For example, if the workstation is configured for LDAP mode, the server also must be installed in the same mode.
This is to ensure that SecureLogin detects the Citrix environment and installs the corresponding modules.
This is to ensure that all the users emon1
receive the same configuration.
Passthrough cannot happen if LDAPAuth is installed in Credential manager or Application modes on the Citrix server. On the Citrix client workstation, LDAPAuth can be installed in any mode.
To select Enable Password Field:
Right-click the Novell Client icon on the status bar (system tray), then click Novell Client Properties > Location Profiles.
In the Location Profiles window, double-click Default, then click Properties.
On the Credentials tabbed page, select Enable Password Field and then click OK.
Several components are utilized by SecureLogin to perform passthrough authentication. The modules differ depending on the passthrough configuration. The SecureLogin installation program detects the configuration and installs the correct modules to each device. For example, if the Citrix client is installed on the server and client, SecureLogin detects the corresponding components and installs them.
NOTE: Prior to NSL 3.51 SP1, this was a manual process.
The following illustration details how passthrough authentication works:
Passthrough authentication features the following:
The workstation must be configured to capture the user credentials on login to the server. This might be login to a Novell network, Microsoft network, or some other LDAP-compliant network. SecureLogin uses different modules to interface with the correct GINA in each environment. This allows the capture of the username, password, or any other variable during the normal boot/login of the client.
Different information is captured depending on the configured workstation environment. For a list of the runtime variables that are captured (for example, ?syspassword or ?sysuser), refer to "Using Symbols and Variables" in the Nsure SecureLogin 3.51.2 Scripting Guide.
The following table shows the environments and the corresponding module used.
Table 1. Workstation Components
Environment | Module |
---|---|
Novell Client32TM (with/without NMAS) |
slinac.dll |
LDAP |
slnmas.dll |
Microsoft Client |
sl_tscgina.dll |
Each module captures credentials from the corresponding login dialog box and stores them in encrypted form in the registry for SecureLogin to access. When SecureLogin loads, it reads the encrypted values from the registry, deletes the registry values, and stores them in the ?sys variables as explained below:
NOTE: The variables can be used in scripts for all applications that utilize the same credentials.
If, for some reason, Secure Login uses the wrong module, or if the module is missing, then when SecureLogin loads, it cannot copy the values to the corresponding ?sys variable. In such a scenario, if an application script utilizes the ?sys variables, the result is an error -426. Also, if passthrough authentication is configured, no credentials are supplied to the Citrix session and a second login is required.
Proper validation should be done to ensure that the credentials are captured correctly so that SecureLogin can provide them to either application scripts or passthrough authentication.
To ensure that SecureLogin client is able to read the workstation login credentials and store them in the ?sys variables, create a notepad.exe script to echo the values to a new notepad document.
Right-click the SecureLogin icon on the status bar (system tray), then click Manage Logins > Applications > New.
In the Create a New Application dialog box, select New Application.
In the Name edit box, type notepad.exe.
Leave the default (Windows) as the Type, then click Create.
Click Script, then copy and paste the following script:
## BeginSection: "Test Notepad Script to display sys variable"Dialog Class "Notepad" Title "Untitled - Notepad"EndDialogType \NType ?SYSUSERType \NType ?SYSPASSWORDType \N## EndSection:
To save the script and close all SecureLogin windows, click OK twice.
On the Windows task bar, click Start > Run.
Type notepad.exe in the Open field.
Launch notepad.exe and validate that the login credentials are written to the application.
If you receive a -426 error or if the wrong values are written to the document, it means proper modules are either not loaded or configured correctly.
The Novell client does not pass a password if you are logged into the Workstation Only mode. Also, in this mode, you cannot execute a login again and expect the ?sys variables to update. This process occurs only during the initial login process.
If, for some reason, while SecureLogin is working, a configuration change prevents the credentials from passing, SecureLogin might still appear to work and passthrough authentication might succeed as well until the user changes the network password. But then, instead of new password, the stored credentials are used for passthrough authentication.
NOTE: Make sure that you reboot the system and log in as a new user.
When prompted to change your password, click Yes and then change the user password. If the credentials get updated, this part of passthrough authentication is working properly.
IMPORTANT: SecureLogin supports password expiration through the Novell Client login. The option to change the Novell Client password after the completion of the boot-up process is not supported. If you change the directory password anytime after SecureLogin client loads, you must log out from the workstation and log in again for SecureLogin to pick up the new password.
Depending on the environment, SecureLogin utilizes the server module (corresponding to the client module) to perform passthrough authentication. The environment and the module details are given in the table below.
Table 2. Server Component Environments
Environment | Module |
---|---|
Novell Client32 (without NMAS) |
slinas.dll |
Novell Client32 (with NMAS) |
slnmas.dll |
LDAP |
slaa_sso.dll |
Microsoft Client |
sl_tsgina.dll |
On the workstation, the concern is capturing credentials from the users' initial login, while on the server side, the focus is on taking those captured credentials and passing them through to the configured GINA.
In addition to the components on the workstation and server, SecureLogin requires a method of communicating the captured information between the workstation environment and the actual Citrix session. SecureLogin performs this using a virtual channel. The server modules rely on the virtual channel to get the credentials from SecureLogin.
A virtual channel is a session-oriented, bidirectional, error-free transmission connection that can be used by Application Layer code for exchanging custom data packets between a Terminal Server and a Terminal Client.
There are three major Virtual Channel components in the Terminal Server:
Virtual Channel Driver (VCD): The heart of SecureLogin Terminal Server single sign-on; it liaises between server login extensions and SecureLogin single sign-on to perform all Terminal session single sign-on procedures.
Server Login Extension: Requests user login credentials from the VCD and initiates the login. After authentication, the login extension sends credentials back to the VCD to update the SecureLogin single sign-on data store.
SecureLogin uses two types of virtual channels in the Citrix environment named ICA and RDP. Two modules installed on the workstation and server allow the SecureLogin client to communicate with the specific virtual channel.
The following table provides the details:
Table 3. Details of Virtual Channel
Virtual Channel | Session | Client Interface Module | Server Interface Module |
---|---|---|---|
ICA |
Citrix ICA session |
vdslssoN.dll |
sl_ica.dll |
RDP |
Terminal server session |
tsslsso.dll |
sl_rdp.dll |
On the server, there is yet another module, named sl_vc.dll. This is the main interface module on the server and provides the interface to the VCDs. It determines which of the two different virtual channels to query for the passthrough credentials.
An additional component is used while you launch remote applications outside of an ICA/RDP desktop session. This is typically referred to as a published application.
Here, the user clicks a shortcut to launch a remote server application without opening a full desktop session. The module SLLauncher.exe is used to interface between SecureLogin and the remote application server. SLLauncher is used to start the required SecureLogin components on the server for an application to single sign-on.
For information on SLLauncher and its configuration, refer to the SLLauncher Switches.
NOTE: SLLauncher is not used in the actual passthrough authentication. SecureLogin uses slinas.dll, slnmas.dll, slaa_sso.dll, or the sltsgina.dll to set up the virtual channel.
The server detects whether the ICA protocol is present or not. If the ICA protocol is present, the server loads the ICA protocol. If the client is trying to establish a session using the RDP protocol, the server loads the RDP protocol and the session begins. By default, the server automatically responds to either the RDP or ICA protocol.The auto-detection feature is on by default. Because Windows NT 4.0 Terminal Server Edition (RDP 4.0) does not support the Virtual Channel operation, it does not respond to the client trying to establish a session using the RDP protocol.
You can do this by making the registry changes detailed below.
WARNING: Editing the Registry can cause irreparable damage to the system. If you are not sure of the process for adding these registry values, seek assistance from someone suitably experienced.
On the Windows task bar, click Start > Run.
Type regedit in the Open field.
The Registry Editor is displayed.
In the left panel, select HKEY_LOCAL MACHINE > SOFTWARE > Protocom > SecureLogin > VirtualChannel.
In the right panel, click Title.
The Edit String dialog box is displayed.
NOTE: All Registry values specified are of string type [REG_SZ]
Add the following entry:
"AutoDetect" = "0"
HINT: Make the following entry in the same key if needed during troubleshooting, to bypass the auto-detection feature and specify the protocol the server should use."Protocol" = "RDP" or "ICA"
The appropriate SecureLogin client interface module captures these credentials, encrypts, and stores them in the registry of the workstation.