16.2 Using the Desktop Management Agent and the ZENworks Middle Tier Server for Authentication

If you want your users to log in to the network through the Desktop Management Agent login dialog box, you need to understand how the Desktop Management Agent can be customized, and understand the other preparations that you must make to customize the login experience you want the users to have.


16.2.1 Credentials Required by Desktop Management Policies

This section lists the credentials that are required in order for Desktop Management User and Workstation policies to authenticate to eDirectory when the user's workstation has the Desktop Management Agent installed and is communicating through the ZENworks Middle Tier Server.

This information should help you understand why you supply these credential sets during the installation.

Credentials Required for User Policies

The following table shows the credentials needed by Desktop Management User policies that use the Desktop Management Agent and the ZENworks Middle Tier Server to authenticate to eDirectory. It is assumed that the user's workstation has the Desktop Management Agent installed.

Table 16-3 Credentials Needed by Desktop Management User Policies that Use the Desktop Management Agent and the ZENworks Middle Tier Server to Authenticate

| Workstation Platform | eDirectory Server's File System | Required Credentials | Comments |
|---|---|---|---|
| Windows 98 SE | NetWare | eDirectory Workstation ID and password | |
| Windows 98 SE | Windows 2000/2003 | eDirectory User and Domain User ID and password | Proxy credentials are entered during the ZENworks Middle Tier Server installation and are stored in the registry of the ZENworks Middle Tier Server. |
| Windows 2000/XP | NetWare | eDirectory User ID and password | |
| Windows 2000/XP | Windows 2000/2003 | eDirectory User and Domain User ID and password | If users do not log in to a domain (but do log in to the local workstation and eDirectory), the Middle Tier Server uses the eDirectory credentials to authenticate to the domain. This means that the eDirectory credentials must match the domain credentials. If users are logging in to a domain, their domain credentials are used. |

Credentials Required for Workstation Policies

The following table shows the credentials needed by Desktop Management Workstation policies that use the Desktop Management Agent and the ZENworks Middle Tier Server to authenticate to eDirectory. It is assumed that the user's workstation has the Desktop Management Agent installed.

Table 16-4 Credentials Needed by Desktop Management Workstation Policies that Use the Desktop Management Agent and the ZENworks Middle Tier Server to Authenticate

| Workstation Platform | eDirectory Server's File System | Required Credentials | Comments |
|---|---|---|---|
| Windows 98 SE | NetWare | eDirectory Workstation ID and password | |
| Windows 98 SE | Windows 2000/2003 | eDirectory User and Domain User ID and password | Proxy credentials are entered during the ZENworks Middle Tier Server installation and are stored in the registry of the ZENworks Middle Tier Server. |
| Windows 2000/XP | NetWare | eDirectory Workstation ID and password | |
| Windows 2000/XP | Windows 2000/2003 | Proxy ID and password | Proxy credentials are entered during the ZENworks Middle Tier Server installation and are stored in the registry of the ZENworks Middle Tier Server. |

16.2.2 Customizing the Agent Login

If the Novell Client is not present on the workstation when the Desktop Management Agent is installed, the installation program displays the Workstation Manager Settings page. This page lets you customize what the user sees at login time.

Figure 16-1 Workstation Manager Settings Page of the Agent Installation Wizard

If you select Display ZENworks Middle Tier Server Authentication Dialog, a customized Novell login dialog box is always displayed to the user.

You might want to select this option if you plan to have more than one Middle Tier Server available in the network that the users can use for authentication to the Desktop Management Server.

NOTE: If the user workstation is a Windows 2000/XP platform, you should use this option if you want to apply Dynamic Local User policies to the workstation.

Figure 16-2 The ZENworks Middle Tier Server Authentication Dialog Box

This login dialog box requires the user to enter a User ID and password (that is, the “authentication credentials”) for the Desktop Management Server. These are the same credentials that the user is accustomed to using for connecting to the network (that is, connecting to eDirectory).

During the installation program, if you selected Allow Users to Change the ZENworks Middle Tier Server Address on Authentication Dialog, the users on this workstation can edit the DNS name/IP address of the ZENworks Middle Tier Server that is used for authenticating to eDirectory. They can also specify an alternate port for authenticating to the Apache Web server (NetWare®) or the IIS Web server (Windows). Users can do this by clicking the Options button on the Desktop Management Agent login dialog box.

Users specify an alternate port by entering a colon and the port number at the end of the IP Address or DNS name. For example:

151.155.155.000:5080

IMPORTANT: Entering a protocol (such as http: or https:) along with the IP address does not allow the Desktop Management Agent to connect to the ZENworks Middle Tier Server.
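As an added example (not code from the ZENworks product or this guide), the following hypothetical Python check applies the rules above to an address typed in the Options dialog: a DNS name or IP address, an optional ":port" suffix, and no protocol prefix. The host names used below are constructed.

```python
import re
from typing import Optional, Tuple

# Added example (not ZENworks code): validate the Middle Tier Server
# address a user may type in the agent's Options dialog. Accepted forms
# are a DNS name or IPv4 address, optionally followed by ":port"
# (for example 151.155.155.000:5080). A protocol prefix such as "http:"
# or "https:" is rejected because the agent cannot connect with one.

_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_NAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


class MiddleTierAddressError(ValueError):
    """Raised when the address cannot be used by the agent."""


def _is_ipv4_literal(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def parse_middle_tier_address(value: str) -> Tuple[str, Optional[int]]:
    """Return (host, port); port is None when the web server's default port applies."""
    text = value.strip()
    if not text:
        raise MiddleTierAddressError("address is empty")
    # The agent accepts a bare host, not a URL: reject any scheme.
    if "://" in text or text.lower().startswith(("http:", "https:")):
        raise MiddleTierAddressError("do not enter a protocol such as http: or https:")
    host, sep, port_text = text.partition(":")
    port = None
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise MiddleTierAddressError(f"invalid port: {port_text!r}")
        port = int(port_text)
    if not (_is_ipv4_literal(host) or (len(host) <= 253 and _DNS_NAME_RE.match(host))):
        raise MiddleTierAddressError(f"invalid host: {host!r}")
    return host, port


def is_valid_middle_tier_address(value: str) -> bool:
    """True when the agent could use the address exactly as typed."""
    try:
        parse_middle_tier_address(value)
        return True
    except MiddleTierAddressError:
        return False


if __name__ == "__main__":
    for entry in ["151.155.155.000:5080", "mt1.example.com", "http://151.155.155.000:5080"]:
        print(entry, "->", "ok" if is_valid_middle_tier_address(entry) else "rejected")
```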

16.2.3 Synchronized Passthrough Login

If you want the user to never see a Novell login dialog box, or in other words, to “pass through” the Desktop Management Agent and authenticate to the location of ZENworks files, you should first make sure that the user's local workstation credentials are the same as the eDirectory credentials. This is also called “passive mode” login.

If this synchronization is ready, then the authentication happens like this:

  1. The user enters his or her local Windows logon credentials at the Windows login dialog box.

  2. The Desktop Management Agent, although not visible, passes the Windows workstation credentials to the Middle Tier Server.

  3. The Middle Tier Server checks the credentials against eDirectory users, and authenticates to eDirectory if there is a match.

  4. The user is authenticated to eDirectory, which points to policy files that can be passed to the workstation where the user is logged in.

To configure the Desktop Management Agent for passthrough authentication, simply accept the default settings in the Workstation Manager Settings dialog box. For more information, see Customizing the Agent Login.

If the user logs in to Windows with credentials that are not valid in eDirectory, a Novell Desktop Management Agent login dialog box is displayed.

16.2.4 Logging In to a Windows Network Environment

If the server where you want to install ZENworks Desktop Management is part of a Windows network environment (that is, a network with no Novell NetWare servers), that network probably has Microsoft Active Directory installed and the users are members of Microsoft domains. As mentioned in Section 3.2, Desktop Management Server Software Requirements, the installation of Novell eDirectory 8.7.3 or later (recommended) is also a prerequisite in the network (in this case the Microsoft domain) where you will install ZENworks Desktop Management.

The following scenarios provide information about the way ZENworks Desktop Management authenticates after logging in to a Windows network environment:

Synchronized Login to eDirectory

If you want users to log in using the Desktop Management Agent login dialog box and local machine credentials, you must synchronize the local workstation credentials with the eDirectory credentials. If this synchronization is ready, then the authentication happens like this:

  1. At workstation startup time, the Windows 2000/XP operating system opens the Desktop Management Agent login dialog box.

  2. In the dialog box, the user clicks the Options button to display optional login fields.

  3. The user enters his or her eDirectory username and password in the Username and Password fields.

  4. In the From drop-down list, the user chooses the Windows workstation name to log in to the Windows network.

  5. The Desktop Management Agent passes the eDirectory credential set to the ZENworks Middle Tier Server.

  6. The ZENworks Middle Tier Server checks the credentials against eDirectory users and authenticates to eDirectory if there is a match.

  7. The user is authenticated to eDirectory, which points to policy files that can be passed to the workstation where the user is logged in.

Microsoft Domain Login

If you want users to log in using the Desktop Management Agent login dialog box and Microsoft domain credentials, the Windows 2000/2003 server where ZENworks Middle Tier Server software is installed and the Windows 2000/2003 server where Desktop Management Server software is installed must be part of the same Microsoft domain or trust relationship. The user's workstation doesn't log on to the domain unless the Desktop Management Server will be delivering MSI applications to it.

The authentication happens like this:

  1. At workstation startup time, the Windows 2000 operating system opens the Desktop Management Agent login dialog box.

  2. In the dialog box, the user clicks the Options button to display optional login fields.

  3. In the From drop-down list, the user chooses the option to log in from the Microsoft Domain.

  4. The user enters his or her domain credentials in the Username and Password fields. These credentials don't need to be synchronized with eDirectory credentials.

  5. The Desktop Management Agent passes the credential set to the ZENworks Middle Tier Server.

  6. The ZENworks Middle Tier Server checks the credentials against Domain users and authenticates to the domain.

  7. The user is authenticated to the domain and has access to the policy files, which are stored and are accessible through the domain and can be passed to the workstation where the user is logged in.

Lights-Out Workstation Authentication

If you have already installed the Desktop Management Agent on a workstation, and if the Workstation Manager on that workstation has been scheduled to receive a workstation group policy, the workstation can still be authenticated to a Windows network and receive the policy files when the time for the group policy execution arrives, even if the user is not logged in. This is sometimes called “lights-out” authentication. The authentication happens like this:

  1. When the policy execution time arrives, the Desktop Management Agent connects to the ZENworks Middle Tier Server by using the DNS name or IP address supplied during the Desktop Management Agent installation. This information is stored in the Windows registry at the workstation.

  2. The ZENworks Middle Tier Server uses the domain user credentials stored in its registry (supplied during the ZENworks Middle Tier Server installation) to authenticate as a domain user with file rights to the appropriate files.

  3. The policy files are copied to the user's workstation through the ZENworks Middle Tier Server.