Novell Client 4.91 SP4 for Windows XP/2003 Readme

September 4, 2007

1.0 What’s New

1.1 Support Pack 4

1.2 Support Pack 3

This release contains bug fixes only. For a list of fixes, see 6.0 Fixes Since the Last Release in the Novell® Client™ 4.91 SP3 for Windows XP/2003 Readme.

1.3 Support Pack 2

This release includes additional Forgotten Password Recovery functionality. When a user logs in, the Novell Client checks to see if the password policy uses Challenge Response and if the user has entered responses. If responses have not been entered, the user is notified and a dialog box opens so that he or she can enter the responses. Additionally, if the password policy uses a password hint or a password reminder and this had not been set, the Novell Client prompts the user to enter this information.

1.4 Support Pack 1

This release includes a new feature that lets users recover a forgotten password by using the “Forgot your password” link in the client login dialog box. For more information, see Using the “Did You Forget Your Password?” Link in the Novell Client for Windows Installation and Administration Guide.

1.5 Version 4.91

The following features are new in version 4.91:

  • Changes to the Update Agent to allow you to deploy new property page settings.

  • Changes to Automatic Client Update that allow you to enable Update Agent on multiple workstations without running a complete software installation.

  • Changes to the Novell Client Update Agent and Automatic Client Update to allow components to be uninstalled.

  • Unicode* file naming in mixed language environments.

  • A Microsoft* Windows* System Restore Point is now created on Windows XP workstations prior to the Novell Client installation. System Restore allows you to restore your computer to its state before the Novell Client was installed, if a problem occurs, without losing data.

  • Implementation of the Novell Universal Password (also known as the NDS® Login Method) available in NetWare® 6.5 and later. It provides stronger, more robust passwords and password management, with the ability to create a common password that can be used by all protocols to authenticate users. Also included is support for password hints, administrator messages, and password requirements.

  • Support for the NetIdentity agent

    The NetIdentity agent can be installed with the Novell Client or as a separate installation. It provides background authentication to Windows Web-based applications that require Novell eDirectory™ authentication, such as iPrint, Novell Virtual Office, and NetStorage.

1.6 Changes

The following changes have been made in version 4.91:

  • Windows NT* is no longer supported.

  • ZENworks® for Desktops 3.2 components have been deleted.

2.0 Installation Issues

2.1 Supported Windows Platforms

The Novell Client for Windows supports the following Windows operating systems. For all platforms, the Novell Client only supports 32-bit versions of Windows. The Novell Client cannot be installed on a 64-bit version of Windows 2003, Windows XP, or Windows 2000.

  • Windows 2000 Professional

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows Server 2003 Server Edition

  • Windows Server 2003 Enterprise Edition

  • Windows XP Professional

  • Windows XP Tablet PC Edition

IMPORTANT: The Novell Client might run but is not supported on Windows XP Home edition.

2.2 Supported Server Platforms

The Novell Client for Windows XP/2003 supports Novell Open Enterprise Server (OES) 1, OES 2, NetWare® 5.1, NetWare 6.0, and NetWare 6.5.

3.0 Login Issues

3.1 Login Fails when Specifying the Default NMAS Login Sequence

By default, the Novell Client attempts to perform an NMAS™ login using the NMAS login sequence that is configured in eDirectory. If nothing is specified, the Novell Client uses the default NMAS login sequence. This automatic fallback to the default can fail when logging in against an NMAS 2.3.4.1 server.

To work around this problem, in the Login dialog box, select Advanced, select the NMAS tab, and then select NDS in the Sequence drop-down menu.

3.2 Installing SecureLogin 3.5 SP1 over the Novell Client 4.91 Prevents Login

Do not install SecureLogin 3.5 SP1 (or earlier) after installing the Novell Client 4.91. SecureLogin installs NMAS Client 2.7 over the NMAS Client 3.0. The Novell Client requires the NMAS Client 3.0; it is not compatible with the previous versions of the NMAS Client.

To solve this, reinstall the Novell Client 4.91.

3.3 Commenting Out the NMAS Load Line on NetWare 6.5 Server Causes the Client Login to Fail

If you remark out (rem) the NMAS load line in the autoexec.ncf file on a NetWare 6.5 server, the Novell Client cannot log in to the server. NMAS should not be removed from a NetWare 6.5 server.

3.4 Contextless Login Property Page Does Not Allow Cut and Paste Actions

You cannot copy, cut, or paste from within some fields of the contextless login property page.

3.5 ZENworks 6.5 Middle Tier Fails to Authenticate

Users and workstations can no longer authenticate through the middle tier after installing the Novell Client. For more information, see TID 10093371.

3.6 Passive Mode Login Functionality

When configured for passive mode login, the Novell Client’s NWGina defers to the Microsoft Graphical Identification and Authentication Dynamic Link Library (MSGINA.DLL) for the initial workstation login. After authentication to the workstation, NWGina attempts to authenticate to the Novell environment. The username and password used for workstation authentication are used for the Novell authentication.

To successfully authenticate to the Novell environment, the username must exist in eDirectory, and the default location profile must be properly configured with the Tree and Context information.

To enable passive mode login, set the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000000 or 00000001
"PassiveModeNDSLoginRequired"=dword:00000000 or 00000001

Registry Setting Descriptions

  • PassiveMode: (0/1) default is 0. 0 = normal mode; 1 = passive mode.

  • PassiveModeNDSLogin: (0/1) default is 0. 0 = don't do Novell login; 1 = do Novell login.

  • PassiveModeNDSLoginSilent: (0/1) default is 0. 0 = report Novell login errors; 1 = don't report Novell login errors.

  • PassiveModeNDSLoginRequired: (0/1) default is 0. 0 = don't require Novell login; 1 = require Novell login.

Notes:

  • If the “PassiveModeNDSLoginRequired” setting is True (1), the GINA login experience will require a successful Novell authentication in order to succeed.

  • The “PassiveModeNDSLoginSilent” setting requires functionality released in the Novell Client for Windows XP/2003 4.91 SP3.

  • Login scripts are not processed in passive mode. A workaround is to run them after the GINA login. You can do this by placing a run entry in the registry, or you can create an entry in the startup folder.

    The following is a Run key example:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwscript"=reg_expand_sz:loginw32.exe %username% /NA /CONT
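An added example (not Novell's code): a small Python check that reads a regedit export and reports the effective passive mode behaviour from the four values described in this section, applying the documented defaults. The sample export is constructed, and treating any value other than 1 as off, and ignoring the PassiveModeNDS* values outside passive mode, are assumptions.

```python
import re

# Key paths, value names and defaults come from the readme's setting descriptions.
NWGINA = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA"
LOGIN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login"
DEFAULTS = {
    (NWGINA, "PassiveMode"): 0,
    (LOGIN, "PassiveModeNDSLogin"): 0,
    (LOGIN, "PassiveModeNDSLoginSilent"): 0,
    (LOGIN, "PassiveModeNDSLoginRequired"): 0,
}
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Return {(key, value_name): int} for DWORD values, names lower-cased."""
    found, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].strip().lower()  # registry names are case-insensitive
        elif key and (m := DWORD.match(line)):
            found[(key, m.group(1).lower())] = int(m.group(2), 16)
    return found

def passive_mode_settings(text):
    """Effective settings: exported value if present, else documented default."""
    found = parse_reg(text)
    return {name: found.get((key.lower(), name.lower()), default)
            for (key, name), default in DEFAULTS.items()}

def review(s):
    """Translate the four values into the behaviour the readme describes."""
    if s["PassiveMode"] != 1:
        # Assumption: the PassiveModeNDS* values only matter in passive mode.
        return ["normal mode (PassiveMode is not 1)"]
    notes = ["passive mode: MSGINA performs the workstation login",
             "login scripts are not processed"]
    if s["PassiveModeNDSLogin"] != 1:
        return notes + ["no Novell login is attempted"]
    notes.append("Windows username/password are reused for the Novell login")
    if s["PassiveModeNDSLoginSilent"] == 1:
        notes.append("Novell login errors are hidden (setting needs 4.91 SP3)")
    if s["PassiveModeNDSLoginRequired"] == 1:
        notes.append("logon fails unless the Novell login succeeds")
    elif s["PassiveModeNDSLoginSilent"] == 1:
        notes.append("a failed Novell login is neither reported nor blocking")
    return notes

# Constructed sample export, not taken from a real workstation.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000001
'''

if __name__ == "__main__":
    for note in review(passive_mode_settings(SAMPLE)):
        print("-", note)
```
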

4.0 Known Issues

4.1 Newer NetIdentity Client Files Might Cause Conflict

Newer versions of the NetIdentity client files, such as the version shipping with the Novell Client versions 4.9, 4.9 SP1, 4.9 SP2, and 4.91, have a different architecture than the version shipping with ZENworks for Desktops 4.0.1 (and updates), even though the filenames are the same.

If you try to install the NetIdentity client after installing the ZENworks Management Agent, the following error message is displayed:

This version of NetIdentity cannot be installed over Novell ZENworks for Desktops (ZfD). You must either uninstall ZfD or wait to upgrade NetIdentity with the next release of ZfD.

You cannot install an updated NetIdentity.

However, if the newer version of NetIdentity is already installed on a workstation, a subsequent installation of the ZENworks Management Agent will not detect the newer versions of the NetIdentity files, so the Agent installation program overwrites the newer files. Later, when users log in to the workstation or select the NetWare Logon from the red N in the Quick Launch bar, the workstation freezes.

In this situation, we recommend that you use the Add/Remove Programs utility (available from the Windows Control Panel) to uninstall NetIdentity and then install the ZENworks Management Agent.

4.2 Files with Extended Attributes Do Not Copy to a Linux NSS Volume via NCP

Files with extended attributes do not copy to a Linux* NSS volume using NCP™. To solve this problem, use CIFS to copy files with extended attributes to a Linux server. Alternatively, copy the files that have extended attributes from a NetWare server to a FAT32 (not NTFS) drive first, and then recopy the files to an OES Linux server.

4.3 Older Versions of NICI Do Not Work with the Enhanced Password Method

By default, the Client version 4.91 and later implements the Novell Universal Password, which provides robust and strong passwords. As a part of this implementation, Novell Client installs NMAS and NICI.

NMAS authentication adds additional security to the network. However, if your network does not use NMAS, login might take additional time and you might want to disable NMAS authentication on the server and not install it with the Novell Client software. The Novell Client installs NICI Client 2.7 and NMAS Client 3.0 by default. If you do not want to install them during the Client installation, install using a configuration file (unattended) that specifies not to install them. For more information, see the Novell Client for Windows Installation and Administration Guide.

For more information on disabling NMAS, see Disabling NMAS on the Server in the Novell Modular Authentication Services 2.3.x Administration Guide.

For more information on deploying universal passwords, see Deploying Universal Password in the Novell Modular Authentication Services 2.3.x Administration Guide.

4.4 Possible Issue When UNC Path Filter is Enabled

Reports of Windows machines that encounter NO_MORE_IRP_STACK_LOCATIONS (0x35) bugchecks, and that have shown the Novell Client UNC Path Filter (NWFILTER.SYS) to be present in the code running at the time of the crash, are still under investigation.

If you see a blue screen citing the NO_MORE_IRP_STACK_LOCATIONS (0x35) bugcheck code on a machine with the Novell Client for Windows installed, try setting the UNC Path Filter option to Off on the Advanced Settings tab of the Novell Client Properties dialog box as part of your troubleshooting steps.

For more information, see TID 3595221 in the Novell Knowledgebase.

5.0 Enabling 802.1X Authentication

The Novell Client for Windows 4.91 SP4 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, eDirectory, and 802.1X with the same set of credentials for a single sign-on experience.

When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPV2) between the Windows Supplicant, the Wireless Access Point/Wired Switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Clients. If the 802.1X authentication fails, the user is not given access to the network.

  1. Right-click the Red N in the system tray, then click Novell Client Properties.

  2. In the Novell Client Configuration dialog box, click the Location Profiles tab.

  3. Select Default in the Location Profiles box, then click Properties.

  4. Select Default in the Service Instance drop-down list, then click Properties.

  5. Click the 802.1X tab, then select Enable Tab.

  6. Select Login using 802.1X.

    You can also select any of the following options:

    802.1X Authenticate on subsequent logins: Causes 802.1X authentication to take place when a user logs in from the Red N, even if he or she is already logged in. If the user is not logged in, 802.1X authentication takes place even if this option is not selected.

    Append Domain name to User name: Prepends the user’s domain to the username when the username is submitted to 802.1X. The format is DomainName/username. Use this option if the RADIUS server expects the domain name to precede the username. This option is normally used when IAS/AD is the RADIUS backend.

  7. Click OK three times.

  8. Reboot the workstation for the changes to take effect.

    After it is enabled, an 802.1X tab appears on the Novell Login dialog box when you click the Advanced tab. Use the options on the tab (see Step 6) to control 802.1X authentication at login time.

6.0 Fixes Since the Last Release

The following bugs have been fixed with the release of the Novell Client 4.91 SP4 for Windows XP/2003:

  • Using the Trustee Rights utility of the Novell Client, you cannot browse to User objects in a Domain Services for Windows domain.

  • Update Agent update from HTTP source fails.

  • Unattended installation removes previously installed IPX component.

  • Incorrect Policy Path setting.

  • Novell Client 4.91 SP3 upgrade breaks single sign-on.

  • Novell Client upgrade fails from 491 to 4.91 SP4 when extended character set is used in the mapped path.

  • Cannot unlock workstation via Remote Desktop with Novell Client. SAS sequence is required but cannot be typed.

  • Remote Desktop “in use” credential dialog box does not allow screen saver to invoke.

  • A format string vulnerability has been reported for the NMAS Client.

  • Contextless Login not functioning with MSGina logon as the default.

  • Contextless Login not able to pass credentials on terminal server.

  • Citrix server hang in module nwshlxnt.dll.

  • Novell Client does not acknowledge mandatory profile and keeps creating unique user profile.

  • Novell Client displays a blank window and can't be uninstalled.

  • Novell Client not passing MSTSC parameters to Windows XP workstation.

  • Windows path truncated to 1024 bytes.

  • LDAP Contextless Login clears Windows From: server entry on the Windows tab.

  • Able to bypass GINA when entering 256 characters for name.

  • AutoAdminLogon for eDirectory cannot trigger Contextless Login lookup.

  • Nwdns.sys does not support the group policy-populated DNS suffix list.

  • Duplicate user listings with LDAP Contextless Login.

  • LDAP Contextless Login cache writing invalid REG_SZ values.

  • Microsoft Search is missing files.

  • Net use fails wrong EID and credentials used.

  • Renaming folders with long names causes unexpected issues.

  • Memory Corruption in NWFS during QueryVolumeInformation handling.

  • RDP client connections to Terminal Server failing with Novell Client.

  • Symantec AntiVirus realtime does not scan files on Novell volumes.

  • Managed memory leak when hitting DFS-involved path.

  • NWFS not working with Microsoft's OneCare products.

  • NWFS bugcheck E3 (RESOURCE_NOT_OWNED).

  • Terminal servers reboot after having the Novell Client 4.91 SP3 and post patches applied.

  • Cannot rename a subdirectory at a junction point if the junction point's name is the same as the referenced subdirectory on the target volume.

  • When a laptop is docked or undocked multiple times, the workstation is unable to read the network drives.

  • Workstation not releasing lock on file.

  • Blue screens on terminal servers.

  • BugCheck C1 when accessing a long path.

  • Error when browsing to Directory map object from Network places.

  • NCP Client can't tell where the DFS Junction is pointing to if it's pointing to a subdirectory of a volume.

  • Blue screen on logoff.

  • No error message with NDPS printer install and with user only rights.

  • Buffer overflow in nwspool.dll.

7.0 Additional Documentation

For documentation on installing and configuring Novell Client software, see the Novell Client for Windows Installation and Administration Guide.

For documentation on managing login scripts, see the Novell Login Scripts Guide.

For information on configuring and using Universal Password, see the Novell Password Management Administration Guide.

If you are using Novell Modular Authentication Services (NMAS) in your network, you should also read the NMAS readme. Because the NMAS installation has been integrated into the Novell Client installation, issues that affect NMAS could also affect the Novell Client.

8.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.