8.0 User Source Authentication

By default, a user is automatically authenticated to the Management Zone when he or she logs in to an LDAP directory (Novell eDirectory or Microsoft Active Directory) that has been defined as a user source in the Management Zone. User authentication to ZENworks can occur only if the user’s LDAP directory (or the user’s LDAP directory context) is defined as a user source in ZENworks.

The ZENworks Agent integrates with the Windows Login or ZENworks Login client to provide a single login experience for users. When users enter their eDirectory or Active Directory credentials in the Windows or Novell client, they are logged in to the Management Zone if the credentials match the ones in a ZENworks user source. Otherwise, a separate ZENworks login screen prompts the user for the correct credentials.

For example, assume that a user has accounts in two eDirectory trees: Tree1 and Tree2. Tree1 is defined as a user source in the Management Zone, but Tree2 is not. If the user logs in to Tree1, he or she is automatically logged in to the Management Zone. However, if the user logs in to Tree2, the ZENworks Agent login screen appears and prompts the user for the Tree1 credentials.

Review the following sections:

Enabling Seamless Authentication on a Device

The first time a user logs in to a device that has more than one user source enabled, the user is prompted to select the user source and specify the user source credentials. During subsequent logins, the user is automatically logged in to the user source selected during the first login. However, if you do not want the user to be prompted to select the user source during the first login, perform the following steps to enable seamless login on the device:

  1. Open the Registry Editor.

  2. Go to HKLM/Software/Novell/ZCM/ZenLgn/.

  3. Create a DWORD called EnableSeamlessLogin and set the value to 1.

If seamless login is enabled, a user's first login to a device might be slow. This is because all the existing user sources are searched and the user is logged in to the first user source that matches the user account. If many users use the same device, subsequent logins might also be slow because the user information might not be cached on the device.

Reducing Device Login Time by Specifying the Default User Source

To reduce the login time, specify the default user source for the user to seamlessly log in to the device:

  1. Open the Registry Editor.

  2. Go to HKLM/Software/Novell/ZCM/ZenLgn/.

  3. Create a String called DefaultRealm and set its value to the desired user source. The DefaultRealm value is case sensitive since the realm name is case sensitive.

    For example, if all the users should log in to a user source named POLICY-TREE, create a String called DefaultRealm and set its value to POLICY-TREE.

If the login to the specified default user source fails, the other existing user sources are searched, then the user is logged in to the user source that matches the user account.

For successive logins, the cached user source takes precedence over the DefaultRealm setting. If you want to change the DefaultRealm setting and want it to take precedence over other user sources:

  1. Open the Registry Editor

  2. Go to HKLM/Software/Novell/ZCM/ZenLgn/History

  3. Delete CachedUserZenNames and RealmName registry keys.

NOTE:

  • The DefaultRealm setting applies only if the EnableSeamlessLogin setting is enabled.

  • The DefaultRealm registry key does not work if you log in by using the ZENworks icon on to a Windows 7 device with UAC enabled.

Disabling the Login Status Messages Display on the Device Screen

During the process of logging in to ZENworks, the user can view the status of the login. By default, the login messages are displayed on the screen.

To disable the login messages:

On a Windows XP, Windows 2000, or Windows Server 2003 device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\NWGINA.

  3. Create a DWORD called EnableStatusMessages and set its value to 0.

On a Windows 7, Windows Vista, or Windows Server 2008 device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\Authentication.

  3. Create a DWORD called EnableStatusMessages and set its value to 0.

Identifying the LDAP Directory That the User Has Logged In To

If the Novell Client is installed on a device, the HKLM\Software\Novell\ZCM\ZenLgn registry key that has DWORDS, DomainLogin and eDIRLogin is added by default on the device. The value of DomainLogin and eDIRLogin helps you identify whether a logged-in user has logged into Novell eDirectory or Microsoft Active Directory.

For example:

  • If DomainLogin is set to 1, the user has logged in to Microsoft Active Directory.

  • If eDIRLogin is set to 1, the user has logged in to Novell eDirectory.

  • If both DomainLogin and eDIRLogin are set to 1, the user has logged in to both Microsoft Active Directory and Novell eDirectory.

This login information might be useful in the following scenarios:

Scenario 1: If a user has logged in to Microsoft Active Directory, a DLU policy does not need to be enforced on a device. Even if you choose to enforce a DLU policy on the device, the policy is not effective on the device. Consequently, you can add a system requirement that the DLU policy must be effective on the device only when the user has logged in to Novell eDirectory.

Scenario 2: If a user has not logged in to Novell eDirectory, any bundle that must access content from a Netware shared location fails. Consequently, you can add a system requirement that the bundle must be effective on the device only when the user has logged in to Novell eDirectory.

Logging Directly in to a Workstation That has Both Novell Client and ZENworks Agent Installed

If you log into a device that has both Novell Client and ZENworks Agent installed, you are automatically logged in to ZENworks eDirectory, even if you have chosen to log in to the workstation only.

In the Novell Client dialog box, if you choose to log in to workstation only, then you must perform the following steps on the managed device to directly log in to the workstation:

On Windows XP device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\ZenLgn\.

  3. Create a DWORD called HonorClient32WorkstationOnlyCheckbox and set its value to 1.

On Windows Vista/Windows 7/Windows 8 device:

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM.

  3. Create a DWORD called HonorWorkstationOnlyLogin and set its value to 1.

Authenticating in to a ZENworks Server That Has Novell SecretStore Configured

If you choose to log into a ZENworks Server that has Novell SecretStore configured, perform the following steps on the managed device:

  1. Open the Registry Editor.

  2. Go to HKLM/Software/Novell/ZCM/ZenLgn/.

  3. Create a DWORD called EnableSecretStore and set its value to 1. However, if the DWORD already exists, then ensure that its value is set to 1.

Enabling SecretStore on the device might increase the time to authenticate to the ZENworks Server, depending on the number of eDirectory servers that have been added to the Management Zone. For more information on SecretStore operations, see TID 10091039 in the Technical Support Knowledgebase.

Authenticating in to a ZENworks Managed Device in a VDI environment

  1. Refresh the ZENworks managed device on the master image of the VDI environment.

  2. Right-click the ZENworks icon and ensure that the Login option is listed in the menu. You might have to refresh the device until the Login option is listed in the menu.

  3. Create the master image. For more information, see the Agent Deployment in VDI environment in theZENworks Discovery, Deployment, and Retirement Reference Guide.

  4. Shutdown the master image device.

  5. The master image of the VDI environment with ZENworks agent is ready. You can use the master image to create multiple virtual machine (VM) images. For information on how to create the VM images, refer to the vendor-specific documentation.

  6. Start the VM image.

  7. Log in to the VM by specifying the correct credentials.

Enabling debug logging on the micasad SecretStore

  1. Use a text editor to create a file named micasad.exe.config with the following content:

    <configuration>
     <system.diagnostics>
       <switches>
         <add name="TraceLevelSwitch" value="4" />
       </switches>
        <trace autoflush="true" indentsize="4">
         <listeners>
            <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="c:\logs\micasad.log" />
         </listeners>
        </trace>
      </system.diagnostics>
    </configuration>
  2. (Optional) Edit the value of TraceLevelSwitch. to change the log level.

  3. (Optional) Edit the value of initializeData to change the log level.

  4. Save micasad.exe.config in the same location where micasad.exe file is saved. By default, micasad.exe is saved in the following locations:

    • On 32-bit device: Windows_Install_Drive:\Program Files\Novell\CASA\bin

    • On 64-bit device: Windows_Install_Drive:\Program Files (x86)\Novell\CASA\bin

Using Domain Alias to Authenticate Users

The Domain Alias setting is meant for authenticating mobile device users only. Using these alternate domain alias names, workstation users will fail to authenticate to ZENworks, unless the Kerberos mechanism for authentication is enabled. For more information on the Kerberos authentication mechanism, see Kerberos (Active Directory or Domain Services for Windows). For more information on editing the Domain Alias setting for mobile devices, see Enabling a User Source for Mobile Device Enrollment.

Displaying the Change Password Menu

To display or hide the change password menu in the ZENworks Application tray icon.

  1. Open the Registry Editor.

  2. Go to HKLM\Software\Novell\ZCM\ZenLgn

  3. Create a string called ShowChangePasswordMenuItem and set the value either to true or false.

    • True: Displays the ChangePassword menu option in the ZENworks Application tray icon.

    • False: The ChangePassword menu option in the ZENworks Application tray icon will be hidden.

For information on the various authentication mechanisms, credential storage, and disabling user authentication, review the following sections: