Novell Doc: Novell Enhanced Smart Card Method 3.0.8 Installation and Administration Guide

A.6 Novell Client Options

A.6.1 Single Sign-On

When using the smart card method, users enter the card's PIN for eDirectory login and are then prompted to enter a password for the workstation login. The Novell Client Single Sign-On feature can be used to automatically log in to the workstation after the eDirectory login. This is accomplished by securely storing the workstation credentials in eDirectory and using them for future logins.

During Single Sign-On, the Novell Client prompts for the workstation password the first time and stores it in eDirectory. On subsequent logins, the user is not prompted for the workstation password. This improves the user's login experience and is recommended for all advanced eDirectory authentication methods.

This option is applicable only for Windows XP. For other Windows Client platforms except Windows XP, refer to Setting Up Single Sign-On (SSO) in the Novell Client 2 SP2 for Windows Administration Guide.

A.6.2 Passive Mode Login

Passive Mode Login is functionality added to the Novell Client 4.91 SP3. In passive mode, the Novell Client defers to the default MS GINA for the initial Windows login. After authentication to the workstation, the Novell Client attempts to authenticate to the Novell environment. The functionality was added to the Novell Client to allow environments that use Windows Active Directory* smart card authentication to function correctly. It allows the smart card to be used to authenticate to Active Directory and eDirectory.

In passive mode, the Windows username used for workstation authentication is also used for eDirectory authentication. In order to successfully authenticate, the username must exist in eDirectory, and the client's default location profile must be properly configured with the tree and context information.

To enable passive mode login, the following registry keys must be set:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginSilent"=dword:00000000 or 00000001
"PassiveModeNDSLoginRequired"=dword:00000000 or 00000001

Registry setting descriptions:

PassiveMode: (0/1) default is 0
0 = normal mode
1 = passive mode

PassiveModeNDSLogin: (0/1) default is 0
0 = don't do Novell login
1 = do Novell login

PassiveModeNDSLoginSilent: (0/1) default is 0
0 = report Novell login errors
1 = don't report Novell login errors

PassiveModeNDSLoginRequired: (0/1) default is 0
0 = don't require Novell login
1 = require Novell login

If PassiveModeNDSLoginRequired is set to True (1), the login experience requires a successful Novell authentication in order to succeed.

Login scripts are not processed by NWGINA in passive mode. The workaround is to run them after the GINA login. You can do this by placing a run entry in the registry, or you can create an entry in the startup file for Novell login:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "nwscript=reg_expand_sz:loginw32.exe %username% /NA /CONT
In passive mode, the method's card monitoring functionality does not work when the card removal behavior is set to Lock workstation. This is because MSGINA (not NWGINA) is used for the workstation Lock/Unlock functionality.

NOTE:This option is applicable only for Windows XP.