Monday, August 11, 2014

Using your Operating System Login for IBM Notes can "Poison" your IDs (and how to fix it)

For years, we've had it easy with Notes. We've had our ID files stored safely on a secure drive and whenever a user moved to a new desktop, we could simply copy their original ID over to their new machine and do most of the setup without them.

All that changed somewhere between Windows 7, Notes 9 and getting Notes to use the Operating System login. It's a good change, don't get me wrong, and it certainly protects the user's privacy and makes things more secure. Unfortunately, it also renders all of our IDs "Poisonous", and now we can't reuse them.

Instead, when opening an ID file on a new client installation, just after agreeing to "copy the file to the Notes data directory", we get messages telling us that Notes cannot open the ID file. Eventually I tried other ID files, only to find the same problem.

Fixing the Problem
As it turns out, there's a surprisingly easy fix for this. Simply generate a password-protected copy of the ID from the existing installation.

  1. On the working Notes client of the user who is moving, select File, Security, User Security.
  2. You'll be prompted to enter their Windows password; get them to do this and click OK.
  3. On the User Security screen, click Copy ID...
  4. Choose a location to save your ID.
  5. You will be prompted to enter a password for this new ID.
  6. Once your ID is saved, you'll be able to use it on new installations.

What happens when you don't have an existing installation to pick from?
So this procedure works very well if you're moving an existing user, but what if their hard disk got corrupted and they're forced to move without their ID?

I haven't tried this method but I've read about it in several forums...

Apparently you can delete the user from the NAB (using the Delete key, not the Domino delete user function).
I've also heard it said that you can do this by updating rather than deleting the NAB entry.

Next, create a new user with the same name, same short name and same internet address.
Make sure that you choose a different mailbox name though, or things could get ugly when it gets overwritten.

Choose to store the ID on disk and complete the registration process.

Go into the NAB record and change the person's mail file back to the desired location.

You should now have a working ID.

One thing to remember, though: creating a new ID will allow you to set up a user and access mail, but it won't let you get to any encrypted mail. That mail is linked more closely with the original ID.