Novell Nsure SecureLogin 3.51.1
September 9, 2004

1.0 WARNINGS
2.0 Documentation
3.0 What's New
4.0 Known Issues
5.0 Registry Settings
6.0 Support
7.0 Legal Notices

1.0 WARNINGS

1.1 Warning: Upgrade SecretStore Before Applying SP1

If you are using Novell SecureLogin (NSL) in SecretStore mode, upgrade all servers running SecretStore to version 3.3.2 or later before deploying NSL 3.51.1. Failure to upgrade your SecretStore servers before running NSL 3.51.1 in SecretStore mode could result in the loss of all secrets for upgraded users.

SecretStore 3.3.2 is provided with NSL 3.51.1. Updates for each supported platform are located in the \SecStore\Server directory.

1.2 Copy Tlaunch.ini to a Safe Directory

The SecureLogin installation program overwrites the tlaunch.ini file. If you have enabled any terminal emulator applications for single sign-on, copy tlaunch.ini from the active directory (for example, Program Files\novell\securelogin) to a safe directory before upgrading or reinstalling SecureLogin. After upgrading or installing, copy the saved tlaunch.ini file back to the original file.

2.0 Documentation

Because the documentation is continuously updated, documentation isn't included on the product CD or download image. Instead, documentation is provided on the Novell Web site. By using this online documentation, you have the latest information, including documentation updates, for the following:

- The Nsure SecureLogin 3.51.1 Administration Guide
- The Nsure SecureLogin 3.51.1 Installation Guide
- The Nsure SecureLogin 3.51.1 Scripting Guide
- The Nsure SecureLogin 3.51.1 Guide for Terminal Emulation
- The Nsure SecureLogin 3.51.1 Terminal Services Guide
- The Nsure SecureLogin 3.51.1 User Guide

View or download documentation from: http://www.novell.com/documentation/securelogin3511/index.html

3.0 What's New

For a list of new and enhanced features, see "What's New" in the Overview section of the Novell SecureLogin 3.51.1 Administration Guide.
View or download documentation from http://www.novell.com/documentation/securelogin3511/index.html.

4.0 Known Issues

4.1 General Issues

4.1.1 Logging Out of Applications on Windows 98 Workstations

If another application blocks the Log Off message on Windows 98 workstations, the log off feature might not completely log out of an application.

4.1.2 The NICI Client Isn't Uninstalled

When SecureLogin is installed, the Novell International Cryptography Infrastructure (NICI) client might be installed as well. However, if you uninstall SecureLogin, the NICI client remains because other Novell services (for example, NMAS, ConsoleOne, and NetIdentity) might also need the NICI client.

If you plan to uninstall the NICI client, ensure that it is no longer needed before you remove it. To uninstall the NICI client, use Add/Remove Programs.

4.1.3 Unable to Read the Schema Error Message

On an eDirectory 8.7 Windows 2000 server, if ldapschema.exe is run on a Windows 98 workstation and the Windows 2000 server is running eDirectory 8.7 clients, the client is sometimes unable to read the schema error message.

4.1.4 Logging In As Administrator After a Reboot

Depending on what files were locked and the options that you select during an install, you might need to reboot the workstation. If this is the case, at the end of the install a dialog box informs you to log in with administrative rights after the reboot. This dialog box applies only to Windows 2000, Windows XP, or Windows NT installations.

After you install SecureLogin 3.51.1 on Windows 2000/XP/NT workstations, and if the install requires a reboot, use one of the following options:

- Use ZENworks to install. Don't just use ZENworks to run setup.exe. Complete the following steps:
  1. On a Windows NT workstation, create a snapshot of the SecureLogin install.
  2. In ConsoleOne, create a ZENworks application object, based on the snapshot.
  3. Associate the application object with the users.
- Make sure that the first user to log in after the install or reboot has administrative rights to the workstation.

4.1.5 Disconnecting When You Log Off

If you have installed the following on a workstation, you are disconnected from both the Novell Client and LDAP connections when you log off:

- SecureLogin in LDAP mode
- The Novell Client
- Secure Workstation

If you require a different outcome, contact Novell Technical Support.

4.1.6 Using Unique Names

User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named "Error."

If you install SecureLogin in the eDirectory Client32 mode with the SecretStore client, you can't add an application and name it App1 (for example) if a password policy already exists with the name App1.

4.1.7 Logging In After Uninstalling the ZENworks for Desktops Management Agent

Under the following conditions, you might not be able to log in to your workstation:

- ZENworks for Desktops 4.01 Management Agent is installed.
- SecureLogin is installed.
- You uninstall the ZENworks for Desktops Management Agent, then restart the workstation.

To solve the problem:

1. Start the workstation in Safe mode.
2. Copy the nwgina.dll file to the windows\system32 directory.

4.1.8 JavaSSO Intermittently Grabbing IE Control IDs

JavaSSO intermittently grabs the Internet Explorer window control IDs instead of the actual Java application control IDs. The symptom of this issue is that the script that is generated contains control IDs such as Back or Home. These controls impact using the JavaSSO Wizard.

If you get these controls in the script, delete the script and try again, repeating this process until the correct script is generated.

4.1.9 Integration with NetIdentity

The NetIdentity client might not work if SecureLogin is installed in LDAP non-eDirectory mode.

4.1.10 Displaying Default Logins

If a default login doesn't contain data, ScptEdit doesn't display the default login.
However, links are displayed through the main User IDs page.

4.1.11 Setting Preferences in 3.0 Mode

If a SecureLogin 3.51.1 client in SecureLogin 3.0 mode sets a preference that should be filtered out, the data is still saved to the local cache but not to the directory. The result is that a setting might appear to be set at the local client, but you can't see it in the directory.

4.1.12 Unable to Delete Default Logins

When you select the User ID tab from the Manage Logins option, and then try to delete a user ID, you are unable to delete a default login. To delete the default login, you must remove the associated application.

4.1.13 The Add Applications Wizard Overwrites Existing Scripts

If SecureLogin is installed in LDAP GINA mode on Windows XP, SecureLogin's Add Application Wizard doesn't verify if the application that you are adding has already been enabled for single sign-on. The wizard uses the prebuilt script to overwrite the existing configured script.

4.1.14 The 0 Setting for Cache Refresh Interval

The 0 setting for Cache Refresh Interval on a client workstation is invalid. In ConsoleOne, you can set the Cache Refresh Interval to a positive number other than 0. (Don't set the value to 0.)

If you change the setting to 0 on a client workstation, the Cache Refresh Interval changes to the default setting, erasing the setting you made in ConsoleOne.

4.1.15 Old Passwords Unlock the Local Cache

When SecureLogin runs with the Novell Client, the client doesn't send a change notification to SecureLogin. As a general rule, old passwords now won't unlock the cache. You have to log out and log back in (or wait for a cache refresh) for a password change to take effect.

4.1.16 Variables in the Wrong Order

After SecureLogin detects a new application and prompts the user to run the Add Applications Wizard, the Wizard might interchange the Username and Password fields in the script and login dialog box.
If a script references variables that are not available in the credential, the user is prompted to provide values for the variables in the order that the variables appear in the script. You might need to relocate the password variable so that it appears after the username variable in the script.

4.1.17 Novell Client32 4.92 SP2 Is Required

When the Windows GINA is in use on Windows 2000, Windows XP, or Windows NT, the SecureLogin GINA also appears and displays the user's password in the username box. To resolve this issue, install Novell Client32 4.92 SP2.

4.1.18 Citrix MetaFrame Presentation Server

To enable SecureLogin for the Citrix MetaFrame Presentation server, enable ICA support by making two registry settings on the server:

  HKLM\Software\Protocom\VirtualChannel AutoDetect = "0"
  HKLM\Software\Protocom\VirtualChannel protocol= "ICA"

4.1.19 Configuring a Network Policy for Secure Workstation

The Secure Workstation Post-Login Method fails if you attempt to log in with it before configuring a Network Policy for Secure Workstation.

To configure a Network Policy:

1. In ConsoleOne, in the Authorized Post-Login Methods container, bring up the properties of the Secure Workstation object.
2. Select the Secure Workstation tab.

4.1.20 SecureLogin Continues to Run

If a workstation has SecureLogin installed in LDAP GINA mode, you are able to lock the workstation with those credentials. However, you can unlock the workstation with workstation-only rights. SecureLogin continues to run and the user is logged in during the next sync.

To prevent this situation, configure Secure Workstation to close all applications that are running.

4.1.21 System Messages on Active Directory

Some settings, such as Password Protect the System Tray Icon, require you to input a network password. If Microsoft Active Directory has told a user to change a password during the next login, these settings fail and a system message (for example, "password expired" or "wrong password") is displayed.

4.1.22 Updates to the Current Object Version Need to Be Saved in Active Directory

In Active Directory's MMC, the Current Object Version, displayed in the Advanced Settings page, might not update immediately when the directory database version is changed. To update, click OK, then exit the MMC Properties dialog box.

4.2 Web-Related Issues

4.2.1 The DumpPage Command

The DumpPage command only works on certain Web pages.

4.2.2 Adding Prebuilt Scripts

When you use ConsoleOne to add prebuilt scripts to a container, certain prebuilt scripts for a Web site are tagged as Win32 scripts on a container.

4.2.3 Ignored URLs

SecureLogin ignores a URL greater than 256 characters. For such URLs, select Application > Edit, then select Advanced Web from the Type drop-down list.

4.3 NMAS Issues

4.3.1 The NMAS Client Isn't Uninstalled

When SecureLogin is installed, the NMAS client and, optionally, a number of NMAS login methods can be installed as well. If the NMAS Client is installed, the Novell Client interface changes. (The password field disappears.)

However, if you uninstall SecureLogin, the NMAS client remains, as does the different-looking Novell Client. The NMAS client, and any NMAS methods, can be uninstalled through Add/Remove Programs.

4.3.2 Installing and Assigning a Simple Password

If users are to log in to an eDirectory server by using SecureLogin LDAP Authentication and using any NMAS method, you must install the NMAS Simple Password. Also, all users authenticating via LDAP must have a simple password assigned to them. Otherwise, the users will be prompted to log in more than once.

4.3.3 Simple Password Method Requires NMAS 2.2

If you plan to use the LDAP client and NMAS methods, do the following:

- Set the simple passwords for the users.
- Update the servers with the Simple Password Login method (LCM).

If you are currently using the Simple Password method and plan to continue using it with SecureLogin 3.51.1, you must install the NMAS 2.2 version of the Simple Password Login Server Method before installing SecureLogin 3.51.1. NMAS files are on the SecureLogin CD or in the download image.

4.3.4 "Login Failed" Error

You receive a "Login failed" error when you create an NDS or simple password sequence in ConsoleOne. A fix for this issue is targeted in a later release.

4.3.5 The NMAS Sequence Selection Is Disabled on LDAP

If the NMAS Sequence Selection dialog box is disabled on LDAP, you have an earlier version of NMAS. To use NMAS over LDAP, install the latest version of NMAS.

4.4 SecretStore Issues

4.4.1 SecretStore on the Server

If you plan to use SecretStore on the client (SecretStore mode), install or upgrade to SecretStore 3.3.2 on the server before selecting the SecretStore option during the client install.

4.4.2 Running SecretStore Mode on Windows 98

If you are running SecureLogin in SecretStore mode on Windows 98, full functionality might not be available.

4.4.3 Unable to Unlock the Local Cache

On Windows 98 in eDirectory SecretStore mode, SecureLogin is unable to unlock the local cache with an NDS password. The passphrase works as expected.

4.4.4 Using SecretStore Mode to Manage SecretStore Users

If users are running SecureLogin in SecretStore mode, you must use SecretStore mode to administer or manage those users.

4.4.5 Managing Non-SecretStore Users

Non-SecretStore users should only be administered by non-SecretStore administrators.

4.5 pcProx Issues

4.5.1 Logging In Using pcProx Self-Enrollment

If you selected the eDirectory, NMAS, pcProx, and "enable self-enrollment" options during installation, an internal 0xFFFFFFCE error might occur when you attempt to log in by using pcProx.

4.5.2 pcProx Isn't Supported on NT4

pcProx on NT4 isn't supported for this release.

5.0 Registry Settings

The Activate the Diagnostic Log File option in the Settings tab starts logging by itself. For advanced debugging, see TID 10088017 on the Novell Support Web site.

If you need information on LDAP Client registry settings, see TID 10093336 on the Novell Support Web site.

If you need to set -DWORD values (for example, CacheExpireDays), contact Novell Technical Support.

6.0 Support

For support, refer to:

- Online documentation at novell.com/documentation/securelogin351/index.html
- Knowledgebase, updates, or chat at support.novell.com

7.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.

Copyright 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

ConsoleOne, NDS, Novell, Novell SecretStore, and ZENworks are registered trademarks of Novell, Inc. in the United States and other countries.
eDirectory, Client32, NMAS, Nsure, and Novell Client are trademarks of Novell, Inc. All third-party trademarks are the property of their respective owners.