Troubleshooting password issues on Branch Office 2.0

(Last modified: 19Apr2006)

This document (10096650) is provided subject to the disclaimer at the end of this document.

fact

Novell Nterprise Branch Office 2

symptom

Troubleshooting password issues on Branch Office 2.0

fix

Grace login fixes should be applied to the Central office server.  See TID 10094407.

Other required updates on the Central Office server:

NICI 265    www.novell.com/download
secupd7     support.novell.com
edir8733    support.novell.com
nmsrv236    support.novell.com

The simple password method should be updated to 2.3.4.0 on the Central Office server as per step 3a in TID 10092374.  The method may also be updated with nmmth236 from support.novell.com.

The Branch Office server should be patched with the following which is current as of the writing of this TID:

NW65SP3.EXE

The 4.9 client should have the NMAS option enabled for changing passwords in an NBO 2.0 tree.  This client NMAS option should not be used with NBO 1.0.

The TREE command should be removed from the NBO container login script if it is being used.  This configuration was not specifically tested with NBO and is known to cause password sync issues.  TID 10098917 should be followed if the TREE command is being used in the CO tree.

Information about iManager Universal Password Policy management in the Central Office tree:

The option to manage Universal Password Policies in the Central Office tree is typically available in iManager once the correct snap-ins are installed.  A Password link is added to the column on the left-hand side.  iManager should never be used with the NBO tree.  All references here are specific to the CO tree.

The iManager Password Policy Advanced Password Rules option is not compatible with Branch Office.  Having this option enabled will cause serious Branch Office password change problems.

Here is an example of a policy compatible with Branch Office.

These options should be set when creating a new policy or modifying an existing policy for NBO compatibility.  They are found under Password Policy Configuration Options:

Enable Universal Password                                                   true
Enable the Advanced Password Rules                                          false
Remove the NDS Password when setting Universal Password                     false
Synchronize NDS Password when setting Universal Password                    true
Synchronize Simple Password when setting Universal Password                 true
Synchronize Distribution Password when setting Universal Password           false
Allow user agent to retrieve password                                       true
Verify whether existing passwords comply with the password policy           false
(verification occurs on login)

Note: The last option may be set to true without affecting the policy compatibility with Branch Office.

ConsoleOne may also be used to confirm if the current policy is compatible with Branch Office by doing the following:

Launch ConsoleOne and open the Central Office Security container at the root of the tree.  Open the Password Policies container object.  Right-click the policy assigned to the container holding users that will provision to a Branch Office tree.  Select Properties for this object.  Go to the Other tab and look at the value in nspmConfigurationOptions.  If this value is 272, the policy is compatible with Branch Office.  A new policy may be created, or an existing policy modified, in iManager as outlined above in this document, or the nspmConfigurationOptions value on the current policy can be set to 272 in ConsoleOne.  Be aware that changing and saving this value will automatically and immediately set the policy options to the NBO compatible settings described above in this document.  This will affect all users assigned to this policy, regardless of whether they are Branch Office users.

The following options may still be set via ConsoleOne or iManager on the user or user container object Restrictions tab.  These options do not cover the full functionality of the Advanced password rules in the iManager password policy management.  However, the options are compatible with NBO when set by browsing to the user or user container objects and making the adjustment.  Keep in mind these options will not be set in the iManager Password Management because Advanced password rules should be disabled for Branch Office compatibility.

Allow user to change password.

Require password.

Force periodic password changes.

Days between forced changes.

Date and time password expires.

Require unique passwords.

Limit grace logins.

Grace logins allowed.

Remaining grace logins.

With Universal Password enabled, two connections are used to the CO tree during each NBO authentication.  The grace logins value should be adjusted accordingly in the CO tree to allow enough grace attempts for change password requests upon password expiration.  (i.e., if the grace logins allowed and grace logins remaining are set to 3 in the Central Office tree, the user will be unable to change their password, because it takes one full authentication for the NBO tree to receive information about password expiration.  During the first authentication, when the NBO tree is going through a process to sync up some attributes from the CO tree, the user is not prompted to change the password.  The user gets prompted to change the password on the next authentication to the NBO tree.  Unfortunately, the grace logins remaining value has decremented enough by the time of the second authentication to prevent a proper two connection login.  The password cannot be changed without a valid connection.)

Note:  If you are testing this in a lab environment, you must wait two minutes for a valid result.  Normally the NBO will check the CO server for information during every authentication unless two minutes have not yet passed since the last authentication attempt.  If two minutes have not passed, the authentication is only "speaking" to the NBO tree.

The Limit Concurrent Connections value should also be adjusted to accommodate the consumption of two connections during authentication.  Setting a value of 1 will cause authentication and change password issues.

Troubleshooting password problems in the Central Office tree with DIAGPWD1.EXE:

DIAGPWD1.EXE is downloadable from support.novell.com

DIAGPWD1.EXE will only run successfully against Central Office servers installed with NMAS 2.3.6.

Install this utility on a Windows workstation and generate an OUTPUT.TXT file of the user's context in the Central Office tree.  See the DIAGPWD1.EXE readme for installation and syntax instructions.

The first section of this document covers authentication to the Branch Office when Universal Password has NOT been enabled in the Central Office tree.

The second section of this document covers authentication to the Branch Office when Universal Password has been or will be enabled.

The third section of this document covers Virtual Office and CIFS authentication to the Branch Office when the Central Office server is Microsoft with Active Directory.

*************************************************************************************************************************************************


Section #1:  Simple and NDS Passwords are being used in the Central Office tree.  The output examples in this section were obtained with DIAGPWD1.EXE.

Authentication Methods in Section #1:

a)  Novell client 4.9 (NCP)

b)  Microsoft client (CIFS)

c)  Virtual Office


a)  Novell Client 4.9 (NCP)

The user nosimple does not have a simple password set in the Central Office tree.  This user will fail to auto provision to a Branch Office tree via a Novell client connection because a simple password is required.

Object DN: cn=nosimple,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Not set
 Password Policy DN: [NONE]


The user simpleandndsnotinsync has a simple password set but it does not match the NDS password.  This user will fail to auto provision to a Branch Office tree via an NCP (Novell Client) connection because the simple and NDS passwords must match in the Central Office LDAP tree.  (Simple != NDS means the simple and NDS passwords are out of sync.)

Object DN: cn=simpleandndsnotinsync,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Set, Simple != NDS
 Password Policy DN: [NONE]

b)  Microsoft client (CIFS)

The user usercifs does not have a simple password set in the Central Office tree.  This user will fail to auto provision to a Branch Office tree via a CIFS connection because a simple password is required.

Object DN: cn=usercifs,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Not set
 Password Policy DN: cn=Universal Password Off,cn=Password Policies,cn=Security


The user usercifssimplendsdonotmatch has a simple password set but it does not match the NDS password.  This user will fail to auto provision to a Branch Office tree via a CIFS connection because the simple and NDS passwords must match in the Central Office LDAP tree.  (Simple != NDS means the simple and NDS passwords are out of sync.)

Object DN: cn=usercifssimplendsdonotmatch,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Set, Simple != NDS
 Password Policy DN: cn=Universal Password Off,cn=Password Policies,cn=Security

CIFS users may only change their password with the NBO Virtual Office login.  The change password option can be found from the My Settings link under Services.

NOTE:  CIFS uses the simple password.  Simple passwords are case sensitive.  NDS passwords are not case sensitive.  The simple and NDS passwords must be in sync with each other in the CO tree.  (See the CIFS section below for information about configuration when UP is enabled.)  Therefore, all simple passwords in the CO tree need to be set without case.  Existing simple password case may be removed by setting a new simple password in the CO tree without case.  Unfortunately, DIAGPWD1.EXE will not catch a case mismatch condition between the NDS and simple passwords.


c)  Virtual Office

The user uservologin does not have a simple password set.  This user WILL be able to login because the Virtual Office login sets the simple password to match the NDS password if it does not exist.

Object DN: cn=uservologin,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Not set
 Password Policy DN: cn=Universal Password Off,cn=Password Policies,cn=Security

The user uservosimplendsmismatch will not be able to login because the simple and NDS values are set but do not match.

Object DN: cn=uservosimplendsmismatch,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Set, Simple != NDS
 Password Policy DN: cn=Universal Password Off,cn=Password Policies,cn=Security

Simple and NDS password summary when universal password is disabled:

Simple passwords must be set and match NDS passwords in the Central Office tree for a user to authenticate to the Branch Office tree with CIFS or NCP.  The exception to this rule is authentication with a Virtual Office login.  The Virtual Office login to the Branch Office tree will automatically set the simple password to match the NDS password in the Central Office tree (except in a case mismatch condition), as long as a previously created simple password is not already out of sync with the NDS password.  When the NDS password is changed with the client (NCP), NWADMIN, ConsoleOne, or iManager, only the NDS password value is changed.  The simple password will be out of sync in the Central Office tree until it is manually set in sync with the NDS value.  This can be done with iManager or ConsoleOne.


***************************************************************************************************************************************************

Section #2:  Universal Password is enabled in the Central Office tree.  The output examples in this section were obtained with DIAGPWD1.EXE.

Authentication Methods:

a)  Novell client 4.9 (NCP)

b)  Microsoft client (CIFS)

c)  Virtual Office


a)  Novell Client 4.9 (NCP)

The user SimplesetbeforeUPisenabled has simple and NDS passwords set and in sync at the time Universal Password is enabled.  Even though the log reports Universal Password is not set, this user WILL still be able to auto provision to a Branch Office tree via NCP.  The authentication process to the NBO tree will set the Universal Password in the Central Office LDAP tree because the user already had matching simple and NDS passwords before Universal Password was enabled.

Object DN: cn=SimplesetbeforeUPisenabled,o=novell
 EMail: [NONE]
 Password Status: Enabled, Not set
 Simple Password Status: Set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security

Here is what this user would look like in the Central Office LDAP tree after they have auto provisioned to the Branch Office tree for the first time.  Notice the Universal Password is now set.

Object DN: cn=SimplesetbeforeUPisenabled,o=novell
 EMail: [NONE]
 Password Status: Enabled, Set
 Simple Password Status: Set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security

The user NDSONLY seen below had the NDS password set but did not have the simple password set at the time Universal Password was enabled.  This user will fail to auto provision to the NBO via an NCP connection unless they authenticate at least once to the Central Office tree.  Enabling Universal Password in the Central Office tree does not mean a Universal Password has been set for individual users.  Authentication to the Central Office tree directly, not via the NBO, will set both the simple and Universal Password values for these users.

Object DN: cn=NDSONLY,o=novell
 EMail: [NONE]
 Password Status: Enabled, Not set
 Simple Password Status: Not set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security

This is what the user looks like after they have authenticated once to the Central Office tree (see below).  The user will not be required to authenticate first to the Central Office tree again once the Universal and simple passwords are set.  From this point on, the user can provision or login by authenticating directly to the NBO tree.  Note:  Simple passwords cannot be manually set in the CO tree via ConsoleOne or iManager once Universal Password is enabled.

Object DN: cn=NDSONLY,o=novell
 EMail: [NONE]
 Password Status: Enabled, Set
 Simple Password Status: Set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security


The user NSoutsync did not have the simple and NDS passwords in sync (Simple != NDS) at the time Universal Password was enabled in the Central Office LDAP tree.  This user will fail to auto provision to the Branch Office tree.  (See the next paragraph for more important detail on how this situation affects passwords in the Central Office tree.)

Object DN: cn=NSoutsync,o=novell
 EMail: [NONE]
 Password Status: Enabled, Not set
 Simple Password Status: Set, Simple != NDS
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security

Even though this user has failed authentication to the NBO tree, another important change has happened with the password in the Central Office tree.  Notice below in the log entry taken from the Central Office tree immediately after the user fails authentication to the NBO tree.  It now shows the NDS and simple passwords in sync and a Universal Password set.  This information is true, but the NDS and simple passwords are now in sync with whatever was previously set as the simple password value.  This means the user will no longer be able to login to the Central Office tree unless the simple password value is used.  The NDS value has been changed to the simple value.  Likewise, the user will now be able to login to the Branch Office tree as long as the newly set NDS value, which was set from the simple value, is used.

Object DN: cn=NSoutsync,o=novell
 EMail: [NONE]
 Password Status: Enabled, Set
 Simple Password Status: Set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security

NOTE #1: 

Having simple and NDS values out of sync at the time Universal Password is enabled is a bad situation with Branch Office, because password values become very difficult to determine.  Most business locations enable Universal Password to fix password sync issues.  This is what Universal Password was designed to help fix.  However, it is very important with Branch Office that any set simple and NDS values in the Central Office tree are in sync before enabling Universal Password.  Only enable Universal Password after all set NDS and simple passwords are in sync.  Universal Password will continue to automatically keep them in sync once it has been enabled.

NOTE #2:

If a user with a mismatched NDS and simple password logs into the Central Office tree first via NCP, they should then be able to login to the NBO tree via the Novell client (NCP) using the NDS password.  Logging into the Central Office tree with an NCP client, when universal password is enabled, sets the two out of sync passwords back into sync.


Any new user created in the Central Office tree after Universal Password has been enabled will be able to provision to the Branch Office tree.  These users should not require authentication to the Central Office tree first.

b) Microsoft client (CIFS)

All rules for NCP authentication, when universal password is enabled, also apply to CIFS authentication and universal password.  This is specifically true when there is a mixture of CIFS and NCP authentications to an NBO tree.  See each test case scenario above for NCP authentication when universal password is enabled.  If the client environment is purely CIFS, then only the simple password is required.

CIFS users may only change their password with the NBO Virtual Office login.  The change password option can be found from the My Settings link under Services.

NOTE:  CIFS uses the simple password.  Simple passwords are case sensitive.  NDS passwords are not case sensitive.  The simple and NDS passwords must be in sync with each other.  NBO does not have a way to manage password case sensitivity via Universal Password in the CO tree.  (See the section above about UP configuration with the Advanced Password Rules set to false.)  Therefore, all simple passwords in the CO tree need to be set without case.  If Universal Password has been enabled correctly in the CO tree, as described above in this document, existing simple password case may be removed by setting a new NDS password without case.  Unfortunately, DIAGPWD1.EXE will not catch a case mismatch condition between the NDS and simple passwords.


c)  Virtual Office

A user does not have a simple password set.  This user WILL be able to login because the Virtual Office login sets the simple password to match the NDS password if it does not exist.

Any user with a simple and NDS password mismatch will not be able to login to the NBO tree because the simple and NDS values are out of sync.

If the user with the mismatched NDS and simple password logs directly into the Central Office tree first via NCP (not via the NBO tree), they should then be able to login to the NBO tree with the virtual office login using the NDS password.  Logging into the Central Office tree directly via NCP, with universal password enabled, puts the two out of sync passwords back into sync except in the condition where the passwords are the same but with different case.


Universal Password summary:

It is best to only enable Universal Password when NDS and simple passwords are already in sync, unless all users who will login to the Branch Office tree first login, at least once, to the Central Office tree.  Any new user created in the Central Office tree after Universal Password has been enabled will be able to provision to the Branch Office tree.  These users should not require authentication to the Central Office tree first.  All case must be removed from simple passwords because UP in the CO tree is not compatible with NBO if the Advanced Password Rules are set to true.  Case may be removed by having UP enabled correctly for NBO compatibility (see the section "Information about iManager Universal Password Policy management in the Central Office tree" above) and setting a new NDS password without case.
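As an added example that is not part of the original TID or of DIAGPWD1.EXE, the following Python script parses the record layout DIAGPWD1.EXE writes to OUTPUT.TXT (as shown in Sections 1 and 2) and applies this document's rules to report which users will fail to auto provision over NCP, CIFS or Virtual Office.  The sample records are copied from the examples above; the classification rules are this editor's reading of the text, and a case-only mismatch cannot be detected because the tool does not report it.

```python
"""Classify DIAGPWD1.EXE OUTPUT.TXT records against the NBO provisioning rules in this TID."""
from dataclasses import dataclass

METHODS = ("NCP", "CIFS", "VO")  # Novell Client, Microsoft client (CIFS), Virtual Office

# Constructed sample in the record layout DIAGPWD1.EXE writes (users taken from the TID examples).
SAMPLE_OUTPUT = """\
Object DN: cn=nosimple,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Not set
 Password Policy DN: [NONE]

Object DN: cn=simpleandndsnotinsync,o=novell
 EMail: [NONE]
 Password Status: Universal Password disabled
 Simple Password Status: Set, Simple != NDS
 Password Policy DN: [NONE]

Object DN: cn=NDSONLY,o=novell
 EMail: [NONE]
 Password Status: Enabled, Not set
 Simple Password Status: Not set
 Password Policy DN: cn=Universal Password On,cn=Password Policies,cn=Security
"""

@dataclass
class UserRecord:
    dn: str
    up_enabled: bool      # "Password Status" is anything but "Universal Password disabled"
    up_set: bool          # "Password Status: Enabled, Set"
    simple_set: bool      # "Simple Password Status" starts with "Set"
    simple_in_sync: bool  # set and not flagged "Simple != NDS"

def parse_diagpwd_output(text):
    """Split OUTPUT.TXT into records; each record starts at an 'Object DN:' line."""
    records, fields = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:                       # blank line or non-record text
            continue
        if key == "Object DN" and fields:
            records.append(_to_record(fields))
            fields = {}
        fields[key.strip()] = value.strip()
    if fields:
        records.append(_to_record(fields))
    return records

def _to_record(f):
    status, simple = f.get("Password Status", ""), f.get("Simple Password Status", "")
    up_enabled = not status.startswith("Universal Password disabled")
    return UserRecord(dn=f["Object DN"], up_enabled=up_enabled,
                      up_set=up_enabled and status.endswith(", Set"),
                      simple_set=simple.startswith("Set"),
                      simple_in_sync=simple.startswith("Set") and "Simple != NDS" not in simple)

def provisioning_verdict(rec, method):
    """Return (will_provision, reason) for one access method, per Sections 1 and 2."""
    if rec.simple_set and not rec.simple_in_sync:
        reason = "simple and NDS passwords out of sync"
        if rec.up_enabled and method != "VO":   # Section 2a: failed NBO login rewrites NDS
            reason += "; a failed NBO login will reset the NDS password to the simple value"
        return False, reason
    if not rec.simple_set and method == "VO":
        return True, "Virtual Office sets a missing simple password"
    if rec.simple_set:
        return True, "simple password set and in sync with NDS"
    if rec.up_enabled:
        return False, "UP enabled but not set; user must authenticate directly to the CO tree once"
    return False, "no simple password set"
```

Run it against a real OUTPUT.TXT by passing the file contents to parse_diagpwd_output and calling provisioning_verdict for each record and method.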


*******************************************************************************************************************************************************

Section #3:  Virtual Office and CIFS authentication to the Branch Office when the Central Office server is Microsoft with Active Directory.

A user may only provision to the NBO tree via a Virtual Office login.  CIFS authentication may only be used to the NBO tree after the first authentication with Virtual Office is completed to provision the user.  If a user's password is changed in the Central Office Active Directory tree, the only way for this change to be passed to the NBO tree is to login again with the Virtual Office web authentication.  Passwords changed in the NBO tree will not be passed to the CO Active Directory tree.

The best way to manage password changes to Central Office Active Directory trees is to do the following:

Expire and force a password change during direct authentication to the CO Active Directory tree.
Have the user then login to the NBO tree via a Virtual Office web authentication.
The correct changed password should now be provisioned to the NBO tree for either CIFS or Virtual Office authentication.

*******************************************************************************************************************************************************


disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

  • Document ID: 10096650
  • Solution ID: NOVL100956
  • Creation Date: 15Feb2005
  • Modified Date: 19Apr2006
    • NovellNetware
