ZCM Passive mode login

  • 7001082
  • 04-Aug-2008
  • 27-Apr-2012

Environment

Novell ZENworks 10 Configuration Management

Situation

By design, the ZCM managed agent prompts for login on startup (passive mode login fails) when the user source doesn't match the Active Directory domain or eDirectory tree entered into the Microsoft login box or Novell client login box.  Logging in with the ZCM login dialog should work correctly.
 
The ZCM managed agent does not prompt for local workstation logins or when the user source matches the original login type (AD for domain logins, or eDirectory for Novell client logins).

Resolution

This is working as designed.

Additional Information

  1. Logging into Active Directory domain:

    When the workstation logs into a domain using the Microsoft login screen for domain login, the user name, password and Active Directory domain information are passed to the ZENworks agent, which attempts passive mode login with that credential set.  If the same Active Directory domain was configured as the user source, the agent logs in passively (without an additional prompt).

    If eDirectory has been configured as the user source, then passive mode fails and ZCM prompts the user to enter proper credentials and select the realm from the list of all configured user sources.
  2. Logging in Locally:

    When the workstation does a local login through the Microsoft login screen for local workstation login, the credentials are passed to the ZENworks agent, which iterates through all the configured user sources (eDirectory or Active Directory) and attempts a passive login against each. If it fails, it prompts for the proper credentials.
  3. Logging in using Novell Client:

    When the workstation uses the Novell client login screen to log in to eDirectory, the user name, password and eDirectory tree information are passed to the ZENworks agent, which attempts passive mode login with that credential set.  If eDirectory was configured as the user source, the agent logs in passively (without an additional prompt).

    If Active Directory has been configured as the user source, then passive mode login fails and ZCM prompts the user to enter proper credentials and select the realm from the list of all configured user sources.

The nwgina context information is copied into ZenContext, so the user name, password and realm information are passed to ZCM login when passive mode login is attempted.  This can be seen in zenlgn.log.
 
To disable passive mode login, or to prompt for ZCM login, see section 30.3, "Disabling ZENworks User Authentication", in the ZENworks 10 Configuration Management System Administration Reference (part of the ZENworks 10 Configuration Management documentation).
 
If you have multiple user sources, a PC will default to one user source, but if that logon fails it will then prompt the user with a drop-down selection of available user sources.

The last successfully used user source will become the new default user source on that box.

Authentication to the user source goes from the ZENworks managed agent to the ZCM Server, which uses LDAP to test the credentials against the LDAP user source.
 
Differences in passive login among different Windows operating systems:
 
Windows XP / 2003:
NWGina runs in passive mode and passes through MSGina.
The order of login when Novell Client is not installed:
  1. Windows login.
  2. ZENworks login.
If Windows login fails for any reason, ZENworks login will not be attempted.
 
Windows Vista, Windows 7:
The order of login when using the ZENworks credential provider:
  1. ZENworks login happens first in the background.
  2. Windows login.



For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems.