ID Update Error After Resigning ID

Mindwatering Incorporated

Author: Tripp W Black

Created: 05/18/2011 at 10:01 PM


Category:
Using Lotus Notes
Issue Troubleshooting

Issue:
User has been recertified as a simple renewal, an OU move, or a name change. It appears to succeed, but afterwards the user sees this message:
"Error updating local ID file: The information in the supplied certificates from the Address Book entry is out of date"
In addition, the user's access to secure (encrypted) fields may no longer work.

Probable Causes and Solutions:
The ID's public key is newer than the one the server holds in the Person document of its Domino Directory. Normally, when a public key mismatch is detected, the new key from the Person document in the Domino Directory is applied to the ID. However, the client aborts that update when it detects that the ID is somehow newer than the Directory, which produces the error above.

This can happen from one of these scenarios below:
1. Notes Administrator made a mistake. The user was recertified/renamed/moved in the organization hierarchy, but accidentally against the "Local" (workstation) copy of the Domino Directory rather than the server's. If there was a copy of the Person doc in someone's Personal Address Book, the operation would succeed there. However, it would never replicate back up to the server, since the local address book and the server's Domino Directory are not replicas of the same application/database. The public key needs to be pasted from the ID into the server's Person doc.

2. Notes Administrator may or may not have made a mistake. The user was recertified/renamed/moved in the organization hierarchy, and the current/selected server was not the "Administrative Server for the Domain". Typically, they accidentally did the recertification against a test box that has the same O cert.id. This test box is a different domain. To fix, simply copy the public key from the ID or the test system's person doc over the "real server's" person doc.

3. Another variation of #2, they did it against the proper server, but the Domino Directory didn't replicate the Person doc change to the mail/application Domino server where the user is getting the error.
This can happen if:
- a. Replication is broken between two servers, in which case this is probably a widespread issue rather than one user's problem. Look for replication failure messages in the server logs.
- b. The user is in a secondary directory that Directory Assistance trusts for authentication, and that directory is not updating properly from the "sister company's" Domain/Domino Directory.
- c. The secondary DA database isn't being collected properly into a Directory Catalog, so the Person document the server sees in the Directory Catalog is an old copy. In that case, verify that the catalog is being updated regularly.

4. The server suffered a drive failure and was restored from a copy of the Domino Directory/Domain taken at an earlier date/time, before the recertification took place. The Person doc is obviously old and predates the new public key. Simply copy the public key from the ID over the one in the Person doc.

Notes:
Domain = Domino Directory: the collection of servers and users that share a common Domino Directory.

The public key can be pulled via the ID properties using either the regular Lotus Notes client or the Admin client.
For the Lotus Notes client, do --> File --> Security --> User Security --> Enter user password if prompted --> Your Identity --> Your Certificates --> Other - Choose the option to export or copy the public key.
For the Admin client, do --> Configuration tab --> Tools (on right) --> ID properties --> Select the ID --> Enter user password --> Choose the option to export or copy the public key.
