Note These steps do not apply to authentication using an Extended Directory Catalog.

1. Test that authentication using directory assistance alone is working.

• Temporarily disable the directory catalog. Remove the directory catalog file name from the server's primary IBM® Lotus® Domino™ Directory. Remove the directory catalog file name from the Directory Profile and from the Basics tab of the Server document; the file name is probably stored in only one of these locations but if it is in both locations, remove the name from both.
• Restart the appropriate Internet protocol server task. For example, for a Web server, restart the HTTP task.
• Verify that the server can authenticate to each secondary Domino Directory configured in the directory assistance database that you want to use for authentication. If authentication fails, go to step 2. If authentication is successful, go to step 3.

If you are trusting for authentication only some of the aggregated directories, make sure you've created a Directory Assistance document for each of the directories to trust in which the users to authenticate are registered. In each Directory Assistance document, verify that you've done the following:
• Set "Trusted for credentials" to Yes for at least one naming rule in the Directory Assistance document. The rule or rules should correspond to the names of the Web users you want to authenticate.
• Enter the secondary directory's IBM® Lotus® Notes® domain in the "Domain Name" field. Do not enter: the name of the directory catalog, the name of the server's primary domain, or a domain name that is used in another Directory Assistance document. If you created the secondary directory manually and it's not associated with a Notes domain, make up a unique domain name.
• In the Replicas tab of the Directory Assistance document, make sure one of the replicas specified is the same replica of the secondary directory specified in the "Directories to include" field in the directory catalog Configuration document.

Do not specify a replica of the directory catalog.

4. In the "Additional fields to include" field of the directory catalog Configuration document, do the following:

• If you are accessing mail over HTTP, add the HTTPpassword field.
• If you are also accessing mail over IMAP/POP3, add MailServer, MailFile, and MailSystem fields in the "Additional fields to include" field.

6. If the server on which you ran the Dircat task is not the server doing the authentication, make sure you've created a replica of the populated directory catalog on the server, added the directory catalog file name to either the Directory Profile or the Basics tab of the Server document, and then restarted the server.

7. If you use name-and-password authentication, and you choose the server authentication option "Fewer name variations with higher security," make sure users provide either their hierarchical names or common names for authentication rather than first names, last names, or short names only.

8. If you include groups of users in database ACLs on the server, store those groups in the server's primary Domino Directory and/or in one directory configured in the directory assistance database that is enabled for group authorization.

See also

Name-and-password authentication for Internet/intranet clients
Directory catalogs -- Troubleshooting

Glossary