31.7 Troubleshooting User Authentication

This section contains explanation on some of the user authentication related problems. To troubleshoot other problems you might encounter during authentication, see TID 3273870 in the Novell Support Knowledgebase.

Incorrect username displayed in the ZENworks Login screen

Explanation: The Username option in the ZENworks Login screen displays the Windows local username by default.
Possible Cause: If you changed only the full name of the user (My Computer > Manage > System Tools > Local Users and Groups > Full Name), the ZENworks login screen displays the old username and not the new full name.
Action: To change the local user account details, you must change both the username and the full name of the user:

  1. Click the desktop Start menu > Run.

  2. In the Run window, specify control userpasswords2, then click OK.

  3. Double-click the username and edit both the User Name and Full Name of the user.

  4. Click OK.

Unable to log in to the ZENworks Server

Possible Cause: A user with an account in the eDirectory that is installed on an OES 2.0 server tries to log into a non-OES 2.0 ZENworks Server.
Action: To log in to a non-OES 2.0 ZENworks Server, the user must be a Linux User Management (LUM) user. For more information on LUM users, see the Novell Linux User Management Technology Guide

Large number of concurrent client logins might result in login failures

Explanation: The maximum number of concurrent client connections that a server can support depends on the configured Connector acceptCount. If the number of concurrent client requests exceeds the value of Connector acceptCount, the client connect requests might fail because the server is not able to accept these connections.
Action: Increase the number of client connect requests that the server can support.

On a Windows server:  

  1. Log in as an administrator.

  2. Open the ZENworks_Install_path\share\ats\catalinabase\conf\server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. On the desktop, click Start > Run.

    2. In the Run window, specify service.msc, then click OK.

    3. Restart CasaAuthTokenSvc.

On a Linux server:  

  1. Log in as root.

  2. Open the /srv/www/casaats/conf/server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. At the server prompt, go to /etc/init.d/.

    2. Run the casa_atsd restart command.

How do I enable debug logs on Windows 2003, Windows XP, and Windows Vista devices?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

How do I enable the CASA debug logs?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

Logging in to the user source on a ZENworks Server is slow

Explanation: Logging in to the user source on a ZENworks Server from the managed device might take some time because the login process executes the device refresh synchronously.
Action: To speed up the login process, perform the following steps to change the login process to execute the device refresh asynchronously:

  1. Open the Registry Editor.

  2. Go to HKEY_LOCAL_MACHINE\Software\Novell\ZCM.

  3. Create a String called ZENLoginUserRefreshAsync and set the value to TRUE.

  4. Log in to the device again.

IMPORTANT:If you change the login process to execute the device refresh asynchronously, the latest policies might not be immediately available. With this change, you make the login performance more important than the accuracy of the policies.

Unable to log into the ZENworks Server when logging in to a Windows Vista device

Explanation: If you log into a Windows Vista device that has Novell SecureLogin installed and Active Directory configured as the user source, you are not automatically logged in to the ZENworks server.
Action: Do the following:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Protocom\SecureLogin\.

  3. Create a DWORD called ForceHKLMandNoDPAPI, and set the value to 1.

  4. Restart the device.

The settings assigned to an eDirectory user are not applied on the device where the user has logged in

Possible Cause: Two or more eDirectory users with the same username and password might exist in different contexts of the eDirectory tree.
Explanation: When an eDirectory user specifies the username and password to log in to a device, a user with the same username and password but located in a different context of the eDirectory tree might be logged in to the device and the settings of this user are applied on the device. This is because the login GINA is contextless.

For example: Assume that user1 and user2 have the same username and password:

User1: CN = bob, OU = org1, O = Company1 (bob.org1.company1)

User2: CN = bob, OU = org2, O = Company1 (bob.org2.company1)

When user2 specifies the username and password to log in to a device, user1 is logged in to the device instead of user2 because user1 appears first in the search performed by Novell CASA. The settings assigned to user1 are applied on the device.

Action: No two eDirectory users should have the same username and password. Even if the usernames are same, ensure that the passwords are different.

The ZENworks login screen is not displayed on a device if Novell Client has been uninstalled from the device

Explanation: If you uninstall the Novell Client 2 for Windows Vista/2008 (IR1a) from a device, the ZENworks login screen is not displayed on the device when you log in to the device.
Action: To log in to ZENworks Configuration Management, right-click the ZENworks icon on the device, then click Login.

Using a Smart Card to authenticate in to a device prompts the user to specify the eDirectory password

Explanation: If you use a smart card to authenticate in to a device for the first time, you are prompted to specify the eDirectory password after you have specified the smart card pin.
Action: After you add a user source, you must restart the ZENworks services.

Logging in to the user source on a ZENworks Server from a managed device might be slow if Trend Micro AntiVirus Plus AntiSpyware is installed on the device

Explanation: During installation of the ZENworks agent on a device, an executable file named NalView.exe, which is configured to run at user login, is added to the Run registry key. This addition enables the bundle icon to be placed on the Start menu, desktop, notification area, and the Quick Launch area of the Windows taskbar.

NalView.exe runs on the device during user login, resulting in a delay in the overall login time.

Action: To speed up the login process, do one of the following:

  • Disable NalView.exe at login time:

    NOTE:If you choose to disable Nalview.exe at login time, then the bundle icons is not placed on the device Start menu, desktop, notification area, and the Quick Launch area of the Windows taskbar. However, the bundle icon is placed in the application window of the device.

    1. Open the Registry Editor.

    2. Go to HKLM\SOFTWARE\Netware\Nal\1.0\NalView\.

    3. Create a DWORD called Disabled and set its value to 1.

    4. Log in to the device again.

  • Launch NalView.exe after a delay of x seconds from the login time:

    1. Open the Registry Editor.

    2. Go to HKLM\SOFTWARE\Netware\Nal\1.0\NalView\.

    3. Create a DWORD called Delay and set its value to the time (in seconds) by which you want to delay the launch of NalView.exe.

    4. Log in to the device again.

Unable to seamlessly log in to Novell SecureLogin on a device that has Novell ZENworks installed

Explanation: Novell SecureLogin starts seamlessly after a device desktop opens only if you have used the LDAP Credential Manager mode during the installation of Novell SecureLogin on the device. For more information about the LDAP Server options available during the installation of Novell Secure Login, see the Novell SecureLogin Installation Guide at the Novell Documentation site.

On a device that has ZENworks installed, if Novell SecureLogin does not start seamlessly after the device desktop opens, the authentication registry keys might not be properly set on the device.

Action: Do the following to set the authentication registry keys on the device:

  1. Open the Registry Editor.

  2. Go to HKLM\SOFTWARE\Novell\NWGINA\.

  3. Create a DWORD called PassiveMode and set its value to 1.

  4. Ensure that HKLM\Software\Novell\Login\LDAP\GinaLoginDone is set to 0.

  5. Log in to the device again.