23.3 Authentication and File System Access for User-Associated Applications

The Application Launcher components, authentication methods, and file system access used to manage user-associated applications differ between Windows 98 and Windows 2000/XP, as explained in the following sections.

23.3.1 Windows 98 (User-Associated Applications)

The following table lists the components, authentication method, and file system access used by Application Launcher when managing a user-associated application on a Windows 98 workstation.

Table 23-1 Windows 98 (User-Associated Applications)

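| Event | Responsible Component | eDirectory Authentication | Workstation File System Access | Network Server File System Access |
|---|---|---|---|---|
| Distribution | Application Launcher | eDirectory user (User object) | Windows user ¹ | NetWare: Folder and file rights assigned to eDirectory user ²<br>Windows: Permissions assigned to Active Directory user ³<br>Linux: Rights assigned to Samba user ⁴ |
| Launch (normal) | Same as Distribution | Same as Distribution | Same as Distribution | Same as Distribution |
| Launch (force run ⁵) | Same as Distribution | Same as Distribution | Same as Distribution | Same as Distribution |
| Caching | Same as Distribution | Same as Distribution | Same as Distribution | Same as Distribution |
| Uninstall | Application Launcher | eDirectory user (User object) | Windows user | Not applicable |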

1 The Windows 98 operating system, unlike Windows 2000/XP, does not provide file system security for individual users. Each Windows 98 user account has full access to the local file system, which means that Application Launcher has all the file system access it requires.

2 NetWare server file rights can be assigned through the Application object (Common tab > File Rights page). Any object that is associated with the Application object receives these rights. You can also directly assign rights to users through their User objects (Rights to Files and Folder tab > Trustee File System Rights page) or some other method, such as adding them to a group that has been assigned the appropriate rights.

3 Windows server file permissions must be assigned through the user's Active Directory account, which must have the same username and password as the user's eDirectory account. The user, workstation, Middle Tier Server (if used), and Windows server must be members of the same Windows domain. For information about using Novell DirXML to synchronize user account information between eDirectory and Active Directory, see Installing Nsure Identity Manager 2.02 Bundle Edition in Installing ZENworks 7 Desktop Management in a Windows Network Environment in the Novell ZENworks 7 Desktop Management Installation Guide.

4 Linux server file rights are assigned through Samba. The procedures for doing this depend on the Linux distribution (Open Enterprise Server Linux, SUSE Linux Enterprise Server, etc.) being used. For OES Linux and SUSE Linux Enterprise Server, see Configuring a Linux Server for ZENworks File Access in the Novell ZENworks 7 Desktop Management Installation Guide. For additional information, refer to the OES Linux and SUSE Linux Enterprise Server documentation available on the Novell Documentation Web site or refer to the documentation for your Linux distribution.

5 The Force Run setting causes the application to automatically distribute after it becomes available. For information about configuring an application as Force Run, see Associations Page.

23.3.2 Windows 2000/XP (User-Associated Applications)

The following table lists the components, authentication method, and file system access used by Application Launcher when managing a user-associated application on a Windows 2000/XP workstation.

Table 23-2 Windows 2000/XP (User-Associated Applications)

| Event | Responsible Component | eDirectory Authentication | Workstation File System Access | Network Server File System Access |
|---|---|---|---|---|
| Distribution | NAL Service | eDirectory user | Windows System user ¹ | NetWare: Folder and file rights assigned to eDirectory user ²<br>Windows: Permissions assigned to Active Directory user ³<br>Linux: Rights assigned to Samba user ⁴ |
| Launch (normal) | Application Launcher | eDirectory user | Windows user | NetWare: Folder and file rights assigned to eDirectory user ²<br>Windows: Permissions assigned to Active Directory user ³<br>Linux: Rights assigned to Samba user ⁴ |
| Launch from Server (secure/unsecure ⁵) | NAL Service (when run as secure/unsecure System user ⁵) | eDirectory workstation | Windows System user (when run as secure/unsecure System user) | NetWare: Folder and file rights assigned to eDirectory workstation. (Novell Client)<br>Windows: If the workstation is not a member of Active Directory on the Windows server where it accesses files, then “anonymous logon” permissions should be granted for files to be read there. Otherwise, folder and file rights assigned to everyone (guest).<br>Linux: Rights assigned to guest/anonymous user |
| Launch (force run ⁶) | Same as Launch (normal) | Same as Launch (normal) | Same as Launch (normal) | Same as Launch (normal) |
| Caching | NAL Service | eDirectory user | Windows System user | NetWare: Folder and file rights assigned to eDirectory user<br>Windows: Permissions assigned to Active Directory user<br>Linux: Rights assigned to Samba user |
| Uninstall | NAL Service | eDirectory user | Windows System user | Not applicable |

1 For Application Launcher and its associated programs (NAL Service and Workstation Helper) to work properly, the Windows System user account must have full rights to all areas of the workstation. By default, this access is granted to the System user as a member of the Administrators group. Do not limit the default rights given to the Administrators group or the System user account.

In addition, Application Launcher requires that the user's Windows account provide the following rights:

  • At least Read access to the NAL cache directory (typically, c:\nalcache). For more information, see Section 24.2, File System Rights to the NAL Cache.

  • Full Control access to the user's temp directory (typically, c:\documents and settings\username\local settings\temp).

  • Full Control access to the user's data encryption directory (typically, c:\documents and settings\username\application data\microsoft\crypto). This is required only if the user is using the Desktop Management Agent without a network client.

  • Read/Write rights to the HKEY_CURRENT_USER\Software\NetWare\NAL\1.0 registry key.

  • Read rights to the HKEY_LOCAL_MACHINE\Software\NetWare\NAL\1.0 registry key.

  • Read rights to the HKEY_LOCAL_MACHINE\Software\Novell\ZENworks registry key.
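A probe of the user-account requirements listed above, as an added example that is not part of the Novell documentation: run it as the logged-in user on the workstation. It assumes the typical paths named in the text, approximates Full Control by creating and deleting a file, and its function names are illustrative.

```powershell
# Added example: verify the logged-in user's access against the list above.
# Paths are the "typical" locations from the text; adjust if yours differ.
$NalCache  = 'C:\nalcache'
$TempDir   = $env:TEMP
$CryptoDir = Join-Path $env:APPDATA 'Microsoft\Crypto'  # needed only without a network client
$HKCU = [Microsoft.Win32.Registry]::CurrentUser
$HKLM = [Microsoft.Win32.Registry]::LocalMachine

function Test-DirRead([string]$Path) {
    # Listing the directory fails if it is missing or not readable.
    try { Get-ChildItem -LiteralPath $Path -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}

function Test-DirWrite([string]$Path) {
    # Create and delete a probe file; this approximates Full Control
    # (it does not test the right to change permissions or ownership).
    $probe = Join-Path $Path ("nalcheck_{0}.tmp" -f [guid]::NewGuid().ToString('N'))
    try {
        [System.IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -ErrorAction Stop
        $true
    } catch { $false }
}

function Test-RegKey($Hive, [string]$SubKey, [bool]$Writable) {
    # OpenSubKey returns $null for a missing key and throws on access denied.
    try {
        $key = $Hive.OpenSubKey($SubKey, $Writable)
        if ($null -eq $key) { return $false }
        $key.Close()
        $true
    } catch { $false }
}

function Report([string]$Need, [string]$Target, [bool]$Ok) {
    $status = if ($Ok) { 'OK  ' } else { 'FAIL' }
    "{0}  {1,-12} {2}" -f $status, $Need, $Target
}

Report 'Read'         $NalCache  (Test-DirRead  $NalCache)
Report 'Full Control' $TempDir   (Test-DirWrite $TempDir)
Report 'Full Control' $CryptoDir (Test-DirWrite $CryptoDir)
Report 'Read/Write'   'HKCU\Software\NetWare\NAL\1.0' (Test-RegKey $HKCU 'Software\NetWare\NAL\1.0' $true)
Report 'Read'         'HKLM\Software\NetWare\NAL\1.0' (Test-RegKey $HKLM 'Software\NetWare\NAL\1.0' $false)
Report 'Read'         'HKLM\Software\Novell\ZENworks' (Test-RegKey $HKLM 'Software\Novell\ZENworks' $false)
```

A FAIL line means either that the target does not exist or that the current account lacks the listed access; the script does not distinguish the two.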

2 NetWare file system rights can be assigned through the Application object (Common tab > File Rights page). Any user who is associated with the Application object receives these rights. You can also directly assign rights to users through their User objects (Rights to Files and Folder tab > Trustee File System Rights page) or some other method, such as adding them to a group that has been assigned the appropriate rights.

3 Windows server file permissions must be assigned through the user's Active Directory account, which must have the same username and password as the user's eDirectory account. The user, workstation, Middle Tier Server (if used), and Windows server must be members of the same Windows domain. For information about using Novell DirXML to synchronize user account information between eDirectory and Active Directory, see Installing Nsure Identity Manager 2.02 Bundle Edition in Installing ZENworks 7 Desktop Management in a Windows Network Environment in the Novell ZENworks 7 Desktop Management Installation Guide.

If the workstation is not a member of the Active Directory of the Windows server where it gets files, you need to grant “anonymous logon” permissions for files to be read from the Windows server.

4 Linux server file rights are assigned through Samba. The procedures for doing this depend on the Linux distribution (OES Linux, SUSE Linux Enterprise Server, etc.) being used. For OES Linux and SUSE Linux Enterprise Server, see Configuring a Linux Server for ZENworks File Access in the Novell ZENworks 7 Desktop Management Installation Guide. For additional information, refer to the OES Linux and SUSE Linux Enterprise Server documentation available on the Novell Documentation Web site or refer to the documentation for your Linux distribution.

5 The Secure System User and Unsecure System User settings apply to applications running on Windows 2000/XP only. These settings cause the application to run in the “system” space as the Windows System user rather than in the “user” space as the logged-in user. These settings are intended to ensure that users can run the application even if they have limited access rights to the workstation’s file system. Only server files found in public locations at launch time are accessible to a user-associated application run with Unsecure System User. The user rights are never used for remote files at launch time when running in Unsecure System User mode. If all files are local, they are accessible at launch time. For more information, see Environment Page.

6 The Force Run setting causes the application to automatically distribute after it becomes available. For information about configuring an application as Force Run, see Associations Page.