Wednesday, October 20, 2021

My Collabsphere Session on TOTP/MFA and HCL Domino R12

Great to be speaking again at Collabsphere. 

This was the first of my 2 sessions, feel free to download it and ask any questions about it.

Tuesday, October 19, 2021

SnTT - TOTP Needs an ID file in the ID Vault to Work, What if some are Missing?


Yes, of course, a properly managed Domino environment should have been using the ID Vault for several years now.

But we all have customers who, for one reason or another, just never did it, or worse, think they did but never checked that it worked.

And then we hear from them out of the blue to help get TOTP installed and update their environment.

No big deal, right? Set up the ID Vault, and when people log in to their Notes client, their ID files get sent to the ID Vault. Newly registered people are also automatically added to the ID Vault.

But what do you do about people who solely use webmail/iNotes?

How do you get their IDs into the ID Vault?

This, I thought, would be an easy thing, but it turned out to be way more effort than first thought.

One option, I thought, would be to select the user in the Directory with the names.nsf open, right-click on their person document, and select upload ID to the ID Vault. A similar Action from the top menu bar option can be found in the Admin client when the Directory is not open.

Not so fast. 

First, the option and action did not appear. Second, even if they had appeared, we had 2 problems: where were these people's ID files, and the bigger issue, who had the passwords?

You see, when you upload ID files to the ID Vault, Domino asks for the password of each file being uploaded, and if it does not match, you are out of luck.

We could not resolve the 2nd problem. More on that in a minute.

For the first problem, I reached out to HCL Support to find out what happened to the action/agents.

Turns out they were in the template but not in the database.

After reviewing it with HCL, we found the customer had edited the People view of the Directory and set it to not update with changes from future templates.

We changed that setting in Designer (in the view's properties), ran a replace design on the Directory, and restarted the server; the action/agent items then appeared and worked.

Now, back to the ID problem.

How does one register new users without wiping out all their details in their existing person document in the most optimal way?

I figured I needed to look at registering people with a text file and how to do it so as not to change their existing internet password or wipe out their mail file.

11 years ago, I wrote this post, https://blog.vanessabrooks.com/2010/06/id-registration-via-text-file.html, waiting for the moment it would be helpful again.

Well, that day has come. However, to be fair, I have used it a few times over the years.

I also searched for how you create a user without creating a mail file. I did not get an answer to this in my searches or when asking some people, so I decided I just had to work around the issue. If anyone knows, please let me know in the comments, and I will edit this post accordingly.

Using the spreadsheet I had created back in 2010, I started working out what the syntax should look like to get this completed.

After a few tests, ok, maybe a few more tests, I realized I needed to maintain the file names but change the file directory. That way, dummy mail files would be created, which could be deleted, saving their existing mail files. However, the person document would now show the wrong location for the person's mail. Hang on, we will fix that soon too.

These people needed ID files in the ID Vault but would never use them otherwise. The ID files require a password, but we do not want it to sync with their Internet password, because that would overwrite the one they already use for webmail. Domino has a way to help us do this too; the explanation is below.

What does this spreadsheet look like before you copy the text to a .txt file? I figured I only needed a few fields, and these are the 6 I used:

LAST    FIRST    PASSWORD    FILE DIRECTORY    FILENAME    EMAIL

Now, the fun part is that you need a semi-colon (;) after every entry, blank positions included, so my registration text file ended up as 250 lines like this one (see the 11-year-old blog post for what goes in which position if you need more fields):

Brooks;Keith;;;PASSWORD;;;;mail2;kbrooks.nsf;;;;;;keith@b2bwhisperer.com;
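Building 250 of these lines by hand in a spreadsheet is where the typos crept in (see the issues list further down), so here is an added example, not code from this post or from HCL, that generates the lines and refuses anything that would shift the field positions. The positions it uses are read off the sample line above (last name 1, first name 2, password 5, mail directory 9, mail file name 10, email 16); every other position is left blank exactly as the sample does, and the meaning of those other positions is not assumed here. The random-password helper is my own choice for vault-only IDs nobody will ever type, so the ID password never has to be the user's Internet password.

```python
import secrets
from dataclasses import dataclass

# Field positions (1-based) taken from the sample registration line in this post:
#   Brooks;Keith;;;PASSWORD;;;;mail2;kbrooks.nsf;;;;;;keith@b2bwhisperer.com;
# Only the six fields the post uses are named; the other positions stay empty.
FIELD_COUNT = 16
POS_LAST, POS_FIRST, POS_PASSWORD, POS_MAILDIR, POS_MAILFILE, POS_EMAIL = 1, 2, 5, 9, 10, 16


@dataclass
class WebUser:
    last: str
    first: str
    mail_dir: str      # dummy directory (e.g. "mail2") so the real mail file is untouched
    mail_file: str     # keep the real file name so the person document stays recognisable
    email: str
    password: str = ""  # blank means "generate one"


def new_id_password(length: int = 24) -> str:
    """Random password for a vault-only ID (assumption: nobody types it). token_urlsafe never emits ';'."""
    return secrets.token_urlsafe(length)


def check_field(name: str, value: str) -> str:
    # A stray ';' inside a value would shift every later field and corrupt the line.
    if ";" in value:
        raise ValueError(f"{name} must not contain ';': {value!r}")
    return value.strip()


def registration_line(user: WebUser) -> str:
    """Build one line in the layout the post uses: 16 ';'-terminated fields."""
    if not user.mail_file.lower().endswith(".nsf"):
        raise ValueError(f"mail file should end in .nsf: {user.mail_file!r}")
    fields = [""] * FIELD_COUNT
    fields[POS_LAST - 1] = check_field("last", user.last)
    fields[POS_FIRST - 1] = check_field("first", user.first)
    fields[POS_PASSWORD - 1] = check_field("password", user.password or new_id_password())
    fields[POS_MAILDIR - 1] = check_field("mail_dir", user.mail_dir)
    fields[POS_MAILFILE - 1] = check_field("mail_file", user.mail_file)
    fields[POS_EMAIL - 1] = check_field("email", user.email)
    return ";".join(fields) + ";"


def registration_file(users) -> str:
    """One line per user; duplicate mail file names (the kind that slipped past editing) are rejected."""
    seen, lines = set(), []
    for u in users:
        key = u.mail_file.lower()
        if key in seen:
            raise ValueError(f"duplicate mail file name: {u.mail_file}")
        seen.add(key)
        lines.append(registration_line(u))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the post's own example row plus one made-up web-only user.
    sample = [
        WebUser("Brooks", "Keith", "mail2", "kbrooks.nsf", "keith@b2bwhisperer.com", password="PASSWORD"),
        WebUser("Abbott", "Bud", "mail2", "abbott.nsf", "abbott@example.com"),
    ]
    print(registration_file(sample), end="")
```

Paste the output into the .txt file you import in the registration dialog. Because the generated passwords are never shared with the users, keep the file itself out of reach once the import is done, the same way you would treat the names.nsf backup.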

But you need one more essential thing before starting the registering process for everyone.

If you click on Options from the Registration window menu, you will want to check "Allow registration of previously registered people", check "Don't prompt for a duplicate person", and select the most important option, "Update the existing address book entry".



When you use these settings, Domino will not stop for every duplicate user and just change precisely what we tell it to change in the person document.

In the registration form, you should make sure your ID Vault policy is set up for everyone.

As discussed earlier, we don't want to overwrite any existing Internet passwords; thus, you need to click on Password Options and uncheck "Set Internet Password"; otherwise, you will write over their current Internet password. HINT: Back up your Names.nsf before doing this, so if you do screw it up, you can get it all back quickly.

In the Mail tab of registration, set the mail template to use and leave the mail file name field with just the directory name; the .txt file supplies the rest.

Set the expiration date you want to use for everyone you are creating on the ID Info tab.

Now you import your .txt file, and Domino will tell you upfront if any of them have syntax issues.

Domino will then let you know if any person had issues or how many were completed when you run it.

Please test with 2-3 people first, make sure all fields and entries look right, and the mail file gets created where you specified.

So how do we change the mail file locations, which now were mail2 instead of mail for 250 people out of 500?

A few months back, I started adding scripts to Openntf.org under the snippets Admin Scripts area to help other admins and for just this purpose. 

I took one of the scripts, adapted it for the Mail File location field, and then selected the users to run it on, and in seconds they were all back to normal. 

I posted that new script on the OpenNTF site as well, in case anyone else needs to do this.

Afterward, we had a few issues like:

  • Some people we were told were solely web users were not. This meant they lost their ID certificate and could not log in. Easy enough to fix by copying the new certificate into their person document and replacing the old one. 
  • A few people in our spreadsheet had a mistyped email or mail file name, and a few similar names and file names got by us in editing. Easily fixed: we had a backup to verify what their fields should contain.

And there you have it, I know it sounds like a lot, but really, it is not that big of a deal.


Friday, October 8, 2021

SnTT - Changing Some, But Not All, Users' Mail Templates



You know how to convert one person, and you know how to convert a folder or a directory... But do you know how to convert just some people's templates in your company?

Well, here is my story, how I changed 250 out of 450 people's templates.

Feel free to do this another way, but this worked and worked well, once I figured out the syntax and other item details missing from the official documentation.

My hope is that you, and future me, will be able to benefit from this.

This is the original R12 Detail:

Upgrade all mail databases listed in a text file

You can create a text file listing databases you want to upgrade and use it with the mail conversion utility to upgrade only those databases. For example, you can create the text file MAILLIST.TXT to list all the mail databases you want to upgrade and save it in the directory C:\TEMP. This example finds all databases listed in MAILLIST.TXT, determines whether the databases use a design template name that matches Mail*, and replaces the designs of the matching databases with mail9.ntf, the Notes® 9.0.1 Social Edition mail template.

load convert -f c:\temp\maillist.txt mail*.ntf mail9.ntf

First, things to note that are ambiguous or wrong in the above documentation:

1) NOTE: C:\temp is a directory on the server, not on your admin client workstation.

2) Instead of mail*.ntf you need to put the template name, not the file name (as shown; I think that is a typo copied from a different option on the page and not edited correctly).

3) There are many options for the conversion tool so check the documentation page for specifics you may need.

Now for the fun, how do you do this!

No, wait, before we run the magic convert command, we need to create the .txt file and fill it out properly.

You probably need an export of your Directory people so you can sort out who you need and the right details.

Open your Admin client and go to the Files Tab and find your Mail folder.

Select ALL (Ctrl-A)

Open a spreadsheet and paste it all in there.

Now, we really don't need all of the data right now, but I needed it for my second act.

I need to create IDs for people in the ID Vault as some people are solely web users and TOTP only works if you have an ID in the ID Vault. More from me about TOTP at Collabsphere.

Back to your data, I suggest copying columns A and B for the moment into a new tab of your spreadsheet, so as not to mess with the data in case you need it again.

Now remove the people you don't need to fix, so the list is just the people whose templates you need to convert.

Next, add a column in front of the filename column which was column B.

In the first cell of the new column put in the mail folder name, which commonly looks like this: mail\

Copy that the length of your list.

Now in column D, in the first cell, use =CONCATENATE(B1,C1) and you will have a visual entry similar to this:

mail\abbott.nsf

mail\costello.nsf

mail\groot.nsf

Copy the D1 cell the length of your list.

Now select all the concatenated cells and copy them.

Open notepad or a text editor and paste them in there.

Save the file with a simple name, like templates.txt, and save it to your server.
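The spreadsheet steps above (paste the Files tab, keep the filename column, prepend mail\, concatenate) are exactly the kind of thing that hides a typo until load convert refuses the line, so here is an added example, my own code and not from this post, that does the same job from a CSV export and checks it. The export content is constructed; columns A and B (Title, Filename) are the two the post copies, and the "Template" column is an assumption I added so the list can be filtered to people still on the old design, which mirrors what convert itself checks.

```python
import csv
import io

# Constructed stand-in for the Admin client Files tab pasted into a spreadsheet.
# Title and Filename are the post's columns A and B; "Template" is an assumed column.
FILES_TAB_EXPORT = """Title,Filename,Template
Bud Abbott,abbott.nsf,StdR10Mail
Lou Costello,costello.nsf,StdR10Mail
Groot,groot.nsf,StdR10Mail
Tony Stark,stark.nsf,StdR12Mail
Bruce Banner,banner.nsf,StdR10Mail
"""


def convert_list(export_text, wanted_filenames, old_template, mail_dir="mail\\"):
    """Return (lines for load convert -f, skipped files) in the order the export lists them.

    Only files in wanted_filenames are considered; those already on a different
    template are reported as skipped; a wanted name missing from the export is a
    typo in your list and raises, instead of silently producing a shorter file.
    """
    wanted = {f.strip().lower() for f in wanted_filenames}
    lines, skipped, seen, missing = [], [], set(), set(wanted)
    for row in csv.DictReader(io.StringIO(export_text)):
        filename = row["Filename"].strip()
        key = filename.lower()
        if key not in wanted:
            continue
        missing.discard(key)
        if row["Template"].strip().lower() != old_template.lower():
            skipped.append(filename)
            continue
        if "\\" in filename or "/" in filename:
            raise ValueError(f"export already carries a path, do not prepend another: {filename!r}")
        if key in seen:
            raise ValueError(f"duplicate file name in export: {filename}")
        seen.add(key)
        lines.append(mail_dir + filename)  # e.g. mail\abbott.nsf, one per line
    if missing:
        raise ValueError(f"in your list but not in the export (typo?): {sorted(missing)}")
    return lines, skipped


if __name__ == "__main__":
    # Constructed list of the people to convert; banner.nsf is deliberately left out.
    to_convert = ["abbott.nsf", "costello.nsf", "groot.nsf", "stark.nsf"]
    lines, skipped = convert_list(FILES_TAB_EXPORT, to_convert, "StdR10Mail")
    print("\n".join(lines))          # this is the content of templates.txt
    print("skipped (already on another template):", skipped)
```

Start with the two-name test the post recommends: pass just two filenames, confirm the command runs, then feed the full list. The file written from the printed lines must end up on the server, since that is where load convert reads it.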

Now you are ready for the magic!

NOTE: TEST with 2 names first and see if they run. If not, you have a typo in the command, a syntax problem in the .txt file, or an incorrect directory name. Domino is pretty good here about telling you why it failed.

You need to stop the router to prevent any inbound mail issues/corruption.

At the server console, type: Tell Router Quit

Next, at the server console, type the following (make sure you use the old template name, NOT the filename, followed by the .ntf name of the one you require):

load convert -f -u e:\up\mailtest.txt stdr10mail mailX.ntf

-u will update the folders the user has created.

-f reads the names to update from the text file.

The server should start processing everyone.

Cool, right? 

UPDATE: To upgrade the mail designs of all users listed in maillist.txt to the new mail design without specifying an old template name, use: load convert -u -f maillist.txt * mailX.ntf

We also ran a program document to run updall -R overnight, just in case some people had inbox issues such as only seeing new mail and not the rest of their inbox; they may have been replicating at the time. DBMT should fix this, but if it only runs on weekends, you need a program document or just run it at the server console.



That's it, a little trial and error on my part to help all of you out there and let you go home earlier than I did the last few days.