2.9 Troubleshooting User Authentication

This section contains explanation on some of the user authentication related problems. To troubleshoot other problems you might encounter during authentication, see TID 3273870 in the Novell Support Knowledgebase.

Incorrect username displayed in the ZENworks Login screen

Explanation: The Username option in the ZENworks Login screen displays the Windows local username by default.
Possible Cause: If you changed only the full name of the user (My Computer > Manage > System Tools > Local Users and Groups > Full Name), the ZENworks login screen displays the old username and not the new full name.
Action: To change the local user account details, you must change both the username and the full name of the user:
  1. Click the desktop Start menu > Run.

  2. In the Run window, specify control userpasswords2, then click OK.

  3. Double-click the username and edit both the User Name and Full Name of the user.

  4. Click OK.

Unable to log in to the ZENworks Server

Possible Cause: A user with an account in the eDirectory that is installed on an OES 2.0 server tries to log into a non-OES 2.0 ZENworks Server.
Action: To log in to a non-OES 2.0 ZENworks Server, the user must be a Linux User Management (LUM) user. For more information on LUM users, see the Novell Linux User Management Technology Guide

Large number of concurrent client logins might result in login failures

Explanation: The maximum number of concurrent client connections that a server can support depends on the configured Connector acceptCount. If the number of concurrent client requests exceeds the value of Connector acceptCount, the client connect requests might fail because the server is not able to accept these connections.
Action: Increase the number of client connect requests that the server can support.

On a Windows server:  

  1. Log in as an administrator.

  2. Open the ZENworks_Install_path\share\ats\catalinabase\conf\server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. On the desktop, click Start > Run.

    2. In the Run window, specify service.msc, then click OK.

    3. Restart CasaAuthTokenSvc.

On a Linux server:  

  1. Log in as root.

  2. Open the /srv/www/casaats/conf/server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. At the server prompt, go to /etc/init.d/.

    2. Run the casa_atsd restart command.

How do I enable debug logs on Windows 2003, Windows XP, and Windows Vista devices?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

How do I enable the CASA debug logs?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

Logging in to the user source on a ZENworks Server is slow

Explanation: Logging in to the user source on a ZENworks Server from the managed device might take some time because the login process executes the device refresh synchronously.
Action: To speed up the login process, perform the following steps to change the login process to execute the device refresh asynchronously:
  1. Open the Registry Editor.

  2. Go to HKEY_LOCAL_MACHINE\Software\Novell\ZCM.

  3. Create a String called ZENLoginUserRefreshAsync and set the value to TRUE.

  4. Log in to the device again.

IMPORTANT:If you change the login process to execute the device refresh asynchronously, the latest policies might not be immediately available. With this change, you make the login performance more important than the accuracy of the policies.

Unable to log into the ZENworks Server when logging in to a Windows Vista device

Explanation: If you log into a Windows Vista device that has Novell SecureLogin installed and Active Directory configured as the user source, you are not automatically logged in to the ZENworks server.
Action: Do the following:
  1. Open the Registry Editor.

  2. Go to HKLM\Software\Protocom\SecureLogin\.

  3. Create a DWORD called ForceHKLMandNoDPAPI, and set the value to 1.

  4. Restart the device.

The settings assigned to an eDirectory user are not applied on the device where the user has logged in

Possible Cause: Two or more eDirectory users with the same username and password might exist in different contexts of the eDirectory tree.
Explanation: When an eDirectory user specifies the username and password to log in to a device, a user with the same username and password but located in a different context of the eDirectory tree might be logged in to the device and the settings of this user are applied on the device. This is because the login GINA is contextless.

For example: Assume that user1 and user2 have the same username and password:

User1: CN = bob, OU = org1, O = Company1 (bob.org1.company1)

User2: CN = bob, OU = org2, O = Company1 (bob.org2.company1)

When user2 specifies the username and password to log in to a device, user1 is logged in to the device instead of user2 because user1 appears first in the search performed by Novell CASA. The settings assigned to user1 are applied on the device.

Action: No two eDirectory users should have the same username and password. Even if the usernames are same, ensure that the passwords are different.

The ZENworks login screen is not displayed on a device if Novell Client has been uninstalled from the device

Explanation: If you uninstall the Novell Client 2 for Windows Vista/2008 (IR1a) from a device, the ZENworks login screen is not displayed on the device when you log in to the device.
Action: To log in to ZENworks Configuration Management, right-click the ZENworks icon on the device, then click Login.

A DSfW user is unable to use Kerberos authentication to log into a device

Explanation: If an iManager or ConsoleOne created DSfW user chooses to use Kerberos authentication to log in to a device, the authentication fails.
Action: Modify the user to set the value of the UserPrincipalName attribute in the standard domain username format (for example, user@domain.com) and then log in to the device again.

or

Use Microsoft Management Console (MMC) for creating DSfW users because the value of the user’s UserPrincipalName attribute is set by default.

Unable to create a keytab file for a DSfW server

Explanation: During the creation of a keytab file for DSfW server, you might encounter the following error:

Unable to find the user in the specified domain

Action: Do the following:
  1. Run the following command to ensure that the DSfW services are running properly:

    xadcntrl status

  2. (Conditional) If the DSfW services are not running properly, run the following command to restart the DSfW services:

    xadcntrl reload

  3. Run the following command to create the keytab file again:

    ktpass /princ host/atsserver.myserver.com@MYSERVER.COM -pass atsserver_password -mapuser domain\atsserver -out atsserver.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL