Novell SecureLogin 7.0 Readme

September 18, 2009

1.0 Documentation

The following sources provide information about Novell® SecureLogin 7.0:

2.0 Introduction

Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. It eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.

This document provides you an introduction to the new features introduced in this version of Novell SecureLogin and also lists issues related to the administration, functioning, and other aspects of Novell SecureLogin.

For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site..

3.0 New Features

3.1 Enhanced Wizard Support

Novell SecureLogin 7.0 introduces an enhanced administrative wizard. Enhancements are made to improve the wizard engine and provide a unified and intuitive process. The primary improvement is to provide a single wizard that manages different applications types.

Using the wizard, you can create applications definitions for Web, Windows*, and Java* applications. The new wizard simplifies the configurations of complex application definitions.

3.2 Enhancements to Scripting

This version of Novell SecureLogin provides multiple scripting enhancements to continue delivering the most flexible possible solution to accommodate complex scenarios.

3.3 Support for Microsoft Windows Platforms

This release supports:

  • Microsoft* Windows* Vista* SP1, 32-bit and 64 bit.

  • Microsoft Windows Server* 2003 SP2, 32-bit and 64 bit.

  • Microsoft Windows Server 2008 SP2, 32-bit and 64 bit.

4.0 Known Issues

4.1 General Issues

4.1.1 Install NICI Before Installing Novell SecureLogin in LDAP v3 (non-eDirectory) and Novell eDirectory Modes

Before installing Novell SecureLogin on any of the platforms, install Novell International Cryptographic Infrastructure (NICI).

  • Microsoft Windows Vista 64-bit in eDirectory, LDAP (non-eDirectory), and LDAP v3 mode

  • Microsoft Windows Server 2008 (64-bit)

You must install both 32-bit and 64-bit NICI manually. If NICI is not installed before installing Novell SecureLogin, an error message is displayed indicating that NICI is not installed and stops the installation process.

4.1.2 Novell SecureLogin Citrix Passthrough in Novell Client Credential Provider Mode

Novell SecureLogin Citrix* Passthrough to Microsoft Windows 2008 in Novell Client™ Credential Provider mode is not supported.

4.1.3 The Disable Passphrase Security System Option Appears During an Upgrade

When you are upgrading the datastore from 3.5 to 6.0 and upgrading to Novell SecureLogin 7.0, if the Disable passphrase security system is set to Yes, a message indicating "Your cache files have lost synchronization with directory authentication data. Would you like to delete your cache files and have them re-created?

Click Yes to load Novell SecureLogin successfully.

4.1.4 Incorrect Database Mode Version Displayed in the Novell SecureLogin About Window

If you view When you access Novell SecureLogin for the first time after providing the passphrase question and answer, the Database Mode in the About window (accessed from the Novell SecureLogin notification area icon) displays the Database mode version as 3.0 3.0 Data Present PP Enabled.

On subsequent logins, the correct version is displayed.

4.1.5 Offline Message Is Displayed Multiple Times

If Novell SecureLogin is installed on a Citrix server in Novell Client mode and if you select the Workstation Only option when restarting Windows on that Citrix server, a message indicating “You are not logged in to a directory and SecureLogin was unable to find any cached user data" is displayed.

This message appears twice before you are authenticated.

4.1.6 Unable To Delete Logins from the Manage Logins Window

In some scenarios, in the Novell SecureLogin Client Utility, users are unable to delete the logins from the My Logins navigation area on the left pane.

When users right-click the login, both Delete and Rename options are disabled.

However, the login can be deleted from the right pane.

4.1.7 Unable To Instantiate Scriptbroker Module: 80070005

Some Web pages are configured in such a way as to provide information to SecureLogin in a different manner. When working on such Web pages, user can encounter the “Unable to instantiate scriptbroker module: 80070005” error message.

In such scenarios, set the following registry key:

IESSO_USE_COM reg setting (Dword - value '0') under \HKEY_LOCAL_MACHINE\SOFTWARE\protocom\securelogin

This registry key changes the method of interprocess communication between SecureLogin processes, providing a workaround to the Web issue. It will work across all Web pages, not only on the Web page producing the error.

4.1.8 Using Unique Names

User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named Error.

If you install SecureLogin with the SecretStore client in the eDirectory mode, you cannot add an application and name it App1 (for example) if a password policy already exists with the name App1.

4.1.9 Manual Entry of the Smart Card PIN required for Citrix Server Authentication

If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.

4.1.10 ViewNow Terminal Emulator

Contact Novell Support for information on using a ViewNow terminal emulator.

4.1.11 Using the SLLogging Manager on Microsoft Windows Vista

The SLLogging Manager utility is provided to enable advanced logging for support purposes.

Because of Microsoft Windows Vista restrictions, the SLLogging Manager must be enhanced to run on Vista.

Right-click the SLLogging Manager application and select Run as administrator. Any changes made through the SLLogging Manager now change the registry correctly to create the relevant log file.

4.1.12 Novell SecureLogin Login in LDAP GINA Mode with eDirectory

Novell SecureLogin in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the eDirectory user’s fully distinguished name (FDN) has 128 characters or more.

4.1.13 Validating an Old Password

In Microsoft Windows 2003 configurations, users might be able to login to their workstation by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the re-use of an old password.

To disable an old password as soon as a password change occurs, update the domain controller registry setting with the following value:


Create new DWORD value OldPasswordAllowedPeriod

Set this value to 0.

For more information, see the Microsoft Web site.

4.2 Application Definition Wizard Issue

4.2.1 Credentials Fields Are Dimmed

The Username and Password fields in Add Application > Identity Fields are dimmed when the Navigate to field using keystroke option is selected. Deselecting the keystroke option does not automatically enable these fields.

This occurs because when you select the Navigate to field by using keystrokes option, it disables the link to the specified control. When you de select this option, the wizard cannot automatically detect the fields again. You must manually select the fields by dragging the Choose icon to the required text field.

4.3 DAS Issue

4.3.1 Using iManager Fails to Extend the DAS Schema

The DAS schema extension fails to extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.

Use one of the following workarounds to resolve the issue.

  • Using ConsoleOne: Browse to Tools > Schema > Add Attribute > Add Class. Specify the attribute information.

  • Using the ndssch Command Line Utility: Use the ndssch utility to extend the schema. The utility is bundled with eDirectory.Use the -h option and specify the IP address of the NetWare workstation where you want to extend the schema.

    NOTE:You can use the utility from any workstation on which eDirectory is installed.

4.4 LDAP Issues

4.4.1 The Password Field in the LDAP Credential Provider Window

When NMAS authentication is used with the LDAP Credential Provider on Microsoft Windows Vista, the Password field in the Credential Provider is redundant and is not used.

To proceed with the NMAS authentication, users must specify the LDAP username and server information, then click Submit without specifying any password.

4.4.2 Control Panel Menu Is Slow to Respond

If you launch the Control Panel from the Start menu when LDAPAuth GINA is running on the client, the Control Panel takes more than 20 seconds to display.

4.4.3 ?syspassword Reflects Universal Password or Simple Password

When SecureLogin is installed in LDAP mode and NMAS authentication is used, ?syspassword reflects the universal password for the logged-in user.

In this mode of operation, it is mandatory to configure and set universal password for the NMAS user.

4.5 pcProx Issues

4.5.1 pcProx Identification

pcProx identification fails in Novell Client on Microsoft Windows 2008 64-bit, on the first attempt for a new user. An error message indicating the system cannot log in to the network appears and prompts the user to verify the credentials.

So, during the first attempt, log in to Novell Client using NMAS pcProx sequence. pcProx identification happens correctly in the subsequent logins.

4.5.2 pcProx Unlock Operation in Citrix Session

Unlocking a Citrix* session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.

4.6 Scripting Issue

4.6.1 Novell GroupWise 7.0 Web Login Prebuilt Script

In a Windows Vista environment, the prebuilt Novell GroupWise WebAccess script is not detected although the script exists in the application area of the Novell SecureLogin client.

The user is not prompted to use the script. Novell SecureLogin fails to run the script.

To resolve this issue, add the prebuilt script to the list of application definitions.

4.7 SecretStore Issue

4.7.1 SecretStore on the Server

If you plan to use Novell SecretStore on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.

4.8 Secure Workstation Issue

4.8.1 Secure Workstation SMP Is Blocked

Every time a user with administrator privileges logs in to the workstation with User Access Control enabled, the SMP is blocked. The user must unblock this manually. If it is not unblocked, the user cannot log in by using the NMAS secure workstation sequence and you see an error message indicating Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.

This does not happen if a user with non-administrator privileges (that is, a standard user) logs in to the system.

For detailed information, see the Microsoft Developer Network Web site.

4.8.2 Using the NMAS Login with the Secure Workstation Sequence on a Microsoft Windows Vista Desktop

On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with Secure Workstation sequence without the administrator unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.

The issue exists when the NMAS login is used with the Novell Client or Novell SecureLogin-LDAP Client.

4.8.3 Login Fails When the Secure Workstation Post-Login Method Is Added to the Login Sequence

The Secure Workstation policy fails when set through iManager, because the Post-Login method fails for SUSE Linux Enterprise Server 10 and eDirectory 8.8 SP1.

However, users can use the Secure Workstation Policy setting through the client policy.

4.9 Smart Card Issue

4.9.1 Incorrect Smart Card Error Message

If a user logs in without the smart card when the Use Smart card to encrypt SSO Data preference is set to PKI Credentials and Enable Passphrase Passphrase Security System preference is set to No, he or she is not prompted for smart card.

Instead, the user gets an incorrect message The smartcard does not contain any certificates that match the certificate selection criteria, is displayed.

4.10 TLaunch Issues

4.10.1 TLaunch Shortcut Command Line /n Switch

There is a known issue with the TLaunch shortcut command line /n (Number) switch.

Contact Novell Support for information.

4.10.2 TLaunch Fails to Add New Emulators or Save the Changed Configuration of Existing Emulators

When you launch TLaunch and search for the available emulators, TLaunch fails to detect a newly created emulator.

TLaunch also fails to save the changes made to one of the existing emulators.

However, you can add and edit emulators on Microsoft Windows and Windows XP.

As a workaround, click Start > Programs > Novell SecureLogin, Right click Terminal Launcher, then select Run as Administrator.

4.10.3 Prompt to Close Windows Explorer During Upgrade

If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, during upgrade from version 6.1 or 6.1 SP1 to 7.0 you are prompted to close the Windows Explorer.

Click Ignore to proceed with the upgrade.

4.11 Upgrade Issues

4.11.1 Upgrading with Customized Version of Novell SecureLogin

When upgrading to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized file with the standard files.

To retain the customized setting, do one of the following:

  • Replicate the customized settings on Novell SecureLogin 7.0 MSI.

  • Take a backup of the customized file and apply it after upgrade.

4.11.2 SLMANAGER.EXE is installed automatically during the upgrade

When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is automatically installed. There is no option available to stop the installation of SLMANAGER.EXE during the upgrade process.

To workaround this issue, create a .bat file with the following lines to manually delete SLMANAGER.EXE:

@echo off 
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk" 
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"

4.11.3 Prompt for Password When Notification Area Icon is Password Protected

During upgrade from Novell SecureLogin 6.1 to 7.0, if the Password protect the system tray icon preference is enabled users are prompted to provide the network password.

To workaround the issue:

  1. Stop Novell SecureLogin manually before starting to upgrade.


    Run slproto/forceshutdown from the commandline to shutdown Novell SecureLogin

    NOTE:If you stop SecureLogin manually, you are prompted to specify the password.

    If you use the slprotoc/forceshutdown command, you are not prompted to specify t he password.

  2. Start the upgrade.

  3. Specify the correct credentials.

4.12 Web-Related Issues

4.12.1 Accessing Web Applications from a Windows 2003 Server

Web applications directly accessed through Internet Explorer on a Microsoft Windows 2003 server might not work correctly until the Windows Enhanced Security option is disabled on the server. Alternatively, you can go to Internet Options > Advanced and enable the third-party Web browser extensions.

This however, does not impact clients connected to a Microsoft Windows 2003 server.

4.12.2 Firefox Issue During Installation

Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings, is displayed during the Novell SecureLogin installation.

If this happens, click Import to import the Internet Explorer setting or click Cancel to cancel the import. The Novell SecureLogin installation proceeds.

5.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®,™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark