When the Domino Certificate Authority and ID/password recovery features do not work correctly, they can be a source of great frustration to Notes/Domino administrators. Last month I wrote about the benefits of using these two features together. This new article will provide some additional information to help your implementation go smoothly. This information will for the most part apply to password recovery, whether or not you are using the Domino Certificate Authority. It will also discuss some improvements found in R7.
Resetting a password
Most of what is written about ID/password recovery (including my own articles) concerns how to set it up correctly. In practice, however, the feature is most commonly used to reset a forgotten password or restore a corrupted ID. The Notes documentation on these operations can be confusing, due to the different meanings of the word "password."
There are two key ideas for users to understand about password reset.
- You will be entering a string of characters given to you by a Notes administrator. This string of characters is neither your password nor the administrator's password, but a special token, whose purpose is simply to let you set a new password. The Notes documentation calls this token the "recovery password," which has confused some users and administrators, who attempt to enter the administrator's password.
- You are not recovering the password you forgot. You are unlocking the ID so that you can reset the password to a new value.
A user who forgets their password should take the following steps:
- Start Notes normally.
- When prompted for the password (which you do not know), press Enter.
- Notes will show a dialog box stating that an incorrect password was entered. Press the button marked Recover Password.
- Select the ID file to reset. For this step, you must know the location of your ID file. It is usually called user.id or firstname_lastname.id, and is usually in the Notes\Data directory. In some organizations, the ID files are all kept in a shared network folder.
- You will see a list of "recovery administrators" -- people who can help you reset your password. The dialog box will also show you how many of these people you must call to complete the reset process.
- Call some of the administrators listed and ask them for your recovery password. Write down the recovery passwords carefully -- they are usually 16 characters long.
- Enter the recovery password(s) given to you by your administrator(s) in the "Enter Passwords" dialog box. When you have done so correctly, your ID will be unlocked and you will be prompted to enter a new Notes password.
- If you maintain more than one copy of your Notes ID file (e.g., on a laptop or USB memory stick), be sure to replace those copies with the updated ID file containing your new password.
To help a user reset a Notes ID password, an administrator should take the following steps:
- When a user calls asking for a recovery password, go to the server-based ID Recovery database.
- Find the latest backup ID for that user, and detach it to a temporary directory. The name of the file will usually be ~~tmpid.ide.
- Using Domino Administrator, choose the option Configuration / Certification / Extract Recovery Password. Enter your own password when prompted.
- You will be shown the recovery password for this user. It is usually 16 characters long, so read it carefully to the user.
Recovering an ID file
Recovering a lost or corrupted ID file is the same as resetting the password for an existing ID file, with one addition. Before the process can begin, ask a Notes administrator to send you the latest encrypted backup copy of your ID file (from the ID Recovery database).
Since you are locked out of your Notes workstation, the administrator cannot simply send the ID to you by e-mail. You will need to retrieve the backup ID file either by going to the administrator's office, by using a co-worker's e-mail account, or by having the file put on a diskette or CD and sent to you by snail mail.
Once you have the backup ID file, install it into the Notes\Data directory on your computer. If the file comes to you with a temporary name, such as ~~tmpid.ide, you should rename it to something more meaningful, such as firstname_lastname.id.
(If all IDs are stored in a shared network folder, the administrator may do some of these steps for you, by placing the ID file directly in the network folder. In some cases, administrators can put the ID file directly onto your C drive.)
Password reset can now proceed just as outlined above, as if you had forgotten the password for the ID.
Backup IDs in recovery database
When an administrator makes changes to recovery information in a certifier, that information is pushed out to each user's ID file. In turn, a new encrypted backup copy of the ID file is sent from each user to the ID Recovery database on the server. Both of these operations happen silently and automatically. In some instances, however, administrators have reported that Notes takes a long time to send users' backup ID files to the ID Recovery database. If this is the case, here are some tricks that may move things along.
- Each user's client location document must be set up correctly, pointing to their correct home/mail server, with correct settings on the Mail tab of the location document.
- In order for the backup ID to be sent to the server, each user's Notes client must be idle for 10 minutes after connecting to their home server, with no dialog boxes open.
- Each user's ID file must be stored on a local drive and must be writable. (There is conflicting information about whether the backup ID process supports ID files stored on shared network folders. I would assume that network folders are supported, but you should be aware of this question in the event you have unexplained problems.)
- If a user has left their workstation on for many days without the backup ID process completing, they should restart it.
- As a last resort, users can manually change their password, which may prompt Notes to send their backup ID to the server.
Notes/Domino R7 contains two useful additions to the password recovery feature. The first is that the length of the recovery password is configurable, so it can be less than 16 characters. This is helpful if the users in your organization often forget their passwords, and if you are willing to sacrifice some security (a shorter recovery password is easier to guess) for convenience. The second enhancement is better logging of Notes client operations during the silent process of sending new recovery information to user ID files and transmitting new backup IDs to the server. These log entries are found in the local log.nsf on each user's workstation.
One final word of advice that applies to all versions of Notes/Domino: Certifiers themselves, whether top-level or organization unit, cannot be reset by password recovery. So be sure to remember those certifier passwords. For further information, you can check out Domino Administrator 7 Help / Index / IDs / Recovering or Notes 7 Help / Index / Passwords / Recovering.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes.