Managing Administrative and User Settings

This section provides information on the following:


Understanding the Configuration Hierarchy

You can apply SecureLogin settings to a Container object, a User object, or a workstation.


Viewing SecureLogin Settings

You can view SecureLogin settings by using SecureLogin on the desktop, ConsoleOne, Microsoft Management Console in Active Directory environments, or SecureLogin Manager.

  1. Click Settings.


    The Settings page

    The Description column (Setting Description in MMC and on the desktop) explains a setting's purpose or action.

    The Value column lists the default or changed value.

    The Source column (Inherited From in MMC and on the desktop) displays the origin of the setting's value. The origin can be one of the following:

    • A default value
    • Manually configured at the User object level
    • An inherited value
  2. Scroll to the desired setting.

    The following table provides information on the settings. If you are running in standalone mode, not all settings are displayed.

Configuration Option Description

Activate the Diagnostic Log File

Logs the details of use to the hard drive. Because this preference is used for debugging and troubleshooting, the default is set to No. If you need to investigate a SecureLogin issue on the workstation, set the value to Yes.

NOTE: If you set this setting to Yes, expect a continuous increase in memory usage, similar to a memory leak.

Add Application Prompts for

  • Internet Explorer (and Netscape)
  • Java Applications
  • Windows Applications

Provides a prompt to enable an application for single sign-on, if a script exists for the application. To prevent a prompt, change the value to No.

If you disable the prompt, users can enable (for single sign-on) only those applications that you configure at the container or OU level.

Allow Single Sign-on to

  • Internet Explorer
  • Java Applications
  • Netscape
  • Windows Applications

Enables single sign-on to the application type. To prevent users from being able to single sign-on to these applications, set the value to No.

In contrast to disabling the SecureLogin prompts, disallowing single sign-on access disables any single sign-on for the application type.

Allow Users to View and Change Settings

Enables users to customize their SecureLogin environment by using the Settings tab to change settings on their workstations. To prevent users from customizing, change the value to No.

Allow Users to View and Modify Scripts

Enables users to view and edit scripts, which are the instructions that tell SecureLogin how to handle an application. When the value is set to Yes, users can use the New and Edit buttons on the Applications page.

To prevent users from viewing and modifying scripts, set the value to No.

Allow Users to View Passwords

Enables users to check the Display Passwords check box and view passwords that they use to log in to applications. To prevent users (and anyone else) from viewing their SecureLogin passwords, change the value to No.

The Yes setting is useful when a user's SecureLogin configuration needs to be reset. (The Clear Object Data or Clear Cache buttons reset the configuration.) Clearing object data deletes all use information, including passwords and passphrases that need to be entered when the user restarts SecureLogin. Allowing the user to view passwords enables the user to view and record passwords before object data (cache) is cleared.

Change the Cache Refresh Interval

Controls the number of minutes that SecureLogin waits before checking the container or OU cache for updates. The default is 5 minutes. Depending on your network and number of users, a recommended value is 240 minutes.

Customize Text for the Passphrase Setup Dialog Box

Enables you to personalize the text that appears in the Passphrase Setup dialog box that users encounter when they first use SecureLogin. Although you can type 8 lines with 64 characters on each line, limit your text to 415 characters. Otherwise, the text boxes hide the remaining text.

Detect Incorrect Passwords

We recommend that you set this value to No. The response to an incorrect password is included in the SecureLogin application connector (script).

Disable the Advanced Settings of Manage Logins

The Advanced option that is available from the SecureLogin task bar icon enables users to change SecureLogin settings, change their passphrases, and refresh the local cache.

To prevent users from using this functionality, set the value to Yes. The Settings tab is then unavailable through either the Advanced option on the task bar icon or Manage Logins.

Disable Single Sign-On

By default, all users can single sign-on to Windows, Web, and terminal emulator applications. To prevent a user from using single sign-on, select the User object and change the value to Yes.

In the snap-in to MMC, a Yes setting might cause the message "_wremove preference" to appear. If the message appears, click OK. You can ignore this message. It doesn't affect SecureLogin functionality.

Display the System Tray Icon

Whether the icon is displayed depends on the organization's security policies and preferences.

To prevent users from displaying and accessing the system tray (task bar) icon, change the value to No.

Enable the File Cache

Enables SecureLogin to create and use cache files on the workstation.

The cache file stores all user settings, including those inherited from higher-level containers and OUs. Settings are normally stored in a directory on the server. However, if the server is unavailable, or if you are using a laptop, the cache on the workstation is used. The cache is password protected and encrypted.

Enable the New Login Wizard on the System Tray Icon

Enables users to create multiple SecureLogin logins for the same application or server. To disable this feature, change the value to No.

Password Protect the System Tray Icon

Requires users to provide their network passwords before they can access options on the system tray SecureLogin icon. To require a password, change the value to Yes.

Prevent Users from Entering a Passphrase Question

By default, users can enter their own passphrase question, and then provide an answer. To require users to use a passphrase question that the administrator provides, set the value to Yes.

Stop Walking Here

Enables or disables the inheritance of settings from higher-level containers or OUs. Higher levels might have implemented a different version of SecureLogin. If inheritance from higher levels is required, set the value to No (default).

Use a Passphrase Policy

By default, SecureLogin doesn't require a passphrase policy.

To require a passphrase policy, change the value to Yes, then edit and save the policy.

To access the Settings tab for Active Directory:

  1. Select a Container or User object from the Active Directory Users and Computers in MMC, then select Properties.

  2. Select the Settings tab from the SecureLogin SSO tab of the properties dialog box.
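
The Value and Source columns and the Stop Walking Here setting interact in a way that is easy to misread during a settings review. The following Python model is an added example, not Novell code or a SecureLogin API: it resolves an effective value and its source for a User object and compares the result with a wanted baseline. The object names, the baseline, and the walk order are assumptions; the defaults are the ones stated in the table above.

```python
# Illustrative model only: not a SecureLogin API. Names and walk order are assumptions.
STOP = "Stop Walking Here"

# Defaults that this page states explicitly.
DEFAULTS = {
    "Activate the Diagnostic Log File": "No",
    "Disable Single Sign-On": "No",
    "Use a Passphrase Policy": "No",
    STOP: "No",
}

def resolve(setting, chain, defaults=DEFAULTS):
    """Return (value, source) for one setting.

    chain lists (object_name, explicitly_set_values) with the User object
    first, followed by each parent container/OU up to the top of the tree.
    """
    for depth, (name, explicit) in enumerate(chain):
        if setting in explicit:
            source = "user object" if depth == 0 else f"inherited from {name}"
            return explicit[setting], source
        if explicit.get(STOP) == "Yes":
            break  # values set above this object are no longer inherited
    return defaults.get(setting), "default"

def audit(chain, baseline):
    """List (setting, effective_value, source) where the effective value
    differs from the wanted baseline value."""
    findings = []
    for setting, wanted in baseline.items():
        value, source = resolve(setting, chain)
        if value != wanted:
            findings.append((setting, value, source))
    return findings

# Constructed sample directory data (hypothetical object names).
CHAIN = [
    ("cn=jsmith", {"Allow Users to View Passwords": "Yes"}),
    ("ou=Finance", {STOP: "Yes", "Display the System Tray Icon": "No"}),
    ("o=Corp", {"Use a Passphrase Policy": "Yes",
                "Allow Users to View Passwords": "No"}),
]
# Constructed baseline an administrator might want enforced.
BASELINE = {
    "Allow Users to View Passwords": "No",
    "Use a Passphrase Policy": "Yes",
    "Activate the Diagnostic Log File": "No",
}

if __name__ == "__main__":
    for finding in audit(CHAIN, BASELINE):
        print(finding)
```

In this sample, Stop Walking Here set to Yes on ou=Finance means the passphrase policy required at o=Corp never reaches the user, so the effective value falls back to the default.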


Configuring SecureLogin Settings


The Settings page

The Settings page enables you to control SecureLogin functionality. Users are able to view a subset of these settings. Depending on the values you set, users can change the subset of settings on their workstations. Local settings (subset) override user settings that you make.

You can't delete a setting. When you click Delete in SecureLogin or the snap-in to MMC, the setting changes to the default value.

Also, if SecureLogin can't enforce a policy, SecureLogin changes the specified value to a valid approximation. For example, if you set the minimum password length greater than the maximum password length, SecureLogin can't enforce that setting.

  1. Click Settings.

  2. Click a setting, click Edit, change the value by using the drop-down list, then click OK.

    The following figure illustrates the Editing a Setting dialog box in ConsoleOne:


    The Editing a Setting dialog box

    To customize text for the passphrase setup dialog box, type the text. The customized text replaces the default text.

  3. Save changes by clicking OK or Apply.

    Inherited fields in the SecureLogin Settings page don't apply until the corresponding settings are saved. To save inherited settings, click OK, close SecureLogin, then re-open SecureLogin.


Displaying the System Tray (Task Bar) Icon

When SecureLogin is installed, a Post-Install screen displays the following options:


Post-installation options

If the Start SecureLogin on Windows Startup check box is selected, SecureLogin places the SecureLogin icon on the task bar whenever the workstation is started.


The SecureLogin icon

To prevent users from displaying and accessing the task bar icon:

  1. Using administrative tools, right-click the Container or User object, then click Properties > Novell SecureLogin > General Settings > Settings.

  2. Select Display the System Tray Icon, then click Edit.

  3. Using the drop-down list, change the value to No.

  4. Save the changes by clicking OK twice.

If you turn off the SecureLogin icon on the task bar (workstation) and then use another tool to change the data, the changes won't take effect until the workstation is restarted.


Disabling the Local Cache

To use login data when you work offline, you can store login data in encrypted files on your workstation. By default, these cache files are located in the \documents and settings\profile\application data\securelogin\cache directory.

To disable the cache by using SecureLogin:

  1. Right-click the SecureLogin icon on the task bar, select Advanced, then select Change Settings.

  2. Select Settings > Enable Cache File.

  3. Click Edit, set the value to No, then click OK twice.

To disable the cache by using administrative tools:

  1. Right-click the Container or User object, then click Properties > Novell SecureLogin > General Settings > Settings.

  2. Select Enable File Cache, click Edit, then set the value to No.

  3. Save the changes by clicking OK twice.