Lenovo Fingerprint Software fails with Novell Client

  • 7003633
  • 24-Jun-2009
  • 26-Apr-2012

Environment

Novell Client for Windows 4.91 SP3
Novell Client for Windows 4.91 SP4
Novell Client for Windows 4.91 SP5
Lenovo fingerprint software
Authentec fingerprint reader

Situation

Lenovo Fingerprint Software does not work with the Novell Client
Unable to log in with a fingerprint once the Novell Client is installed
Lenovo Fingerprint Software will not work with NWGINA

Resolution

The Lenovo Fingerprint Software lets users log on to and unlock Windows workstations with a fingerprint instead of a password. Part of how this is achieved is by integrating with the Microsoft standard logon interface (MSGINA): a fingerprint swipe takes the place of the password that MSGINA would otherwise collect.

When the Novell Client for Windows XP/2003 is installed on the workstation for logging into Novell eDirectory in addition to Windows, the Novell Client configures Windows to use the Novell Client's logon interface (NWGINA) instead of the standard Microsoft MSGINA logon interface. This stops the Fingerprint Software's logon integration from working, because the Windows logon interface is no longer one the Fingerprint Software is designed to interact with (MSGINA).

Beginning with the Novell Client 4.91 SP3 for Windows XP/2003, the Novell Client can present the user with the Microsoft standard logon interface (MSGINA) and then automatically attempt an eDirectory login using the same username and password that were supplied for the Windows account logon. This Novell Client "PassiveModeNDSLogin" mode can also be used to let the Fingerprint Software keep integrating with the Microsoft MSGINA logon interface while the Novell Client still logs in to eDirectory as part of the Windows logon.

To achieve this configuration, use the following steps:

  1. This approach depends on the Windows user account name and password being the same as the Novell eDirectory user object name and password. For example, the Windows account "Mary" and the eDirectory user object "Mary.CEO.Corp" must both be set to the same password, and the two passwords must be kept synchronized; if one side changes without the other, the eDirectory login will fail and the user will see the error dialog described later in this document.

  2. If the Lenovo Fingerprint Software isn't already installed, install the current Fingerprint Software available from http://www.lenovo.com/think/support/.

    Note that if the Fingerprint Software is installed after the Novell Client, it is expected that the Windows GINA configuration ("GinaDLL") will be changed to the Fingerprint Software's GINA ("ATGinaHook.dll"), which also causes the Microsoft MSGINA logon interface to be presented instead of the Novell Client login interface.

  3. If the Novell Client is not already installed, install the current Novell Client 4.91 for Windows XP/2003 from https://download.novell.com/patch/finder. The Novell Client 4.91 SP3 for Windows XP/2003 or later must be used in order to provide "PassiveModeNDSLogin" support.

    Note that if the Novell Client is installed after the Fingerprint Software, during installation the Novell Client will prompt that another GINA ("ATGinaHook.dll") was found to be registered as the Windows "GinaDLL" configuration. It's recommended that you initially force Novell Client to replace the Windows GINA configuration with Novell Client's NWGINA, just to simplify some of the subsequent steps that will be performed.

    If a fingerprint-based Windows logon configuration was already in use on the machine, make sure the Windows account name and password of an Administrators-member Windows account are known, since allowing the Novell Client to replace the Fingerprint Software's "ATGinaHook.dll" GINA will temporarily disable the fingerprint-based login.

    If during installation the Novell Client NWGINA was not allowed to run at Windows startup, the Novell Client's red 'N' menu in the Windows taskbar notification area may not be present for accessing features such as "Novell Login" and "Novell Client Properties". It can also mean that the [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA] subkey does not exist in the registry and will have to be created manually in subsequent steps.

    If the Novell Client's red 'N' menu in the Windows taskbar notification area is not present, you can manually use the "Run" dialog from the "Start" menu to run "NWTRAY.EXE" to create the taskbar notification area icon.

  4. The next step is to populate the Novell Client's "Default" location profile so that it is configured with the correct eDirectory tree name, eDirectory context, etc., for logging on as the user(s) who will be using the machine.

    One way to do this is to right-click on the Novell Client red 'N' menu in the Windows taskbar notification area and select "Novell Client Properties". On the "Location Profiles" tab, highlight "Default" and select Properties, keep "Default" selected and hit "Properties" again, and then edit the Novell Client login configuration dialog with the correct information for the eDirectory tree name, context and server.

    Alternatively, another way to populate the Novell Client's "Default" location profile is to interactively run the Novell Client login to successfully login to eDirectory using the correct username, eDirectory context and tree name, etc. Because the "Save profile after successful login" option is enabled by default, this too will cause the eDirectory settings to be saved.

  5. Create the Novell Client "PassiveModeNDSLogin" configuration in the registry using the Windows RegEDIT applet or any other suitable tool for making Windows registry changes. To enable the Novell Client's "PassiveModeNDSLogin" mode, create the following REG_DWORD registry values under the indicated registry keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
    "PassiveMode"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
    "PassiveModeNDSLogin"=dword:00000001

  6. Configure the Fingerprint Software's GINA such that it will "chain" to Novell's NWGINA instead of Microsoft's MSGINA. To configure the Fingerprint Software to do this, create the following REG_SZ registry value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
    "LowerGina"="NWGINA.DLL"

  7. Finally, change the Windows "GinaDLL" configuration to use the Fingerprint Software's "ATGinaHook.dll", if it is not already set that way. Before making this change, confirm that ATGinaHook.dll is actually present in %SystemRoot%\system32: if "GinaDLL" names a DLL that Winlogon cannot load, no logon interface can be presented and the value has to be repaired offline. To configure Windows to invoke the Fingerprint Software's GINA, create and/or update the following REG_SZ registry value:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "GinaDLL"="ATGinaHook.dll"

  8. If you have not already enrolled a user with the Fingerprint Software, use the Fingerprint Software's enrollment tool now to establish a fingerprint association to a Windows user account and password. This is the Windows user account name and password that will be used for logging in to both Windows and eDirectory during the Windows machine's logon.
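The following script is an added example, not part of the original TID or of Novell's or Lenovo's software. It applies the registry configuration of steps 5 through 7 in one pass, after checking that both GINA DLLs are present and exporting the affected keys so the change can be reverted with "reg import". It assumes Windows XP/2003 with PowerShell 2.0 running from an Administrators-member account; the backup directory, file names and the -AddLoginScriptRun switch (which also installs the login-script workaround from the Limitations section) are this example's own conventions, while every key and value name comes from the TID.

```powershell
# Added example (not from the Novell TID): applies the PassiveModeNDSLogin
# registry configuration from steps 5-7 after checking the prerequisites.
# Assumes Windows XP/2003 with PowerShell 2.0, run as an Administrators member.
# Key and value names are those given in the TID; $BackupDir and the
# -AddLoginScriptRun switch are this example's own assumptions.
param(
    [string]$BackupDir = "$env:SystemRoot\Temp",
    [switch]$AddLoginScriptRun   # also add the loginw32.exe "Run" workaround
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$nwgina   = 'HKLM:\SOFTWARE\Novell\NWGINA'
$nwlogin  = 'HKLM:\SOFTWARE\Novell\Login'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$system32 = "$env:SystemRoot\system32"

# 1. Both GINAs must actually be installed. If GinaDLL names a DLL that
#    Winlogon cannot load, no logon interface appears at all, and because
#    GinaDLL lives under HKLM\SOFTWARE, "Last Known Good" will not undo it.
foreach ($dll in 'ATGinaHook.dll', 'NWGINA.DLL') {
    if (-not (Test-Path (Join-Path $system32 $dll))) {
        throw "$dll not found in $system32 - install the missing software first."
    }
}

# 2. Export the keys about to be changed so they can be restored with
#    'reg import <file>' (from the Recovery Console if necessary).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' "$BackupDir\winlogon-$stamp.reg" | Out-Null
reg export 'HKLM\SOFTWARE\Novell' "$BackupDir\novell-$stamp.reg" | Out-Null

# 3. Step 5: enable passive mode. The NWGINA subkey may be absent if NWGINA
#    was never allowed to run at startup (see step 3), so create it if needed.
foreach ($key in $nwgina, $nwlogin) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
New-ItemProperty -Path $nwgina  -Name 'PassiveMode'         -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $nwlogin -Name 'PassiveModeNDSLogin' -Value 1 -PropertyType DWord -Force | Out-Null

# 4. Step 6: make the fingerprint GINA chain to NWGINA instead of MSGINA.
New-ItemProperty -Path $nwlogin -Name 'LowerGina' -Value 'NWGINA.DLL' -PropertyType String -Force | Out-Null

# 5. Step 7: hand Winlogon to the fingerprint GINA (last, so every value
#    the chain depends on is already in place if the machine reboots now).
New-ItemProperty -Path $winlogon -Name 'GinaDLL' -Value 'ATGinaHook.dll' -PropertyType String -Force | Out-Null

# 6. Optional: the login-script workaround from the Limitations section.
if ($AddLoginScriptRun) {
    New-ItemProperty -Path $runKey -Name 'NWSCRIPT' `
        -Value 'loginw32.exe %username% /NA /CONT' -PropertyType ExpandString -Force | Out-Null
}

# 7. Read the values back so the result can be checked before the next logon.
Get-ItemProperty $winlogon | Select-Object GinaDLL
Get-ItemProperty $nwgina   | Select-Object PassiveMode
Get-ItemProperty $nwlogin  | Select-Object PassiveModeNDSLogin, LowerGina
```

Run it once from an administrative PowerShell prompt, confirm that the echoed values match steps 5 through 7, then enroll a fingerprint (step 8) before rebooting. The GinaDLL change is deliberately written last, so that the Novell values it depends on are already present if the workstation restarts part-way through.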


To summarize the chain of events expected to happen during the Windows machine's logon:

  1. Windows, because of the "GinaDLL" being set to "ATGinaHook.dll", will provide the Fingerprint Software the opportunity to prompt for and collect a fingerprint for login instead of a Windows username and password.

  2. The Fingerprint Software, because "LowerGina" is set to "NWGINA.DLL", will invoke the Novell Client's NWGINA once the fingerprint's association to a specific Windows user account name and password has been determined.

  3. The Novell Client's NWGINA, because of the "PassiveMode" configuration, will invoke the standard Microsoft MSGINA logon user interface instead of the Novell Client's normal eDirectory & Windows login dialog. Because the standard Microsoft MSGINA logon interface is being presented, the Fingerprint Software is able to integrate with and initiate a Windows user account logon for the Windows user account that was associated to the fingerprint.

  4. The Novell Client's NWGINA, because of the "PassiveModeNDSLogin" configuration, upon return from a successful Windows account logon from Microsoft's MSGINA, will attempt to use that same Windows user account name and password to attempt logging into eDirectory too, using the eDirectory settings currently in the Novell Client's "Default" location profile.

  5. If the Novell Client's eDirectory logon attempt succeeds, it happens transparently and the user never sees a Novell Client login dialog. If the Novell Client's eDirectory logon attempt fails, either because the password isn't the same on the eDirectory user or the information in the "Default" location profile isn't correct, the user will see a dialog indicating what failure occurred in the eDirectory logon attempt. After acknowledging the error dialog, the user will be presented with the normal Novell Client eDirectory-only login dialog to allow the user to enter the correct eDirectory password and/or change the other eDirectory login details on the Novell Client login dialog.


Limitations of this Novell Client for Windows XP/2003 "PassiveModeNDSLogin" configuration:

  1. Note that the Novell Client's "PassiveModeNDSLogin" configuration only authenticates to eDirectory; it does not run the eDirectory user's login scripts. A workaround is to run the eDirectory login scripts from the user's desktop, either by placing a "Run" entry in the registry that invokes a command line to run the login scripts for the current eDirectory user, or by creating a "Startup" folder shortcut that invokes such a command line.

    If using the "Run" key in the registry, an example is to create a REG_EXPAND_SZ value named "NWSCRIPT" under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] key, and then set the "NWSCRIPT" value to a command line similar to "loginw32.exe %username% /NA /CONT".

  2. If Novell ZENworks is being used in addition to the Novell Client, note that because Novell's NWGINA will no longer be the primary GINA, and the Windows account logon must complete before the eDirectory login, certain ZENworks-specific features such as Dynamic Local User (DLU) policies cannot be supported when "PassiveMode" and/or "PassiveModeNDSLogin" are in use. For more information on the additional limitations that "PassiveMode" and "PassiveModeNDSLogin" create for the Novell ZENworks environment on the workstation, see the ZENworks documentation and support documents at https://www.novell.com/.

For additional information about the Novell Client for Windows XP/2003's "PassiveModeNDSLogin" functionality, see the following section of the Novell Client 4.91 SP5 for Windows XP/2003 Readme:

Passive Mode Login Functionality

https://www.novell.com/documentation/noclienu/clientreadme/data/ncw_readme_sp5.html#b7gx7eq