ID vault notes.ini settings
The following notes.ini settings pertain to the ID vault.
ENABLE_AUTORECOVERY_FROMBADPASSWORD
Syntax
ENABLE_AUTORECOVERY_FROMBADPASSWORD=1
Default
None
Description
Replace the ID file in the ID vault with the local ID on the Notes client when synchronization remains stopped for longer than seven days due to mismatched passwords between the local and vault ID files. For more information, see Enabling automatic restart of ID file synchronization.
Applies to
Vault servers
IDVAULT_COUNT1
Syntax
IDVAULT_COUNT1=number
Default
None
Description
Number of Notes sessions since the Notes client last synced with the ID vault. This is a session counter that increments when the Notes client starts and zeroes out when the client syncs. This setting is used with IDVAULT_STAMP1.
Administrators don't control this setting.
Applies to
Notes clients
IDVAULT_RESYNC_INTERVAL
Syntax
IDVAULT_RESYNC_INTERVAL=<minutes>
Default
480 (8 Hours)
Description
This setting controls how soon after the last successful sync with the ID vault Notes clients attempt to sync again. The IDVAULT_STAMP1 setting records the time of the last successful sync.
The lower the IDVAULT_RESYNC_INTERVAL value, the sooner changes are synced. This setting also controls the balance between resources used on the server. The higher the value, the less balance between resources.
IDVAULT_RESYNC_INTERVAL=300
- When users don't run their Notes clients for extended periods, sync occurs automatically when they restart their clients. Weekends, holidays, and company shutdowns are taken into account so that a "sync storm" does not occur after those events.
- To prevent a heavy load on the server when the ID vault is first enabled for a large group of users, we stagger the time that each user attempts their first sync with the vault for the Notes session. This time is a random point between 1 poll cycle (default 5 mins) and the IDVAULT_RESYNC_INTERVAL value.
Applies to
Notes clients
IDVAULT_STAMP1
Syntax
IDVAULT_STAMP1=Date/Time
Default
None
Description
Last time a Notes client synchronized with the ID vault.
If it has been more than 24 hours since the last sync and IDVAULT_COUNT1 is greater than 4, then the client synchronizes immediately.
Otherwise, the IDVAULT_RESYNC_INTERVAL value added to this value determines when the client next attempts to sync with the vault to check for changes.
Administrators don't control this setting.
Applies to
Notes clients
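The sync timing rules described for IDVAULT_RESYNC_INTERVAL, IDVAULT_COUNT1 and IDVAULT_STAMP1, worked through as an added example (not HCL code). The function names and sample times are hypothetical, and the on-disk Date/Time format of IDVAULT_STAMP1 is not modelled, so values are passed as Python datetimes.

```python
from datetime import datetime, timedelta

DEFAULT_RESYNC_MINUTES = 480  # documented default for IDVAULT_RESYNC_INTERVAL
POLL_CYCLE_MINUTES = 5        # default poll cycle quoted on this page


def next_sync_due(stamp, count, now, resync_minutes=DEFAULT_RESYNC_MINUTES):
    """Return (when, reason) for the client's next sync attempt.

    stamp: IDVAULT_STAMP1, time of the last successful sync
    count: IDVAULT_COUNT1, Notes sessions started since that sync
    """
    # Rule 1: more than 24 hours since the last sync AND more than 4 sessions.
    if now - stamp > timedelta(hours=24) and count > 4:
        return now, "immediate"
    # Rule 2: otherwise the interval is added to the stamp.
    return stamp + timedelta(minutes=resync_minutes), "interval"


def first_sync_window(session_start, resync_minutes=DEFAULT_RESYNC_MINUTES):
    """Bounds of the random first-sync time used when the vault is first enabled."""
    earliest = session_start + timedelta(minutes=POLL_CYCLE_MINUTES)
    latest = session_start + timedelta(minutes=resync_minutes)
    return earliest, latest


# Constructed scenarios: (last sync, session count) evaluated at NOW.
NOW = datetime(2024, 3, 4, 9, 0)
SCENARIOS = {
    "synced 3h ago": (NOW - timedelta(hours=3), 1),
    "3 days stale, 5 sessions": (NOW - timedelta(days=3), 5),
    "3 days stale, 2 sessions": (NOW - timedelta(days=3), 2),
}

if __name__ == "__main__":
    for label, (stamp, count) in SCENARIOS.items():
        when, reason = next_sync_due(stamp, count, NOW)
        print(f"{label}: {reason} at {when}")
    print("first sync window:", first_sync_window(NOW))
```

With the default interval, a change made in the vault can take up to eight hours after a client's last sync to reach that client, which matters when estimating how quickly a password reset propagates.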
IDV_ENABLE_VAULT_SCAN
Syntax
IDV_ENABLE_VAULT_SCAN=value
IDV_ENABLE_VAULT_SCAN=1 enables maintenance of ID file synchronization
IDV_ENABLE_VAULT_SCAN=0 disables maintenance of ID file synchronization
Default
IDV_ENABLE_VAULT_SCAN=1
Description
Controls whether the Query Vault (qvault) command can be run. For more information on this command, see Monitoring ID synchronization.
Applies to
Vault servers, Domino Administrator clients
IDV_POLL_INTERVAL
Syntax
IDV_POLL_INTERVAL=<milliseconds>
Default
5000 ms (5 seconds)
Description
The maximum time allowed for an ID download from the ID vault to the Notes client. An ID download is attempted when a user provides an incorrect password or a new password after a password change. Specify a value in milliseconds.
IDV_POLL_INTERVAL=10000
- When a user enters the correct password for the ID in the vault but the ID is not downloaded within this period the user is told the password is wrong. The user must try again with the same password. To reduce the likelihood of this problem on slower systems, increase this maximum wait time.
- When a user mistypes the password and the vault server does not respond with an error quickly, the user must wait this amount of time before they are told that their password is wrong.
Applies to
Notes clients
IDV_RESETPASSWORD_DIGEST
Syntax
IDV_RESETPASSWORD_DIGEST=2
Updates the password digest field in a Person document after resetting a password in the ID vault.
Default
IDV_RESETPASSWORD_DIGEST=0 (No action)
Description
When you reset a password on a Notes ID in the vault and the Check password on Notes id file option is enabled in a user policy, use this setting on the Domino server with the ID vault to create an administration process request to update the password digest in the user's Person document to match the new password. Only ID files with this password digest can access the server after the administration process request is processed. For more information, see Resetting the password on an ID in a vault.
Applies to
Vault servers
IDVaultLastFlushTime
Syntax
IDVaultLastFlushTime=<date/time>
Default
None
Description
When the value of the IDVaultLastServer variable was last changed.
Administrators don't control this setting.
Applies to
Notes clients
IDVaultLastServer
Syntax
IDVaultLastServer=<vault server>
Default
None
Description
The name of the vault server last successfully used. This server is tried for ID vault transactions to avoid the cost of asking the home server for a referral list.
The variable is deleted every two weeks to ensure load balancing occurs among the vault replicas after a change in replicas or a replica failure / recovery.
Administrators don't control this setting.
Applies to
Notes clients
IDVault_Max_Auth_Failure_Cache_Size
Syntax
IDVault_Max_Auth_Failure_Cache_Size=<size>
Default
500
Description
The number of bad password entries in the bad password cache that trigger a log error when an ID vault is used. When a user enters a bad password, a bad password entry is made in a cache. The cache is cleared daily. If the limit is reached, an error is logged suggesting that too many people have entered bad passwords and the administrator should check the log for an attack.
IDVault_Max_Auth_Failure_Cache_Size = 1000
Applies to
Vault servers
IDVault_Max_Auth_Failures
Syntax
IDVault_Max_Auth_Failures=<number>
Default
10
Description
The maximum number of consecutive download attempts that are allowed in a day before attempts are denied. Consecutive failed attempts are kept in the bad password cache.
Applies to
Vault servers
SECURE_DISABLE_AUDITOR
Syntax
SECURE_DISABLE_AUDITOR=1
Default
SECURE_DISABLE_AUDITOR=0
Description
Applies to
Vault servers
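A configuration check for the vault-server settings listed on this page, as an added example (not part of the HCL documentation). It reports every setting whose value differs from the documented default. The sample notes.ini is constructed, the function names are hypothetical, and treating setting names as case-insensitive with the last occurrence winning is an assumption.

```python
# Documented defaults from this page for vault-server settings (None = not set).
DOCUMENTED_DEFAULTS = {
    "ENABLE_AUTORECOVERY_FROMBADPASSWORD": None,
    "IDV_ENABLE_VAULT_SCAN": "1",
    "IDV_RESETPASSWORD_DIGEST": "0",
    "IDVAULT_MAX_AUTH_FAILURE_CACHE_SIZE": "500",
    "IDVAULT_MAX_AUTH_FAILURES": "10",
    "SECURE_DISABLE_AUDITOR": "0",
}
# What a non-default value affects, paraphrased from the descriptions on this page.
NOTES = {
    "ENABLE_AUTORECOVERY_FROMBADPASSWORD":
        "vault ID is replaced by the local ID after seven days of password mismatch",
    "IDVAULT_MAX_AUTH_FAILURE_CACHE_SIZE":
        "changes how many bad password entries trigger the log error",
    "IDVAULT_MAX_AUTH_FAILURES":
        "changes how many consecutive download attempts per day precede denial",
}

# Constructed sample, not taken from a real server.
SAMPLE_NOTES_INI = """[Notes]
Directory=/local/notesdata
IDVault_Max_Auth_Failures=50
IDVault_Max_Auth_Failure_Cache_Size = 1000
SECURE_DISABLE_AUDITOR=1
IDV_ENABLE_VAULT_SCAN=1
"""


def parse_notes_ini(text):
    """Return {UPPERCASE_NAME: value}; tolerates spaces around '=' and the [Notes] header."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        settings[name.strip().upper()] = value.strip()  # last occurrence wins (assumption)
    return settings


def audit_vault_settings(text):
    """Return (name, configured, default, note) for each setting that differs from its default."""
    settings = parse_notes_ini(text)
    findings = []
    for name, default in DOCUMENTED_DEFAULTS.items():
        configured = settings.get(name, default)  # an absent setting means the default applies
        if configured != default:
            note = NOTES.get(name, "differs from documented default")
            findings.append((name, configured, default, note))
    return findings
```

Calling `audit_vault_settings(SAMPLE_NOTES_INI)` flags the raised failure thresholds and the changed SECURE_DISABLE_AUDITOR value; each finding is a prompt to confirm the change was intentional, not a verdict.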