Thursday, September 24, 2020

Do you know how to fix the problem that a Domino server is not able to decrypt fields in a NotesDocument encrypted with its public key?

Hello

I am experiencing a problem that one of my Domino servers can't read encrypted field(s) from SSO configuration documents.

I did it tons of times in the past and I am sure I am doing everything correctly this time as well.

I've added notes.ini parameters to debug SSO and got this:

[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Reading configuration LtpaToken [last read on ], view ($WebSSOConfigs) has changed [last updated on 23.09.2020 01:36:40].

[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Looking for primary Name and Address Book.
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Found [1] Name and Address Book(s), opening first [names.nsf].
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Opened Directory [DHANDLE 0x000000D6], opening configuration view [($WebSSOConfigs)].
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Found view [NOTEID NT0000031E] for view [($WebSSOConfigs)], getting view collection.
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Opened view collection [DHANDLE 0x000000D1], searching for config [LtpaToken]
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Found note [NOTEID NT00006DB2] for config [LtpaToken], opening.
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> Opened note [DHANDLE 0x00000019] for config [LtpaToken], decrypting.
[59771:00002-4091922128] 24.09.2020 17:48:31,32 SSO API> ERROR: when reading configuration [You cannot access portions of this document because it is encrypted and was not intended for you, or you do not have the decryption key.].

The funny thing is that the Domino domain contains two servers and the other Domino server does not have any issues - the same Web SSO configuration document works OK there.

I would like to ask you to share any ideas about what else is worth checking to resolve the problem.
Please find some details below.

The SSO document contains two server names + my name in "Public Encryption keys" field:

The document is encrypted


SSO config is also pretty standard (both servers do not use Internet Documents):
   


As I said - all works well on the second server but the first server can't read SSO keys.

I know how RSA encryption works (at least I think so) and I double-checked that the public key in the server document was exactly the same as it was in its server.id.


Can you please advise what else to check/try?





