Sanity Check

Blog Authors:  Roland Reddekop  


The Good and Bad of Domino ID Vault

Roland Reddekop | Tags: domino idvault | Comments (2)
First the good news.

I went to the Lotusphere 09 session on the new Domino 8.5 ID Vault feature and have read a number of articles about it, like this one at Dominoblog. All the technical descriptions I've read or heard seem to miss the easiest way to describe it: in a nutshell, ID Vault makes Notes and Domino function as if there were no ID file. If you are in the habit of logging into Notes from multiple workstations (e.g. a desktop and a laptop), no doubt you've experienced the occasional pain when your Notes ID passwords get out of sync, especially if your administrator has turned password checking on, as they should. Addressing this pain, the ID Vault synchronizes your ID files automatically. Secondly, if your ID file is deleted or damaged, the Vault can be configured to automatically download a copy of your ID file to your workstation (great when setting up new users). Third, ID Vault simplifies the help desk's job when users forget their passwords: the user calls the help desk, an authorized person resets the ID password in a jiffy with a couple of mouse clicks in Domino Administrator, the user logs in with the new password and all is well. In effect, your users could just forget the ID file even exists. Obviously this lowers security to some degree, but as long as your org isn't an army or a bank, it should be a good compromise for most. It's optional, and you can continue using the existing ID recovery process for all or any subset of your users.

Setting up the ID Vault was a little hairy. Access to your Cert.id file is required, and the copy I had on disk didn't match any password I had written down. Fortunately, if you've migrated your certifier to the CA process there is a copy of your Cert.id, along with a computer-generated password, in a document in the ICL NSF used by the CA process. If you can accurately type the mega-long automatically generated password, properly distinguishing the ambiguous characters 0 and O as well as 1 and l (I suggest displaying the password in a monospaced font), you can recover access to your Cert.id and change the password to something humans can type. I was lucky, and I count this as one of my nine lives expired. Otherwise this post would have stopped right here: the only recourse is to recertify your entire environment, which I imagine would not exactly be the most fulfilling experience, and I quite honestly can't say I would have pursued that option rather than turning a deaf ear to any talk of the ID Vault forthwith.

After finally setting up the ID Vault on the administrative server, I created a test security policy and, using Dynamic Policies (another new Domino 8.5 feature I just learned about), applied the security policy to just me and my Director. I was impressed that both our IDs magically appeared in the vault within seconds of restarting Notes.

Now the ultimate test. I bravely and confidently deleted my ID file (OK, I'm not that reckless; it went into the Windows Recycle Bin, plus I have copies on a couple of USB sticks, just in case). I started up Notes not knowing what would happen next. I entered my password and, with only a slightly longer pause than normal, up popped the Notes homepage. Checking my Data directory, there was my user ID restored, as if it never left. Cewl.

Now the bad news, part A.

I noticed that the date on our ID files inside the ID Vault was never more than 10 minutes old. I guessed that our ID files were being uploaded over and over. Lotus Support eventually confirmed this was the case and asked me to check for anything unusual in the administrative database (Admin4.nsf) used by the AdminP process. Boy, was there ever. There were thousands of HTTP password change requests in there, arriving as frequently as every 10 minutes. I was informed that there was a conflict with the security policy setting that automatically syncs the Internet password in your Person document when your Notes ID password changes. I was given SPR JRED7SNU25 as a reference but not told in which release this issue would be addressed. I was hoping for 8.5.1, but nobody knows. That's not good, as many of our users also rely on iNotes from home or when traveling. In effect this is two steps forward, one step back: replacing the password sync issue between copies of Notes IDs with a new sync issue between Notes and HTTP passwords. In our case, this will prevent us from implementing ID Vault until this SPR is addressed. I temporarily changed the test security policy to turn off the HTTP password sync, and otherwise everything works with ID Vault as expected.
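The loop described above (one HTTP password change request per user roughly every 10 minutes, thousands in total) is easy to spot once the request documents are exported. The script below is an added example, not code from the original post or from Domino: it reads a constructed CSV export of Admin4.nsf request documents (timestamp, request type, target user; the column layout and the request label are assumptions) and flags users whose password-change requests repeat in a tight run, while a single legitimate password change is left alone.

```python
"""Flag a Notes/HTTP password-sync loop in exported AdminP requests.

Added example; the export layout and the request label below are assumed,
and the sample records are constructed, not taken from a real Admin4.nsf.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed request label; match it to what your Admin4.nsf actually shows.
ACTION = "HTTP password change"

# Constructed export: one line per request document (timestamp,action,user).
SAMPLE_EXPORT = """\
2009-06-15 08:00:00,HTTP password change,CN=Alice Example/O=Example
2009-06-15 08:10:00,HTTP password change,CN=Alice Example/O=Example
2009-06-15 08:20:00,HTTP password change,CN=Alice Example/O=Example
2009-06-15 08:30:00,HTTP password change,CN=Alice Example/O=Example
2009-06-15 08:05:00,Rename Person in Address Book,CN=Alice Example/O=Example
2009-06-15 09:00:00,HTTP password change,CN=Bob Example/O=Example
2009-06-16 09:00:00,HTTP password change,CN=Bob Example/O=Example
"""


def parse_export(text):
    """Yield (timestamp, action, user) tuples from the CSV export."""
    for ts, action, user in csv.reader(StringIO(text)):
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, user


def find_sync_loops(text, action=ACTION, min_run=3, max_gap=timedelta(minutes=15)):
    """Return {user: (longest_run, median_gap_minutes)} for users with at
    least `min_run` consecutive requests no more than `max_gap` apart.
    A real password change produces one request; a loop produces a run."""
    per_user = defaultdict(list)
    for ts, act, user in parse_export(text):
        if act == action:
            per_user[user].append(ts)
    flagged = {}
    for user, stamps in per_user.items():
        stamps.sort()
        best_run, run, gaps = 1, 1, []
        for prev, cur in zip(stamps, stamps[1:]):
            gap = cur - prev
            run = run + 1 if gap <= max_gap else 1
            if gap <= max_gap:
                gaps.append(gap)
            best_run = max(best_run, run)
        if best_run >= min_run:
            median_gap = sorted(gaps)[len(gaps) // 2].total_seconds() / 60
            flagged[user] = (best_run, median_gap)
    return flagged
```

Running `find_sync_loops(SAMPLE_EXPORT)` flags only the user with four requests 10 minutes apart; the user whose two requests are a day apart is not reported.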

Bad news, part B.

Next, since we have 4-5 users on Macs running Notes 8.5, I targeted one of them with the same policy. His ID never uploaded to the vault. Another PMR and a few log files later, it seems clear that ID Vault isn't functioning for Mac, at least not for us. If anyone knows any different, let me know.

UPDATE re Mac & ID Vault (June 30): Since I am not getting much timely assistance from Lotus Support, I went ahead and applied this security policy to two other Mac users, and their IDs uploaded the following day, so it does not appear to be an issue where the Mac 8.5 client is not working with the ID Vault. It could be that the Mac users for whom it worked were clean installs and the one where it was not working was an upgrade install... just a guess, but I want to make it clear that if you have Macs, don't hold off on implementing because of my report of a problem with my initial test.

So, ID Vault in summary: great feature, we want it. But there's an SPR to address before we can use it in production here.

Comments

1 Bastian Wieczorek

Hi Roland,

do you have an SPR number for me that describes the Mac ID Vault problem?

2 Roland Reddekop

@Bastian

Support has not yet pinned down the cause of the Mac issue in our environment, thus no SPR yet. Our Domino is on the "i" platform (i5/OS) and our build level is hotfixed somewhere between 8.5 IF4 and IF5 (we don't seem to get the updates as quickly as Windows). I am not aware if this particular issue is unique to us or more universal. That is why I asked "If anyone knows any different, let me know."
