pm1/O=RECompany' successfully created by 'Ida
Engel/RECompany' (IP address 9.33.164.153:2266).
What is logged when an administrator
creates a new ID vault replica?
Client log:
10/01/2008 02:56:23 PM Adding
server Millie/RECompany as a vault host Millie/RECompany was
successfully added.
Server log:
10/01/2008 02:53:20 PM ID Vault
'O=newest' on server 'CN=pm1/O=RECompany' successfully created by 'Ida
Engel/RECompany' (IP address 9.33.164.153:2266).
What is logged when an administrator
deletes an ID vault replica?
Client log:
10/01/2008 02:27:38 PM Removing
the server Millie/RECompany as a vault host Millie/RECompany
was successfully removed.
Server log:
10/01/2008 02:27:38 PM ID Vault
replica 'O=third' successfully deleted on server 'CN=Millie/O=RECompany'
by 'Ida Engel/RECompany' (IP address 9.33.164.153:2238).
What is logged when an administrator
deletes the last ID vault replica?
Client log:
10/01/2008 02:49:53 PM Delete
Vault /third
Server log:
10/01/2008 02:49:47 PM ID Vault
'O=third' on server 'CN=pm1/O=RECompany' successfully deleted by 'Ida Engel/RECompany'
(IP address 9.33.164.153:2260).
What is logged when a new ID vault
administrator is added?
Client log:
10/01/2008 02:31:43 PM Adding
administrator Joe Blow/RECompany to this vault Joe Blow/RECompany
was successfully added.
Server log:
Nothing is logged on the server.
What is logged when an ID vault administrator is removed?
Client log:
10/01/2008 02:39:56 PM Adding
administrator Joe Blow/RECompany to this vault Joe Blow/RECompany
was successfully removed.
Server log:
Nothing is logged on the server.
Note: Client log should say "Removing administrator
Joe Blow/RECompany from this vault..."
What is logged when a Password Reset Authority is added?
Client log:
10/01/2008 03:04:50 PM
PasswordReset Authority/RECompany will be able to reset passwords
for users in organization /RECompany
Server log:
Nothing is logged on the server.
What is logged when a Password Reset Authority is removed?
Client log:
10/01/2008 02:44:00 PM
PasswordReset Authority/RECompany will no longer be able to reset
passwords for users in organization /RECompany
Server log:
Nothing is logged on the server.
What is logged when a new Vault Trust Certificate is added?
Client log:
10/01/2008 03:00:54 PM Creating
vault trust certificate for /RECompany /RECompany was successfully
added.
Server log:
Nothing is logged on the server.
What is logged when a Vault Trust Certificate is removed?
Client log:
10/01/2008 02:47:04 PM Removing
vault trust certificate for /Orgb /Orgb was successfully removed.
Server log:
Nothing is logged on the server.
What is logged when an ID vault operation is attempted but the Vault Trust
Certificate is missing?
Client log:
10/01/2008 04:16:08 PM ID 'C:\Program
Files\Lotus\Notes\Data\user.id' failed to synchronize with vault 'O=newest'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: Missing or invalid Vault Trust certificate. Check the log
file for details. on remote server
Server log:
10/01/2008 04:16:07 PM Missing
or invalid Vault Trust certificate from 'Samantha Daryn/RECompany' to '/newest':
Entry not found in index
10/01/2008 04:16:07 PM ID failed to upload to vault 'O=newest'. 'Samantha
Daryn/RECompany' (IP Address 9.33.164.153:2458) made request. Error:
Missing or invalid Vault Trust certificate. Check the log file for details.
What is logged when an administrator creates a new ID vault policy?
Client log:
Nothing is logged.
Server log:
Nothing is logged.
Logged messages for actions by other authorities
What is logged when a Password Reset
Authority resets a user's password?
Client log:
10/01/2008 03:49:53 PM Password for 'Samantha Daryn/RECompany' with
0 downloads was reset on server 'pm1/RECompany'.
Server log:
10/01/2008 03:49:53 PM Password
for 'Samantha Daryn/RECompany' with 0 downloads was reset by 'Ida Engel/RECompany'
(IP Address 9.33.164.153:2401) from process nserver.
What is logged when an administrator
without password reset authority attempts to reset a user's password?
Client log:
11/17/2008 12:39:28 PM Failed
to reset password for 'Samantha Daryn/RECompany' with 0 downloads on server
'pm1/RECompany'. Error: Missing or invalid Password Reset Trust certificate.
Check the log file for details. on remote server
Server log:
11/17/2008 12:39:28 PM Missing
or invalid Password Reset Trust certificate from 'Samantha Daryn/RECompany'
to 'John Smith/RECompany': Entry not found in index
11/17/2008 12:39:28 PM Failed to set download count for 'Samantha
Daryn/RECompany' to 0. 'John Smith/ReCompany' made request (IP Address
9.33.162.148:2316) from process nserver. Error: Missing or invalid
Password Reset Trust certificate. Check the log file for details.
What is logged when a password reset agent authority
without password reset rights attempts to reset a user's password?
Server log:
11/17/2008 12:39:28 PM Failed
to reset password for 'Samantha Daryn/RECompany' with 0 downloads on server
'pm1/RECompany'. Error: Missing or invalid Password Reset Trust certificate.
Check the log file for details. on remote server
Note: Check whether the server has been added to the ID vault as a "password reset agent authority"; that should resolve the issue.
What is logged when a self-service
password reset application has been used to reset a user's password successfully?
Server log:
11/17/2008 02:49:22 PM Password
for 'Samantha Daryn/RECompany' with 1 downloads was reset by 'pm1/RECompany'
(IP Address 9.33.162.148:2425) from process nserver.
11/17/2008 02:49:22 PM Password for 'Samantha Daryn/RECompany' with
1 downloads was reset on server 'CN=pm1/O=RECompany'.
What is logged when a self-service
password reset application is used to reset a user's password, but the
self-service agent has not been signed by a user with the appropriate self-service
password reset authority?
Server log:
11/17/2008 02:30:50 PM Failed
to reset password for 'Samantha Daryn/RECompany' with 1 downloads on server
'CN=pm1/O=RECompany'. Error: Agent containing ResetUserPassword method
must be signed by a designated Password Resetter.
What is logged when a self-service
password reset application is used to reset a user's password, but the
server on which the application resides does not have password reset authority?
Server log:
11/24/2008 12:30:13 PM Missing or invalid Password Reset Trust certificate
from 'Samantha Daryn/RECompany' to 'pm1/RECompany': Entry not found in
index
11/24/2008 12:30:13 PM Failed to set download count for 'Samantha
Daryn/RECompany' to 0. 'pm1/RECompany' made request (IP Address 9.33.162.148:2351)
from process nserver. Error: Missing or invalid Password Reset Trust
certificate. Check the log file for details.
11/24/2008 12:30:13 PM Failed to reset password for 'Samantha Daryn/RECompany'
with 1 downloads on server 'CN=pm1/O=RECompany'. Error: Missing or
invalid Password Reset Trust certificate. Check the log file for details.
on remote server
What is logged when an administrator
extracts a user's ID from the vault knowing their current password?
Client log:
10/01/2008 03:57:31 PM ID 'D:\notesfile\admin.id' successfully downloaded
from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
10/01/2008 03:57:32 PM ID for 'Samantha Daryn/RECompany' was extracted
to 'D:\notesfile\foo.id' from vault 'O=newest' on server 'CN=pm1/O=RECompany'.
Server log:
10/01/2008 03:57:28 PM ID successfully downloaded from vault 'O=newest'
by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2418).
Note: The client logs two actions
- first an attempt to download the file, and then an extraction to the
specified file name.
The user's name mentioned above is the
owner of the ID file, not the administrator. The server cannot determine
the identity of the administrator because only the correct password is
used in the transaction to download the ID file.
What is logged when an auditor extracts
a user's ID from the vault?
Client log:
10/01/2008 04:03:47 PM ID 'D:\notesfile\admin.id' successfully downloaded
from vault 'O=newest' on server 'CN=pm1/O=RECompany' by 'Samantha Daryn/RECompany'.
10/01/2008 04:03:47 PM ID for 'Samantha Daryn/RECompany' was extracted
to 'D:\notesfile\foo.id' from vault 'O=newest' on server 'CN=pm1/O=RECompany'.
Server log:
10/01/2008 04:03:47 PM ID for 'Samantha Daryn/RECompany' successfully
extracted from vault 'O=newest' by auditor 'Ida Engel/RECompany' (IP address
9.33.165.38:4967).
Note: The client logs two actions
- first an attempt to download the file, and then an extraction to the
specified file name.
What is logged when an administrator
attempts to extract an ID file from the vault without using a password, but does
not have auditor privileges?
Client log:
10/01/2008 04:06:32 PM ID '' failed to download from vault 'O=newest'
on server 'CN=pm1/O=RECompany'. 'Samantha Daryn/RECompany' made request.
Error: You are not authorized to perform that operation on remote
server
10/01/2008 04:06:32 PM Failed to extract ID for 'Samantha Daryn/RECompany'
to 'D:\notesfile\foo.id' from vault 'O=newest' on server 'CN=pm1/O=RECompany'.
Error: You are not authorized to perform that operation on remote
server
Server log:
10/01/2008 04:06:32 PM ID for 'Samantha Daryn/RECompany' could not
be extracted from vault 'O=newest' by auditor 'John Smith/RECompany' (IP
address 9.33.165.38:4987). Error: You are not authorized to perform
that operation
Note: The client logs two actions
- first an attempt to download the file, and then an extraction to the
specified file name.
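The three extraction questions above, together with the password reset question earlier on the page, show that the server log names the acting administrator only for auditor extractions and password resets; a password-based download is logged under the ID owner's name, so the administrator behind it is not recorded. As an added example that is not code from the original page, the following Python script normalises those server-log messages into audit records that carry an explicit "actor" field, leaving it empty where the server could not attribute the action. The line layout, the sample lines and the action labels are assumptions of this example, not values from the page.

```python
"""Added example (not code from the original page): an audit-trail normaliser
for the privileged vault actions shown above (ID download by password,
auditor extraction, password reset). Each record states who the server could
actually attribute the action to.

Assumptions not stated on the page: the "MM/DD/YYYY HH:MM:SS AM|PM <message>"
line layout and the action labels used below.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample server-log lines, modelled on the messages shown above.
SAMPLE_SERVER_LOG = """\
10/01/2008 03:49:53 PM Password for 'Samantha Daryn/RECompany' with 0 downloads was reset by 'Ida Engel/RECompany' (IP Address 9.33.164.153:2401) from process nserver.
10/01/2008 03:57:28 PM ID successfully downloaded from vault 'O=newest' by 'Samantha Daryn/RECompany' (IP address 9.33.164.153:2418).
10/01/2008 04:03:47 PM ID for 'Samantha Daryn/RECompany' successfully extracted from vault 'O=newest' by auditor 'Ida Engel/RECompany' (IP address 9.33.165.38:4967).
10/01/2008 04:06:32 PM ID for 'Samantha Daryn/RECompany' could not be extracted from vault 'O=newest' by auditor 'John Smith/RECompany' (IP address 9.33.165.38:4987). Error: You are not authorized to perform that operation
"""

TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) (.*)$")
IP = r"\(IP [Aa]ddress ([\d.]+):\d+\)"
DOWNLOAD_RE = re.compile(r"ID successfully downloaded from vault '([^']+)' by '([^']+)' " + IP)
EXTRACT_RE = re.compile(r"ID for '([^']+)' (successfully extracted|could not be extracted) "
                        r"from vault '([^']+)' by auditor '([^']+)' " + IP)
RESET_RE = re.compile(r"Password for '([^']+)' with (\d+) downloads was reset by '([^']+)' " + IP)


@dataclass
class AuditRecord:
    ts: datetime
    action: str                      # "download", "auditor_extract" or "password_reset"
    subject: str                     # owner of the ID the action concerns
    actor: Optional[str]             # None when the server could not identify the actor
    ip: str
    outcome: str                     # "success" or "denied"
    downloads: Optional[int] = None  # download count stated in reset messages

    @property
    def attributed(self):
        return self.actor is not None


def parse_vault_admin_events(text):
    """Turn the server-log lines into audit records; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        msg = m.group(2)
        if (d := DOWNLOAD_RE.search(msg)):
            # Only the owner's password was presented, so the server logs the
            # owner's name; an administrator using that password is not recorded.
            records.append(AuditRecord(ts, "download", d.group(2), None, d.group(3), "success"))
        elif (x := EXTRACT_RE.search(msg)):
            outcome = "success" if x.group(2) == "successfully extracted" else "denied"
            records.append(AuditRecord(ts, "auditor_extract", x.group(1), x.group(4), x.group(5), outcome))
        elif (r := RESET_RE.search(msg)):
            records.append(AuditRecord(ts, "password_reset", r.group(1), r.group(3), r.group(4),
                                       "success", int(r.group(2))))
    return records


def unattributed_downloads(records):
    """Downloads whose actor the server could not name. These have to be tied to a
    person by other means, such as the client log, which records the extraction."""
    return [(r.ts.isoformat(), r.subject, r.ip)
            for r in records if r.action == "download" and not r.attributed]


def subject_timeline(records, subject):
    """Chronological (time, action, actor or 'unattributed', outcome) for one user's vault entry."""
    return [(r.ts.isoformat(), r.action, r.actor or "unattributed", r.outcome)
            for r in sorted(records, key=lambda r: r.ts) if r.subject == subject]


if __name__ == "__main__":
    recs = parse_vault_admin_events(SAMPLE_SERVER_LOG)
    for entry in subject_timeline(recs, "Samantha Daryn/RECompany"):
        print(entry)
    print("unattributed downloads:", unattributed_downloads(recs))
```

The timeline for the sample user shows the difference the page describes: the reset and the two auditor actions carry the administrator's name, while the password-based download is marked "unattributed" even though it happened from the same address as the reset. That unattributed entry is the one a reviewer has to reconcile against the client log of whoever performed the extraction.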