Novell Client 4.91 SP5 for Windows XP/2003 Readme

September 2008

1.0 What’s New

1.1 Support Pack 5

This release contains bug fixes only. For a list of fixes, see Section 6.0, Fixes Since the Last Release.

1.2 Support Pack 4

1.3 Support Pack 3

This release contains bug fixes only. For a list of fixes, see 6.0 Fixes Since the Last Release in the Novell® Client™ 4.91 SP3 for Windows XP/2003 Readme.

1.4 Support Pack 2

This release includes additional Forgotten Password Recovery functionality. When a user logs in, the Novell Client checks to see if the password policy uses Challenge Response and if the user has entered responses. If responses have not been entered, the user is notified and a dialog box opens so that he or she can enter the responses. Additionally, if the password policy uses a password hint or a password reminder and this has not been set, the Novell Client prompts the user to enter this information.

1.5 Support Pack 1

This release includes a new feature that lets users recover a forgotten password by using the “Forgot your password” link in the client login dialog box. For more information, see Using the “Did You Forget Your Password?” Link in the Novell Client for Windows Installation and Administration Guide.

1.6 Version 4.91

The following features are new in version 4.91:

  • Changes to the Update Agent to allow you to deploy new property page settings.

  • Changes to Automatic Client Update that allow you to enable Update Agent on multiple workstations without running a complete software installation.

  • Changes to the Novell Client Update Agent and Automatic Client Update to allow components to be uninstalled.

  • Unicode* file naming in mixed language environments.

  • A Microsoft* Windows* System Restore Point is now created on Windows XP workstations prior to the Novell Client installation. System Restore allows you to restore your computer to its state before the Novell Client was installed, if a problem occurs, without losing data.

  • Implementation of the Novell Universal Password (also known as the NDS® Login Method) available in NetWare® 6.5 and later. It provides stronger, more robust passwords and password management, with the ability to create a common password that can be used by all protocols to authenticate users. Also included are support for password hints, administrator messages, and password requirements.

  • Support for the NetIdentity agent

    The NetIdentity agent can be installed with the Novell Client or as a separate installation. It provides background authentication to Windows Web-based applications that require Novell eDirectory™ authentication, such as iPrint, Novell Virtual Office, and NetStorage.

1.7 Changes

The following changes have been made in version 4.91:

  • Windows NT* is no longer supported.

  • ZENworks® for Desktops 3.2 components have been deleted.

2.0 Installation Issues

2.1 Supported Windows Platforms

The Novell Client for Windows supports the following Windows operating systems. For all platforms, the Novell Client only supports 32-bit versions of Windows. The Novell Client cannot be installed on a 64-bit version of Windows 2003, Windows XP, or Windows 2000.

  • Windows 2000 Professional

  • Windows 2000 Server

  • Windows 2000 Advanced Server

  • Windows Server 2003 Server Edition

  • Windows Server 2003 Enterprise Edition

  • Windows XP Professional

  • Windows XP Tablet PC Edition

IMPORTANT: The Novell Client might run but is not supported on Windows XP Home edition.

2.2 Supported Server Platforms

The Novell Client for Windows XP/2003 supports Novell Open Enterprise Server (OES) 1, OES 2, NetWare® 5.1, NetWare 6.0, and NetWare 6.5.

2.3 Install Option 1 - setupsp.exe

To install the updates on a workstation with the Novell Client for Windows v4.91 already installed, run setupsp.exe.

Available options for configuring setupsp.exe are described in Section 2.5, Setupsp.exe Functionality.

Setupsp.exe can be launched automatically as part of the NetWare login script. The following is an example of the code you would add to the login script:

@\\%<aserver>\sys\public\client491sp5\setupsp.exe

2.4 Install Option 2 - ACU Install

Automatic Client Upgrade (acu.exe) checks the Novell Client major, minor, and Support Pack versions previously installed on the workstation. If the workstation requires only the Support Pack updates, setupsp.exe will be launched instead of the full Client Install to update the software on the workstation.

For example, when acu.exe runs on a workstation with the Novell Client for Windows v4.91 installed, the setupsp.exe program is executed. A workstation with an old client version or no client installed will run the full Novell Client install.

Available options for configuring the acu.exe are described in Section 2.6, Acu.exe Functionality.

2.5 Setupsp.exe Functionality

The setupsp.inf file contains a [ServicePackOptions] section through which additional setupsp.exe behavior can be controlled. The default values for the option section have changed and are as follows:

[ServicePackOptions]
Reinstall = NO
DisplayInstallPrompts = YES
UpdateNICI = YES
UpdateNMAS = YES
UpdateNetIdentity = YES
RebootOnCompletion = PROMPT
PromptUserOnCompletion = YES

  • Reinstall: Setting this value to NO disables the ability to reinstall the Support Pack, if the current Support Pack has already been installed on the workstation. For example, once the Support Pack has been installed successfully, running setupsp.exe will not install the Support Pack again. When the value is set to YES it allows the Support Pack installation to re-apply the updates even though the current Support Pack may have already been installed.

  • DisplayInstallPrompts: Setting this value to YES displays all dialogs regarding the installation of the Support Pack. When the value is set to NO, no dialogs will be displayed during the Support Pack installation.

    DisplayInstallPrompts has no effect on the RebootOnCompletion or PromptUserOnCompletion values.

  • UpdateNICI, UpdateNMAS, UpdateNetIdentity: These parameters indicate whether SETUPSP.EXE is to install updates to the optional products included with the Novell Client. The product will only be updated if it has been detected on the workstation prior to the Support Pack installation.

  • RebootOnCompletion: Setting this to PROMPT prompts the user to decide whether the workstation should be shut down and restarted after the Support Pack installation completes.

    The PromptUserOnCompletion setting has no effect when RebootOnCompletion is set to PROMPT.

    Setting the value RebootOnCompletion = YES restarts the workstation after the Support Pack installation completes without waiting for the user to acknowledge any prompts.

    RebootOnCompletion = NO exits the Support Pack installation without restarting the workstation.

  • PromptUserOnCompletion: This setting controls whether the user is advised that the Support Pack install completed prior to exiting the installation program. Setting the value PromptUserOnCompletion = NO exits the Support Pack installation without waiting for the user to acknowledge any prompts.

    Setting PromptUserOnCompletion = YES displays an informational prompt upon completion of the installation process. The user must simply press OK and does not have a choice to override or force a reboot. This prompt only confirms that installation completed prior to whichever post-install action will take place (whether setupsp.exe will just exit or will reboot the workstation, depending on whether RebootOnCompletion is set to YES or NO).
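
The option interactions above, worked through as an added example (not Novell's code): it reads a [ServicePackOptions] section and reports which settings still put a dialog in front of the user. The function names and the sample file are constructed for illustration, and it assumes a key missing from the file takes the default listed above.

```python
# Added example: models the [ServicePackOptions] rules described in the readme.
# Assumption: a key missing from the file takes the default listed in the readme.
DEFAULTS = {
    "Reinstall": "NO",
    "DisplayInstallPrompts": "YES",
    "UpdateNICI": "YES",
    "UpdateNMAS": "YES",
    "UpdateNetIdentity": "YES",
    "RebootOnCompletion": "PROMPT",
    "PromptUserOnCompletion": "YES",
}
ALLOWED = {name: {"YES", "NO"} for name in DEFAULTS}
ALLOWED["RebootOnCompletion"] = {"YES", "NO", "PROMPT"}

# Constructed sample, not the shipped setupsp.inf: the install dialogs are
# turned off but RebootOnCompletion is left at its default.
SAMPLE_INF = """\
; constructed sample
[ServicePackOptions]
Reinstall = NO
DisplayInstallPrompts = NO
PromptUserOnCompletion = NO
"""


def load_options(inf_text):
    """Read [ServicePackOptions] from setupsp.inf text and validate the values."""
    options = dict(DEFAULTS)
    canonical = {name.lower(): name for name in DEFAULTS}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an INF comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "servicepackoptions"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        name = canonical.get(key.lower())
        if name is None:
            continue  # not an option the readme documents
        value = value.upper()
        if value not in ALLOWED[name]:
            raise ValueError(f"{name} = {value} (expected one of {sorted(ALLOWED[name])})")
        options[name] = value
    return options


def settings_showing_dialogs(options):
    """Name the settings that still put a dialog or prompt in front of the user."""
    shown = []
    if options["DisplayInstallPrompts"] == "YES":
        shown.append("DisplayInstallPrompts")
    if options["RebootOnCompletion"] == "PROMPT":
        # PromptUserOnCompletion has no effect when RebootOnCompletion is PROMPT.
        shown.append("RebootOnCompletion")
    elif options["PromptUserOnCompletion"] == "YES":
        shown.append("PromptUserOnCompletion")
    return shown


def reboot_outcome(options):
    """What happens to the workstation when the Support Pack install completes."""
    return {"YES": "restarts the workstation",
            "NO": "exits without restarting",
            "PROMPT": "user decides whether to restart"}[options["RebootOnCompletion"]]


if __name__ == "__main__":
    opts = load_options(SAMPLE_INF)
    print("still shown to the user:", settings_showing_dialogs(opts))
    print("on completion:", reboot_outcome(opts))
```

With the sample file, the reboot prompt is still shown even though DisplayInstallPrompts is NO, which is the case that stalls an unattended rollout of the Support Pack.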

2.6 Acu.exe Functionality

In addition to providing all the functionality Automatic Client Upgrade (acu.exe) has previously provided, it also provides administrators with an additional method for executing setupsp.exe on workstations that already have client software installed. An administrator can choose to use acu.exe to launch setupsp.exe to provide additional prompting or logging during the client update process.

Normally the acu.exe application checks only the workstation's major and minor client version (and the administrator's major and minor internal version, if defined) to determine whether acu.exe should attempt to launch the full setupsp.inf install.

If the workstation major and minor client version checks show that the workstation already has the same major and minor client version that is available for install, acu.exe will now also check the workstation ServicePack value (as setupsp.exe does) to determine whether the local workstation has the Support Pack installed. If the workstation is in need of only the Support Pack updates, acu.exe then launches only setupsp.exe instead of the full client upgrade/install process.

The acu.ini file contains a [ServicePack] section through which this new behavior can be further controlled. The default values for the [ServicePack] section are as follows:

[ServicePack]
Check = Yes

Setting the value Check = Yes causes acu.exe to take the [ServicePack] into account, as described previously.

Setting the value Check = No causes acu.exe to ignore the workstation [ServicePack] value, so it does not run setupsp.exe instead of a full client upgrade/install. This behavior can also be forced by launching acu.exe with an /NSP command line switch. For example:

ACU.EXE /NSP

2.7 The Total Path to the Installation Set Must Not Exceed 214 Characters.

The path to any and all files within a Novell Client for Windows installation set must not exceed 256 characters.

Currently this means the directory path into which you extract the installation set must not exceed 214 characters. This limit is relative to the traditional MAX_PATH or 256-character limit in Windows applications, but it also takes into account additional path space that is needed for running the installation.

If the installation set is being accessed from a remote network location, for example \\servername\volumename, the length of the network server and volume name also counts against the maximum depth, due to underlying processing that makes use of the real path to the installation set. Even if a mapped drive letter and/or the map root feature is used for accessing the installation set, the limit is measured as if a UNC path had been used.

3.0 Login Issues

3.1 Login Fails when Specifying the Default NMAS Login Sequence

By default, the Novell Client attempts to perform an NMAS™ login using the NMAS login sequence that is configured in eDirectory. If nothing is specified, the Novell Client uses the default NMAS login sequence. This automatic fallback to the default can fail when logging in against an NMAS 2.3.4.1 server.

In the Login dialog box, select Advanced, select the NMAS tab, and then select NDS in the Sequence drop-down menu.

3.2 Commenting Out the NMAS Load Line on NetWare 6.5 Server Causes the Client Login to Fail

If you remark out (rem) the NMAS load line in the autoexec.ncf file on a NetWare 6.5 server, the Novell Client cannot log in to the server. NMAS should not be removed from a NetWare 6.5 server.

3.3 Contextless Login Property Page Does Not Allow Cut and Paste Actions

You cannot copy, cut, or paste from within some fields of the contextless login property page.

3.4 ZENworks 6.5 Middle Tier Fails to Authenticate

Users and workstations can no longer authenticate through the middle tier after installing the Novell Client. For more information, see TID 3174438.

3.5 Passive Mode Login Functionality

When configured for passive mode login, the Novell Client’s NWGina defers to the Microsoft Graphical Identification and Authentication Dynamic Link Library (MSGINA.DLL) for the initial workstation login. After authentication to the workstation, NWGina attempts to authenticate to the Novell environment. The username and password used for workstation authentication are used for the Novell authentication.

To successfully authenticate to the Novell environment, the username must exist in eDirectory, and the default location profile must be properly configured with the Tree and Context information.

To enable passive mode login, set the following registry keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000000 or 00000001
"PassiveModeNDSLoginRequired"=dword:00000000 or 00000001

Registry Setting Descriptions

  • PassiveMode: (0/1), default is 0. 0 = normal mode, 1 = passive mode.

  • PassiveModeNDSLogin: (0/1), default is 0. 0 = don't do Novell login, 1 = do Novell login.

  • PassiveModeNDSLoginSilent: (0/1), default is 0. 0 = report Novell login errors, 1 = don't report Novell login errors.

  • PassiveModeNDSLoginRequired: (0/1), default is 0. 0 = don't require Novell login, 1 = require Novell login.

Notes:

  • If the “PassiveModeNDSLoginRequired” setting is True (1), the GINA login experience will require a successful Novell authentication in order to succeed.

  • The “PassiveModeNDSLoginSilent” setting requires functionality released in the Novell Client for Windows XP/2003 4.91 SP3.

  • Login scripts are not processed in passive mode. A workaround is to run them after the GINA login. You can do this by placing a run entry in the registry, or you can create an entry in the startup folder.

    If using the "Run" key in the registry, an example is to create a REG_EXPAND_SZ value named "NWSCRIPT" under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] key, and then set the "NWSCRIPT" value to a command line similar to one of the following:

    loginw32.exe %username% /NA /CONT

    This will unconditionally expand the Windows username to be passed to LOGINW32.EXE as the Windows user to run scripts for. Note that for a PassiveModeNDSLogin, it is already assumed that the Windows account name and eDirectory account names match.

    cmd.exe /C IF DEFINED NWUSERNAME loginw32.exe %nwusername% /NA /CONT

    This sets up a CMD.EXE command line to conditionally run LOGINW32.EXE for processing of login scripts, but only if the NWUSERNAME variable is defined such that LOGINW32.EXE will not be launched if for any reason the eDirectory login was not performed by PassiveModeNDSLogin.
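
A review of the passive mode values described in this section, as an added example (not Novell's code): it reads a .reg export, applies the documented defaults of 0, and flags the combination in which a failed Novell login goes unnoticed. The function names and the sample export are constructed for illustration.

```python
import re

# Added example: reviews the passive mode values described in the readme.
NWGINA_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA"
LOGIN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login"
# Value name -> key it lives under. The readme gives 0 as the default for each.
SETTINGS = {
    "PassiveMode": NWGINA_KEY,
    "PassiveModeNDSLogin": LOGIN_KEY,
    "PassiveModeNDSLoginSilent": LOGIN_KEY,
    "PassiveModeNDSLoginRequired": LOGIN_KEY,
}
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample of a .reg export, not taken from a real workstation.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000001
"""


def passive_mode_settings(reg_text):
    """Return the four passive mode values from .reg text, using 0 when absent."""
    found, key = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry key paths are case-insensitive
            continue
        match = DWORD_LINE.match(line)
        if match and key is not None:
            found[(key, match.group(1).lower())] = int(match.group(2), 16)
    return {name: found.get((path.lower(), name.lower()), 0)
            for name, path in SETTINGS.items()}


def review(reg_text):
    """Summarise the login behaviour these values produce and flag weak spots."""
    s = passive_mode_settings(reg_text)
    findings = [f"{name} = {value}: the readme defines only 0 and 1"
                for name, value in s.items() if value not in (0, 1)]
    mode = {0: "normal", 1: "passive"}.get(s["PassiveMode"], "undefined")
    if mode != "passive":
        return {"mode": mode, "novell_login": None, "findings": findings}

    findings.append("login scripts are not processed in passive mode")
    attempted = s["PassiveModeNDSLogin"] == 1
    required = s["PassiveModeNDSLoginRequired"] == 1
    silent = s["PassiveModeNDSLoginSilent"] == 1
    if not attempted:
        novell_login = "not attempted"
        if required:
            findings.append("PassiveModeNDSLoginRequired is set but "
                            "PassiveModeNDSLogin is not")
    elif required:
        novell_login = "required"
    else:
        novell_login = "optional"
    if attempted and silent:
        findings.append("PassiveModeNDSLoginSilent requires functionality "
                        "released in 4.91 SP3")
        if not required:
            findings.append("a failed Novell login is neither reported nor "
                            "blocks the workstation login")
    return {"mode": mode, "novell_login": novell_login, "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_REG)
    print(result["mode"], "/", result["novell_login"])
    for finding in result["findings"]:
        print(" -", finding)
```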

4.0 Known Issues

4.1 Newer NetIdentity Client Files Might Cause Conflict

Newer versions of the NetIdentity client files, such as the version shipping with the Novell Client 4.91 or later, have a different architecture than the version shipping with ZENworks for Desktops 4.0.1 (and updates), even though the filenames are the same.

If you try to install the NetIdentity client after installing the ZENworks Management Agent, the following error message is displayed:

This version of NetIdentity cannot be installed over Novell ZENworks for Desktops (ZfD). You must either uninstall ZfD or wait to upgrade NetIdentity with the next release of ZfD.

You cannot install an updated NetIdentity.

However, if the newer version of NetIdentity is already installed on a workstation, a subsequent installation of the ZENworks Management Agent will not detect the newer versions of the NetIdentity files, so the Agent installation program overwrites the newer files. Later, when users log in to the workstation or select the NetWare Logon from the red N in the Quick Launch bar, the workstation freezes.

In this situation, we recommend that you use the Add/Remove Programs utility (available from the Windows Control Panel) to uninstall NetIdentity and then install the ZENworks Management Agent.

4.2 Files with Extended Attributes Do Not Copy to a Linux NSS Volume via NCP

Files with extended attributes do not copy to a Linux* NSS volume using NCP™. To solve this problem, use CIFS to copy files with extended attributes to a Linux server. Or, copy files that have extended attributes from a NetWare server to a FAT32 (not NTFS) drive first, and then recopy the files to an OES Linux server.

4.3 Older Versions of NICI Do Not Work with the Enhanced Password Method

By default, the Client version 4.91 and later implements the Novell Universal Password, which provides robust and strong passwords. As a part of this implementation, Novell Client installs NMAS and NICI.

NMAS authentication adds additional security to the network. However, if your network does not use NMAS, login might take additional time and you might want to disable NMAS authentication on the server and not install it with the Novell Client software. The Novell Client installs NICI Client 2.7 and NMAS Client 3.0 by default. If you do not want to install them during the Client installation, install using a configuration file (unattended) that specifies not to install them. For more information, see the Novell Client for Windows Installation and Administration Guide.

For more information on disabling NMAS, see Disabling NMAS on the Server in the Novell Modular Authentication Services 2.3 x Administration Guide.

For more information on deploying universal passwords, see Deploying Universal Password in the Novell Modular Authentication Services 2.3 x Administration Guide.

4.4 UNC Path Filter Is Included in This Release

Although security issues and architectural concerns prompted the removal of the UNC Path Filter (NWFILTER.SYS) in updates after 4.91 SP4, the security issues have been addressed and the feature is included in the 4.91 SP5 release.

Applying the Novell Client 4.91 SP5 update to a machine that has had NWFILTER.SYS removed re-installs and re-enables the UNC Path Filter.

If the UNC Path Filter is still present on the machine and is set to Off, the Off setting is maintained when the SP5 update is applied.

For further information regarding the post-4.91 SP4 removal of NWFILTER.SYS, please see TID 3260263.

4.5 Possible Issue When UNC Path Filter is Enabled

Reports are still under investigation of Windows machines that encounter NO_MORE_IRP_STACK_LOCATIONS (0x35) bugchecks and in which the Novell Client UNC Path Filter (NWFILTER.SYS) was present in the code running at the time of the crash.

If you see a blue screen citing the NO_MORE_IRP_STACK_LOCATIONS (0x35) bugcheck code on a machine with the Novell Client for Windows installed, try setting the UNC Path Filter option to Off on the Advanced Settings tab of the Novell Client Properties dialog box as part of your troubleshooting steps.

For more information, see TID 3595221 in the Novell Knowledgebase.

5.0 Enabling 802.1X Authentication

The Novell Client for Windows 4.91 SP4 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, eDirectory, and 802.1X with the same set of credentials for a single sign-on experience.

When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPV2) between the Windows Supplicant, the Wireless Access Point/Wired Switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Clients. If the 802.1X authentication fails, the user is given no access to the network.

  1. Right-click the Red N in the system tray, then click Novell Client Properties.

  2. In the Novell Client Configuration dialog box, click the Location Profiles tab.

  3. Select Default in the Location Profiles box, then click Properties.

  4. Select Default in the Service Instance drop-down list, then click Properties.

  5. Click the 802.1X tab, then select Enable Tab.

  6. Select Login using 802.1X.

    You can also select any of the following options:

    802.1X Authenticate on subsequent logins: Causes 802.1X authentication to take place when a user logs in from the Red N, even if he or she is already logged in. If the user is not logged in, 802.1X authentication takes place even if this option is not selected.

    Append Domain name to User name: Prepends the user’s domain to the username when the username is submitted to 802.1X. The format is DomainName/username. Use this option if the RADIUS server expects the domain name to precede the username. This option is normally used when IAS/AD is the RADIUS backend.

  7. Click OK three times.

  8. Reboot the workstation for the changes to take effect.

    After it is enabled, an 802.1X tab appears on the Novell Login dialog box when you click the Advanced tab. Use the options on the tab (see Step 6) to control 802.1X authentication at login time.

6.0 Fixes Since the Last Release

The following bugs have been fixed with the release of the Novell Client 4.91 SP5 for Windows XP/2003:

  • Installation of one or more of the additional products failed if the installation is performed from a folder containing more than 157 characters.

  • Slow Laptop Bootup when not on Novell Network with Safe Boot from McAfee

  • MSTSC Pass Through authentication fails on domain verify

  • Updation failed via red-N for the latest Windows Client 20080805.

  • Wild card search for user names with UTF characters pops-up a screen where user names are not displayed correctly.

  • User is not able to retrieve the password policy when 'Allow dot in username' is enabled in Novell client for Windows

  • Need "workstation only login after network login failed" enhanced to login ws only with no prompt

  • Bug Check 19 (BAD_POOL_HEADER)

  • User is unable to install Novell client for windows if installation is performed from build folder present at the root of a drive, containing more than 85 characters.

  • e-directory login is not performed automatically with TSClientAutoAdminLogon enabled on remote desktop in Novell client for windows.

  • Trustee management not working using Novell client(Windows XP SP2) in DSFW scenario

  • Local Stack overflow / B.S.O.D (unauthenticated user)

  • Blue screen with Citrix and 4.91sp3 client

  • Netware Redirector Driver nwfs.sys multiple local privilege escalation

  • Needs to suppress "802.1x authentication failure" pop-up

  • Browsing for printers erratic with NDPPNT.DLL dated 2/7/2008

  • Deadlock issue with NWFS.SYS

  • Changing DFS dir in DOS box hangs the system

  • When logged in remotely to server, DFS junction maps to local server rather than remote server.

  • Novell Client installation removes CTXGinaDLL key from registry

  • First RDP connection gets a pre-populated domain; second connection does not

  • "Internal error OX77777727 occurred" at the time of clicking "Did you forget password?" for the user who has limited concurrent connection.

  • Security vulnerability in NWSPOOL.DLL - EnumPrinters Stack Overflow

  • Expand "Workstation Only Fallback" policy to allow preventing fallback from ever occurring

  • Address METHOD_NEITHER vulnerabilities across all Novell Client drivers.

  • Cryptic NMAS errors for failed Challenge Response attempt and when eDir user account is locked

  • 8801 errors when logging in using 802.1x

  • BAD_POOL_CALLER crash on Windows 2003 Citrix TS

  • VDI Blue screen issue

  • Security vulnerability in NICM.SYS

  • LoginW32.dll - Access violation - code c0000005 (!!! second chance !!!)

  • Win XP SP2 update removes netware services registry entry

  • Security vulnerability in NWFILTER.SYS

  • Ndppnt.dll from 4.91 SP4 breaks NDPS printer installs

  • When a Workstation is locked, contents of the clipboard can be pasted into the username field

  • Security vulnerability in NWSPOOL.DLL

  • When using the field test patch Novell Client 4.91 Post-SP4 NWSPOOL.DLL dated 2007-07-26 cannot see servers under netware servers when browsing

  • SRVLOC needs to default to single equals for SLPv2

  • New background contextless login on Citrix generates a login failure with ICA client passthru

  • File copy with Extended Attribute present fails in 4.91 SP3 and later

  • Buffer overflow in nwspool.dll

  • Owner name and Last Updater Name is not displayed on a purge file for a volume in Purge option

  • Novell client for Windows is wrong when login failed

  • If you install Daemon Tools, NCP client redirection breaks

  • ACU.EXE and/or Update Agent silently fails when command line "too long".

  • Winlogon.exe Application Error after upgrade via ACU

  • LDAP Contextless Login: No LDAP server specified

  • Service fails to login with the SP3 novnpnt.dll

  • An error message is displayed, when fully qualified domain name (FQDN) (ex. User.Novell) is given in user name and clicking on ‘did u forget password’

  • No winlogon/gina

  • IP address costing of 1 does not connect to correct host address

  • Challenge Response Client prompt for username, tree and context, if it is not filled out

7.0 Additional Documentation

For documentation on installing and configuring Novell Client software, see the Novell Client for Windows Installation and Administration Guide.

For documentation on managing login scripts, see the Novell Login Scripts Guide.

For information on configuring and using Universal Password, see the Novell Password Management Administration Guide.

If you are using Novell Modular Authentication Services (NMAS) in your network, you should also read the NMAS 3.2 readme or the NMAS 3.3 readme depending on the NMAS version you are using. Because the NMAS installation has been integrated into the Novell Client installation, issues that affect NMAS could also affect the Novell Client.

8.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.

For Novell trademarks, see the Novell Trademark and Service Mark list.

All third-party trademarks are the property of their respective owners.