Novell SecureLogin Readme 7.0 SP1 Hot Fix 2

July 20, 2010

1.0 Documentation

The following sources provide information about Novell SecureLogin:

2.0 Introduction

Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. It eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.

This document introduces the new features in this version of Novell SecureLogin and lists known issues related to the administration, functioning, and other aspects of Novell SecureLogin.

For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site.

3.0 Prerequisites

3.1 Mandatory Post-Installation Step

After installing SecureLogin 7.0 or 7.0 SP1 in eDirectory LDAP mode or NDS mode, you must immediately extract the fix FIX701100501_185 and run its ndsschema schema file to extend the schema. This step is required for SecureLogin to function correctly.

3.2 Using NICI in LDAP v3 and Novell eDirectory Modes

Novell SecureLogin operates in LDAP v3 (non-eDirectory) mode and in Novell eDirectory mode. In either mode, install Novell International Cryptographic Infrastructure (NICI) before installing SecureLogin on any platform. Otherwise, the installer displays an error message indicating that NICI is not installed and stops.

On the following platforms, you must install both the 32-bit and the 64-bit NICI manually:

  • Microsoft Windows Vista 64-bit in eDirectory, LDAP (non-eDirectory), and LDAP v3 mode

  • Microsoft Windows Server 2008 (64-bit)

3.3 Using Client Login Extension with Novell SecureLogin

Novell Client Login Extension can also help users recover a forgotten Novell Client login password. For password recovery for the Novell Client to work, install the Novell Client before installing the Client Login Extension tool.

3.4 Using the SLLogging Manager on Microsoft Windows Vista

The SLLogging Manager utility is provided to enable advanced logging for support purposes.

Because of User Account Control restrictions on Microsoft Windows Vista, the SLLogging Manager must be run with elevated privileges.

Right-click the SLLogging Manager application and select Run as administrator. Changes made through the SLLogging Manager are then written to the registry correctly and the relevant log file is created.

3.5 Installing on Microsoft Windows Vista

Before installing SecureLogin on a Windows Vista machine, ensure that the operating system has the latest security patches and service packs, and the required Microsoft redistributables (32-bit or 64-bit), installed. Otherwise, the SecureLogin installation fails with the error message "NSL Event Service failed to start".

4.0 New Features in Hot Fix 1

4.1 Enhanced Wizard Support

Novell SecureLogin 7.0 introduces an enhanced administrative wizard. The wizard engine has been improved to provide a unified and intuitive process; the primary improvement is a single wizard that manages different application types.

Using the wizard, you can create application definitions for Web, Windows, and Java applications. The new wizard simplifies the configuration of complex application definitions.

4.2 Enhancements to Scripting

This version of Novell SecureLogin provides multiple scripting enhancements so that application definitions can accommodate complex scenarios.

4.3 Support for Microsoft Windows Platforms

This release supports:

  • Microsoft Windows Vista SP1 (32-bit and 64-bit)

  • Microsoft Windows Server 2003 SP2 (32-bit and 64-bit)

  • Microsoft Windows Server 2008 SP2 (32-bit and 64-bit)

  • Microsoft Windows 7 (32-bit and 64-bit)

  • Microsoft Windows XP

4.4 Support for .NET Framework

This version of Novell SecureLogin requires .NET Framework 3.5 SP1 or later. The installer does not install the .NET Framework; SecureLogin can use only a .NET Framework that is already present. If the .NET Framework is uninstalled later, SecureLogin does not warn that it can no longer use it.

4.5 Novell SecureLogin Event Service

The Novell SecureLogin Event Service is a client-based tool that periodically polls the Windows Event Log, retrieves the SecureLogin events, and sends them to the audit server. On a syslog server, you can then view all SecureLogin events, or selected ones, sent from every system that is configured to run this tool. The Event Service is installed as part of the SecureLogin installation.
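The following script is added here as an illustration and is not part of the SecureLogin Event Service or any Novell code. It does what the paragraph describes with standard PowerShell: it polls the Application event log, picks out events from one source, formats each as an RFC 3164 syslog line, and sends it to a collector over UDP. The event source name (SecureLogin), the collector host (syslog.example.com) and the port (514) are assumptions; substitute the values for your deployment.

```powershell
# Added example: a minimal SecureLogin event forwarder in PowerShell. This is not
# the Novell Event Service; it only shows the mechanics the readme describes.
# Assumptions (not stated on the page): events appear in the Application log
# under the source 'SecureLogin', and the collector listens on UDP/514.
param(
    [string]$SyslogHost      = 'syslog.example.com',   # assumed collector
    [int]   $SyslogPort      = 514,
    [string]$EventSource     = 'SecureLogin',           # assumed source name
    [int]   $IntervalSeconds = 60
)

# RFC 3164 PRI = facility * 8 + severity; facility 4 (auth) suits login events.
function Get-SyslogPriority {
    param([string]$EntryType)
    $severity = switch ($EntryType) {
        'Error'        { 3 }   # err
        'FailureAudit' { 4 }   # warning
        'Warning'      { 4 }   # warning
        default        { 6 }   # info
    }
    return 4 * 8 + $severity
}

# One event becomes one RFC 3164 line. The day is space-padded, as the RFC requires.
function ConvertTo-SyslogLine {
    param([System.Diagnostics.EventLogEntry]$Entry)
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $t   = $Entry.TimeGenerated
    $ts  = '{0} {1,2} {2}' -f $t.ToString('MMM', $inv), $t.Day, $t.ToString('HH:mm:ss', $inv)
    $pri = Get-SyslogPriority $Entry.EntryType
    # Collapse line breaks so a multi-line event stays a single datagram.
    $msg = ($Entry.Message -replace '[\r\n]+', ' ').Trim()
    return "<$pri>$ts $env:COMPUTERNAME SecureLogin[$($Entry.EventID)]: $msg"
}

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Connect($SyslogHost, $SyslogPort)

# Track the last forwarded record index: -After alone would resend events that
# share a timestamp with the last one seen.
$lastIndex = 0
$since     = Get-Date
$newest    = Get-EventLog -LogName Application -Newest 1 -ErrorAction SilentlyContinue
if ($newest) { $lastIndex = $newest.Index }

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $batch = Get-EventLog -LogName Application -Source $EventSource -After $since -ErrorAction SilentlyContinue |
             Where-Object { $_.Index -gt $lastIndex } |
             Sort-Object Index
    foreach ($entry in $batch) {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes((ConvertTo-SyslogLine $entry))
        [void]$udp.Send($bytes, $bytes.Length)
        $lastIndex = $entry.Index
        # Back off one second so events with the same timestamp are still fetched;
        # the index filter above keeps them from being sent twice.
        $since = $entry.TimeGenerated.AddSeconds(-1)
    }
}
```

Run it elevated on the client, for example from a scheduled task. UDP syslog is neither authenticated nor encrypted, so point it at a collector on a trusted network segment or use a TCP/TLS transport where the collector supports one; in production, the Event Service shipped with SecureLogin is the supported path, and this script only shows the mechanics.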

4.6 Support for Oracle Forms

Novell SecureLogin 7.0 SP1 supports Web-enabled Oracle Forms applications.

4.7 Support for Client Login Extension

Client Login Extension 3.7 provides password recovery support for applications that are accessed through Novell SecureLogin 7.0 SP1. The password recovery support is available for graphical authentication interfaces such as GINA and Credential Provider for LDAP clients, Novell Client, and Microsoft clients. Clients in the Windows 7 and Windows Vista operating systems support the Credential Provider model of graphical authentication interface. Clients in other operating systems support the GINA model of graphical authentication interface.

NOTE: Among the Windows Vista (64-bit) editions, Client Login Extension support is available only for the Enterprise Edition.

Password recovery through the Client Login Extension tool is also available on locked workstations and on workstations where user operations are controlled by Desktop Automation Services (DAS).

NOTE: In an Active Directory environment, password recovery support for the Credential Provider is available on all platforms except Windows 7 and Windows Vista.

5.0 New Features in Hot Fix 2

5.1 Smart Card with DAS Integration

In earlier versions of Novell SecureLogin, the workstation's Active Directory authentication was used to log in to SecureLogin. This version allows the user to log in separately with smart card credentials.

To support this feature in Desktop Automation Services, the on-cardmon element has been modified. The changes to smart card handling and to Desktop Automation Services allow switching users with a smart card in Active Directory mode.

5.2 Configuring pcProx card format

This version of Novell SecureLogin allows the user to configure support for different pcProx card formats. If no card format is configured, the default behaviour applies: all bits of the raw card data are treated as the Card ID.
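The following PowerShell function is an added example, not SecureLogin code, showing what the card format decides. The reader hands over raw bits; with the default (no format configured) the whole bit string becomes the Card ID, while a configured format picks out the facility code and card number and can verify the parity bits. The 26-bit layout used below is the common H10301 (Wiegand) layout, assumed here for illustration; the sample card read is constructed, and the product's own configuration keys are not shown on this page.

```powershell
# Added example, not SecureLogin code: how a pcProx card format decides which
# bits become the Card ID. The H10301 layout and the sample read are assumptions
# used for illustration only.

# Count the 1 bits in a window and check its parity.
function Test-WindowParity {
    param([string]$Bits, [int]$Offset, [int]$Length, [bool]$Even)
    $ones = ($Bits.Substring($Offset, $Length) -replace '0', '').Length
    if ($Even) { return ($ones % 2) -eq 0 }
    return ($ones % 2) -eq 1
}

function ConvertFrom-ProxCardBits {
    param(
        [Parameter(Mandatory = $true)][string]$Bits,  # raw bits as delivered by the reader
        [hashtable]$Format = $null                    # $null = readme default: all bits are the Card ID
    )
    if ($Bits -notmatch '^[01]+$') { throw 'Raw card data must be a string of 0/1 bits' }

    if ($null -eq $Format) {
        # Default behaviour from the readme: the entire raw value is the Card ID,
        # so facility code and parity bits are folded into the identifier.
        return New-Object PSObject -Property @{
            Format       = 'default (all bits)'
            FacilityCode = $null
            CardId       = [Convert]::ToUInt64($Bits, 2)
            ParityOk     = $true   # no parity bits are defined, nothing to check
        }
    }

    if ($Bits.Length -ne $Format.Length) {
        throw "Format '$($Format.Name)' expects $($Format.Length) bits, reader delivered $($Bits.Length)"
    }
    $parityOk = $true
    foreach ($p in $Format.Parity) {
        if (-not (Test-WindowParity -Bits $Bits -Offset $p.Offset -Length $p.Length -Even $p.Even)) {
            $parityOk = $false
        }
    }
    return New-Object PSObject -Property @{
        Format       = $Format.Name
        FacilityCode = [Convert]::ToUInt64($Bits.Substring($Format.FacilityOffset, $Format.FacilityLength), 2)
        CardId       = [Convert]::ToUInt64($Bits.Substring($Format.CardOffset, $Format.CardLength), 2)
        ParityOk     = $parityOk
    }
}

# Assumed 26-bit H10301 layout: even-parity bit, 8-bit facility code,
# 16-bit card number, odd-parity bit.
$Wiegand26 = @{
    Name = 'H10301 (26-bit)'; Length = 26
    FacilityOffset = 1;  FacilityLength = 8
    CardOffset     = 9;  CardLength     = 16
    Parity = @(
        @{ Offset = 0;  Length = 13; Even = $true  }   # bit 0 covers bits 1-12
        @{ Offset = 13; Length = 13; Even = $false }   # bit 25 covers bits 13-24
    )
}

# Constructed sample read: facility code 42, card number 1234, parity bits set correctly.
$raw = '1' + '00101010' + '0000010011010010' + '0'

ConvertFrom-ProxCardBits -Bits $raw                      # readme default: one number from all 26 bits
ConvertFrom-ProxCardBits -Bits $raw -Format $Wiegand26   # same bits, split into facility code and card number

# Flip the first bit: the format-aware decode reports a parity failure, while
# the default decode silently produces a different Card ID.
$corrupt = '0' + $raw.Substring(1)
ConvertFrom-ProxCardBits -Bits $corrupt -Format $Wiegand26
ConvertFrom-ProxCardBits -Bits $corrupt
```

The practical point for an administrator: the Card ID stored at enrolment is reproducible only if every reader and workstation applies the same format, and only a format that defines parity bits lets you tell a misread from a different card. The default mapping works as long as it is used consistently, but it folds the facility code and the parity bits into the identifier.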

5.3 pcProx Tap and Device Removal

In the earlier version, the pcProx command element told Desktop Automation Services which action to perform when it was configured to monitor for removal of the pcProx card.

In this version, the pcProx command element tells Desktop Automation Services which action to perform when it is configured to monitor for a tap or for removal of the pcProx card.

6.0 Known Issues

6.1 General Issues

6.1.1 Novell SecureLogin Citrix Passthrough in Novell Client Credential Provider Mode

Novell SecureLogin Citrix Passthrough to Microsoft Windows 2008 in Novell Client™ Credential Provider mode is not supported.

6.1.2 Offline Message Is Displayed Multiple Times

If Novell SecureLogin is installed on a Citrix server in Novell Client mode, and you select the Workstation Only option when restarting Windows on that Citrix server, the message "You are not logged in to a directory and SecureLogin was unable to find any cached user data" is displayed. This message appears twice before you are authenticated.

6.1.3 Unable To Delete Logins from the Manage Logins Window

In some scenarios, in the Novell SecureLogin Client Utility, users cannot delete logins from the My Logins navigation area in the left pane. When users right-click the login, both the Delete and Rename options are disabled.

However, the login can be deleted from the right pane.

6.1.4 Unable To Instantiate Scriptbroker Module: 80070005

When a Web page cannot pass information to SecureLogin because the script broker module cannot be instantiated, the following error message is shown. The code 0x80070005 is the Windows E_ACCESSDENIED (access denied) code, which points to a permissions or component registration problem rather than a missing file:

Unable to instantiate scriptbroker module: 80070005

To resolve this error, uninstall SecureLogin, delete its installation directory, delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Protocom, and then reinstall SecureLogin.

This workaround resolves the error for all Web pages, including the Web page that produced it.

If the problem persists, re-register the following SecureLogin DLL files from an elevated command prompt (adjust the path if SecureLogin is installed elsewhere):

regsvr32 "C:\Program Files\Novell\SecureLogin\iesso.dll"

regsvr32 "C:\Program Files\Novell\SecureLogin\slbroker.dll"

regsvr32 "C:\Program Files\Novell\SecureLogin\slcaptain.dll"

6.1.5 Using Unique Names

User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named Error.

If you install SecureLogin with the SecretStore client in eDirectory mode, you cannot add an application named App1 (for example) if a password policy named App1 already exists.

6.1.6 Manual Entry of the Smart Card PIN required for Citrix Server Authentication

If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.

6.1.7 Novell SecureLogin Login in LDAP GINA Mode with eDirectory

Novell SecureLogin in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the eDirectory user’s fully distinguished name (FDN) has 128 characters or more.

6.1.8 Validating an Old Password

In Microsoft Windows Server 2003 configurations, users might be able to log in to their workstation by using their old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows Server 2003 domain controller setting (the old-password grace period) allows an old password to be accepted for a period after it has been changed.

To reject an old password as soon as a password change occurs, add the following registry value on the domain controller:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Value: OldPasswordAllowedPeriod (new DWORD value)

Data: 0

For more information, see the Microsoft Web site.
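Added example, not from the readme: a PowerShell script that applies the registry value above on a domain controller and reads it back, with a check that the machine is actually a domain controller. The key and value name are the ones given above; the domain-role warning and the read-back check are additions.

```powershell
# Added example (not from the readme): set OldPasswordAllowedPeriod to 0 with a
# read-back check instead of editing the registry by hand. Run elevated on each
# domain controller; the value is a local registry setting and is not replicated.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'OldPasswordAllowedPeriod'

function Get-OldPasswordAllowedPeriod {
    # Returns the configured minutes, or $null when the value is absent (Windows
    # then applies its built-in grace period for the old password).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OldPasswordAllowedPeriod {
    param([Parameter(Mandatory = $true)][int]$Minutes)
    if ($Minutes -lt 0) { throw 'Minutes must be 0 or greater' }
    if (-not (Test-Path $LsaKey)) { throw "Key $LsaKey not found" }
    # -Force overwrites an existing value of the same name without prompting.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $Minutes -Force | Out-Null
    $applied = Get-OldPasswordAllowedPeriod
    if ($applied -ne $Minutes) { throw "Write failed: $ValueName reads back as '$applied'" }
    return $applied
}

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    Write-Warning 'This machine is not a domain controller; the setting is meant for domain controllers.'
}

$before = Get-OldPasswordAllowedPeriod
$null   = Set-OldPasswordAllowedPeriod -Minutes 0
$shown  = if ($null -eq $before) { 'not set (Windows default)' } else { "$before minute(s)" }
Write-Output "$ValueName on $env:COMPUTERNAME was $shown; now 0 (old password rejected immediately)"
```

Run it from an elevated PowerShell prompt on every domain controller, because the value lives in each controller's local registry and is not replicated by Active Directory. Microsoft's documentation of this value describes a default grace period of 60 minutes when the value is absent, which is the window the readme refers to.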

6.1.9 Error Message on No Password Policy Is Available

If password policies already exist, ignore the incorrect error message "0 password policy" that is shown when restoring user data.

6.2 Application Definition Wizard Issue

6.2.1 Credentials Fields Are Dimmed

The Username and Password fields in Add Application > Identity Fields are dimmed when the Navigate to field using keystrokes option is selected. Deselecting the option does not automatically enable these fields.

This occurs because selecting the Navigate to field using keystrokes option removes the link to the specified control. When you deselect the option, the wizard cannot detect the fields again automatically. You must select the fields manually by dragging the Choose icon to the required text field.

6.3 DAS Issue

6.3.1 Using iManager Fails to Extend the DAS Schema

The DAS schema extension does not extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.

Use one of the following workarounds to resolve the issue.

  • Using ConsoleOne: Browse to Tools > Schema > Add Attribute > Add Class. Specify the attribute information.

  • Using the ndssch command line utility: Use the ndssch utility, which is bundled with eDirectory, to extend the schema. Use the -h option to specify the IP address of the NetWare workstation where you want to extend the schema.

    NOTE: You can run the utility from any workstation on which eDirectory is installed.

6.3.2 DAS Related Data Are Not Stored in the Log File

On Windows 7 and Windows Vista, the log file for the DAS feature does not record DAS-related data when UAC is enabled, because UAC prevents the process from writing to the installation directory. Changing the DASLog.txt file path from the installation location to C:\ enables the log file to record DAS-related data.

6.4 LDAP Issues

6.4.1 Control Panel Menu Is Slow to Respond

If you launch the Control Panel from the Start menu when LDAPAuth GINA is running on the client, the Control Panel takes more than 20 seconds to display.

6.4.2 ?syspassword Reflects Universal Password

When SecureLogin is installed in LDAP mode and NMAS authentication is used, ?syspassword reflects the Universal Password of the logged-in user.

In this mode of operation, you must configure and set a Universal Password for the NMAS user.

6.4.3 Could Not Load an Application

Using the SecureLogin wizard, you can configure a .NET application in LDAP mode for its login credentials, change password option, change password notification, and so on. Performance of the configured application depends on its size (usually 64 KB maximum) and the number of associated controls (usually 10 controls maximum). If the configuration exceeds these limits, the application fails to load on the next login attempt. Therefore, convert such an application into an application definition and reduce its size before logging in.

6.5 pcProx Issues

6.5.1 pcProx Identification

pcProx identification fails in the Novell Client on Microsoft Windows Server 2008 and Windows 7 on the first login attempt for a new user. An error message indicating that the system cannot log in to the network appears and prompts the user to verify the credentials.

Therefore, on the first attempt, log in to the Novell Client using the NMAS pcProx sequence. pcProx identification works correctly in subsequent logins.

6.5.2 pcProx Unlock Operation in Citrix Session

Unlocking a Citrix* session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.

6.6 Scripting Issue

6.6.1 Novell GroupWise 7.0 Web Login Prebuilt Script

In a Windows Vista environment, the prebuilt Novell GroupWise WebAccess script is not detected, although the script exists in the application area of the Novell SecureLogin client.

The user is not prompted to use the script, and Novell SecureLogin fails to run it.

To resolve this issue, add the prebuilt script to the list of application definitions.

6.7 SecretStore Issue

6.7.1 SecretStore on the Server

If you plan to use Novell SecretStore on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.

6.8 Secure Workstation Issue

6.8.1 Secure Workstation Session Management Process Is Blocked

When an administrator logs in to a workstation on which User Account Control (UAC) is enabled, the Secure Workstation Session Management Process is blocked and an error message is shown.

On Windows 7, the workaround is to run the process manually.

On Windows Vista, unblock the process directly from the taskbar. If it is not unblocked, you cannot log in by using the NMAS Secure Workstation sequence, and you see the error message: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.

This error occurs only for a user with administrator privileges, not for a standard (non-administrator) user. Error 740 is the Windows ERROR_ELEVATION_REQUIRED code, which is consistent with UAC blocking the process until it is elevated.

For detailed information, see the Microsoft Developer Network Web site.

6.8.2 Using the NMAS Login with the Secure Workstation Sequence on a Microsoft Windows Vista Desktop

On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with Secure Workstation sequence without the administrator unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.

The issue exists when the NMAS login is used with the Novell Client or Novell SecureLogin-LDAP Client.

6.8.3 Login Fails When the Secure Workstation Post-Login Method Is Added to the Login Sequence

The Secure Workstation policy fails when it is set through iManager, because the Post-Login method fails on SUSE Linux Enterprise Server 10 with eDirectory 8.8 SP1.

However, users can apply the Secure Workstation policy setting through the client policy.

6.9 Smart Card Issues

6.9.1 Incorrect Smart Card Error Message

If a user logs in without the smart card when the Use smart card to encrypt SSO data preference is set to PKI Credentials and the Enable passphrase security system preference is set to No, the user is not prompted for the smart card.

Instead, the incorrect message "The smartcard does not contain any certificates that match the certificate selection criteria" is displayed.

6.9.2 Failure to Access Smart Card

If the PKCS#11 wrapper library aetpksse.dll is missing, the error message "Access to smart card failed" is shown when the Access Manager attempts to access the smart card. To avoid this error, ensure that aetpksse.dll is available in C:\WINDOWS\system32\.

6.9.3 Failure to Launch SecureLogin without User Principal Name

Novell SecureLogin fails to launch with smart card authentication when the smart card has no User Principal Name and Use smart card to encrypt SSO data is set to No.

To resolve this problem, do one of the following:

  • Set the Use smart card to encrypt SSO data preference to PKI Credentials.

  • Configure the smart card with a User Principal Name.

6.9.4 Smart Card Re-authentication Fails When NSLADAuth Is Set to 1

In offline mode (that is, when the workstation is not connected to the network), smart card re-authentication fails when NSLADAuth is set to 1.

6.9.5 SecureLogin Fails to Launch When Use Smart Card to Encrypt SSO Data Is Set to Key Generated on Smart Card

When Use smart card to encrypt SSO data is set to Key generated on smart card, SecureLogin fails to launch and the error message "Smart Card is required for New single Sign on user" is displayed.

To resolve this problem, set Use smart card to encrypt SSO data to the default or to PKI Credentials.

6.9.6 SecureLogin System Tray Icons Are Not Cleared During Fast User Switching with a Smart Card

Novell SecureLogin system tray icons are not cleared during fast user switching with a smart card. Hovering the mouse over the SecureLogin system tray icons clears them.

6.10 TLaunch Issues

6.10.1 TLaunch Shortcut Command Line /n Switch

There is a known issue with the TLaunch shortcut command line /n (Number) switch.

Contact Novell Support for information.

6.10.2 TLaunch Fails to Add New Emulators or Save the Changed Configuration of Existing Emulators

When you launch TLaunch and search for the available emulators, TLaunch fails to detect a newly created emulator.

TLaunch also fails to save the changes made to one of the existing emulators.

However, you can add and edit emulators on Microsoft Windows and Windows XP.

As a workaround, click Start > Programs > Novell SecureLogin, right-click Terminal Launcher, then select Run as administrator.

6.10.3 Prompt to Close Windows Explorer During Upgrade

If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close Windows Explorer during an upgrade from version 6.1 or 6.1 SP1 to 7.0.

Click Ignore to proceed with the upgrade.

6.11 Upgrade Issues

6.11.1 Upgrading with Customized Version of Novell SecureLogin

When upgrading to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized files with the standard files.

To retain the customized settings, do one of the following:

  • Replicate the customized settings in the Novell SecureLogin 7.0 MSI.

  • Back up the customized files and reapply them after the upgrade.

6.11.2 SLMANAGER.EXE is installed automatically during the upgrade

When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is installed automatically. There is no option to exclude SLMANAGER.EXE during the upgrade.

To work around this issue, create a .bat file with the following lines to delete SLMANAGER.EXE and its Start menu shortcut manually (the paths are those of a default installation; adjust them if SecureLogin is installed elsewhere):

@echo off
rem Remove the Start menu shortcut, then the SLMANAGER.EXE binary added by the upgrade
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk"
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"

6.11.3 Prompt for Password When Notification Area Icon is Password Protected

During an upgrade from Novell SecureLogin 6.1 to 7.0, if the Password protect the system tray icon preference is enabled, users are prompted to provide the network password.

To work around the issue:

  1. Stop Novell SecureLogin manually before starting the upgrade.

    or

    Run slproto /forceshutdown from the command line to shut down Novell SecureLogin.

    NOTE: If you stop SecureLogin manually, you are prompted to specify the password.

    If you use the slproto /forceshutdown command, you are not prompted to specify the password.

  2. Start the upgrade.

  3. Specify the correct credentials.

6.12 Web-Related Issues

6.12.1 Accessing Web Applications from a Windows 2003 Server

Web applications accessed directly through Internet Explorer on a Microsoft Windows Server 2003 server might not work correctly until Internet Explorer Enhanced Security Configuration is disabled on the server. Alternatively, go to Internet Options > Advanced and enable third-party Web browser extensions. The second option is the narrower change, because it leaves the rest of the server's browser hardening in place.

This does not, however, affect clients connected to a Microsoft Windows Server 2003 server.

6.12.2 Firefox Issue During Installation

Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation.

If this happens, click Import to import the Internet Explorer settings, or click Cancel to cancel the import. The Novell SecureLogin installation proceeds either way.

6.12.3 Not Prompted for Credentials

When a DHTML-enabled Web application is started, SecureLogin fails to prompt for the credentials. This occurs when SecureLogin fails to run the predefined application definition that enables single sign-on for the site. To work around this issue, close the browser session and relaunch the Web application.

6.12.4 Java Applet Is Not Loading

Performance issues occur while loading the Java applets of some applications. As a workaround, comment out the JavaSSOHook property in the accessibility.properties and awt.properties files. Because this property is how SecureLogin hooks into the JRE, expect single sign-on to Java applications through that JRE to stop working while it is commented out.

6.13 Oracle Form Issues

6.13.1 Support for Oracle Forms

Novell SecureLogin 7.0 SP1 supports Web-enabled Oracle Forms applications. Therefore, Oracle JInitiator and a JRE must be available on the system where Novell SecureLogin 7.0 SP1 is used. If either is missing on a machine where SecureLogin is already running, add the missing Java component, then run the Repair option of the SecureLogin installer; Repair adds the new Java component so that it can be used for Oracle Forms applications.

6.13.2 Authentication Fields Shown on Two Windows

Clicking the Show Me button highlights the authentication fields of an application being defined in the Application Definition Wizard. When defining an Oracle form that runs in a browser, the identified fields might be highlighted not only on the Oracle form but also on the browser. You can ignore this behavior.

6.13.3 Naming an Oracle Form Application

The Java component names an Oracle Forms application after the title field of the innermost container. If the innermost container was not given a title when the forms were created, the wizard cannot assign a name to the Oracle Forms application.

6.13.4 Application Definition Consumes Time to Open

Loading the Oracle components takes some time before an application definition for an Oracle form can be started. Therefore, the Wizard is slow to start an application definition for an Oracle form.

6.14 The Client Login Extension Issues

6.14.1 Specified Text is Not Displayed

Using the Client Login Extension tool, you can specify the text to be shown when a user clicks the Did you forget your Password? link. The text specified for the Novell Client is not shown when the link is clicked.

6.14.2 Forgotten Password Link Is Not Working

Using the Forgotten Password link to recover a forgotten password on a locked workstation does not work with the Microsoft Credential Provider for the Novell Client.

7.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®,™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.