Novell Documentation: Novell SecureLogin 3.51 SP2 - Managing Administrative and User Settings

Managing Administrative and User Settings

This section provides information on the following:

Understanding the Configuration Hierarchy

You can apply SecureLogin settings to a Container object, a User object, or a workstation.

Container object
Settings applied to a Container object affect all users and objects in and below that Container object.
User object
Settings applied to a User object supersede the settings applied to a Container object or to a workstation.
Workstation
You can give users the ability to apply settings to a workstation. However, any settings applied to a User object supersede settings applied to a workstation.

Viewing SecureLogin Settings

You can view SecureLogin settings by using SecureLogin on the desktop, ConsoleOne, Microsoft Management Console in Active Directory environments, or SecureLogin Manager.

Click Settings.

The Description column (Setting Description in MMC and on the desktop) explains a setting's purpose or action.

The Value column lists the default or changed value.

The Source column (Inherited From in MMC and on the desktop) displays the origin of the setting's value. The origin can be one of the following:
- A default value
- Manually configured at the User object level
- An inherited value
Scroll to the desired setting.

The following table provides information on the settings. If you are running in standalone mode, not all settings are displayed.

Configuration Option	Description
Activate the Diagnostic Log File	Logs the details of use to the hard drive. Because this preference is used for debugging and troubleshooting, the default is set to No. If you need to investigate a SecureLogin issue on the workstation, set the value to Yes. NOTE: If you set this setting to Yes, expect a continuous increase in memory usage, similar to a memory leak.
Add Application Prompts for Internet Explorer (and Netscape) Java Applications Windows Applications	Provides a prompt to enable an application for single sign-on, if a script exists for the application. To prevent a prompt, change the value to No. If you disable the prompt, users can enable (for single sign-on) only those applications that you configure at the container or OU level.
Allow Single Sign-on to Internet Explorer Java Applications Netscape Windows Applications	Enables single sign-on to the application type. To prevent users from being able to single sign-on to these applications, set the value to No. In contrast to disabling the SecureLogin prompts, disallowing single sign-on access disables any single sign-on for the application type.
Allow Users to View and Change Settings	Enables users to customize their SecureLogin environment by using the Settings tab to change settings on their workstations. To prevent users from customizing, change the value to No.
Allow Users to View and Modify Scripts	Enables users to view and edit scripts, which are SecureLogin's instructions as to what to do concerning the application. When the value is set to Yes, users can use the New and Edit buttons on the Applications page. To prevent users from viewing and modifying scripts, set the value to No.
Allow Users to View Passwords	Enables users to check the Display Passwords check box and view passwords that they use to log in to applications. To prevent users (and anyone else) from viewing their SecureLogin passwords, change the value to No. The Yes setting is useful when a user's SecureLogin configuration needs to be reset. (The Clear Object Data or Clear Cache buttons reset the configuration.) Clearing object data deletes all use information, including passwords and passphrases that need to be entered when the user restarts SecureLogin. Allowing the user to view passwords enables the user to view and record passwords before object data (cache) is cleared.
Change the Cache Refresh Interval	Controls the number of minutes that SecureLogin waits before checking the container or OU cache for updates. The default is 5 minutes. Depending on your network and number of users, a recommended value is 240 minutes.
Customize Text for the Passphrase Setup Dialog Box	Enables you to personalize the text that appears in the Passphrase Setup dialog box that users encounter when they first use SecureLogin. Although you can type 8 lines with 64 characters on each line, limit your text to 415 characters. Otherwise, the text boxes hide the remaining text.
Detect Incorrect Passwords	We recommend that you set this value to No. The response to an incorrect password is included in the SecureLogin application connector (script).
Disable the Advanced Settings of Manage Logins	The Advanced option that is available from the SecureLogin task bar icon enables users to change SecureLogin settings, change their passphrases, and refresh the local cache. To prevent users from using this functionality, set the value to Yes. The Settings tab is then unavailable through either the Advanced option on the task bar icon or Manage Logins.
Disable Single Sign-On	By default, all users can single sign-on to Windows, Web, and terminal emulator applications. To prevent a user from using single sign-on, select the User object and change the value to Yes. In the snap-in to MMC, a Yes setting might cause the message "_wremove preference" to appear. If the message appears, click OK. You can ignore this message. It doesn't affect SecureLogin functionality.
Display the System Tray Icon	Whether the icon is displayed depends on the organization's security policies and preferences. To prevent users from displaying and accessing the system tray (task bar) icon, change the value to No.
Enable the File Cache	Enables SecureLogin to create and use cache files on the workstation. The cache file stores all user settings, including those inherited from higher-level containers and OUs. Settings are normally stored in a directory on the server. However, if the server is unavailable, or if you are using a laptop, the cache on the workstation is used. The cache is password protected and encrypted.
Enable the New Login Wizard on the System Tray Icon	Enables users to create multiple SecureLogin logins for the same application or server. To disable this feature, change the value to No.
Password Protect the System Tray Icon	Requires users to provide their network passwords before they can access options on the system tray SecureLogin icon. To require a password, change the value to Yes.
Prevent Users from Entering a Passphrase Question	By default, users can enter their own passphrase question, and then provide an answer. To require users to use a passphrase question that the administrator provides, set the value to Yes.
Stop Walking Here	Enables or disables inheritance settings from higher-level containers or OUs. Higher levels might have implemented a different version of SecureLogin. If inheritance from higher levels is required, set the value to No (default).
Use a Passphrase Policy	By default, SecureLogin doesn't require a passphrase policy. To require a passphrase policy, change the value to Yes, then edit and save the policy.

To access the Settings tab for Active Directory:

Select a Container or User object from the Active Directory Users and Computers in MMC, then select Properties.
Select the Settings tab from the SecureLogin SSO tab of the properties dialog box.

Configuring SecureLogin Settings

The Settings page enables you to control SecureLogin functionality. Users are able to view a subset of these settings. Depending on the values you set, users can change the subset of settings on their workstations. Local settings (subset) override user settings that you make.

You can't delete a setting. When you click Delete in SecureLogin or the snap-in to MMC, the setting changes to the default value.

Also, if SecureLogin can't enforce a policy, SecureLogin changes the specified value to a valid approximation. For example, if you set the minimum password length greater than the maximum password length, SecureLogin can't enforce that setting.

Click Settings.
Click a setting, click Edit, change the value by using the drop-down list, then click OK.

The following figure illustrates the Editing a Setting dialog box in ConsoleOne:

To customize text for the passphrase setup dialog box, type the text. The customized text replaces the default text.
Save changes by clicking OK or Apply.

Inherited fields in the SecureLogin Settings page don't apply until the corresponding settings are saved. To save inherited settings, click OK, close SecureLogin, then re-open SecureLogin.

Displaying the System Tray (Task Bar) Icon

When SecureLogin is installed, a Post-Install screen displays the following options:

If the Start SecureLogin on Windows Startup check box, SecureLogin places the SecureLogin icon on the task bar whenever the workstation is started.

To prevent users from displaying and accessing the task bar icon:

Using administrative tools, right-click the Container or User object, then click Properties > Novell SecureLogin > General Settings > Settings.
Select Display the System Tray Icon, then click Edit.
Using the drop-down list, change the value to No.
Save the changes by clicking OK twice.

If you turn off the SecureLogin icon on the task bar (workstation) and then use another tool to change the data, the changes won't take effect until the workstation is restarted.

Disabling the Local Cache

To use login data when you work offline, you can store login data in encrypted files on your workstation. By default, these cache files are located in the \documents and settings\profile\application data\securelogin\cache directory.

To disable the cache by using SecureLogin:

Right-click the SecureLogin icon on the task bar, select Advanced, then select Change Settings.
Select Settings > Enable Cache File.
Click Edit, set the value to No, then click OK twice.

To disable the cache by using administrative tools:

Right-click the Container or User object, then click Properties > Novell SecureLogin > General Settings > Settings.
Select Enable File Cache, click Edit, then set the value to No.
Save the changes by clicking OK twice.