The NMAS for Windows Logon support allows the smart card to be used for a workstation login when eDirectory is not available or eDirectory login is not desired. This is useful in situations where network connectivity is not always available, such as for laptop users.
To enable the NMAS for Windows Logon feature:
Install IAS (Identity Assurance Client) 3.0.8. IAS installation triggers Novell Client 2 SP3 for Windows (IR2a) and NESCM 3.0.8 (Novell Enhanced Smart Card Method) installation. For more information on the IAS installation, see Novell Enhanced Smart Card Method Installation in the Novell Enhanced Smart Card Method Installation and Administration Guide.
NOTE: NMAS Client 3.5.1 or later is required for NMAS Based Windows Logon to work. NMAS Client 3.5.1 is installed by default along with Novell Client 2 SP3 for Windows (IR2a).
During the NESCM installation, select the Use Smart Card for Workstation Only Login and Require Smart Card for Workstation Only Login check boxes according to your organization's security requirements. For more information, see Novell Enhanced Smart Card Method Installation in the Novell Enhanced Smart Card Method Installation and Administration Guide.
Enroll the workstation users with the eDirectory user.
After enabling the NMAS for Windows Logon feature, you can disable it for a specific workstation and exempt some users from using it.
After a successful eDirectory plus workstation login (enrollment), the NMAS for Windows Logon functionality encrypts and stores the credentials for future computer only logins. This means that a successful enrollment must have occurred before NMAS for Windows Logon functionality is available.
Insert the smart card that is configured in eDirectory. For more information, see Configuring the Server in the Novell Enhanced Smart Card Method Installation and Administration Guide.
On the Log on to OES Network page, enter the eDirectory username and PIN.
Click Show Advanced Options to display the Login dialog box.
On the eDirectory tab, specify the tree name, tree context, and the server name.
On the NMAS tab, select the sequence as Enhanced Smart Card, then click Apply.
Click the icon.
You are logged in to the network through the eDirectory credentials.
On the Log on to this Computer page, specify the Windows user credentials (username and password), then click the login icon.
You are logged on to the workstation through the Windows credentials.
Log out of the workstation.
For subsequent logins, you only need to provide the enrolled local username, the smart card, and the smart card PIN, and you are seamlessly logged on to the workstation.
Insert the smart card that is configured in eDirectory.
On the Windows 10 / Windows 8 / Windows 7 / Windows 2012 credential provider page, click Computer Only Logon to display the Log on to this computer screen.
Select the Use NMAS for Windows Logon check box, then enter the enrolled local username and the smart card PIN.
NOTE: You can also log in using your password if Require Smart Card for Workstation Only Login is not enabled at the time of IAS client installation. For more information, refer to <IAS Section>. Deselect the Use NMAS for Windows Logon check box for a Windows password based login. It is recommended to remove the smart card from the smart card reader during this login.
Click the icon and you are logged on to the workstation.
The Exception List is used to exempt some users from using NMAS based Windows Logon. It can be used only when the Require Smart Card for Workstation Only Login check box is enabled at the time of IAS client installation.
Open the Windows registry editor.
Create a key named Disconnected Login under HKEY_LOCAL_MACHINE > SOFTWARE > NOVELL > Login.
Right-click to create a value named Enforcement Exception List of type multi-string value.
Open the Enforcement Exception List entry, add usernames that have to be exempted from NMAS based Windows Logon, then click OK.
Enter each username on its own line, pressing the Return key after each one.
NOTE: The usernames can be in any of the following formats: simple usernames such as john, usernames preceded by domain names (for example, domainname\john), and UPN format usernames such as john@domainname.com.
Close the registry editor.
You have successfully created an exception list. Users in this list can log in using their password after deselecting the Use NMAS for Windows Logon check box on the Windows Log on to this computer page.
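The registry steps above can also be scripted and audited. The following PowerShell is an added example, not part of the original documentation: the key and value names come from the procedure, while the function names and the sample usernames are assumptions. Run it from an elevated 64-bit PowerShell session so the write is not redirected to WOW6432Node.

```powershell
#Requires -RunAsAdministrator
# Added example: manage and audit the exception list described in the procedure.
# Key and value names are from the procedure; function names are hypothetical.

$KeyPath   = 'HKLM:\SOFTWARE\NOVELL\Login\Disconnected Login'
$ValueName = 'Enforcement Exception List'

# Formats accepted per the NOTE: john, domainname\john, john@domainname.com
$NamePattern = '^(?:[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+|[^\\@\s]+)$'

function Get-NmasExceptionList {
    # Returns the exempted usernames, or an empty array if the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$ValueName | Where-Object { $_ -ne '' })
}

function Set-NmasExceptionList {
    param([Parameter(Mandatory)][string[]]$Users)

    # Trim, drop blanks and duplicates, then reject anything outside the three formats.
    $clean = @($Users | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
    $bad   = @($clean | Where-Object { $_ -notmatch $NamePattern })
    if ($bad.Count -gt 0) {
        throw "Unsupported username format: $($bad -join ', ')"
    }
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null   # creates the Disconnected Login key
    }
    # Multi-string value (REG_MULTI_SZ): one username per string
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString `
        -Value $clean -Force | Out-Null
}

# Constructed sample entries covering the three documented formats
Set-NmasExceptionList -Users 'john', 'domainname\john', 'john@domainname.com'

# Audit: list the accounts exempted from smart card enforcement on this workstation
Get-NmasExceptionList | ForEach-Object { "Exempt from NMAS based Windows Logon: $_" }
```

Because every entry in this value is an account that can log on with a password alone, periodically comparing the output of the audit function against an approved list helps catch unreviewed exemptions.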
Right-click the icon in the notification area.
Click Client Properties.
On the Advanced Login tab, select Suppress NMAS Support for Computer Only Logon, then select On in the Setting list.
By default, Setting is set to Off.
You have successfully suppressed the NMAS support for computer only logon for this workstation. In subsequent login attempts, you can log on to the workstation using a password.