September 2008
This release contains bug fixes only. For a list of fixes, see Section 6.0, Fixes Since the Last Release.
The Novell® Client™ 4.91 SP 4 or later for Windows XP/2003 includes the ability to configure 802.1x authentication. For more information, see Section 5.0, Enabling 802.1X Authentication.
For a list of fixes, see 6.0 Fixes Since the Last Release in the Novell® Client™ 4.91 SP4 for Windows XP/2003 Readme.
This release contains bug fixes only. For a list of fixes, see 6.0 Fixes Since the Last Release in the Novell® Client™ 4.91 SP3 for Windows XP/2003 Readme.
This release includes additional Forgotten Password Recovery functionality. When a user logs in, the Novell Client checks to see if the password policy uses Challenge Response and if the user has entered responses. If responses have not been entered, the user is notified and a dialog box opens so that he or she can enter the responses. Additionally, if the password policy uses a password hint or a password reminder and this has not been set, the Novell Client prompts the user to enter this information.
This release includes a new feature that lets users recover a forgotten password by using the “Forgot your password” link in the client login dialog box. For more information, see Using the “Did You Forget Your Password?” Link in the Novell Client for Windows Installation and Administration Guide.
The following features are new in version 4.91:
Changes to the Update Agent to allow you to deploy new property page settings.
Changes to Automatic Client Update that allow you to enable Update Agent on multiple workstations without running a complete software installation.
Changes to the Novell Client Update Agent and Automatic Client Update to allow components to be uninstalled.
Unicode* file naming in mixed language environments.
A Microsoft* Windows* System Restore Point is now created on Windows XP workstations prior to the Novell Client installation. System Restore allows you to restore your computer to its state before the Novell Client was installed, if a problem occurs, without losing data.
Implementation of the Novell Universal Password (also known as the NDS® Login Method) available in NetWare® 6.5 and later. It provides more robust, stronger passwords and password management, with the ability to create a common password that can be used by all protocols to authenticate users. Also included is support for password hints, administrator messages, and password requirements.
Support for the NetIdentity agent
The NetIdentity agent can be installed with the Novell Client or as a separate installation. It provides background authentication to Windows Web-based applications that require Novell eDirectory™ authentication, such as iPrint, Novell Virtual Office, and NetStorage.
The following changes have been made in version 4.91:
Windows NT* is no longer supported.
ZENworks® for Desktops 3.2 components have been deleted.
The Novell Client for Windows supports the following Windows operating systems. For all platforms, the Novell Client only supports 32-bit versions of Windows. The Novell Client cannot be installed on a 64-bit version of Windows 2003, Windows XP, or Windows 2000.
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows Server 2003 Server Edition
Windows Server 2003 Enterprise Edition
Windows XP Professional
Windows XP Tablet PC Edition
IMPORTANT: The Novell Client might run but is not supported on Windows XP Home edition.
The Novell Client for Windows XP/2003 supports Novell Open Enterprise Server (OES) 1, OES 2, NetWare® 5.1, NetWare 6.0, and NetWare 6.5.
To install the updates on a workstation with the Novell Client for Windows v4.91 already installed, run setupsp.exe.
Available options for configuring setupsp.exe are described in Section 2.5, Setupsp.exe Functionality.
Setupsp.exe can be launched automatically as part of the NetWare login script. The following is an example of the code you would add to the login script:
@\\%<aserver>\sys\public\client491sp5\setupsp.exe
Automatic Client Upgrade (acu.exe) checks the Novell Client major, minor, and Support Pack versions previously installed on the workstation. If the workstation requires only the Support Pack updates, setupsp.exe will be launched instead of the full Client Install to update the software on the workstation.
For example, when acu.exe runs on a workstation with the Novell Client for Windows v4.91 installed, the setupsp.exe program is executed. A workstation with an old client version or no client installed will run the full Novell Client install.
Available options for configuring the acu.exe are described in Section 2.6, Acu.exe Functionality.
The setupsp.inf file contains a [ServicePackOptions] section through which additional setupsp.exe behavior can be controlled. The default values for the option section have changed and are as follows:
[ServicePackOptions]
Reinstall = NO
DisplayInstallPrompts = YES
UpdateNICI = YES
UpdateNMAS = YES
UpdateNetIdentity = YES
RebootOnCompletion = PROMPT
PromptUserOnCompletion = YES
Reinstall: Setting this value to NO disables the ability to reinstall the Support Pack, if the current Support Pack has already been installed on the workstation. For example, once the Support Pack has been installed successfully, running setupsp.exe will not install the Support Pack again. When the value is set to YES it allows the Support Pack installation to re-apply the updates even though the current Support Pack may have already been installed.
DisplayInstallPrompts: Setting this value to YES displays all dialogs regarding the installation of the Support Pack. When the value is set to NO, no dialogs will be displayed during the Support Pack installation.
DisplayInstallPrompts has no effect on the RebootOnCompletion or PromptUserOnCompletion values.
UpdateNICI, UpdateNMAS, UpdateNetIdentity: These parameters indicate whether SETUPSP.EXE is to install updates to the optional products included with the Novell Client. The product will only be updated if it has been detected on the workstation prior to the Support Pack installation.
RebootOnCompletion: Setting this to PROMPT prompts the user to decide whether the workstation should be shut down and restarted after the Support Pack installation completes.
The PromptUserOnCompletion setting has no effect when RebootOnCompletion is set to PROMPT.
Setting the value RebootOnCompletion = YES restarts the workstation after the Support Pack installation completes without waiting for the user to acknowledge any prompts.
RebootOnCompletion = NO exits the Support Pack installation without restarting the workstation.
PromptUserOnCompletion: This setting controls whether the user is advised that the Support Pack install completed prior to exiting the installation program. Setting the value PromptUserOnCompletion = NO exits the Support Pack installation without waiting for the user to acknowledge any prompts.
Setting PromptUserOnCompletion = YES displays an informational prompt upon completion of the installation process. The user must simply press OK and does not have a choice to override or force a reboot. This prompt only confirms that installation completed prior to whichever post-install action will take place (whether setupsp.exe will just exit or will reboot the workstation, depending on whether RebootOnCompletion is set to YES or NO).
In addition to providing all the functionality Automatic Client Upgrade (acu.exe) has previously provided, it also provides administrators with an additional method for executing setupsp.exe on workstations that already have client software installed. An administrator can choose to use acu.exe to launch setupsp.exe to provide additional prompting or logging during the client update process.
Normally the acu.exe application checks only the workstation's major and minor client version (and the administrator's major and minor internal version, if defined) to determine whether acu.exe should attempt to launch the full setupsp.inf install.
If the workstation major and minor client version checks show that the workstation already has the same major and minor client version that is available for install, acu.exe will now also check the workstation ServicePack value (as setupsp.exe does) to determine whether the local workstation has the Support Pack installed. If the workstation is in need of only the Support Pack updates, acu.exe then launches only setupsp.exe instead of the full client upgrade/install process.
The acu.ini file contains a [ServicePack] section through which this new behavior can be further controlled. The default values for the [ServicePack] section are as follows:
[ServicePack]
Check = Yes
Setting the value Check = Yes causes acu.exe to take the [ServicePack] into account, as described previously.
Setting the value Check = No causes acu.exe to ignore the workstation [ServicePack] value, so it will not run setupsp.exe instead of a full client upgrade/install. This behavior can also be forced by launching acu.exe with an /NSP command line switch. For example:
ACU.EXE /NSP
The path to any and all files within a Novell Client for Windows installation set must not exceed 256 characters.
Currently this means the directory path into which you extract the installation set must not exceed 214 characters. This limit is relative to the traditional MAX_PATH or 256-character limit in Windows applications, but it also takes into account additional path space that is needed for running the installation.
If the installation set is being accessed from a remote network location, for example \\servername\volumename, the length of the network server and volume name also counts against the maximum depth, due to underlying processing that makes use of the real path to the installation set. Even if a mapped drive letter and/or the feature is used for accessing the installation set, the limit is measured as if a UNC path had been used.
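A pre-deployment check for the limits above, as an added example that is not part of the Novell documentation. It is written for Windows PowerShell (it uses Get-WmiObject), and the function names and the sample path are hypothetical. It measures the installation set as a UNC path even when it is reached through a mapped drive letter.

```powershell
# Added example; function names and the sample path are constructed for illustration.
$MaxRootLength = 214   # extraction directory limit stated in this readme
$MaxFileLength = 256   # limit for the path to any file in the installation set

function Resolve-AsUncPath {
    # Return the path in UNC form: a mapped drive letter is replaced by the
    # \\server\volume it points to (Win32_LogicalDisk.ProviderName).
    param([string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    if ($full.StartsWith('\\')) { return $full }
    $drive = $full.Substring(0, 2)    # for example "N:"
    $disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if ($disk -and $disk.ProviderName) { return $disk.ProviderName + $full.Substring(2) }
    return $full                      # local disk: already the real path
}

function Test-InstallSetPathLength {
    # Report the measured root length and every file whose UNC-form path is too long.
    param([string]$Root)
    $local    = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $measured = (Resolve-AsUncPath $Root).TrimEnd('\')
    $tooLong = @(foreach ($file in Get-ChildItem -LiteralPath $local -Recurse) {
        if (-not $file.PSIsContainer) {
            # Re-root each file under the UNC form before measuring it.
            $asMeasured = $measured + $file.FullName.Substring($local.Length)
            if ($asMeasured.Length -gt $MaxFileLength) { $asMeasured }
        }
    })
    New-Object PSObject -Property @{
        MeasuredRoot = $measured
        RootLength   = $measured.Length
        RootOk       = ($measured.Length -le $MaxRootLength)
        LongFiles    = $tooLong
    }
}

# Constructed sample path; the check runs only if it exists on this machine.
$sampleRoot = 'N:\deploy\client491sp5'
if (Test-Path -LiteralPath $sampleRoot) {
    Test-InstallSetPathLength -Root $sampleRoot | Format-List
}
```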
By default, the Novell Client attempts to perform an NMAS™ login using the NMAS login sequence that is configured in eDirectory. If nothing is specified, the Novell Client uses the default NMAS login sequence. This automatic fallback to the default can fail when logging in against an NMAS 2.3.4.1 server.
In the Login dialog box, select , select the tab, and then select in the Sequence drop-down menu.
If you remark out (rem) the NMAS load line in the autoexec.ncf file on a NetWare 6.5 server, the Novell Client cannot log in to the server. NMAS should not be removed from a NetWare 6.5 server.
You cannot copy, cut, or paste from within some fields of the contextless login property page.
Users and workstations can no longer authenticate through the middle tier after installing the Novell Client. For more information, see TID 3174438.
When configured for passive mode login, the Novell Client’s NWGina defers to the Microsoft Graphical Identification and Authentication Dynamic Link Library (MSGINA.DLL) for the initial workstation login. After authentication to the workstation, NWGina attempts to authenticate to the Novell environment. The username and password used for workstation authentication are used for the Novell authentication.
To successfully authenticate to the Novell environment, the username must exist in eDirectory, and the default location profile must be properly configured with the Tree and Context information.
To enable passive mode login, set the following registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000000 or 00000001
"PassiveModeNDSLoginRequired"=dword:00000000 or 00000001

PassiveMode: (0/1) default is 0
    0 = normal mode
    1 = passive mode
PassiveModeNDSLogin: (0/1) default is 0
    0 = don't do Novell login
    1 = do Novell login
PassiveModeNDSLoginSilent: (0/1) default is 0
    0 = report Novell login errors
    1 = don't report Novell login errors
PassiveModeNDSLoginRequired: (0/1) default is 0
    0 = don't require Novell login
    1 = require Novell login
If the “PassiveModeNDSLoginRequired” setting is True (1), the GINA login experience will require a successful Novell authentication in order to succeed.
The “PassiveModeNDSLoginSilent” setting requires functionality released in the Novell Client for Windows XP/2003 4.91 SP3.
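An audit of the four passive-mode values described above, as an added example that is not part of the Novell documentation. The function names and the sample settings are hypothetical, and a value that is absent from the registry is treated as the documented default of 0.

```powershell
# Added example; function names and sample data are constructed for illustration.

function Get-PassiveModeSettings {
    # Read the four documented values; an absent value counts as the documented default, 0.
    $spec = @(
        @{ Key = 'HKLM:\SOFTWARE\Novell\NWGINA'; Name = 'PassiveMode' },
        @{ Key = 'HKLM:\SOFTWARE\Novell\Login';  Name = 'PassiveModeNDSLogin' },
        @{ Key = 'HKLM:\SOFTWARE\Novell\Login';  Name = 'PassiveModeNDSLoginSilent' },
        @{ Key = 'HKLM:\SOFTWARE\Novell\Login';  Name = 'PassiveModeNDSLoginRequired' }
    )
    $settings = @{}
    foreach ($s in $spec) {
        $name = $s.Name
        $item = Get-ItemProperty -Path $s.Key -Name $name -ErrorAction SilentlyContinue
        if ($item) { $settings[$name] = [int]$item.$name } else { $settings[$name] = 0 }
    }
    return $settings
}

function Get-PassiveModeFindings {
    # Translate a set of values into the login behaviour the readme describes.
    param([hashtable]$Settings)
    if ($Settings['PassiveMode'] -ne 1) {
        return @('Normal mode (PassiveMode = 0): the passive-mode settings do not apply.')
    }
    $findings = @('Passive mode: MSGINA.DLL performs the initial workstation login; login scripts are not processed.')
    if ($Settings['PassiveModeNDSLogin'] -ne 1) {
        $findings += 'No Novell login follows the workstation login.'
        return $findings
    }
    $findings += 'A Novell login follows, reusing the workstation username and password.'
    $required = $Settings['PassiveModeNDSLoginRequired'] -eq 1
    $silent   = $Settings['PassiveModeNDSLoginSilent'] -eq 1
    if ($required) {
        $findings += 'The GINA login succeeds only if the Novell authentication succeeds.'
    } else {
        $findings += 'The workstation login does not require the Novell login to succeed.'
    }
    if ($silent) {
        $findings += 'Novell login errors are not reported (needs 4.91 SP3 functionality).'
    }
    if ($silent -and -not $required) {
        # Derived from the two settings together: a failed Novell login is neither shown nor enforced.
        $findings += 'REVIEW: a failed Novell login is neither reported to the user nor blocks the session.'
    }
    return $findings
}

# Constructed sample: passive mode on, Novell login attempted, errors hidden, not required.
$sample = @{
    PassiveMode                 = 1
    PassiveModeNDSLogin         = 1
    PassiveModeNDSLoginSilent   = 1
    PassiveModeNDSLoginRequired = 0
}
Get-PassiveModeFindings -Settings $sample | ForEach-Object { "sample: $_" }

# Local workstation: reads HKLM only and changes nothing.
Get-PassiveModeFindings -Settings (Get-PassiveModeSettings) | ForEach-Object { "local:  $_" }
```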
Login scripts are not processed in passive mode. A workaround is to run them after the GINA login. You can do this by placing a run entry in the registry, or you can create an entry in the startup folder.
If using the "Run" key in the registry, an example is to create a REG_EXPAND_SZ value named "NWSCRIPT" under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] key, and then set the "NWSCRIPT" value to a command line similar to one of the following:
loginw32.exe %username% /NA /CONT
This will unconditionally expand the Windows username to be passed to LOGINW32.EXE as the Windows user to run scripts for. Note that for a PassiveModeNDSLogin, it is already assumed that the Windows account name and eDirectory account names match.
cmd.exe /C IF DEFINED NWUSERNAME loginw32.exe %nwusername% /NA /CONT
This sets up a command line to conditionally run LOGINW32.EXE for processing of login scripts, but only if the NWUSERNAME variable is defined such that LOGINW32.EXE will not be launched if for any reason the eDirectory login was not performed by PassiveModeNDSLogin.
Newer versions of the NetIdentity client files, such as the version shipping with the Novell Client 4.91 or later, have a different architecture than the version shipping with ZENworks for Desktops 4.0.1 (and updates), even though the filenames are the same.
If you try to install the NetIdentity client after installing the ZENworks Management Agent, the following error message is displayed:
This version of NetIdentity cannot be installed over Novell ZENworks for Desktops (ZfD). You must either uninstall ZfD or wait to upgrade NetIdentity with the next release of ZfD.
You cannot install an updated NetIdentity.
However, if the newer version of NetIdentity is already installed on a workstation, a subsequent installation of the ZENworks Management Agent will not detect the newer versions of the NetIdentity files, so the Agent installation program overwrites the newer files. Later, when users log in to the workstation or select the NetWare Logon from the red N in the Quick Launch bar, the workstation freezes.
In this situation, we recommend that you use the Add/Remove Programs utility (available from the Windows Control Panel) to uninstall NetIdentity and then install the ZENworks Management Agent.
Files with extended attributes do not copy to a Linux* NSS volume using NCP™. To solve this problem, use CIFS to copy files with extended attributes to a Linux server. Or, copy files from a NetWare server that has extended attributes to a FAT32 (not NTFS) drive first, and then recopy the files to an OES Linux server.
By default, the Client version 4.91 and later implements the Novell Universal Password, which provides robust and strong passwords. As a part of this implementation, Novell Client installs NMAS and NICI.
NMAS authentication adds additional security to the network. However, if your network does not use NMAS, login might take additional time and you might want to disable NMAS authentication on the server and not install it with the Novell Client software. The Novell Client installs NICI Client 2.7 and NMAS Client 3.0 by default. If you do not want to install them during the Client installation, install using a configuration file (unattended) that specifies not to install them. For more information, see the Novell Client for Windows Installation and Administration Guide.
For more information on disabling NMAS, see Disabling NMAS on the Server in the Novell Modular Authentication Services 2.3 x Administration Guide.
For more information on deploying universal passwords, see Deploying Universal Password in the Novell Modular Authentication Services 2.3 x Administration Guide.
Although security issues and architectural concerns prompted the removal of the UNC Path Filter (NWFILTER.SYS) in updates after 4.91 SP4, the security issues have been addressed and the feature is included in the 4.91 SP5 release.
Applying the Novell Client 4.91 SP5 update to a machine that has had NWFILTER.SYS removed reinstalls and re-enables the UNC Path Filter.
If the UNC Path Filter is still present on the machine and is set to Off, the Off setting is maintained when the SP5 update is applied.
For further information regarding the post-4.91 SP4 removal of NWFILTER.SYS, please see TID 3260263.
Still under investigation are reports of Windows machines that encounter NO_MORE_IRP_STACK_LOCATIONS (0x35) bugchecks and have shown the Novell Client UNC Path Filter (NWFILTER.SYS) to be present in the code running at the time of the crash.
If you see a blue screen citing the NO_MORE_IRP_STACK_LOCATIONS (0x35) bugcheck code on a machine with the Novell Client for Windows installed, try setting the option to on the tab of the Novell Client Properties dialog box as part of your troubleshooting steps. For more information, see TID 3595221 in the Novell Knowledgebase.
The Novell Client for Windows 4.91 SP4 includes an Extensible Authentication Protocol (EAP) plug-in to the Microsoft Windows XP supplicant, which lets users authenticate through RADIUS to wireless access points and wired switches for added network security. Using FreeRADIUS as the RADIUS server, users can authenticate to their local machines, eDirectory, and 802.1X with the same set of credentials for a single sign-on experience.
When 802.1X authentication is enabled, the username and password entered in the Novell Login dialog box are first passed to the EAP plug-in module. An exchange of messages (PEAP/MSCHAPV2) between the Windows Supplicant, the Wireless Access Point/Wired Switch, and the RADIUS server allows network access if the correct credentials were entered. After the 802.1X authentication has succeeded, both the eDirectory and local logins take place just as they have in previous versions of the Novell Clients. If the 802.1X authentication fails, no access to the network is given, and the user will not be able to access the network.
1. Right-click the Red N in the system tray, then click .
2. In the Novell Client Configuration dialog box, click the tab.
3. Select in the box, then click .
4. Select in the drop-down list, then click .
5. Click the tab, then select .
6. Select . You can also select any of the following options:
   802.1X Authenticate on subsequent logins: Causes 802.1X authentication to take place when a user logs in from the Red N, even if he or she is already logged in. If the user is not logged in, 802.1X authentication takes place even if this option is not selected.
   Append Domain name to User name: Prepends the user’s domain to the username when the username is submitted to 802.1X. The format is DomainName/username. Use this option if the RADIUS server expects the domain name to precede the username. This option is normally used when IAS/AD is the RADIUS backend.
7. Click three times.
8. Reboot the workstation for the changes to take effect.
After it is enabled, an 802.1X tab appears on the Novell Login dialog box when you click the tab. Use the options on the tab (see Step 6) to control 802.1X authentication at login time.
The following bugs have been fixed with the release of the Novell Client 4.91 SP5 for Windows XP/2003:
Installation of one or more of the additional products failed if the installation is performed from a folder containing more than 157 characters.
Slow Laptop Bootup when not on Novell Network with Safe Boot from Mcafee
MSTSC Pass Through authentication fails on domain verify
Updation failed via red-N for the latest Windows Client 20080805.
Wild card search for user names with UTF characters pops-up a screen where user names are not displayed correctly.
User is not able to retrieve the password policy when 'Allow dot in username' is enabled in Novell client for Windows
Need "workstation only login after network login failed" enhanced to login ws only with no prompt
Bug Check 19 (BAD_POOL_HEADER)
User is unable to install Novell client for windows if installation is performed from build folder present at the root of a drive,containing more than 85 characters.
e-directory login is not performed automatically with TSClientAutoAdminLogon enabled on remote desktop in Novell client for windows .
Trustee management not working using Novell client(Windows XP SP2) in DSFW scenario
Local Stack overflow / B.S.O.D (unauthentificated user)
Blue screen with Citrix and 4.91sp3 client
Netware Redirector Driver nwfs.sys multiple local privilege escalation
Needs to suppress "802.1x authentication failure" pop-up
Browsing for printers erratic with NDPPNT.DLL dated 2/7/2008
Deadlock issue with NWFS.SYS
Changing DFS dir in DOS box hangs the system
When logged in remotely to server, DFS junction maps to local server rather than remote server.
Novell Client installation removes CTXGinaDLL key from registry
First RDP connection gets a pre-populated domain; second connection does not
"Internal error OX77777727 occurred" at the time of clicking "Did you forget password?" for the user who has limited concurrent connection.
Security vulnerability in NWSPOOL.DLL - EnumPrinters Stack Overflow
Expand 'Workstation Only Fallback" policy to allow preventing fallback from ever occurring
Address METHOD_NEITHER vulnerabilities across all Novell Client drivers.
Cryptic NMAS errors for failed Challenge Response attempt and when eDir user account is locked
8801 errors when logging in using 802.1x
BAD_POOL_CALLER crash on Windows 2003 Citrix TS
VDI Blue screen issue
Security vulnerability in NICM.SYS
LoginW32.dll - Access violation - code c0000005 (!!! second chance !!!)
Win XP SP2 update removes netware services registry entry
Security vulnerability in NWFILTER.SYS
Ndppnt.dll from 4.91 SP4 breaks NDPS printer installs
When a Workstation is locked, contents of the clipboard can be pasted into the username field
Security vulnerability in NWSPOOL.DLL
When using the field test patch Novell Client 4.91 Post-SP4 NWSPOOL.DLL dated 2007-07-26 cannot see servers under netware servers when browsing
SRVLOC needs to default to single equals for SLPv2
New background contextless login on Citrix generates a login failure with ICA client passthru
File copy with Extended Attribute present fails in 4.91 SP3 and later
Buffer overflow in nwspool.dll
Owner name and Last Updater Name is not displayed on a purge file for a volume in Purge option
Novell client for Windows is wrong when login failed
If you install Daemon Tools, NCP client redirection breaks
ACU.EXE and/or Update Agent silently fails when command line "too long".
Winlogon.exe Application Error after upgrade via ACU
LDAP Contextless Login: No LDAP server specified
Service fails to login with the SP3 novnpnt.dll
An error message is displayed, when fully qualified domain name (FQDN) (ex. User.Novell) is given in user name and clicking on ‘did u forget password’
No winlogon/gina
IP address costing of 1 does not connect to correct host address
Challenge Response Client prompt for username, tree and context, if it is not filled out
For documentation on installing and configuring Novell Client software, see the Novell Client for Windows Installation and Administration Guide.
For documentation on managing login scripts, see the Novell Login Scripts Guide.
For information on configuring and using Universal Password, see the Novell Password Management Administration Guide.
If you are using Novell Modular Authentication Services (NMAS) in your network, you should also read the NMAS 3.2 readme or the NMAS 3.3 readme depending on the NMAS version you are using. Because the NMAS installation has been integrated in to the Novell Client installation, issues that affect NMAS could also affect the Novell Client.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to www.novell.com/info/exports/ for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.novell.com/company/legal/patents/ and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.