HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Needs Clarification
Workspace Domino
Categories Security
Created by Guest
Created on Jul 8, 2022

Forbid access to Domino server if id file password does not match ID Vault

There should be a new option to forbid access to Domino server for Notes client users using ID files with passwords that don't match the password in ID Vault.


Justification:

Currently it is complicated to forbid access to Domino from the Notes client for someone who has taken over the ID file and password of an existing user. Consider the scenario where an administrator is leaving the organisation and takes copies of valid ID files with their passwords along. With the new option, resetting the passwords in ID Vault would be a simple way to cope with such a situation. Of course there are some other ways - like key roll-over and then comparing public keys and/or using password checking - but using the ID Vault for this purpose would be so much simpler and quicker to deploy. The option to check the password against the ID Vault is already available for Internet protocols - why not for the Notes client?

Some other considerations:

- the option should be configurable per server

- maybe this option should work only if the server has its own replica of the id vault

- it should be possible to have configurable names/groups of users excluded from this check
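To make the proposed check concrete, here is an added Python model of the decision the idea describes; it is not HCL Domino code and does not reproduce Domino's real digest format, notes.ini semantics or data model. It keeps two digest stores (the ID Vault as the canonical copy, and a directory copy standing in for what the existing "check password on Notes IDs" feature consults), a per-server switch, the "only if the server has a vault replica" consideration, and an exclusion list. The user names, passwords, group name and the web-mail scenario (only the vault copy refreshed, as one commenter reports for SPR #RCAA8SFV9A) are constructed for the example.

```python
"""Toy model of gating Notes-client access on the ID-file password matching
the ID Vault. Constructed illustration of the idea in this thread, not HCL
Domino code; stores, names and work factor are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor; Domino's real digest is not modelled


def make_digest(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A server stores only this, never the plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def digest_matches(password: str, stored: tuple[bytes, bytes]) -> bool:
    salt, expected = stored
    _, actual = make_digest(password, salt)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


@dataclass
class Stores:
    """vault: canonical ID Vault digests. directory: the Person-document copy
    that the existing 'check password on Notes IDs' consults (assumed model)."""
    vault: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)
    directory: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)

    def change_password(self, user: str, password: str, update_directory: bool = True) -> None:
        # A Notes-client change or a vault reset refreshes both copies (assumed).
        # update_directory=False models the web-mail path the commenter reports,
        # where only the vault copy is refreshed and the directory digest goes stale.
        entry = make_digest(password)
        self.vault[user] = entry
        if update_directory:
            self.directory[user] = entry


@dataclass
class ServerConfig:
    """Per-server switch, vault-replica requirement and exclusions, as proposed."""
    require_vault_match: bool = True
    has_vault_replica: bool = True
    excluded: set[str] = field(default_factory=set)  # user names or group names


def authorize(cfg: ServerConfig, stores: Stores, user: str, groups: set[str],
              presented_password: str, source: str) -> tuple[bool, str]:
    """Decide Notes-client access; source is 'vault' (proposed) or 'directory' (existing)."""
    if not cfg.require_vault_match:
        return True, "check disabled on this server"
    if source == "vault" and not cfg.has_vault_replica:
        return True, "no local vault replica; check skipped"
    if user in cfg.excluded or groups & cfg.excluded:
        return True, "excluded from check"
    stored = (stores.vault if source == "vault" else stores.directory).get(user)
    if stored is None:
        return False, f"no digest for {user} in {source}"
    if digest_matches(presented_password, stored):
        return True, f"password matches {source}"
    return False, f"password does not match {source}"


def run_scenarios() -> dict[str, bool]:
    """Constructed scenarios from the thread; returns allowed (True) or denied per case."""
    stores = Stores()
    cfg = ServerConfig(excluded={"ServiceAccounts"})
    out: dict[str, bool] = {}

    # 1. A departing admin kept a copy of Alice's ID file and its password.
    stores.change_password("Alice/Acme", "correct horse")
    out["copied_id_before_reset"] = authorize(cfg, stores, "Alice/Acme", set(), "correct horse", "vault")[0]
    # The vault password is reset; the copied ID's old password no longer matches.
    stores.change_password("Alice/Acme", "battery staple")
    out["copied_id_after_reset"] = authorize(cfg, stores, "Alice/Acme", set(), "correct horse", "vault")[0]
    out["alice_new_password"] = authorize(cfg, stores, "Alice/Acme", set(), "battery staple", "vault")[0]

    # 2. Bob changes his password via web mail; only the vault copy is refreshed (modelled).
    stores.change_password("Bob/Acme", "old pass")
    stores.change_password("Bob/Acme", "new pass", update_directory=False)
    out["bob_directory_check"] = authorize(cfg, stores, "Bob/Acme", set(), "new pass", "directory")[0]
    out["bob_vault_check"] = authorize(cfg, stores, "Bob/Acme", set(), "new pass", "vault")[0]

    # 3. Exclusion by group, and a server with the option switched off.
    out["excluded_group"] = authorize(cfg, stores, "Bob/Acme", {"ServiceAccounts"}, "wrong", "vault")[0]
    out["check_disabled"] = authorize(ServerConfig(require_vault_match=False), stores,
                                      "Bob/Acme", set(), "wrong", "vault")[0]
    return out


if __name__ == "__main__":
    for case, allowed in run_scenarios().items():
        print(f"{case:26s} {'ALLOW' if allowed else 'DENY'}")
```

The two Bob cases are the point of the thread: a check against a copied digest can deny a legitimate user whose password was changed through a path that did not refresh the copy, while a check against the vault itself stays consistent. The Alice cases show the departing-admin scenario: one vault reset invalidates every copied ID file that still carries the old password.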


  • Guest, Sep 7, 2022

    @Thomas Hampel
    Thank you for your answer. Well, I mentioned 'password checking' myself in the above idea. In fact I use it together with IDV_RESETPASSWORD_DIGEST=2 in server notes.ini

    There are however some known issues between "check password on Notes IDs" and ID Vault with webmail (at least with iNotes). Please have a look at SPR #RCAA8SFV9A - still not fixed in 12.0.1 FP1 - I've just learnt about it the hard way in a mixed Notes client and iNotes user environment in which encryption is used a lot and password expiry is required. The issue in short is that changing the password of a Notes ID (stored in ID Vault) via iNotes does not update the password digest in the user's record in the NAB.

    Anyway, I think that basing server access for Notes clients upon match of password with ID Vault would be a very natural solution.


  • Admin Thomas Hampel, Aug 2, 2022

    How about enabling the existing feature "Check Password on Notes IDs"?
    https://help.hcltechsw.com/domino/12.0.0/admin/conf_settinguppasswordverification_t.html