"Incorrect Pin" error message is hidden on workstation unlock attempt

  • 7009747
  • 15-Nov-2011
  • 26-Apr-2012

Environment

Windows 7 workstation
Novell Client 2 for Windows
NMAS
Novell Enhanced Smart Card Method

Situation

Users log in with a smart card, lock the workstation, and then enter an incorrect PIN when attempting to unlock the workstation.

"Incorrect pin" error message is hidden.

The user sees no error message after entering the wrong PIN when attempting to unlock the workstation.
The workstation appears to be hung (it is not really hung; it is waiting for user input on an error message that is not visible).

Resolution

Enable the NMAS tab in the properties of the Novell Client on the workstation.

Right-click on the red N in the system tray.
Select "properties."
Select "System Login Profiles."
Highlight the profile being used and click "properties."
Click on the NMAS tab and check the box for "Enable Tab."

Status

Reported to Engineering

Additional Information

The presence of the NMAS tab is what instructs the Novell Client to invoke NMAS-related functions and services. With the NMAS tab present, the Novell Client calls the NMAS "unlock workstation" API. When the NMAS tab is not present, the Novell Client calls the standard eDirectory "verify password" function.

Because of differences in these two "unlock" calls, the "incorrect pin" error message is not properly associated with the Novell Client when the eDirectory "verify password" unlock is called. Consequently, the Novell Client has no control of the window handle for the error message, and cannot control where the message is presented. The error message could appear anywhere, likely behind another window.

More detail:

When the NMAS tab is enabled, the Novell Client calls the NMAS API (NMAS_C32UnlockWorkstation). The Novell Client is able to explicitly pass a parent window handle that any method-specific UI should use as its parent window handle, and the message appears in plain view as desired.

However, when the NMAS tab is NOT present, the Novell Client calls "NWDSVerifyObjectPassword." This call looks at the user's default NMAS sequence as defined in eDirectory, and calls the appropriate NMAS method(s) to unlock the workstation, whether that be a password, a PIN, a biometric or whatever. This prompt bypasses the Novell Client. Because the Novell Client has no knowledge that an NMAS sequence has been invoked, it cannot pass a parent window handle to an NMAS method UI to control where the error message appears. As a result, the error message can appear anywhere, and may not be visible.