The following sources provide information about Novell® SecureLogin 6.1 Support Pack 1 (SP1):
Installation: Novell SecureLogin 6.1 SP1 Installation Guide
Administration: Novell SecureLogin 6.1 SP1 Administration Guide
Application Definition: Novell SecureLogin 6.1 SP1 Application Definition Guide
Citrix and Terminal Services: Novell SecureLogin 6.1 SP1 Citrix and Terminal Services Guide
Quick Start: NMAS Login Method and Login ID Snap-In for pcProx
User Manual: Novell SecureLogin 6.1 SP1 User Guide
Online product documentation: Novell Documentation Web site.
Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. It eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.
This document provides you an introduction to the new features introduced in this version of Novell SecureLogin and also lists issues related to the administration, functioning, and other aspects of Novell SecureLogin.
During a fresh install of Novell SecureLogin 6.1 SP1, if you are prompted to upgrade, delete all references to the product key and then continue with the installation.
NOTE:Take a backup of the registry keys before deleting.
Click Start > Run > type regedit.
Search for 80D1DD4E-85FD-4978-B010-9C480B10DF18 in the registry keys.
Delete the references to the product key.
With this release of Novell SecureLogin, you can choose to install Desktop Automation Services (DAS) along with Novell SecureLogin.
Previously, DAS was released as a standalone component that you downloaded separately for use with Novell SecureLogin. With this release, you can install DAS during the installation of Novell SecureLogin 6.1 SP1. Select the Install Desktop Automation Services option on the Installation Features page when you install Novell SecureLogin 6.1 SP1.
In a lost card scenario when a user tries to log in to Novell SecureLogin, the user is prompted to insert the smart card four times before displaying a message indicating SecureLogin failed to access the smart card.
The user is not prompted with the passphrase and so, cannot login. This happens because the Security preference is set to and is set to .
To continue with the log in, the user must either retrieve the original smart card or get a replacement card.
If Novell SecureLogin in deployed in a shared workstation where more than one users share the local credentials, users must either use Secure Workstation or DAS to close all programs and log out of the network.
The option is mandated because,
If a user who has logged in to Novell SecureLogin in Novell Client™ mode in Microsoft* Windows* Vista* or Microsoft Windows XP or in LDAP mode (in Microsoft Windows Vista) locks the workstation and later tries to unlock using the workstation credentials, Novell SecureLogin fails to log off the directory user.
However, the directory user is still logged in and Novell SecureLogin continues to run. Because of this, the user who has logged in using workstation credentials has access to the directory credential store.
In such a scenario, avoid using the workstation lock. Instead, use secure workstation or DAS to configure the workstation to close all programs and log out of the network on an inactivity timer.
If you have used a smart card to store the credentials when enabling single sign-on for Web applications such as Gmail*; the next time you access the Web site with the smart card removed, you are prompted to insert the smart card. If you cancel the message, SecureLogin closes. An error might also occur in executing the application definition.
SLManager displays the history of the LDAP tree browser. A maximum of 20 history entries are available. History data beyond 20 entries are overwritten to the first data entry. This is not a limitation in Novell SecureLogin. This is working as per design.
You can view the history from > > regedit > > > > .
If the HKLM\Software\Protocom\SecureLogin\TryRegCredinOffline registry value is set to 1 when Novell SecureLogin is installed in LDAP GINA or Credential Provider mode, Novell SecureLogin behaves in the following ways:
If the user logs in to the workstation by selecting the option, the user logs in to Novell SecureLogin seamlessly and the desktop is launched.
If network connection is not available, the workstation dialog box appears. After successful authentication, users can log in after and the desktop is launched.
If the server is not accessible, Novell SecureLogin authenticates to the workstation with the user’s credentials. Users can then seamlessly log in to Novell SecureLogin.
In the 6.1 release, at the initial login in GINA mode, if the eDirectory password had expired the user was not warned of the password expiry. Instead, the user was successfully authenticated without any notification.
The user was warned about the password expiry and the number of grace logins available only Novell SecureLogin starts after the Desktop appears. The user was then prompted to change the password.
This is now rectified and a warning is displayed at the initial login.
Novell SecureLogin fails to go seamlessly into offline mode on subsequent logins where Novell SecureLogin is installed in LDAP GINA mode and is disconnected from the network. and eDirectory™ or any LDAP directory is online. Because of this, users are prompted to specify the offline credentials.To avoid prompting for credentials and allow Novell SecureLogin to go to offline mode seamlessly, edit the registry and set the TryRegCredInOffline value to 1.
When you install DAS in eDirectory mode with Novell Client™, sometimes an error indicating Error in parsing xml file during install appears. This occurs because the server or the specified config object is invalid.
To rectify, ignore the message and proceed with the install. After the installation or restarting,
Log in as an administrator.
Set the ConfigObject and ConfigTree registries values correctly.
The ConfigObject is the ArsControl Object and the ConfigTree - Server or the Tree information. The registries are at HKLM\Software\Novell\Login\ARS
Run ARSControl /RegServer.
In SLManager, the leaf objects are displayed like the container objects. That is, you see a folder icon and a plus (+) symbol when you use SLManager to open the directory leaf objects.
If you click the plus symbol, the folder icon changes to the file icon.
During the Workstation Only login, if the workstation or local credentials are not the same as the eDirectory credentials, the user is prompted for credentials. Novell SecureLogin fails to seamlessly log in the user. To allow seamless login, users must manually change the DWORD value of the TryRegCredOffline registry entry to 1.
For LDAPAuth to search on any attributes specified in SearchAttributes under the LDAPSearch key, the attribute must be publicly readable.
Create the LDAPSearch key in the registry under HKLM\Software\Novell\Login\LDAP.
Under HKLM\Software\Novell\Login\LDAP, create a SearchAttributes REG_MULTI_SZ entry.
In the entry you just created, use the value of the attribute list that you want LDAP to search, for example, cn sn samAccountname.
To enable LDAP search for sAMccountName attribute, the previous Anonymous Logon requires Read General Information and Read Public Information permissions.
Novell SecureLogin 6.1 includes support for the Microsoft* Vista* operating system. Vista Ultimate, Vista Business, and Vista Enterprise editions are supported.
The install package supports both 32-bit and 64-bit operating systems.
This release of Novell SecureLogin introduces the MSI installer package for installing Novell SecureLogin.
NOTE:The MSI installer supports upgrading from the previous versions of Novell SecureLogin, which did not use an MSI installer.
For details, see the Novell SecureLogin 6.1 SP1 Installation Guide.
This release of Novell SecureLogin introduces support for Novell eDirectory™ groups.
Novell SecureLogin preferences can now be applied at the group level, in addition to the container and user level support provided in the earlier releases.
You can specify the group from which the object inherits its Novell SecureLogin configuration through the option in the tab of the pane of the Administrative Management utilities.
Groups are configured at the container or the organizational unit level. Groups take precedence over containers, and users take precedence over groups and groups and containers.
For more information, see Configuring Groups Within eDirectory
in the Novell SecureLogin 6.1 Administration Guide.
This release of Novell SecureLogin introduces a change in the way the smart card preferences are handled.
If user is logging in to the workstation with a smart card, the smart card preference must be selected at installation even if the administrator sets preferences in Novell SecureLogin.
NOTE:This applies to all Microsoft Windows* 2000, XP, and Vista workstation.
Novell SecureLogin 6.1 supports ActivClient*, Gemalto* (formerly Axalto), and AET SafeSign* smart card middleware for SecureLogin functions.
No other middleware vendors are supported.
This includes:
Encrypting PKI credentials.
Storing Novell SecureLogin credentials on a smart card.
Enforcing smart card presence for Novell SecureLogin operations.
This preference is available in the Administrative Management utility under the preference as .
For more information on the preferences, see the The Security Preferences Properties Table
table in the Novell SecureLogin 6.1 Administration Guide.
For Active Directory* installations using the Microsoft Group Policy Object functionality, Novell SecureLogin now allows administrators to see the effective set of single sign-on settings that are applied through the group policies. This requires that the Microsoft Group Policy Management Console be installed on the administration workstation.
For more information, see the Novell SecureLogin 6.1 SP1 Administration Guide.
This release of Novell SecureLogin automates the published application single sign-on process for Citrix* published applications. Citrix published applications can now be enabled for single sign-on through a Web wizard or application definition, like any other application.
Novell SecureLogin now supports multiple instances of Java* Runtime Engine (JRE*). The installation detects and automatically enables single sign-on for multiple JREs on the client. This occurs automatically. No manual selection of Java options is required at installation.
After installation and on startup, Novell SecureLogin checks for new JREs on the client. All JREs are automatically enabled for single sign-on with no user prompt or intervention.
NOTE:This update process requires the user to have administrative rights on the local machine. If the user does not have administrative rights, the update process fails silently.
This release supports Oracle* JInitiator* 1.3.1 and later and Sun* JRE 1.3 and later.
Novell SecureLogin 6.1 supports MEDITECH* 3.x and 4.x.
This feature depends on the presence of the MEDITECH mrwscript.dll file. This file must be installed during the installation of the MEDITECH application on the workstation.
For more information on MEDITECH support, see Support for the MEDITECH Predefined Application
in the Novell SecureLogin 6.1 Administration Guide.
Novell SecureLogin 6.1 supports Desktop Automation Services. Novell SecureLogin is mandatory for Desktop Automation Services to function.
Desktop Automation Services is an add-on to Novell SecureLogin that handles unique use cases associated with shared workstations or kiosks (multiple users using the same workstation during the day).
For more information, see the Desktop Automation Services Administration Guide at the Novell Documentation Web site.
With this release of Novell SecureLogin, administrators have the option to export all or selected scripts through the iManager SSO plug-in. A new dialog box prompts the administrator to select the scripts he or she wants to export.
For details, see the Novell SecureLogin 6.1 SP1 Installation Guide.
LDAP GINA is no longer supported on Windows Vista.
Instead, the LDAP credential provider replaces the LDAP GINA in Windows Vista.
In this version, the approach for language support is different from the previous versions of Novell SecureLogin. In the earlier versions, the user was prompted to choose a language for the setup during the installation.
In this version of Novell SecureLogin, this option is not offered, and the installation uses English throughout.
However, you can use a command line option to install in non-English languages.
At the command line, specify the following command:
msiexec.exe /i "Novell SecureLogin.msi" TRANSFORMS=<lang-code>.mst
<lang-code> denotes a specific language.
1041 represents the Japanese language
1036 represents the French language
1046 represents the Brazilian language
1031 represents the German language
1034 represents the Spanish language
This release of Novell SecureLogin introduces some more Preference options that can be applied through any of the Administrative Management utilities: iManager, Microsoft Management Console, or SLManager.
These are administrative preferences only, not user preferences.
Hiding the Novell SecureLogin splash screen when Novell SecureLogin is switched off.
Removing the option on the Novell SecureLogin notification area icon.
Allowing the administrator to remove the option from the Novell SecureLogin notification area icon.
Disabling the option in the Novell SecureLogin notification area icon.
Disabling the option in the Novell SecureLogin notification area icon.
Enhancing the options for editing and deleting credentials.
Separation of the and scripts preference into two separate preferences.
New settings in the Password Policy preference.
For detailed information of these preferences, see the Novell SecureLogin 6.1 SP1 Administration Guide.
Following are issues you might encounter in this version of Novell SecureLogin:
The Novell Client™ login fails after upgrading Novell SecureLogin from 6.0 to 6.1 in the Novell Client mode.
To resolve this, do the following before upgrading the Novell SecureLogin client:
Upgrade NICI
Restart the client.
IMPORTANT:Restarting is mandatory.
Upgrade NMAS™.
Upgrade Novell SecureLogin.
Restart the client.
If the login to the Novell Client fails because of NICI, re-install NICI, and restart the client.
When installing Novell SecureLogin on a Citrix server, although the Citrix server goes in to the install mode, it does not install Novell SecureLogin. To install, you must revert the Citrix server to the execute mode.
Go to the DOS prompt.
Type change user/install at the prompt.
This puts the Citrix server in the install mode.
Press Enter.
Install Novell SecureLogin.
WARNING:Do not restart the server after completing the installation.
After completing the installation, go to the DOS prompt.
Type change user/execute at the prompt.
Press Enter.
This reverts the Citrix server to the execute mode.
Restart the server.
Novell SecureLogin might not pass the correct domain name while performing a single sign-on operation for the Microsoft Windows Vista Remote Desktop client in either the Novell Client or LDAP mode.
To start an RDP session on a Microsoft Windows 2000 server that is a domain controller, the user must be added in the domain controller policy to act as part of the operating system.
This is Microsoft setting.
When logging in to a Citrix ICA client with the option set to , application credentials added by the user during the Citrix session might not be stored on the card. The credentials are stored successfully in the directory.
If you selected the smart card support option during the installation of Novell SecureLogin, do not attempt to modify and remove the smart card support option through the option of the installer, or the secondary datastore (offline cache) might not be available.
NOTE:You can control user access to smart card options through Novell SecureLogin preferences.
When you are upgrading the datastore from 3.5 to 6.0 and upgrading to Novell SecureLogin 6.1, if the is set to , a message indicating "Your cache files have lost synchronization with directory authentication data. Would you like to delete your cache files and have them re-created?”
Click to load Novell SecureLogin successfully.
The information displayed in the Novell SecureLogin About window is created at login. A change applied to the user’s Database mode is not updated in the user’s About window display until after the next login.
If you view When you access Novell SecureLogin for the first time after providing the passphrase question and answer, the Database Mode in the About window (accessed from the Novell SecureLogin notification area icon) displays the Database mode version as 3.0 3.0 Data Present PP Enabled.
On subsequent logins, the correct version is displayed.
If the administrator disables the option when you have already set up the passphrase system, a warning message that the administrator has disabled the passphrase security system appears. The passphrase setting change is not applied until you accept the change. If you do not accept the change, you can continue using the passphrase security system. This is the expected behavior because it prevents an administrator from disabling the passphrase protection without the user’s knowledge.
However if this occurs, the option that is available through the menu on the Novell SecureLogin notification area is not available until the administrator resets the passphrase setting.
If the option is set to when configuring Novell SecureLogin 3.5, then you upgrade Novell SecureLogin from 3.5.x to 6.1 and upgrade the data store from 3.5 to 6.0, the value is displayed as in Novell SecureLogin 6.1.
NOTE:The preference was changed to in version 6 releases and above.
The option must be set to , because the value was set to in Novell SecureLogin 3.5.
This issue appears only in SecureLogin Manager.
In a Microsoft Windows Vista environment, when you log in to Novell SecureLogin in an offline mode with an incorrect password, you are prompted to provide the passphrase answer. If an incorrect passphrase answer is specified, you are prompted to retry the authentication.
However, if you again provide a wrong password, instead of seeing a prompt for the passphrase answer, you are prompted to specify the password (that is, instead of the passphrase dialog box, the password dialog box is displayed).
Close and relaunch Novell SecureLogin to be prompted for the password first, then prompted for the passphrase answer if the incorrect password is specified.
LDAP error 49 is thrown when you click in the NDS® password prompt window when NMAS-NDS authentication is used with LDAP.
Click in the error window to proceed with the login.
If Novell SecureLogin is installed on a Citrix server in Novell Client mode and if you select the option when restarting Windows on that Citrix server, a message indicating “You are not logged in to a directory and SecureLogin was unable to find any cached user data" is displayed.
This message appears twice before you are authenticated.
In some scenarios, in the Personal Management utility, users are unable to delete the logins from the navigation area on the left pane.
When users right-click the login, both and options are disabled.
However, the login can be deleted from the right pane.
User Account Control (UAC) is a new setting on Microsoft Windows Vista. If the UAC is enabled during the installation of Novell SecureLogin, you are prompted about whether you want to continue with the installation process. If you do not respond to the prompts for a long time, a screen saver might come up (depending on the desktop setting) and interrupt the installation process, requiring you to restart the installation.
If the UAC prompts must be avoided, the administrator must disable the UAC setting within the Microsoft Windows Vista.
There are two modes in a server-based Windows operating system: Install and Execute.
While upgrading Novell SecureLogin on Microsoft Windows 2003, the administrator must be in the Install mode or must switch to the Install mode.
Even when the administrator continues to upgrade Novell SecureLogin in the Install mode, the dialog boxes might be confusing about whether to click before or after the upgrade is complete.
Click to proceed and complete the upgrade.
When a user with the same name and context in two different eDirectory trees tries to log in to the same Windows machine, an error message “Your Cache files have lost synchronization with your directory data. Would you like to delete your local cache files have them re-created?” appears.
When the user clicks and proceeds, user credentials of the previous user with same name are deleted and the cache file has only the credentials of the newly logged in user with same name.
When you upgrade Novell SecureLogin from 3.51 SP3 to Novell SecureLogin 6.1 in standalone mode, then decide during Novell SecureLogin upgrade that you do not want to move to seamless mode, after the upgrade the user cannot add new users to the standalone Novell SecureLogin client.
Playing an AVI file from a network mapped drive as part of an Inactivity timeout warning does not work on Windows Vista.
The workaround is to copy the file to a local drive and set the local path in Secure Workstation in the policy editor.
When a user logs in to a workstation, NSL does not automatically recognize the Novell iFolder® 2.1.8 login window at startup.
The workaround is to manually add the Novell iFolder prebuilt script and login again to the workstation, after which NSL identifies the iFolder 2.1.8 login window.
On the Windows 2000 server, when a user cancels logging into NSL in LDAP mode, a SecureLogin message prompts the user to select whether to perform SSO or not. In this scenario, using SSO to connect to a Web application might result in crashing Internet Explorer*.
Some Web pages are configured in such a way as to provide information to SecureLogin in a different manner. When working on such Web pages, user can encounter the “Unable to instantiate scriptbroker module: 80070005” error message.
In such scenarios, set the following registry key:
IESSO_USE_COM reg setting (Dword - value '0') under \HKEY_LOCAL_MACHINE\SOFTWARE\protocom\securelogin
This registry key changes the method of interprocess communication between SecureLogin processes, providing a workaround to the Web issue. It will work across all Web pages, not only on the Web page producing the error.
If a user tries to log into SecureLogin in the LDAP mode, using the same smart card used to authenticate in eDirectory mode, the authentication fails. This is because SecureLogin smart card implementation sees them as two different users.
The security preference to use the AES algorithm to encrypt the SSO data in the directory can only be used with Windows Vista, XP, or 2003 machines and not Windows 2000, because Windows 2000 does not support the Microsoft cryptographic libraries.
When installed in Client32™ mode, SecureLogin does not take into account the case sensitivity of passwords while unlocking the notification area icon, if the Novell Client™ 4.91 SP2 is used. To use this feature, update the Novell Client to version 4.91 SP3.
You cannot unlock the SecureLogin notification area icon using the NMAS pcProx authentication. Unlock the icon by using the passphrase if you have enabled one, or by using your directory password. Alternatively, you can set and use a universal password.
If Novell SecureLogin is installed in LDAP mode and the LDAP user password expires, the number of grace logins is reduced by one every time the cache login is refreshed. This happens because every time the cache is refreshed, SecureLogin tries to re-authenticate to the directory.
Novell International Cryptography Infrastructure (NICI) is installed automatically when SecureLogin is installed in any of the following modes:
LDAP
eDirectory with LDAP
eDirectory with Client32 as the protocol and Novell SecretStore is selected for installation
However, if you uninstall SecureLogin, the NICI client remains because other Novell services (for example, NMAS, Novell Client, and SecretStore) might also need the NICI client.
If you plan to uninstall the NICI client, ensure that it is no longer needed before you remove it. To uninstall the NICI client, use .
User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named Error.
If you install SecureLogin with the SecretStore client in the eDirectory mode, you cannot add an application and name it App1 (for example) if a password policy already exists with the name App1.
Under the following conditions, you might not be able to log in to your workstation:
ZENworks® for Desktops 4.0.1 Management Agent is installed.
SecureLogin is installed
You uninstall the ZENworks for Desktop Management Agent and then restart the workstation.
To solve the problem:
Start the workstation in Safe mode.
Copy the nwgina.dll file to the windows\system32 directory.
If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.
In Active Directory’s MMC, the current datastore version (displayed in the page) might not update immediately when the directory database version is changed. To update, click , then exit the MMC Properties dialog box.
If the option is modified, you must log in again before launching SecureLogin for the settings to take effect.
Novell SecureLogin supports setting a cache expiry by using the following registry entry on the client:
HKEY_LOCAL_MACHINE/SOFTWARE/Protocom/SecureLogin
DWORD Value CacheExpiryDays
The value data is the number of days. Do not provide zero (o) because the cache would expire immediately on refresh. The cache expiry period is updated at each cache or directory synchronization, or each time Novell SecureLogin loads in an online mode.
NOTE:No warning is provided at cache expiry. If a cache is expired, the users cannot access Novell SecureLogin in an offline mode until they log in, and create the cache again in an online session.
Contact Novell Support for information on using a ViewNow* terminal emulator.
The ?syspassword variable does not work in standalone mode.
Because smart card options cannot be selected in a standalone mode installation, smart card login to standalone mode installs is not supported.
The SLLogging Manager utility is provided to enable advanced logging for support purposes.
Because of Microsoft Windows Vista restrictions, the SLLogging Manager must be enhanced to run on Vista.
Right-click the SLLogging Manager application and select . Any changes made through the SLLogging Manager now change the registry correctly to create the relevant log file.
The Novell SecureLogin application definitions containing the event commands are not executed on existing applications that are opened before launching Novell SecureLogin. The event commands work correctly if Novell SecureLogin is launched before the application is started.
In SLManager, select the objects from the left pane network list instead of selecting from the drop-down list.
In Microsoft Windows 2003 configurations, users might be able to login to their workstation by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the re-use of an old password.
To disable an old password as soon as a password change occurs, update the domain controller registry setting with the following value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create new DWORD value OldPasswordAllowedPeriod
Set this value to 0.
For more information, see the Microsoft Web site.
Some commands are not working in Telnet windows on Microsoft Windows XP, 2003, and Vista because the default configuration for Telnet has changed.
This issue does not occur on Windows 2000 because the configuration for is set to .
On the operating systems, the configuration for is off. Because of this, the current adapter is unable to select the screen text.
As a workaround, set the following registry key:
HKEY_CURRENT_USER\Console\%SystemRoot%_system32_telnet.exe
"QuickEdit"=dword:00000001
The applications and policies added at the group level through iManager are not reflected on the client.
Every time a new group is created, you must re-assign the rights. You must manually assign read permissions for the correct functioning of the configured group.
Do the following on iManager for the applications, preferences, policies, and others added at the level to be reflected on the client:
Log in to iManager.
Select > .
Specify the object name.
Click . Browse and locate more objects.
Selection of multiple trustees is allowed.
Select > . Add the following attributes:
Proto:SSO Entry
Proto:SSO Entry Checksum
Proto:SSO Security Prefs
Proto:SSO Security Prefs Checksum
Click .
Click to save the changes and exit.
This release of Novell SecureLogin does not support Web wizard application management through iManager. Use SLManager instead.
If you open the iManager SSO snap-in with Internet Explorer as the browser on a client machine with SecureLogin running, the system might not respond immediately (for about 10 seconds).
tab options are not visible in iManager after upgrading from SecureLogin 3.51.305, if you set the option to in SecureLogin 3.51.305 by using ConsoleOne®.
In this case, change the datastore mode in iManager to 6.0 to view the security settings.
If a new version of Java is installed after installing Novell SecureLogin, the next time you run Novell SecureLogin, it checks for new versions of Java to enable single sign-on.
If a new version of Java is detected, the required information must be updated in C:\Program Files\Java, and some files must also be modified in the process. However, Windows Vista does not permit you to write to the C:\Program Files\Java files unless you elevate privileges.
To resolve this:
Stop the Novell SecureLogin application.
Locate slproto.exe > right-click it, then select .
Specify the administrator password.
You are now working with administrator privileges and can successfully write to the Java folder.
When NMAS authentication is used with the LDAP Credential Provider on Microsoft Windows Vista, the field in the Credential Provider is redundant and is not used.
To proceed with the NMAS authentication, users must specify the LDAP username and server information, then click without specifying any password.
If you launch the Control Panel from the menu when LDAPAuth GINA is running on the client, the Control Panel takes more than 20 seconds to display.
If Novell SecureLogin is installed on Windows 2000 Advanced Server and if you log in to the workstation by using the option, the LDAP login dialog box appears more than once. A message appears, indicating “Your connection to the directory has been lost. SecureLogin can continue to work but changes/additions to single sign-on data may be lost. Do you wish to continue?”
To proceed, cancel all the LDAP login dialog boxes.
NSL in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the eDirectory user’s fully distinguished name (FDN) has 128 characters or more.
On VMWare*, SecureLogin in LDAP mode fails to detect the network connection status. Therefore, SecureLogin never switches to the Offline Login dialog box directly and always displays the LDAP Login dialog box.
When SecureLogin is installed in LDAP mode and NMAS authentication is used, ?syspassword reflects the universal password for the logged-in user.
In this mode of operation, it is mandatory to configure and set universal password for the NMAS user.
If users have a login with the post-login method (Secure Workstation), users are unable to log in if the Directory is eDirectory 8.8 SP1, because the default NMAS server version installed is NMAS 3.1.0.
If users have a login with the post-login method (Secure Workstation), users are unable to log in after upgrading eDirectory to 8.8 SP1 or to NMAS 3.1.0.
To resolve this, users must upgrade to NMAS 3.1.1 or later by using the Security Service 2.0.2 available at the Novell Download Web site..
If the password field in the Novell Client is disabled and the notification area icon is password-protected, a user cannot unlock the notification area icon.
However, the user can unlock the notification area icon, if Universal Password is defined. This is the recommended mode of deployment for customers who require the password field in the NovellClient to be disabled.
If you log in using an NMAS method, any script that accesses the ?syspassword variable displays incorrect values (instead of the password) if you have not selected in the Novell Client Login dialog box.
To select :
Right-click the Novell Client icon in the notification area, click , then click.
In the window, double-click .
Select as the service instance, then click .
On the tabbed page, select field, then click .
Citrix passthrough is not supported if Novell SecureLogin is installed in Novell Client mode because Novell SecureLogin does not store the card details under the ?syspassword variable with pcProx login method.
Citrix passthrough fails in the mixed mode scenario with NMAS 2.7 on the client and NMAS 3.x on the server.
In this case, upgrade all the clients to NMAS 3.2. Also, for non-password-based authentication, disable the NMAS virtual channel.
SecureLogin using the Novell Client does not support non-password-based NMAS logins if the passphrase options are disabled. This is not supported because SecureLogin either fails to open the local cache or opens the local cache file without any password.
Offline authentication does not work if you do a non-password-based NMAS authentication with the disabled. This is because SecureLogin in offline mode accepts only passphrases for non-password-based NMAS authentication. This scenario occurs only if SecureLogin is installed in Novell Client mode.
Unlocking a Citrix session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.
If you want to use the NMAS pcProx client method, manually upgrade the pcProx client method before or after upgrading to Novell SecureLogin 6.0 or later.
Ensure that you uninstall the existing pcProx client method and install the pcProx client method that is available with Novell SecureLogin 6.0 or later.
Installing the NMAS Login Server Method for pcProx by using the iManager plug-in for NMAS with iManager 2.6 fails to extend the schema definition of the User object class with the sasPcProxID attribute. This means that you are unable to associate the pcProx card ID with the User object for identification.
To resolve the issue, you must manually add the sasPcProxID attribute to the user object class by using the iManager schema plug-in.
The latest USB card readers have compatibility issues with the current pcProx method. For example, pcProx does not work with USB card reader model number bse-rfid1356I-usb.
This release of Novell SecureLogin provides new prebuilt applications to handle terminal services and RDP passthrough on Vista.
If the QuickFinder™ script is used with Mozilla* Firefox*, a message indicating “Would you like to login again?” is displayed when you are already logged in to QuickFinder and try to do a search.
To continue with your search, click at the prompt.
NOTE:This behavior is not observed in Internet Explorer.
This release of Novell SecureLogin does not include a predefined application definition for AOL* Instant Messenger.
This release of Novell SecureLogin does not include a predefined application definition for Hotmail*.
In a Windows Vista environment, the prebuilt Novell GroupWise® WebAccess script is not detected although the script exists in the application area of the Novell SecureLogin client.
The user is not prompted to use the script. Novell SecureLogin fails to run the script.
To resolve this issue, add the prebuilt script to the list of application definitions.
The Novell SecureLogin 6.1 does not prompt the users to select the credentials when multiple logins are present. Multiple logins are not working with Yahoo* e-mail and Novell GroupWise.
For example, when SecureLogin is running and users launch Novell GroupWise e-mail, they are prompted to save the credentials. The users save the credentials. Later, users could add more login IDs to the GroupWise application. They save these credentials and exit.
The next time they launch the GroupWise application, they are not prompted to select the credentials; instead, the credentials stored on the first occasion are stored to log in.
For applications that do not have a prebuilt script:
Click > > and verify whether the option is selected.
If it is selected, deselect it to make multiple logins work.
Users must manually insert the GroupWise client script to enable single sign-on for GroupWise WebAccess.
If you plan to use Novell SecretStore® on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.
When Secure Workstation is upgraded from Novell SecureLogin 3.51 or 6.0 to Novell SecureLogin 6.1, the Quick Login and Logout interface is installed even if this component was not installed with Novell SecureLogin 3.51 or 6.0. This is because NSL 6.1 uses a .msi based install, and prior versions use a .exe based install. A .msi install can not detect sub-components laid down by a .exe install.
If the Quick Login and Logout interface is not wanted, it can be easily removed from the Startup programs menu. Delete the NSWQLL entry from the registry at HLKM\Software\Microsoft\Windows\Current Version\Run. Removing this entry will not impact the functioning of Novell SecureLogin or Secure Workstation.
The Secure Workstation device removal policy configured for Terminal Services clients on a Citrix server fails to work on Citrix remote sessions from clients.
To resolve the issue, manually restart the Novell Secure Workstation service on the Citrix server.
On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with Secure Workstation sequence without the administrator unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.
The issue exists when the NMAS login is used with the Novell Client or Novell SecureLogin-LDAP Client.
The Secure Workstation policy fails when set through iManager, because the Post-Login method fails for SUSE® Linux Enterprise Server 10 and eDirectory 8.8 SP1.
However, users can use the Secure Workstation Policy setting through the client policy.
When you launch TLaunch and search for the available emulators, TLaunch fails to detect a newly created emulator.
TLaunch also fails to save the changes made to one of the existing emulators.
However, you can add and edit emulators on Microsoft Windows and Windows XP.
As a workaround, click > > , Right click , then select .
There is a known issue with the TLaunch shortcut command line /n (Number) switch.
Contact Novell Support for information.
Web applications directly accessed through Internet Explorer on a Microsoft Windows 2003 server might not work correctly until the option is disabled on the server. Alternatively, you can go to > and enable the third-party Web browser extensions.
This however, does not impact clients connected to a Microsoft Windows 2003 server.
With Novell SecureLogin in Novell Client mode on a Windows 2000 setup, single sign-on prompts the Citrix MetaFrame* Web browser to store again the credentials.
When users launch the Citrix Metaframe Web browser (http://serverip/Citrix/Metaframe) and provide the credentials, Novell SecureLogin prompts the users to save the credentials. When users log out and relaunch the browser, they are prompted to save the credentials again.
At the prompt, click and proceed.
Because Firefox and Internet Explorer have different controls, you must create the Web application definition for the two browsers separately.
When you use iManager to add the predefined application to a container, some Web-based applications are incorrectly identified as Win32 applications.
Check the properties of each application after the addition to validate that the configuration is correct.
If you uninstall SecureLogin, the Mozilla Firefox browser displays an error message when it restarts. This error occurs because the Firefox extensions do not have command line parameters for uninstalling.
If this happens, uninstall the Firefox extension manually as follows:
Click > .
Select the extension files that you want to delete.
Click .
Restart the browser.
We recommend that you start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings, is displayed during the Novell SecureLogin installation.
If this happens, click to import the Internet Explorer setting or click to cancel the import. The Novell SecureLogin installation proceeds.
The Activate the Diagnostic Log File option on the Settings tabbed page starts logging by itself. For advanced debugging, see TID 10088017 on the Novell Support Web site..
If you need information on LDAP Client registry settings, see TID 3790292 on the Novell Support Web site..
For support, refer to the following:
Online documentation at the Novell Documentation Web site..
Knowledgebase, updates, or chats at the Novell Support Web site.
Customers can also call Novell Support for technical support problems. The support phone number is 1-800-858-4000.
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.