Lotus Domino Connector Logging

Hi,

I have been trying to enable the Lotus Domino Connector  (build  5.3.721.0) to log detailed information into some place. I've seen that this latest build switches to ETW logging. So I've added the following to the miiserver.exe.config file in the system.diagnostics/sources section:

                   

   <source name="ConnectorsLog" switchValue="Verbose" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="LotusNoteTextTraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\temp\notesconnector.log" /> 
</listeners>
   </source>

Unfortunately that is not working, I also tried eventlogging, but that didn't work either. Can anyone point me into the right direction?

Thanks in advance

February 11th, 2014 7:46pm

Okay, figured it out. At least the following listener configuration seems to work:

                         

   <source name="ConnectorsLog" switchValue="Verbose" switchType="System.Diagnostics.SourceSwitch">
<listeners>
<add name="MAEventTracingForWindowsListener"
type="System.Diagnostics.Eventing.EventProviderTraceListener, System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                       initializeData="{C4D0C1D4-909D-481b-B011-10E682A6009D}" />
</listeners>
   </source>

Dont know, why the other trace types (event log and text) didn't. You can then start a trace as per description in miiserver.exe.config. For example:

> logman start mysession -p {C4D0C1D4-909D-481b-B011-10E682A6009D} -o NotesMAETWtrace.etl -ets
> logman stop mysession -ets
> tracerpt NotesMAETWtrace.etl -o NotesMAEventTrace.csv -of CSV -summary NotesMAEventTraceSum.txt -report NotesMAEventTraceRpt.xml


That article here helped a lot

http://social.technet.microsoft.com/wiki/contents/articles/21086.how-to-enable-etw-tracing-for-fim-2010-r2-connectors.aspx

Please also note the Trace Source Name for the Lotus Domino Connector, it is "ConnectorsLog", I couldn't find that information anywhere, it's not documented.

  • Marked as answer by SteffenSc Wednesday, February 12, 2014 8:16 AM
  • Edited by SteffenSc Wednesday, February 12, 2014 8:20 AM additional information
Free Windows Admin Tool Kit Click here and download it now
February 12th, 2014 11:16am

Hi Steffen

Thanks for posting this info it has helped me log the info I need on my Lotus Domino connector.

The issue I am seeing is when trying to create a standard Notes Person document, my export just 'hangs'  at the following point when setting the MailServer

 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       SetnoteRegistrationInfo call"
 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       this.NotesRegistration.CertifierIDFile:C:\Program Files\Microsoft   Forefront Identity Manager\2010\Synchronization Service\MaData\Lotus Domino   MA\temp_cert.id"
Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       this.NotesRegistration.IsNorthAmerican:False"
 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       NotesRegistration.MailOwnerAccess: Manager"
 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       this.NotesRegistration.ShortName:SProbets"
 Log Level : Verbose  Method Name : DominoPerson :   SetMailProperty       this.NotesRegistration.CreateMailDb:False"
 Log Level : Verbose  Method Name   : DominoPerson : SetNoteRegistrationInfo       SetnoteRegistrationInfo call end."
 Log Level : Verbose  Method Name   : DominoPerson : RegisterUser       fileName : 130681SP.id"
 Log Level : Verbose  Method Name   : DominoPerson : RegisterUser       pathInfo : "
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     userIdFile :   C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization   Service\MaData\Lotus Domino MA\130681SP.id"
 Log Level : Verbose  Method Name   : DominoPerson : RegisterUser       userIdFile : C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization   Service\MaData\Lotus Domino MA\130681SP.id"

 Log Level : Verbose  Method Name   : DominoPerson : RegisterUser       MailServer : "NotesServer1"

Can I ask if you managed to successfully provision a Notes Person record with this MA and if you had any issues on the export step? My import works fine but despite trying multiple configurations on the exported Person we cannot get past the above step and the FIM sessions just 'hangs' at this point.

If you had any logs which show what happens after this step that would also be really useful as don't even know what should be happening at this point and there are no other errors being reported in Event Viewer etc.

Thanks

Andy

February 27th, 2014 1:22pm

Just a guess: pass the server name with its hierarchical name, e.g.: CN=NotesServer1/OU=OrgUnit/O=Org

Actually, it looks like the process stops when the call to notes is made to initiate the user registration. DO you see any errors in the Lotus Domino Server logs?


Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 1:42pm

We have tried using all the variations on Notes Server name. The last time I ran it was in the hierarchical name as it was shown in the MA CS.

It seems that no matter what changes we make in the export object it always fails at the same place in the log. Problem is I don't know what the next step is in the process so I cant tell where to look for the step it is stopping at.

Domino shows a session being created and then closed on the registration server but nothing happens on the mail server. So we moved the mail server to be the same as the registration server and that still fails as below as well. So I cannot tell what is happening at this point as I don't think it has reached the log yet.

Log Level :   Verbose  Method Name : DominoPerson :   RegisterUser     RegisterUser call   "
Log Level : Verbose  Method Name : DominoPerson :   GetCertifierPasswordKey     File making   start."
 Log Level : Verbose  Method Name : Utility :   MakeCertificateFile     Deleted File   :C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization   Service\MaData\Lotus Domino MA\temp_cert.id"
 Log Level : Verbose  Method Name : Utility :   MakeCertificateFile     File making   end."
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     certkey :   O=Company[names.nsf]:Password"
 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       SetnoteRegistrationInfo call"
    Log Level : Verbose  Method Name   : DominoPerson : SetNoteRegistrationInfo       this.NotesRegistration.CertifierIDFile:C:\Program Files\Microsoft   Forefront Identity Manager\2010\Synchronization Service\MaData\Lotus Domino   MA\temp_cert.id"
Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       this.NotesRegistration.IsNorthAmerican:True"
Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       NotesRegistration.MailOwnerAccess: Manager"
 Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       this.NotesRegistration.ShortName:JSMith"
 Log Level : Verbose  Method Name : DominoPerson :   SetMailProperty       this.NotesRegistration.CreateMailDb:True"
Log Level : Verbose  Method Name : DominoPerson :   SetNoteRegistrationInfo       SetnoteRegistrationInfo call end."
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     fileName :   130681SP.id"
Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     pathInfo : "
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     userIdFile :   C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization   Service\MaData\Lotus Domino MA\130681SP.id"
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     userIdFile :   C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization   Service\MaData\Lotus Domino MA\130681SP.id"
 Log Level : Verbose  Method Name : DominoPerson :   RegisterUser     MailServer :   CN=HO-26/O=Company"
February 27th, 2014 3:14pm

Well, the next step is a call via COM to the Notes Client (Domino.IRegistration).

Is a user registered in Notes? If not, then that is the call that fails.

How does the connector behave, does it stop or throw an exception? Or does it just hang?

Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 3:22pm

The MA just hangs. It never comes back from the 'running' status even though I did leave it overnight last night.

Do you mean manually call the Notes Client via a Visual Studio project?

Running the registration process directly in Notes Client is working fine as we already create a person object.

February 27th, 2014 3:26pm

Nope, the Notes Client is called via COM API of the Notes Client, the connector instantiates a COM object, opens a Notes session with it and then issues commands, like RegisterNewUser.

If that doesn't work, then your issue is most likely related to the Notes client you are running.

What version of Notes client are you using?

Could you also please check the event log for interesting messages?

I had a COM permission related issue after upgrading to the latest notes client. Please make sure that you have the LocalActivation Permission for your Synchronization Service Account on the LotusNotes.Session COM control. (AppID: {29131539-2EED-1069-BF5D-00DD011186B7}) 


  • Edited by SteffenSc Thursday, February 27, 2014 12:42 PM
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 3:41pm

We run Notes Client Revision 20110916.0921   (Release 8.5.3).

There was a missing permission on the COM side which I have added as you stated but even after a server reboot the export is still stopping at the same spot.

Nothing goes into the event logs on the FIM box and nothing seems to be appearing on the Notes Server event logs. Notes does record a session being created and then dropped in the Notes server log files though.

So it must be working part of the way through the process.

February 27th, 2014 4:47pm

To me this looks a Notes client issue... could you try to update to the latest client?
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 4:50pm

Have you populated a ShortName and all the other core attributes?

I don't think it's a client activation issue considering the NotesSession is successfully created, import works, etc.  8.5.3 is probably the most popular client version, although I suppose updating to 8.5.4 couldn't hurt.

It's unfortunate that the MA tends to log things after they happen rather than in advance of trying a large operation.  There are options to gather detailed logging info from the Notes client itself (for example, search for 'Notes client_clock', 'NSD', etc.).

February 27th, 2014 7:48pm

From what I can see the management agent checks if the shortname attribute has been populated, it will log something like: Invalid Attribute:ShortName missing. if any of the required attributes are missing.

Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 7:53pm

Yes ShortName, Full Name, DN and all the manadatory attributes (_MMS_xxxx values) have been populated.

When I did the initial exports I would get 'missing provisioning attributes' which I had to adjust to get an export which would not throw and error immediately (except that it never completed!).

ShortName is just a simple 'JSmith' style.

I used the TechNet articles on provisioning to double check my code as well and didn't see anything different.

We have also tried variations on whether the id file is created locally or in mail database and user types etc. Everything just stops at the same point in the log no matter what we try.

February 27th, 2014 7:58pm

Hmm, switching on Notes client logs could be a good next step, but it's uncharacteristic for Notes to hang on bad input rather than throwing an exception... and the NotesSession is necessarily functional at this point.  It looks like the MA does rather a lot of work between the last call in the trace logs you've gathered and the next time it pipes up.  Anything in the registration server's console or log.nsf?


Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 8:15pm

The Notes server shows a session being created from the FIM box which seems to correspond to events further up the log when it is setting the Person doc attributes.

Then it closes the session and when it reaches the end of the log file which references the mail server name nothing is ever detected at the Notes end.

February 27th, 2014 8:24pm

Sounds like it's hanging while submitting the registration request.  I've never seen this happen (the registration classes are pretty good about rejecting stuff they can't process) but would turn on the client_clock next.  Is the server at 8.5.3 as well?
Free Windows Admin Tool Kit Click here and download it now
February 27th, 2014 8:39pm

Turning on the Notes client_clock seems to have identified the issue although I am not sure what the solution will be.

The log file in Notes shows us this

28/02/2014 11:20:52.43 [04E0:0005-061C] Tcp_ProcessInit> enter
28/02/2014 11:20:52.43 [04E0:0005-061C] TCP_GetProcessEndpOptions> Get Security Options = 0h
28/02/2014 11:20:52.43 [04E0:0005-061C] Tcp_ProcessInit> return: 0h
The ID file being used is: O=COMPANY
This ID file requires multiple passwords.
Enter one of the multiple passwords (press the Esc key to abort):

This the last entry in the file and seems to be the reason the export never ends.

The issue is that we need to use a cert ID file which has multiple passwords assigned. We assigned one of them in the MA where we told it about the cert.id for that Org but it doesn't seem to accept it (or the MA does not use it as it shows the same when I put a known bad password in there as well).

Does anyone know if the MA can cope with a cert.id file which uses multiple passwords?

February 28th, 2014 2:28pm

Multi-password certifier IDs are a bit unusual, and I wouldn't expect them to function in this case.  Even Domino server setup with such a certifier ID fails.

Having worked extensively on a third-party Notes MA offered by my employer, I am all too familiar with the Notes registration API.  We chose to prioritize the Domino Certification Authority process over interacting with the certifier IDs directly and the result is much more supportable.

Free Windows Admin Tool Kit Click here and download it now
February 28th, 2014 6:02pm

OK I think we will need to raise this point with Microsoft to find out if it should be a supported option or not.

Thanks for the help. We have created a second cert in our Dev for a separate Org and we can now at least provision Notes person objects although we may have an issue in prod if we cannot use the multi-password version.

I don't suppose there are any Microsoft reps looking in this forum that can tell me if a multi-password certifier is supported on the Lotus Domino v8.x Connector?

March 3rd, 2014 1:41pm

You can of course raise a ticket with Microsoft, but I've confirmed that the Notes APIs in use by the MA do not support multiple-password IDs, and there is no commercially viable workaround.  Best bet would be to work on converting the certifier ID back to single-password.
Free Windows Admin Tool Kit Click here and download it now
March 4th, 2014 5:02am

Hi,

I tried this with the 5.3.1003.0 build but it I can't get it to work. Have you tried it with that build?

September 24th, 2014 4:53pm

How did you determine the GUID for the connector?  I've tried everything I can think of but do not seem to get any meaningful data.
Free Windows Admin Tool Kit Click here and download it now
January 29th, 2015 8:52pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics