LDAP Contextless Login in Terminal Services Environments

In all versions of the Novell Client for Windows 2000/XP/2003 prior to and including Novell Client 4.91 SP3, the LDAP Contextless Login support will only perform a contextless lookup if a user interactively changes the contents of the "Username:" field or the"Tree:" field of the Novell Client login dialog.

 

As such, the LDAP Contextless Login support was not able to benefit scenarios involving Windows Terminal Services environments where TSClientAutoAdminLogon was being used in conjunction with credentials pre-supplied in the terminal connection, and/or with TSClientAutoAdminLogon in Citrix Metaframe environments that were launching published applications.

 

The widely used workaround for this limitation was to move or alias eDirectory users into a single container, such that in absence of contextless login support the terminal service environment could successfully default to a single context for all eDirectory user logins.

Starting with the post-Novell Client 4.91 SP3 updates of LGNCXW32.DLL v1.0.4 07FEB2007 and LOGINW32.DLL v4.18.00 07FEB2007 and later, the LDAP Contextless Login feature of the Novell Client for Windows will now trigger the necessary events for causing a contextless login lookup during an otherwise non-interactive TSClientAutoAdminLogon scenario.

 

With the updated Novell login components installed, the behavior is automatically enabled whenever LDAP Contextless Login is enabled and a TSClientAutoAdminLogon terminal login is occurring. The username that is supplied as part of the terminal connection credentials is used to perform an LDAP Contextless Login lookup during TSClientAutoAdminLogon processing, same as if the username had been entered during a completely interactive Novell Client login with LDAP Contextless Login enabled.

 

If LDAP Contextless Login successfully matches just a single user in eDirectory, the TSClientAutoAdminLogon processing will use the matching user and context and proceed with a completely transparent login attempt for the terminal session.

 

If the username supplied as part of the terminal connection credentials finds multiple matches via LDAP Contextless Login, the normal contextless login selection dialog will be displayed during the terminal session / published application login. Once the desired user is interactively selected, the TSClientAutoAdminLogon processing will proceed with the otherwise transparent login attempt using the selected user and context.

Note the "TSClientAutoAdminLogon" configuration being referenced here is a long-standing Novell Client feature specific to terminal session logins. When credentials are pre-supplied from the terminal client during a terminal session logon, this normally would only cause a Windows account transparent logon to occur.

 

With TSClientAutoAdminLogon enabled, this otherwise Windows-only terminal session logon is intercepted by the Novell Client an a specific Location Profile is used to supply the additional information, such as an eDirectory tree name and context, needed for attempting a transparent eDirectory logon in addition to the transparent Windows account logon. The registry configuration for establishing a TSClientAutoAdminLogon configuration is summarized as follows:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]

"TSClientAutoAdminLogon"="1"

"DefaultLocationProfile"="Default"

 

Discussion of this setting can be found in the Novell Support Knowledgebase in the AutoAdminLogon- and terminal services-related documents. Note this TSClientAutoAdminLogon configuration is automatically established by Citrix Metaframe as well when enabling the Novell eDirectory integration features of a Metaframe application farm.