After AD password change, immediate Middle Tier authentication fails

  • 3874098
  • 05-May-2007
  • 30-Apr-2012

Environment

Novell ZENworks 6.5 Desktop Management Support Pack 2 - ZDM6.5 SP2 ZENworks Middle Tier
Novell ZENworks 7 Desktop Management - ZDM7 Middle Tier
Novell ZENworks for Desktops 4.0.1 - ZfD4.0.1
Novell ZENworks Management Agent
Nsure Identity Manager 2.0
Microsoft Active Directory

Situation

User-associated applications and policies do not show in NAL (Novell Application Launcher) or apply when you change an expired password at boot with a clientless login in passive authentication mode.

Resolution

For ZDM6.5 SP2: fixed in ZENworks 6.5 Desktop Management SP2 IR1 or newer, available at https://download.novell.com

For ZDM7: fixed in ZENworks 7 Desktop Management with SP1, available at https://download.novell.com

To enable the fix, add the following registry values to each workstation under the key below and set an appropriate value for each:

HKLM\Software\Novell\LgnXTier\
    PassiveModeLoginRetryCount
    PassiveModeLoginRetryInterval

PassiveModeLoginRetryCount sets how many times the passive mode login is retried while IDM is still syncing the password; PassiveModeLoginRetryInterval sets how many seconds to wait between retries.
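As an added illustration (not part of this TID), the following PowerShell script creates the two values on a workstation and reads them back for verification. The REG_DWORD type and the sample numbers are assumptions, since the TID leaves the value types and settings to the administrator.

```powershell
# Added example, not from the TID. Sets the passive-mode login retry values
# under HKLM\Software\Novell\LgnXTier and verifies them.
# Assumptions: both values are REG_DWORD; the numbers below (5 retries,
# 10 seconds) are constructed placeholders to be tuned to how long IDM takes
# to sync a password change from AD to eDirectory in your environment.
$KeyPath  = 'HKLM:\Software\Novell\LgnXTier'
$Settings = @{
    PassiveModeLoginRetryCount    = 5    # retries while IDM syncs the password
    PassiveModeLoginRetryInterval = 10   # seconds between retries
}

# Create the key if it does not exist yet on this workstation
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Write (or overwrite) each value as a DWORD
foreach ($name in $Settings.Keys) {
    New-ItemProperty -Path $KeyPath -Name $name -PropertyType DWord `
        -Value $Settings[$name] -Force | Out-Null
}

# Read back and report so the deployment can be verified
$applied = Get-ItemProperty -Path $KeyPath
foreach ($name in $Settings.Keys) {
    $actual = $applied.$name
    $status = if ($actual -eq $Settings[$name]) { 'OK' } else { 'MISMATCH' }
    Write-Output ("{0,-30} = {1,-4} [{2}]" -f $name, $actual, $status)
}
```

Run it in an elevated session; the longest the agent will keep retrying is roughly RetryCount multiplied by RetryInterval seconds, so size the two values to cover the IDM sync delay you observe.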

Additional Information

When you are using IDM to synchronize passwords from Active Directory to eDirectory with the ZENworks Agent set to "passive mode" (login to AD first) and your password expires, the ZENworks agent tries to pass the new password to eDirectory too soon: IDM will not yet have had a chance to sync the password change from AD. Authentication to eDirectory therefore fails, and no user-associated applications or policies will work.

Formerly known as TID# 10098092 NOVL102557