Thursday, April 2, 2009

SnTT - The "You Cannot Authenticate Server" Error

Finally got to write this one down

I mentioned previously about my client that lost or corrupted their certifier IDs. you can't make this stuff up can you?

So way back when they had some person create their Lotus Domino infrastructure and used the name Bill & Ted as in
Adventure/Bill & Ted
for one of the server names.

Fine, not ideal, but you can work around it.

A few years later, their certifer IDs expired. And some one else came up with the brilliant idea to change the Organization name. Thus BillandTed was created.

Two problems ensued over time.
1) Not everyone was moved to the new Organization name for unknown reasons.
2) When other IDs expired, no one certified them properly or if they did they found the wrong certifier!

When we found them they warned us about this and I figured we would deal with it after the main project was completed. Well it is and we dealt with it.

One problem is you might see this error when playing with unknown certifiers:
server certificate error in Lotus Notes...NOT Domino

This threw me off the track a little. An odd message to say the least.

Searching the IBM Support toolbar I found this technote.

However, I do not agree, entirely with the recommendation. If indeed the cross certificates are bad, the ones found in the Notes/data/names.nsf fle under Advanced-Certificates then you can just delete them, hit Ctrl-shift-F9 and then start a new.

Either way you cross certify the new Organization name and if all is normal you get prompted for the cross certificate option to add it to your personal NAB.

Once we get everyone cleaned up, the CA (Certificate Authority) will be used and that should keep them out of trouble.

But wait, recent comments from the blogosphere about how in 8.5 you can not use ID Vault with the CA have come to light, see Paul Mooney's post for more details on how this all interacts.

Edited per Stepha's comments.

2 comments:

  1. Nice post and explanation. One little inaccuracy: They didn't change the Domain they changed the Organization. The Domain is behind the @ and not part of the certifier. We do however see that organization and certifier are named the same (except in IBM where the Domain is IBM[CountryCode] and the organization /IBM

    ReplyDelete
  2. Stephan, You are correct.

    I was thinking about the Notes Domain Name, which as you state is the O name. Which is NOT the same as the web addressing.

    Will edit so it is clearer.

    ReplyDelete