2.4 Enabling Single Sign-On with Windows

Users authenticate to both the ZENworks PBA and the Windows operating system. You can enable single sign-on so that the user logs in to the ZENworks PBA and the PBA handles the login to the Windows operating system. This, of course, requires that the user’s PBA and Windows credentials are the same. Single sign-on applies to both authentication methods (user ID/password or smart card).

If you are using ZENworks login to enable policies and bundles to be applied to users as well as devices, and you have configured ZENworks login for single sign-on with your Windows login, single sign-on works for all three logins. When a user logs in to the ZENworks PBA, the credentials are passed to the Windows login and then the ZENworks login.

Refer to the following sections for information on enabling single sign-on.

NOTE: With managed Windows 7 devices, the user may be required to press Ctrl+Alt+Del within one minute after authenticating with the PBA for single sign-on to work. For security reasons, single sign-on might not authenticate the Windows login on some Windows 7 devices without this step. In this scenario, the user can still log in with their Windows credentials if single sign-on is skipped.

2.4.1 Activating Single Sign-On in the Disk Encryption Policy

Single sign-on is activated through the Disk Encryption policy assigned to a device:

  • To create a new policy with single sign-on activated and assign it to a device, see Policy Deployment in the ZENworks Full Disk Encryption Policy Reference.

  • To modify an existing policy to activate single sign-on and republish it to a device, see Policy Management in the ZENworks Full Disk Encryption Policy Reference.

2.4.2 Configuring Windows Login

Single sign-on supports both the classic Logon screen mode (left screen shot) and the Welcome screen mode (right screen shot). As long as a device is using one of these two modes, single sign-on works as soon as it is activated in the policy and the policy is applied to the device.

Single sign-on also supports Secure Logon (shown below) in both of these modes. However, as with the standard Windows login process, the user must press Ctrl+Alt+Delete to dismiss the Secure Logon screen before the single sign-on process can continue.

If single sign-on is failing on a device, we recommend that you set the device to use the classic Logon screen without Secure Logon. In addition, we recommend that you set the Do Not Display Last User Name option to Enabled so that the Logon screen is not automatically populated with the user name of the last person to successfully log in.

To configure these settings locally on a Windows device, log on to the device as an administrator and do the following:

Windows 7

  1. Set the classic Logon screen mode:

    1. Click Start, and enter gpedit.msc in the search box to open the Local Group Policy Editor.

    2. In the editor, expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

    3. Double-click Always Use Classic Logon.

    4. Select Enabled, and click OK.

  2. Disable Secure Logon:

    1. Click Start, and enter netplwiz in the search box to open the User Accounts dialog box.

    2. Click the Advanced tab.

    3. In the Secure logon section, deselect Require users to press Ctrl+Alt+Delete if selected, and click OK.

  3. Enable the Do Not Display Last User Name setting:

    1. Click Start, and enter secpol.msc in the search box to open the Local Security Policy.

    2. Go to Local Policies > Security Options.

    3. Double-click Interactive logon: Do not display last user name.

    4. Select Enabled, and click OK.

Windows 8

  1. Set classic Logon screen mode:

    1. Right-click Start, and select Search to open the Search pane.

    2. Enter gpedit.msc in the search box to open the Local Group Policy Editor.

    3. In the editor, expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

    4. Double-click Always Use Classic Logon.

    5. Select Enabled, and click OK.

  2. Disable Secure Logon:

    1. Enter netplwiz in the search box to open the User Accounts dialog box.

    2. Click the Advanced tab.

    3. In the Secure logon section, deselect Require users to press Ctrl+Alt+Delete if it is selected.

    4. Click OK.

  3. Enable the Do Not Display Last User Name setting:

    1. Enter secpol.msc in the search box to open the Local Security Policy.

    2. Expand Local Policies > Security Options.

    3. Double-click Interactive logon: Do not display last user name.

    4. Select Enabled, and click OK.

Windows 10

  1. Set classic Logon screen mode:

    1. Enter gpedit.msc in the search box on the Taskbar to open the Local Group Policy Editor.

    2. In the editor, expand Local Computer Policy > Computer Configuration > Administrative Templates > System > Logon.

    3. Double-click Always Use Classic Logon.

    4. Select Enabled, and click OK.

  2. Disable Secure Logon:

    1. Enter netplwiz in the search box on the Taskbar to open the User Accounts dialog box.

    2. Click the Advanced tab.

    3. In the Secure logon section, deselect Require users to press Ctrl+Alt+Delete if it is selected.

    4. Click OK.

  3. Enable the Do Not Display Last User Name setting:

    1. Type secpol.msc, and then click OK to open the Local Security Policy.

    2. Expand Local Policies > Security Options.

    3. Double-click Interactive logon: Do not display user name at sign in.

    4. Select Enabled, and click OK.
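The three procedures above all end in the same place: each GUI setting writes a value under the Policies\System registry key. The following PowerShell script is an added example, not part of the ZENworks documentation; it audits a device against the recommended configuration and, with -Remediate, applies it. The mapping of value names (LogonType, DisableCAD, DontDisplayLastUserName) to the GUI settings is assumed from the standard Windows policy definitions; the Windows 10 "Do not display user name at sign in" variant is not covered.

```powershell
# Added example (not from the ZENworks documentation): audit the three local logon
# settings recommended above for single sign-on by reading the registry values that
# back the Group Policy / netplwiz / Local Security Policy entries.
# Run from an elevated PowerShell prompt. Without -Remediate it only reports.
param([switch]$Remediate)

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value, the value matching the recommendation, and the GUI setting it reflects
# (assumed mapping from the standard Windows policy definitions).
$Checks = @(
    @{ Name = 'LogonType';               Expected = 0; Setting = 'Always Use Classic Logon = Enabled' },
    @{ Name = 'DisableCAD';              Expected = 1; Setting = 'Require users to press Ctrl+Alt+Delete = cleared' },
    @{ Name = 'DontDisplayLastUserName'; Expected = 1; Setting = 'Interactive logon: Do not display last user name = Enabled' }
)

if (-not (Test-Path $PolicyKey)) {
    if ($Remediate) { New-Item -Path $PolicyKey -Force | Out-Null }
    else { Write-Warning "$PolicyKey does not exist; none of the settings are configured." }
}

$Results = foreach ($c in $Checks) {
    # A missing value means the setting has never been configured.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $ok = ($null -ne $current) -and ([int]$current -eq $c.Expected)

    if (-not $ok -and $Remediate) {
        Set-ItemProperty -Path $PolicyKey -Name $c.Name -Value $c.Expected -Type DWord
        $current = $c.Expected
        $ok = $true
    }

    [pscustomobject]@{
        Setting   = $c.Setting
        Value     = $c.Name
        Current   = if ($null -eq $current) { '(not set)' } else { $current }
        Expected  = $c.Expected
        Compliant = $ok
    }
}

$Results | Format-Table -AutoSize

if ($Results.Compliant -contains $false) {
    Write-Host 'One or more settings differ from the recommended single sign-on configuration.' -ForegroundColor Yellow
    exit 1
}
Write-Host 'Device matches the recommended single sign-on logon configuration.' -ForegroundColor Green
```

Writing these values directly bypasses the local Group Policy store, so gpedit.msc may not show the policy as Enabled and a domain GPO that manages the same settings will override them at the next refresh. Use the script for auditing a device that fails single sign-on, and prefer the GUI or Group Policy procedures above for the permanent configuration.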

2.4.3 Using the Client for Open Enterprise

If a device is using the Client for Open Enterprise (formerly called the Novell Client) for Windows login, be aware of the following requirements:

  • Novell Client 2 SP3 IR5 or later is required on Windows 7/8/10.

  • When using user ID/password authentication with the Client for Open Enterprise and DLU, the user needs to log in to the Client for Open Enterprise once before single sign-on will work. During single sign-on, the ZENworks PBA passes the user ID and password to the Client for Open Enterprise. However, the Client requires other details (tree, server, context, and so forth) that are available only if the user has populated them during a previous login.

  • When using smart card authentication with the Client for Open Enterprise, NESCM (Novell Enhanced Smart Card Method), and DLU, the user needs to be the last user to have logged in to the Client. During single sign-on, the ZENworks PBA passes the PIN to the Client. However, the Client requires other details (tree, server, context, and so forth) that are available only if the user was the last smart card user to log in to the Client.

  • Smart card authentication with the Client for Open Enterprise, NESCM, and Disconnected Workstation Only mode is not supported.