If you want your users to log in to the network through the Desktop Management Agent login dialog box, you need to understand how the Desktop Management Agent can be customized and what other preparations you must make to give users the login experience you want.
This section contains the following information:
This section lists the credentials that are required in order for Desktop Management User and Workstation policies to authenticate to eDirectory when the user's workstation has the Desktop Management Agent installed and is communicating through the ZENworks Middle Tier Server.
This information should help you understand why you supply these credential sets during the installation. The sections include:
The following table shows the credentials needed by Desktop Management User policies that use the Desktop Management Agent and the ZENworks Middle Tier Server to authenticate to eDirectory. It is assumed that the user's workstation has the Desktop Management Agent installed.
The following table shows the credentials needed by Desktop Management Workstation policies that use the Desktop Management Agent and the ZENworks Middle Tier Server to authenticate to eDirectory. It is assumed that the user's workstation has the Desktop Management Agent installed.
If the Novell Client is not present on the workstation when the Desktop Management Agent is installed, the installation program displays the Workstation Manager Settings page. This page lets you customize what the user will see at login time.
If you select Display ZENworks Middle Tier Server Authentication Dialog, a customized Novell login dialog box is always displayed to the user.
You might want to select this option if you plan to have more than one Middle Tier Server available in the network that the users can use for authentication to the Desktop Management Server.
NOTE: If the user workstation is a Windows 2000/XP platform, you should use this option if you want to apply Dynamic Local User policies to the workstation.
This login dialog box requires the user to enter a User ID and password (that is, the "authentication credentials") for the Desktop Management Server. These are the same credentials that the user is accustomed to using for connecting to the network (that is, connecting to eDirectory).
If you selected Allow Users to Change the ZENworks Middle Tier Server Address on Authentication Dialog during the installation, the users on this workstation can edit the DNS name/IP address of the ZENworks Middle Tier Server that is used for authenticating to eDirectory. They can also specify an alternate port for authenticating to the Apache Web server (NetWare®) or the IIS Web server (Windows). Users can do this by clicking the Options button on the Desktop Management Agent login dialog box.
Users specify an alternate port by entering a colon and the port number at the end of the IP Address or DNS name. For example:
151.155.155.000:5080
IMPORTANT: Entering a protocol (such as http: or https:) along with the IP address does not allow the Desktop Management Agent to connect to the ZENworks Middle Tier Server.
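The address rules above (host or host:port, no protocol prefix) can be checked before addresses are handed to users or written into deployment notes. The following is an added example, not code from the ZENworks documentation or product; the function names are hypothetical, and it assumes IPv4 or DNS names only, tolerates leading zeros in octets as in the example above, and mirrors the documented rules rather than the agent's actual parser.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _valid_host(host):
    labels = host.split(".")
    if all(l.isascii() and l.isdigit() for l in labels):
        # All-numeric means dotted-quad IPv4. Leading zeros are tolerated
        # (assumption), as in the page's own example 151.155.155.000.
        return len(labels) == 4 and all(len(l) <= 3 and int(l) <= 255 for l in labels)
    return len(host) <= 253 and all(_LABEL.fullmatch(l) for l in labels)


def parse_middle_tier_address(value):
    """Return (host, port) for 'host' or 'host:port'; port is None if omitted.

    Raises ValueError for input the documented rules exclude, notably a
    protocol prefix such as http: or https:.
    """
    text = value.strip()
    if not text:
        raise ValueError("empty address")
    if "//" in text or text.lower().startswith(("http:", "https:")):
        raise ValueError("protocol prefix not allowed; enter host[:port] only")
    host, colon, port_text = text.partition(":")
    port = None
    if colon:
        if not (port_text.isascii() and port_text.isdigit()) or not 1 <= int(port_text) <= 65535:
            raise ValueError("port must be a number from 1 to 65535")
        port = int(port_text)
    if not _valid_host(host):
        raise ValueError("host is not a valid IPv4 address or DNS name")
    return host, port


def audit(addresses):
    """Split candidate addresses into ({addr: (host, port)}, {addr: reason})."""
    accepted, rejected = {}, {}
    for raw in addresses:
        try:
            accepted[raw] = parse_middle_tier_address(raw)
        except ValueError as exc:
            rejected[raw] = str(exc)
    return accepted, rejected


# Constructed sample values (the first is the page's own example).
SAMPLE = ["151.155.155.000:5080", "mt.example.com", "https://mt.example.com", "mt.example.com:99999"]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```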
If you want the user to never see a Novell login dialog box, or in other words, to "pass through" the Desktop Management Agent and authenticate to the location of ZENworks files, you should first make sure that the user's local workstation credentials are the same as the eDirectory credentials. This is also called "passive mode" login.
If this synchronization is ready, then the authentication happens like this:
To configure the Desktop Management Agent for pass-through authentication, leave selected the options in the Workstation Manager Settings dialog box that are selected by default in the Desktop Management Agent installation. For more information, see Customizing the Agent Login.
If the user logs in to Windows with credentials that are not valid in eDirectory, a Novell Desktop Management Agent login dialog is displayed.
If the server where you want to install ZENworks Desktop Management is part of a Windows network environment (that is, a network with no Novell NetWare servers), that network probably has Microsoft Active Directory installed and the users are members of Microsoft domains. As mentioned in Desktop Management Server Software Requirements, the installation of Novell eDirectory 8.7.3 (recommended) is also a prerequisite in the network (in this case the Microsoft domain) where you will install ZENworks Desktop Management.
The following scenarios provide information about the way ZENworks Desktop Management authenticates after logging in to a Windows network environment:
If you want users to log in using the Desktop Management Agent login dialog box and local machine credentials, you must synchronize the local workstation credentials with the eDirectory credentials. If this synchronization is ready, then the authentication happens like this:
If you want users to log in using the Desktop Management Agent login dialog box and Microsoft domain credentials, the Windows 2000/2003 server where ZENworks Middle Tier Server software is installed and the Windows 2000/2003 server where Desktop Management Server software is installed must be part of the same Microsoft domain or trust relationship. The user's workstation doesn't log on to the domain unless the Desktop Management Server will be delivering MSI applications to it.
The authentication happens like this:
If you have already installed the Desktop Management Agent on a workstation, and if the Workstation Manager on that workstation has been scheduled to receive a workstation group policy, the workstation can still be authenticated to a Windows network and receive the policy files when the time for the group policy execution arrives, even if the user is not logged in. This is sometimes called "lights-out" authentication. The authentication happens like this: