January 19, 2007
This is the Support Pack 1 (SP1) release for Novell SecureLogin 6.0. The product version for this support pack is 6.0.105.
Because the documentation is continuously updated, documentation is not included on the product CD or download image. Instead, documentation is provided on the Novell® Web site. By using this online documentation, you have the latest information, including documentation updates, for the following:
View or download the documentation at the Novell Documentation Web site.
When the LDAP authentication client is acting as GINA, Ctrl+Alt+Del enables the Change Password option. This helps users to change LDAP and Windows* user passwords.
This feature enables the LDAP client to verify the server certificate during SSL authentication, which prevents man-in-the-middle attacks on an untrusted network. The LDAP client authenticates the user only after verifying the server certificate, which prevents an unauthorized host from impersonating the LDAP server.
When the workstation is connecting to the network, the LDAP authentication client detects this and does not switch on the Workstation only mode. This feature is specifically required during wireless authentication or connection to the network when the LDAP GINA is present.
When the network is disconnected, the Workstation only mode is retained.
When LDAP is acting as a GINA and Windows system is configured for automatic admin login, the LDAP GINA performs an automatic login allowing the user to log in automatically using the auto admin login configuration information from the system.
This release of SecureLogin allows encryption of the user’s local cache file. This setting is enabled by default when setting Use smart card to encrypt Single Sign-On (SSO) data.
SecureLogin now has built-in support for the Mozilla* Firefox* browser, enabling single sign-on to Web pages. SecureLogin supports Mozilla Firefox version 1.5.
You can manually start the Web Wizard for those pages that have included security features to hide username and password fields on first load when using Microsoft* Internet Explorer.
The SecureLogin icon is automatically added to the toolbar of Internet Explorer, and can be selected at any time to initiate the manual web wizard.
Due to changes on the Hotmail site, the existing SecureLogin script no longer detects user password changes. SecureLogin now uses two new Predefined Application definitions (MSN Hotmail and MSN Hotmail change password) to allow for change of the user’s password.
You need to remove your previous Hotmail script and assign these new scripts to any user or container where Hotmail is being used and make sure that the application specific setting "Password field must exist on Internet Explorer page for Application Definition to run" is set to NO for the "MSN Hotmail change password" application definition.
If you are running SecureLogin on a Citrix server where roaming or mandatory profiles are in use, it is recommended that you set the following DWORD registry value:
HKLM\Software\protocom\securelogin\ForceHKLMandNoDPAPI, with the value entry set to 1.
This key allows a user to log into multiple machines simultaneously when operating within the preceding configuration constraints. It provides a workaround to the known Windows issue when using DPAPI and simultaneous logins.
The smart card Presence Detection requires the card to be present during single sign-on operations and administration. This option also checks whether a smart card has been removed after the start of the Single Sign-on session, which prevents swapping smart cards to copy a user's credentials.
For more information, refer to the Novell SecureLogin Administration Guide at the Novell Documentation Web site.
When using PKI-based credentials with a smart card to encrypt a user’s SecureLogin data, you can specify a search string in the security preferences to identify the certificate to be used for encryption. This certificate search criteria looks up the appropriate certificate based on a successful match against information in the Issued To and Issuer attributes. The Friendly Name is not a searchable attribute.
When using ActivClient to force PIN change on a user, SecureLogin does not pick up that the PIN has been changed during the current session. This affects users when they go to open the administrative GUI, or use other settings that involve password protection of the system tray icon.
To enable the change to be accepted, the user needs to log off and log back in.
When the PKI encryption option is turned off and the Lost Card Scenario option is set to Allow Passphrase, it is recommended that you set these options using SLManager instead of iManager.
When using Microsoft Active Directory* as the data store for SecureLogin, it is possible to use Microsoft Group Policy Objects (GPO) to manage Single Sign-on settings.
When SecureLogin reads the GPO it calculates a checksum to confirm that the file is not altered or deleted. SecureLogin will not load if the GPO is altered.
The current version of SecureLogin supports NMAS™ 3.2 and NMAS 2.7 for NMAS methods.
The current version of SecureLogin supports NMAS 3.0
The current version of SecureLogin supports NICI 2.6.8
When Novell SecureLogin is loading for the first time after an Active Directory password change event, you get a message saying, Unable to find a cache directory “C:\Program Files\ActivIdentity \SecureLogin\SecureLogin\Cache” - directory does not exist or user does not have sufficient rights Defaulting cache directory to c:\
To continue to load Novell SecureLogin, click OK. Novell SecureLogin loads successfully.
NOTE: You will get this message four times before Novell SecureLogin works as expected.
If you uninstall NICI before uninstalling Novell SecureLogin (NSL), you might get an error indicating that ldapaut.dll cannot be loaded during NSL uninstallation. Uninstall NICI after NSL is uninstalled.
When a user logs in to a workstation, NSL does not automatically recognize the iFolder 2.1.8 login window at startup.
The workaround is to manually add the Novell iFolder pre-built script and re-login to the workstation, after which NSL identifies the iFolder 2.1.8 login window.
When users attempt to log in to eGuide, NSL does not automatically prompt them to store eGuide authentication credentials.
When users attempt to log in to GroupWise 7.0.1 WebAccess, they are not prompted to store their credentials.
The recommended workaround is to activate the pre-built GroupWise WebAccess script. Once the script is enabled, NSL interacts with GroupWise WebAccess as expected.
When users attempt to access Novell Access Manager, they are not prompted to store their credentials; instead, they are redirected to IDP. However, the redirected login does not work.
On Windows 2000 Server, when a user cancels logging in to NSL in LDAP mode, a SecureLogin message prompts the user to select whether to perform SSO or not. In this scenario, using SSO to connect to a Web application might crash Internet Explorer.
Some web pages are configured in such a way that they provide information to SecureLogin in a different manner. When working on such web pages, the user can encounter the “Unable to instantiate scriptbroker module: 80070005” error message.
In such scenarios, set the registry value IESSO_USE_COM (DWORD, value '0') under \HKEY_LOCAL_MACHINE\SOFTWARE\protocom\securelogin. This registry value changes the method of interprocess communication between SecureLogin processes, providing a workaround to the web issue. It works across all web pages, that is, not only on the web page that throws the error.
To resolve this issue, insert the following registry value: HKLM\Software\Protocom\SecureLogin\IESSO_USE_COM (DWORD set to 0)
This version of Novell SecureLogin does not detect web login for Novell Access Manager authentication page.
However, you can configure this web page by selecting the SecureLogin icon in the Internet Explorer tool bar, which will trigger the manual web wizard.
You must manually delete the SecureLogin cache because it is not deleted during the uninstallation of SecureLogin. The HKEY_LOCAL_MACHINE\SOFTWARE\Protocom folder is also not removed from the system registry.
If you want to use a smart card to authenticate to SecureLogin and if ActivClient is installed in your system, ensure that you have installed the required versions of ActivClient.
At the time of this release, the recommended version of ActivClient is 5.4 and Hotfix FIXS0609014.
If a user tries to log into SecureLogin in the LDAP mode using the same smart card used to authenticate in the eDirectory™ mode, the authentication fails. This is because the SecureLogin smart card implementation sees them as two different users.
The security preference to use the AES algorithm to encrypt the SSO data in the directory can only be used on Windows XP or 2003 machines and not Windows 2000, because Windows 2000 does not support AES in the Microsoft cryptographic libraries.
When installed in Client32™ mode, SecureLogin does not take into account the case sensitivity of passwords while unlocking the system tray icon, if the Novell Client™ 4.91 SP2 is used. To use this feature, update the Novell Client to version 4.91 SP3.
You cannot unlock the SecureLogin system tray icon using the NMAS pcProx authentication. Unlock the icon by using the passphrase if you have enabled one, or by using your directory password.
When you delete credentials through iManager, they are not deleted from the local cache. Close and re-open the SecureLogin client to re-synchronize credentials with the eDirectory.
SecureLogin installation does not overwrite NMAS client 3.2.0 if it is already installed on the system. In this case, manually install NMAS 3.2.1. NMAS 3.2.1 is installed automatically during the installation of SecureLogin if NMAS is not present on the system or if the version present on the system is earlier than NMAS 3.2.
Every time the cache is refreshed, the number of grace logins allowed is reduced by one. This happens because every time the cache is refreshed, SecureLogin tries to re-authenticate to the directory.
If you enter an invalid location in the text box during the installation of Novell SecureLogin, an error message is displayed. The next time you attempt to enter a location in the text box, the Choose a Destination Location screen goes out of focus.
Novell International Cryptography Infrastructure (NICI) is installed automatically when SecureLogin is installed in any of the following modes:
However, if you uninstall SecureLogin, the NICI client remains because other Novell services (for example, NMAS and NetIdentity) might also need the NICI client.
If you plan to uninstall the NICI client, ensure that it is no longer needed before you remove it. To uninstall the NICI client, use Add/Remove Programs.
Make sure that the first user to log in after the install or reboot has administrative rights to the workstation.
Depending on what files were locked and the options that you select during an install, you might need to reboot the workstation. If this is the case, at the end of the install a dialog box prompts you to log in with administrative rights after the reboot.
User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named Error.
If you install SecureLogin with the SecretStore client in the eDirectory mode, you cannot add an application and name it App1 (for example) if a password policy already exists with the name App1.
Under the following conditions, you might not be able to log in to your workstation:
To solve the problem:
The NetIdentity client does not work if SecureLogin is installed in LDAP non-eDirectory mode. This is because NetIdentity requires the eDirectory environment to work.
When SecureLogin runs with the Novell Client, the client does not send a password change notification to SecureLogin. The old eDirectory password still unlocks the local cache.
For details, see TID 10092159 on the Novell Support Web site.
The predefined application definition does not work for the Citrix™ Program Neighborhood Client 9.1.5. Contact Novell Technical Support for an updated application definition.
If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.
The Secure Workstation Post-Login Method fails if you attempt to log in with it before configuring a Network policy for Secure Workstation.
To configure a Network policy:
Some settings, such as Password Protect the System Tray Icon, require you to use a network password. If Microsoft Active Directory has told a user to change a password during the next login, these settings fail and a system message (for example, Password expired or Wrong password) appears.
In Active Directory's MMC, the Current Object Version (displayed in the Advanced Settings page) might not update immediately when the directory database version is changed. To update, click OK, then exit the MMC Properties dialog box.
If you install the Quick Login/Logout Interface by modifying the SecureLogin install wizard (after installing SecureLogin and restarting the machine), the Quick Login/Logout Interface does not launch by itself. This happens if SecureLogin is already installed (with the Secure Workstation component) without selecting the Quick Login/Logout Interface.
To launch the Quick Login/Logout Interface, do either of the following:
Log in to the workstation again.
Start > Run, type nswqll, then click OK.
If the Enable Passphrase Security System option is modified, you must log in again before launching SecureLogin for the settings to take effect.
When users log in to a Web site and log out, NSL may prompt them to log in again to the same Web site. This occurs only on rare occasions and on some Web sites. If users click Yes and continue, one new login is added to the NSL client. Each time the user logs in with this option, the same login is added as a new login.
The DumpPage command might not work on all Web content types.
When you use iManager to add the predefined application to a container, some Web-based applications are incorrectly identified as Win32 applications.
Check the properties of each application after the addition to validate that the configuration is correct.
If you uninstall SecureLogin, the Mozilla Firefox browser displays an error message when it restarts. This error occurs because the Firefox extensions do not have command line parameters for uninstalling.
If this happens, uninstall the Firefox extension manually as follows:
A Mozilla Firefox message box, indicating the import of Internet Explorer settings, is displayed during the NSL 6.0 SP1 installation if Firefox has not been started before.
If this happens, click Import to import the Internet Explorer setting or click Cancel to cancel the import.
If you do not use a predefined application definition for Hotmail*, and you change the user password, SecureLogin attempts to log in with the old password and login fails.
If you configured the Hotmail predefined application in SecureLogin 3.51.3, the following error is displayed after upgrading from SecureLogin 3.51.3 to SecureLogin 6.0 SP1:
BROKER_SCR_UNMATCHED_QUOTES (-147)
If this happens, delete the old application definition for Hotmail and configure a new application definition.
The following NMAS methods are in the end of life phase and will be removed from a future release of the NMAS methods:
For more information, refer to the latest NMAS documentation.
If users log in with a post-login method (Secure Workstation), they are unable to log in after upgrading eDirectory to 8.8 SP1 or to NMAS 3.1.0.
Users can log in after upgrading to Security Services 2.0.2, available at http://download.novell.com/Download?buildid=9hi7-ELIZ64
If the password field in the Novell Client is disabled and the system tray icon is password-protected, a user cannot unlock the system tray icon.
When SecureLogin is installed, the NMAS client and, optionally, a number of NMAS login methods can also be installed.
However, if you uninstall SecureLogin, the NMAS client remains. Use Add/Remove Programs to uninstall the NMAS client and any NMAS methods.
If you plan to use the LDAP client and any NMAS method, do the following:
If you are currently using the Simple Password method and plan to continue using it with SecureLogin 6.0, you must install the Simple Password Login Server Method before installing SecureLogin 6.0. NMAS files are on the SecureLogin CD or in the download image.
If you log in using an NMAS method, any script that accesses the ?syspassword variable displays incorrect values (instead of the password) if you have not selected Enable Password Field in the Novell Client Login dialog box.
To select Enable Password Field:
When you do a silent installation of SecureLogin, the NMAS component is not installed. If you want SecureLogin to work with the NMAS client, you must manually install the client from the SecureLogin product CD.
NSL 6.0.105 creates TryRegCredInOffline, a registry DWORD value, in LDAP credential manager mode; the value is set to 1 by default if the LDAP and Windows user association is set.
This has the following behavior:
In Credential manager mode, after a successful Windows GINA login, LDAP authentication is performed using the Windows user credentials. If the network is not available to the workstation or the server is offline, the Windows user credentials are used for seamless login to NSL offline mode.
When the value is set to 0, NSL-LDAP retains the existing functionality. On a Citrix server, the SecureLogin local cache file is disabled and hence NSL cannot switch to offline mode. In this scenario, the value of TryRegCredInOffline should be set to 0.
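The three DWORD values this readme documents (ForceHKLMandNoDPAPI for Citrix with roaming or mandatory profiles, IESSO_USE_COM for the scriptbroker 80070005 error, and TryRegCredInOffline, which should be 0 on a Citrix server) are easy to audit and set in one place. The script below is an added example and is not Novell's code; it assumes an elevated PowerShell session and, as an assumption, also looks under Wow6432Node in case a 32-bit SecureLogin is installed on 64-bit Windows.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # One or more scenarios from this readme. With no scenario, the script only audits.
    [ValidateSet('CitrixRoamingProfiles', 'CitrixServer', 'ScriptBrokerError')]
    [string[]] $Scenario = @()
)

# The readme names HKLM\Software\Protocom\SecureLogin; the Wow6432Node path is an
# assumption for 32-bit NSL on 64-bit Windows and is only used if the first is absent.
$candidates = @('HKLM:\SOFTWARE\Protocom\SecureLogin',
                'HKLM:\SOFTWARE\Wow6432Node\Protocom\SecureLogin')
$keyPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $keyPath) { throw 'SecureLogin registry key not found; is NSL installed?' }

# Documented values, the scenario each applies to, and the value the readme recommends.
$documented = @(
    @{ Name = 'ForceHKLMandNoDPAPI'; Scenario = 'CitrixRoamingProfiles'; Value = 1
       Why  = 'roaming/mandatory profiles on Citrix: DPAPI and simultaneous logins' },
    @{ Name = 'TryRegCredInOffline'; Scenario = 'CitrixServer'; Value = 0
       Why  = 'local cache is disabled on Citrix, so NSL cannot switch to offline mode' },
    @{ Name = 'IESSO_USE_COM'; Scenario = 'ScriptBrokerError'; Value = 0
       Why  = 'web pages failing with "Unable to instantiate scriptbroker module: 80070005"' }
)

function Get-NslRegValue([string] $Name) {
    # Returns the current DWORD as an int, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $keyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Name
}

# Audit: print every documented value with its current state and recommendation.
foreach ($entry in $documented) {
    $current = Get-NslRegValue $entry.Name
    $shown = if ($null -eq $current) { '<absent>' } else { $current }
    Write-Host ('{0,-22} current={1,-8} recommended={2} when {3}' -f
        $entry.Name, $shown, $entry.Value, $entry.Scenario)
}

# Apply only the values whose scenario was requested; -WhatIf previews the change.
foreach ($entry in ($documented | Where-Object { $Scenario -contains $_.Scenario })) {
    if ((Get-NslRegValue $entry.Name) -eq $entry.Value) { continue }
    $target = "$keyPath\$($entry.Name)"
    if ($PSCmdlet.ShouldProcess($target, "set DWORD to $($entry.Value) ($($entry.Why))")) {
        # -Force creates the value if missing or overwrites it, always as REG_DWORD.
        New-ItemProperty -Path $keyPath -Name $entry.Name -PropertyType DWord `
            -Value $entry.Value -Force | Out-Null
    }
}
```

Run it with no arguments to audit, or for example with `-Scenario CitrixRoamingProfiles,CitrixServer -WhatIf` to preview the Citrix changes before applying them.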
Citrix passthrough fails if both of the following occur:
For a successful passthrough,
Citrix passthrough with SecureLogin fails with hardware-based NMAS methods (except for pcProx) when NMAS 3.0 (included with Novell Client 4.91) is installed on the Citrix server and NMAS authentication is enabled.
To resolve this issue, do either of the following on the Citrix server:
Citrix passthrough fails in the mixed mode scenario with NMAS 2.7 on the client and NMAS 3.x on the server.
In this case, upgrade all the clients to NMAS 3.2. Also, for non-password based authentication, disable the NMAS virtual channel.
SecureLogin using the Novell Client does not support non-password-based NMAS logins if the passphrase options are disabled. This is not supported because SecureLogin either fails to open the local cache or opens the local cache file without any password.
Offline authentication does not work if you do a non-password-based NMAS authentication with the Passphrase Security System disabled. This is because SecureLogin in offline mode accepts only passphrases for non-password-based NMAS authentication. This scenario occurs only if SecureLogin is installed in Novell Client mode.
NSL in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the eDirectory user's fully distinguished name (FDN) has 128 characters or more.
On VMWare*, SecureLogin in LDAP mode fails to detect the network connection status. Therefore, SecureLogin never switches to the Offline Login dialog box directly and always displays the LDAP Login dialog box.
If the NMAS Sequence Selection dialog box is disabled on LDAP, it means you have an earlier version of NMAS or you have not installed the simple password method on either the server or client. To use NMAS over LDAP, install NMAS 3.2 (available on the SecureLogin product CD).
?syspassword reflects the simple password for the currently logged-in user, if universal password is not configured on eDirectory. This happens when SecureLogin is installed in LDAP mode and NMAS is the authentication method.
If you are logged in to an eDirectory server using SecureLogin with LDAP and the NMAS mode of authentication, and universal password is not configured, you should use simple password to open the local cache in SecureLogin offline mode.
When you do an NMAS authentication in LDAP mode, if the SecureLogin system tray icon is password-protected and the universal password is not configured, you can unlock the icon only by using the simple password. It does not matter whether you have logged in to eDirectory using an enhanced password or an NDS password.
If you plan to use SecretStore on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.
The SecureLogin username should be auto-populated for pcProx authentication. This can be done by selecting the Use the Card Reader to Obtain Username for Login option during installation. The card is scanned using the LoginIDs snap-in for pcProx so that the username information is also scanned along with the card ID.
When logging in to the LDAP mode with NMAS pcProx and Secure workstation, after the pcProx reader successfully reads the card and logs the user in, the NSL dialog box appears again after several seconds and the pcProx method successfully logs the user in again. This login process is repeated continually.
If this happens, upgrade NICI to 2.6.8.2, because NICI 2.6.6 is incompatible with NMAS 3.x while running in LDAP mode with NMAS and pcProx.
The latest USB card readers have compatibility issues with the current pcProx method. For example, pcProx does not work with USB card reader model number bse-rfid1356I-usb.
While running TLaunch in the background, tlaunch.exe fails to terminate even after the full script is run or the EndScript command is executed. Tlaunch.exe continues to run even after signing in to the terminal emulator.
To resolve this issue, you can add the KillApp command to the end of the TLaunch script.
However, if you are running multiple copies of the terminal emulator, the KillApp command might kill all emulator sessions. To avoid this, use the keystrokes that you normally use to terminate the application. For example: Alt+F4, Alt+F+X, Ctrl+C, or Ctrl+X (depending on the terminal emulator or application that you use).
A fix for this issue is targeted for a later release.
This release of Novell SecureLogin does not support web wizard application management through iManager. Instead use SLManager.
If you open the iManager SSO snap-in with Internet Explorer as the browser on a client machine with SecureLogin running, the system might not respond immediately (for about 10 seconds).
Security tab options are not visible in iManager after upgrading from SecureLogin 3.51.305 if you set the Disable passphrase security option to Yes in SecureLogin 3.51.305 using ConsoleOne®. In this case, change the datastore mode in iManager to 6.0 to view the security settings.
If you set the Disable passphrase security option to Yes in SecureLogin 3.51.305 using ConsoleOne and later upgrade to SecureLogin 6.0 SP1, then configure the corporate redirection from a different container using iManager and then attempt to log in, the following error is thrown:
SecureLogin encountered an error during authentication
In this case, set the datastore mode in iManager SSO snap-in to 6.0.
The Activate the Diagnostic Log File option on the Settings tabbed page starts logging by itself. For advanced debugging, see TID 10088017 on the Novell Support Web site.
If you need information on LDAP Client registry settings, see TID 10093336 on the Novell Support Web site.
For support, refer to the following:
Customers can also call Novell Technical Support for technical support problems. The support phone number is 1-800-858-4000.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2006 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.