2.0 Before Installing

Before you begin installing Novell SecureLogin, note the following behavior and limitations.

Installing Security Patches

Before installing Novell SecureLogin, ensure that the latest security patches are already installed on the machine. If SecureLogin is installed on a machine that is not updated with the latest patches, the following message is shown: The application (slnrmonitorserver) failed to start because a side by side configuration is incorrect. To resolve this problem, either update the machine with the latest operating system patches or manually install the Microsoft Redistributable Package (32-bit or 64-bit). After this update, reinstall Novell SecureLogin.

Administrator Access for Microsoft Windows

SLLogging Manager and TLaunch need administrator privileges to run on the Microsoft Windows Vista or Windows 7 operating systems.

Mandatory Post-Installation Step

After installing SecureLogin 7.0 and 7.0 SP1 in the eDirectory LDAP mode or NDS mode, you must immediately extract the fix FIX701100501_185, run the ndsschema schema file, and extend the schema. This step is mandatory for the smooth functioning of SecureLogin.

Installing on Microsoft Windows Vista

Before installing SecureLogin on a Windows Vista machine, ensure that the operating system is updated with the latest security and service patches or with Microsoft redistributables (32-bit or 64-bit). Otherwise, the SecureLogin installation fails and shows the error message: NSL Event Service failed to start.

For detailed information on operating systems, see Operational Environment in the Novell SecureLogin Overview Guide.

The Installation Is Interrupted

User Account Control (UAC) is a new setting on Microsoft Windows Vista. If the UAC is enabled during the installation of Novell SecureLogin, you are prompted about whether you want to continue with the installation process. If you do not respond to the prompts for a long time, a screen saver might come up (depending on the desktop setting) and interrupt the installation process, requiring you to restart the installation.

If the UAC prompts must be avoided, the administrator must disable the UAC setting in Microsoft Windows Vista.

NICI Client Is Not Uninstalled

Novell International Cryptography Infrastructure (NICI) is installed automatically when SecureLogin is installed in any of the following modes:

However, if you uninstall SecureLogin, the NICI client remains because other Novell services (for example, NMAS, Novell Client, and SecretStore) might also need the NICI client.

If you plan to uninstall the NICI client, ensure that it is no longer needed before you remove it. To uninstall the NICI client, use Add/Remove Programs.

Validating an Old Password

In Microsoft Windows 2003 configurations, users might be able to log in to their workstation by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the reuse of an old password.

To disable an old password as soon as a password change occurs, update the domain controller registry setting with the following value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Create a new DWORD value named OldPasswordAllowedPeriod.

Set this value to 0.

For more information, see the Microsoft Web site.

Installing a New Version of Java on Windows Vista

If a new version of Java is installed after installing Novell SecureLogin, the next time you run Novell SecureLogin, it checks for new versions of Java to enable single sign-on.

If a new version of Java is detected, the required information must be updated in C:\Program Files\Java, and some files must also be modified in the process. However, Windows Vista does not permit you to write to the C:\Program Files\Java files unless you elevate privileges.

To resolve this:

  1. Stop the Novell SecureLogin application.

  2. Locate slproto.exe, right-click it, then select Run As Administrator.

  3. Specify the administrator password.

    You are now working with administrator privileges and can successfully write to the Java folder.

NSL Login in LDAP GINA Mode with eDirectory

NSL in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the eDirectory user’s fully distinguished name (FDN) has 128 characters or more.

SecureLogin Using LDAP Fails to Detect Network Connection Status on VMWare

On VMWare, SecureLogin in LDAP mode fails to detect the network connection status. Therefore, SecureLogin never switches to the Offline Login dialog box directly and always displays the LDAP Login dialog box.

?syspassword Reflects Universal Password or Simple Password

When SecureLogin is installed in LDAP mode and NMAS authentication is used, ?syspassword reflects the universal password for the logged-in user.

In this mode of operation, it is mandatory to configure and set universal password for the NMAS user.

Display of LDAP GINA On Client With Conflicting IP Addresses

If Novell SecureLogin 7.0 SP1 is installed on a workstation with conflicting IP addresses and the workstation is restarted, the LDAP GINA dialog is not displayed. Instead, the Novell security message You have Encountered unexpected Login Failure: status:0X6f634 is displayed. Users cannot log in to the workstation or the network.

To resolve the issue:

  1. Boot the workstation by using the Safe Mode with Networking option.

  2. Change the IP address of the workstation.

  3. Restart the workstation.

Using the Workstation Only Option

The login function provided by the Workstation Only option was enhanced in hotfix 4 of the Novell SecureLogin 6.1 release.

With the release of Novell SecureLogin 6.1, if a user logged in to the workstation through the Workstation only option, he or she was prompted to provide the username and password or passphrase. Because the user was not connected to the network, Novell SecureLogin could not retrieve the user’s eDirectory credentials and needed to prompt for them again after Windows launched.

This issue is fixed in Novell SecureLogin hotfix 4.

During the Workstation only login, if the workstation or local credentials are the same as eDirectory credentials, the user is not prompted for the credentials. Novell SecureLogin seamlessly logs in the user.

However, to allow this, the user must manually change the DWORD value of the TryRegCredInOffline registry value.

IMPORTANT: The user must have logged in to eDirectory at least once to make the change, and must have Novell SecureLogin 6.1 with hotfix 4 and the Novell Client 4.91 SP4 with the latest patch.

To change the DWORD value:

  1. Use a registry editor to access the Windows registry.

  2. Change the DWORD value of TryRegCredInOffline in HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\ as follows:

    • DWORD value of 0 == disabled (default behavior if key is not defined)

    • DWORD value of 1 == enabled (try to log in Workstation only with GINA credentials)

    A seamless login to offline mode by using the Windows user credentials happens if the DWORD value is set to 1. Also, the following conditions must be met:

    • LDAP is installed in Credential Manager, GINA mode, or Credential Provider mode.

    • The network or the server is not reachable for the client workstation.

    • The LDAP and Windows user credentials are the same.

    • The LDAP user is associated with the Windows user.

      NOTE: This is applicable for LDAP Credential Manager mode.

    • During login for GINA or Credential Provider mode, the Workstation only option is selected.
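
Both registry changes described on this page (OldPasswordAllowedPeriod on the domain controller, TryRegCredInOffline on the SecureLogin workstation) can be checked before they are changed. The following PowerShell is an added example, not Novell tooling: the function names and the $Settings table are hypothetical, the key paths, value names and values are the ones given above, and PowerShell 3.0 or later in an elevated session is assumed.

```powershell
# Added example. Key paths, value names and target values come from this page;
# everything else (function names, $Settings) is illustrative.
$Settings = @{
    OldPasswordAllowedPeriod = @{
        Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # domain controller
        Target = 0   # old password is disabled as soon as a password change occurs
    }
    TryRegCredInOffline = @{
        Path   = 'HKLM:\SOFTWARE\Novell\Login'                  # workstation
        Target = 1   # 1 = enabled; 0 or not defined = disabled (default)
    }
}

function Get-DwordSetting {
    param([Parameter(Mandatory = $true)][string]$Name)
    $s = $Settings[$Name]
    # Returns nothing (and no error) when the key or the value does not exist
    $item = Get-ItemProperty -Path $s.Path -Name $Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name    = $Name
        Path    = $s.Path
        Current = if ($null -ne $item) { $item.$Name } else { $null }  # $null = not defined
        Target  = $s.Target
        Matches = ($null -ne $item -and $item.$Name -eq $s.Target)
    }
}

function Set-DwordSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Name)
    $s = $Settings[$Name]
    if (-not (Test-Path -Path $s.Path)) {
        if ($PSCmdlet.ShouldProcess($s.Path, 'Create registry key')) {
            New-Item -Path $s.Path -Force | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess("$($s.Path)\$Name", "Set DWORD to $($s.Target)")) {
        # -Force creates the value, or overwrites it if it already exists
        New-ItemProperty -Path $s.Path -Name $Name -PropertyType DWord `
            -Value $s.Target -Force | Out-Null
    }
    Get-DwordSetting -Name $Name   # report the resulting state
}

# Report the current state without changing anything
Get-DwordSetting -Name OldPasswordAllowedPeriod
# Preview the change; remove -WhatIf to apply it
Set-DwordSetting -Name OldPasswordAllowedPeriod -WhatIf
```

Run the OldPasswordAllowedPeriod calls on the domain controller and substitute TryRegCredInOffline when running on a workstation.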

Novell SecureLogin Fails When a User With the Same Name and Context in Two Different eDirectory Trees Tries To Log In To The Same Windows Machine

When a user with the same name and context in two different eDirectory trees tries to log in to the same Windows machine, an error message “Your Cache files have lost synchronization with your directory data. Would you like to delete your local cache files have them re-created?” appears. When you click OK and proceed, credentials of the previous user with same name are deleted and the cache file has only your credentials.

Login Fails for NMAS Post Login Methods for eDirectory 8.8 SP1 or NMAS3.1.0 Server Version

If users have a login with the post-login method (Secure Workstation), users are unable to log in if the Directory is eDirectory 8.8 SP1, because the default NMAS server version installed is NMAS 3.1.0. If users have a login with the post-login method (Secure Workstation), users are unable to log in after upgrading eDirectory to 8.8 SP1 or to NMAS 3.1.0. To resolve this, users must upgrade to NMAS 3.1.1 or later by using the Security Service 2.0.2 available at the Novell Download Web site.

Firefox During Installation

We recommend that you start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation. If this happens, click Import to import the Internet Explorer settings or click Cancel to cancel the import. The Novell SecureLogin installation then proceeds.

Notification Area Icon Cannot Be Unlocked Using pcProx Authentication

You cannot unlock the SecureLogin notification area (system tray) icon using the NMAS pcProx authentication. Unlock the icon by using the passphrase if you have enabled one, or by using your directory password. Alternatively, you can set and use a universal password.

Logging In after Uninstalling the ZENworks for Desktops Management Agent

Under the following conditions, you might not be able to log in to your workstation:

To solve the problem:

  1. Start the workstation in Safe mode.

  2. Copy the nwgina.dll file to the windows\system32 directory.

SecretStore on the Server

If you plan to use Novell SecretStore® on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.