Dangers of using SYSPREP after NICI has been installed

  • 3057160
  • 05-Feb-2007
  • 14-Feb-2017

Environment

Novell NetWare 6.5

Situation

Novell International Cryptographic Infrastructure (NICI)
Error -1460 and -1418 changing passwords with NMAS authentication enabled
Microsoft SYSPREP
Preparing an image for deployment
Internal error 0xFFFFFA27 reported when logging into NDS with NMAS enabled
Error -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27) FFFFFA27
Dangers of running SYSPREP after NICI has been installed

Resolution

If you are going to image a workstation and run SYSPREP, it would be best to NOT install the Novell Client (which installs NICI) until after SYSPREP has been run and the image has been restored to the workstation.

Additional Information

If Novell International Cryptographic Infrastructure (NICI) is present on a workstation when SYSPREP is run, users will not be able to access their NICI keys to authenticate to the workstation. SYSPREP changes the SID of the user which invalidates the file system rights for the NICI keys. For security reasons, NICI uses the Windows file system security to ensure secure access to these keys.

Per Microsoft's web site article "How to use Sysprep", Microsoft warns about the use of SYSPREP under "General notes about sysprep":

"You cannot run Sysprep on a computer that has been configured as a Cluster Service server, a Certificate Services server, or a domain controller. You can run Sysprep on a standalone server. If you run Sysprep on an NTFS file system partition that contains encrypted files or folders, the data in those folders become completely unreadable and unrecoverable."

With that said, NICI falls into this category of certificate services, and running SYSPREP will cause problems with NICI.

If SYSPREP has been run on a workstation after the Novell Client (and NICI) was installed, you will have to uninstall and reinstall NICI as follows. Do not follow these steps if SYSPREP was not run.

1. Uninstall NICI from Add/Remove programs in the Control Panel.
2. Reboot the workstation into Safe Mode. Make the Administrator the owner, with full rights, of the C:\WINNT\system32\Novell\nici directory and all child directories and files.
3. Delete the entire nici directory structure where you just set the rights. Example: Delete the nici directory in C:\WINNT\system32\Novell\
4. Boot back into Windows 2000 normal mode and re-install nici.
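The following PowerShell script is an added example and is not part of the original TID or of Novell's tooling. It shows the condition this document describes, NICI key files whose NTFS permissions reference SIDs that no longer resolve to any account after SYSPREP, and then carries out steps 2 and 3 above (take ownership, grant Administrators full control, delete the directory). It assumes a Windows release that ships PowerShell, takeown.exe and icacls.exe (Vista or later), so on such systems the nici directory will sit under C:\Windows rather than C:\WINNT and the path must be passed in; the default path is the one quoted in this document. Run it from an elevated Administrator session.

```powershell
# Added example (not Novell's code). Assumes PowerShell, takeown.exe and icacls.exe
# are available; the default path is the Windows 2000 location quoted in this TID.
function Test-NiciAcl {
    # Reports access-control entries on the NICI key tree whose SID cannot be
    # mapped back to an account. After SYSPREP changes the machine/user SIDs, the
    # ACEs that once granted the user access to his keys become orphaned like this.
    param([string]$Path = 'C:\WINNT\system32\Novell\nici')

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "NICI directory not found: $Path"
        return @()
    }

    $findings = @()
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName
        } catch {
            # Not even READ_CONTROL on the object: the current account has no
            # usable rights, which is itself a symptom of the problem.
            $findings += [pscustomobject]@{ Item = $item.FullName; Sid = '(ACL unreadable)'; Rights = $null }
            continue
        }
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            try {
                $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount])
            } catch [System.Security.Principal.IdentityNotMappedException] {
                # SID in the ACE no longer belongs to any account on this machine.
                $findings += [pscustomobject]@{
                    Item   = $item.FullName
                    Sid    = $rule.IdentityReference.Value
                    Rights = $rule.FileSystemRights
                }
            }
        }
    }
    return $findings
}

function Repair-NiciDirectory {
    # Steps 2 and 3 of the TID: make Administrators the owner with full rights
    # of the whole tree, then delete it. Reinstall NICI afterwards (step 4).
    param(
        [string]$Path = 'C:\WINNT\system32\Novell\nici',
        [switch]$Delete   # the tree is only removed when this switch is given
    )

    if (-not (Test-Path -LiteralPath $Path)) { return }

    # Step 2: take ownership for the Administrators group (/A) recursively (/R),
    # answering the prompt with Yes (/D Y), then grant full control that is
    # inherited by subfolders and files ((OI)(CI)F) across the tree (/T).
    & takeown.exe /F $Path /R /A /D Y | Out-Null
    & icacls.exe $Path /grant 'Administrators:(OI)(CI)F' /T /C | Out-Null

    # Step 3: delete the entire nici directory structure.
    if ($Delete) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Usage: first inspect, then repair only if orphaned entries were found.
$orphaned = Test-NiciAcl -Path 'C:\WINNT\system32\Novell\nici'
$orphaned | Format-Table -AutoSize
if ($orphaned.Count -gt 0) {
    Repair-NiciDirectory -Path 'C:\WINNT\system32\Novell\nici' -Delete
}
```

Test-NiciAcl is read-only and can be run at any time to confirm that the workstation really shows the post-SYSPREP symptom before anything is removed; Repair-NiciDirectory without -Delete only performs step 2, which is useful if you want to look at the key files before discarding them.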

Formerly known as TID# 10091539

Formerly known as TID# NOVL95769