Novell SecureLogin 7.0 Readme

September 18, 2009

1.0 Documentation

The following sources provide information about Novell® SecureLogin 7.0:

2.0 Introduction

Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. It eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.

This document introduces the new features in this version of Novell SecureLogin and lists known issues related to the administration, functioning, and other aspects of Novell SecureLogin.

For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site.

3.0 New Features

3.1 Enhanced Wizard Support

Novell SecureLogin 7.0 introduces an enhanced administrative wizard. The wizard engine has been improved to provide a unified and intuitive process; the primary improvement is a single wizard that manages different application types.

Using the wizard, you can create application definitions for Web, Windows*, and Java* applications. The new wizard simplifies the configuration of complex application definitions.

3.2 Enhancements to Scripting

This version of Novell SecureLogin provides multiple scripting enhancements, so that application definitions can accommodate more complex scenarios.

3.3 Support for Microsoft Windows Platforms

This release supports:

  • Microsoft* Windows* Vista* SP1, 32-bit and 64-bit.

  • Microsoft Windows Server* 2003 SP2, 32-bit and 64-bit.

  • Microsoft Windows Server 2008 SP2, 32-bit and 64-bit.

4.0 Known Issues

4.1 General Issues

4.1.1 Install NICI Before Installing Novell SecureLogin in LDAP v3 (non-eDirectory) and Novell eDirectory Modes

Before installing Novell SecureLogin on any of the following platforms, install Novell International Cryptographic Infrastructure (NICI):

  • Microsoft Windows Vista 64-bit in eDirectory, LDAP (non-eDirectory), and LDAP v3 mode

  • Microsoft Windows Server 2008 (64-bit)

You must install both the 32-bit and the 64-bit NICI manually. If NICI is not installed before you install Novell SecureLogin, an error message indicating that NICI is not installed is displayed and the installation stops.

4.1.2 Novell SecureLogin Citrix Passthrough in Novell Client Credential Provider Mode

Novell SecureLogin Citrix* Passthrough to Microsoft Windows Server 2008 in Novell Client™ Credential Provider mode is not supported.

4.1.3 The Disable Passphrase Security System Option Appears During an Upgrade

When you upgrade the datastore from 3.5 to 6.0 and then upgrade to Novell SecureLogin 7.0, and the Disable passphrase security system preference is set to Yes, the following message is displayed: "Your cache files have lost synchronization with directory authentication data. Would you like to delete your cache files and have them re-created?"

Click Yes to load Novell SecureLogin successfully.

4.1.4 Incorrect Database Mode Version Displayed in the Novell SecureLogin About Window

When you access Novell SecureLogin for the first time after providing the passphrase question and answer, the Database Mode in the About window (accessed from the Novell SecureLogin notification area icon) displays the database mode version as 3.0 3.0 Data Present PP Enabled.

On subsequent logins, the correct version is displayed.

4.1.5 Offline Message Is Displayed Multiple Times

If Novell SecureLogin is installed on a Citrix server in Novell Client mode and you select the Workstation Only option when restarting Windows on that Citrix server, the message "You are not logged in to a directory and SecureLogin was unable to find any cached user data" is displayed.

The message appears twice before you are authenticated.

4.1.6 Unable To Delete Logins from the Manage Logins Window

In some scenarios, users of the Novell SecureLogin Client Utility are unable to delete logins from the My Logins navigation area in the left pane: when they right-click a login, both the Delete and Rename options are disabled.

The login can still be deleted from the right pane.

4.1.7 Unable To Instantiate Scriptbroker Module: 80070005

Some Web pages are built in a way that provides information to SecureLogin in a different manner. On such pages, users can encounter the error message "Unable to instantiate scriptbroker module: 80070005" (0x80070005 is the COM HRESULT E_ACCESSDENIED, access denied).

In such scenarios, set the following registry value:

IESSO_USE_COM (DWORD), data 0, under HKEY_LOCAL_MACHINE\SOFTWARE\protocom\securelogin

This value changes the method of interprocess communication between SecureLogin processes, which works around the Web issue. Because it is a machine-wide (HKEY_LOCAL_MACHINE) setting, it applies to all Web pages, not only to the page producing the error, and to all users of the workstation; writing it requires administrator rights.

4.1.8 Using Unique Names

User IDs, applications, and password policies must all have unique names. Additionally, you cannot create an application named Error.

For example, if you install SecureLogin with the SecretStore client in eDirectory mode, you cannot add an application named App1 if a password policy named App1 already exists.

4.1.9 Manual Entry of the Smart Card PIN required for Citrix Server Authentication

If you use smart card authentication at the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for Citrix server authentication.

4.1.10 ViewNow Terminal Emulator

Contact Novell Support for information on using a ViewNow terminal emulator.

4.1.11 Using the SLLogging Manager on Microsoft Windows Vista

The SLLogging Manager utility enables advanced logging for support purposes.

Because of Microsoft Windows Vista restrictions on writing to the registry, SLLogging Manager must run elevated on Vista.

Right-click the SLLogging Manager application and select Run as administrator. Changes made through the SLLogging Manager are then written to the registry correctly and the relevant log file is created.

4.1.12 Novell SecureLogin Login in LDAP GINA Mode with eDirectory

Novell SecureLogin in LDAP GINA mode with eDirectory fails to set a passphrase for a new user if the eDirectory user's fully distinguished name (FDN) is 128 characters or longer.

4.1.13 Validating an Old Password

In Microsoft Windows 2003 configurations, users might be able to log in to their workstations by using their old password. Because the login succeeds, Novell SecureLogin loads. This is caused by a Windows Server 2003 domain controller setting (the old-password lifetime period) that allows an old password to be accepted for a period after it has been changed.

To reject the old password as soon as a password change occurs, set the following registry value on the domain controller:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Value: OldPasswordAllowedPeriod (new DWORD value)

Data: 0

The data is the number of minutes the old password stays accepted for NTLM network authentication after a change; Windows Server 2003 SP1 defaults to 60 (Microsoft Knowledge Base article 906305). Setting it to 0 removes the grace period.

For more information, see the Microsoft Web site.
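The two registry workarounds in sections 4.1.7 and 4.1.13 are both "create or overwrite a DWORD under HKEY_LOCAL_MACHINE", on different machines. The following batch file is an added example, not part of the Novell readme, that applies either one with reg.exe, backs up the key first so the change can be reverted, and reads the value back to confirm it was written. The script name nsl-regfix.cmd is an assumption; the key paths and value names are the ones the readme gives.

```batch
@echo off
setlocal
rem Added example, not from the Novell readme: applies the registry workarounds
rem from sections 4.1.7 (client workstation) and 4.1.13 (domain controller),
rem backing up the key first and reading the value back afterwards.
rem   nsl-regfix.cmd client   sets IESSO_USE_COM = 0 under the SecureLogin key
rem   nsl-regfix.cmd dc       sets OldPasswordAllowedPeriod = 0 under Lsa
rem Both keys live under HKLM, so run this from an elevated command prompt.
rem The script name is an assumption; key paths and value names are from the readme.

if /i "%~1"=="client" goto client
if /i "%~1"=="dc" goto dc
echo Usage: %~nx0 client ^| dc
exit /b 2

:client
call :setdword "HKLM\SOFTWARE\Protocom\SecureLogin" IESSO_USE_COM 0
exit /b

:dc
call :setdword "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" OldPasswordAllowedPeriod 0
exit /b

:setdword
rem %1 = key, %2 = value name, %3 = DWORD data
set "BACKUP=%TEMP%\%~2.before.reg"
rem Export the key before touching it so the change can be undone with:
rem   reg import "%BACKUP%"
if exist "%BACKUP%" del "%BACKUP%"
reg export "%~1" "%BACKUP%" >nul 2>&1 && echo Backup written to %BACKUP%
rem /f overwrites an existing value without prompting.
reg add "%~1" /v %~2 /t REG_DWORD /d %~3 /f >nul
if errorlevel 1 (
    echo Failed to write %~2 under %~1 - is this prompt elevated?
    exit /b 1
)
rem Read the value back; reg query prints DWORD data as hex (0x0 for 0).
for /f "tokens=3" %%v in ('reg query "%~1" /v %~2 ^| findstr /i /c:"%~2"') do set "ACTUAL=%%v"
echo %~2 is now %ACTUAL%
exit /b 0
```

Run nsl-regfix.cmd client on the affected workstation and nsl-regfix.cmd dc on the domain controller, never both on one machine. One check worth making on the 64-bit platforms this release supports: a 32-bit process reads HKLM\SOFTWARE through the WOW64 redirector (Wow6432Node), so if IESSO_USE_COM has no effect, confirm which registry view the installed SecureLogin build uses before assuming the workaround failed.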

4.2 Application Definition Wizard Issue

4.2.1 Credentials Fields Are Dimmed

The Username and Password fields in Add Application > Identity Fields are dimmed when the Navigate to field using keystrokes option is selected, and deselecting the option does not automatically enable them again.

This occurs because selecting the Navigate to field using keystrokes option removes the link to the specified control; when you deselect the option, the wizard cannot detect the fields again. Select the fields manually by dragging the Choose icon to the required text field.

4.3 DAS Issue

4.3.1 Using iManager Fails to Extend the DAS Schema

The DAS schema extension does not complete correctly through iManager because of a defect in the Import Conversion Export (ICE) utility of eDirectory.

Use one of the following workarounds to resolve the issue.

  • Using ConsoleOne: Browse to Tools > Schema > Add Attribute > Add Class. Specify the attribute information.

  • Using the ndssch command line utility: Use ndssch, which is bundled with eDirectory, to extend the schema. Use the -h option to specify the IP address of the NetWare host where you want to extend the schema.

    NOTE: You can run the utility from any workstation on which eDirectory is installed.

4.4 LDAP Issues

4.4.1 The Password Field in the LDAP Credential Provider Window

When NMAS authentication is used with the LDAP Credential Provider on Microsoft Windows Vista, the Password field in the Credential Provider is redundant and is not used.

To proceed with NMAS authentication, specify the LDAP username and server information, then click Submit without entering a password.

4.4.2 Control Panel Menu Is Slow to Respond

If you launch the Control Panel from the Start menu while the LDAPAuth GINA is running on the client, the Control Panel can take more than 20 seconds to display.

4.4.3 ?syspassword Reflects Universal Password or Simple Password

When SecureLogin is installed in LDAP mode and NMAS authentication is used, ?syspassword holds the Universal Password of the logged-in user.

In this mode of operation, a Universal Password must be configured and set for the NMAS user.

4.5 pcProx Issues

4.5.1 pcProx Identification

pcProx identification fails in the Novell Client on Microsoft Windows Server 2008 64-bit on the first login attempt for a new user. An error message indicates that the system cannot log in to the network and prompts the user to verify the credentials.

During the first attempt, log in to the Novell Client by using the NMAS pcProx sequence. pcProx identification works correctly on subsequent logins.

4.5.2 pcProx Unlock Operation in Citrix Session

Unlocking a Citrix* session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked through the Secure Workstation QLL GUI or through the Windows screen saver, unlocking it through the NMAS pcProx sequence fails.

4.6 Scripting Issue

4.6.1 Novell GroupWise 7.0 Web Login Prebuilt Script

In a Windows Vista environment, the prebuilt Novell GroupWise WebAccess script is not detected, although the script exists in the application area of the Novell SecureLogin client.

The user is not prompted to use the script, and Novell SecureLogin does not run it.

To resolve this issue, add the prebuilt script to the list of application definitions.

4.7 SecretStore Issue

4.7.1 SecretStore on the Server

If you plan to use Novell SecretStore on the client (SecretStore mode), install or upgrade to SecretStore 3.3.5 or later on the server before selecting the SecretStore option during the client install.

4.8 Secure Workstation Issue

4.8.1 Secure Workstation SMP Is Blocked

Every time a user with administrator privileges logs in to a workstation with User Account Control (UAC) enabled, the Secure Workstation Session Management Process (SMP) is blocked, and the user must unblock it manually. Until it is unblocked, the user cannot log in by using the NMAS Secure Workstation sequence, and an error message is displayed: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue. (Win32 error 740 is ERROR_ELEVATION_REQUIRED: the process needs elevation that the blocked startup did not get.)

This does not happen when a user with non-administrator privileges (that is, a standard user) logs in to the system.

For detailed information, see the Microsoft Developer Network Web site.

4.8.2 Using the NMAS Login with the Secure Workstation Sequence on a Microsoft Windows Vista Desktop

On a Microsoft Windows Vista desktop, if an administrator uses the NMAS login with the Secure Workstation sequence without first unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.

This occurs when the NMAS login is used with either the Novell Client or the Novell SecureLogin LDAP client.

4.8.3 Login Fails When the Secure Workstation Post-Login Method Is Added to the Login Sequence

When the Secure Workstation policy is set through iManager, it fails because the Post-Login method fails on SUSE Linux Enterprise Server 10 with eDirectory 8.8 SP1.

Users can instead apply the Secure Workstation policy through the client policy.

4.9 Smart Card Issue

4.9.1 Incorrect Smart Card Error Message

If a user logs in without the smart card when the Use smart card to encrypt SSO data preference is set to PKI Credentials and the Enable Passphrase Security System preference is set to No, the user is not prompted for the smart card.

Instead, an incorrect message is displayed: The smartcard does not contain any certificates that match the certificate selection criteria.

4.10 TLaunch Issues

4.10.1 TLaunch Shortcut Command Line /n Switch

There is a known issue with the /n (number) switch on the TLaunch shortcut command line.

Contact Novell Support for information.

4.10.2 TLaunch Fails to Add New Emulators or Save the Changed Configuration of Existing Emulators

When you launch TLaunch and search for the available emulators, TLaunch fails to detect a newly created emulator.

TLaunch also fails to save changes made to an existing emulator.

However, you can add and edit emulators on Microsoft Windows and Windows XP.

As a workaround, click Start > Programs > Novell SecureLogin, right-click Terminal Launcher, then select Run as administrator.

4.10.3 Prompt to Close Windows Explorer During Upgrade

If Novell SecureLogin is installed in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close Windows Explorer during an upgrade from version 6.1 or 6.1 SP1 to 7.0.

Click Ignore to proceed with the upgrade.

4.11 Upgrade Issues

4.11.1 Upgrading with Customized Version of Novell SecureLogin

When you upgrade to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized files with the standard files.

To retain the customizations, do one of the following:

  • Replicate the customized settings in the Novell SecureLogin 7.0 MSI.

  • Back up the customized files before the upgrade and restore them afterward.

4.11.2 SLMANAGER.EXE is installed automatically during the upgrade

When you upgrade from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is installed automatically. There is no option to exclude SLMANAGER.EXE during the upgrade.

To work around this issue, create a .bat file with the following lines and run it after the upgrade to delete SLMANAGER.EXE and its Start menu shortcut. The paths assume the default installation location; on Windows Vista or Windows Server 2008, run the file from an elevated command prompt, because Program Files is write-protected for standard users.

@echo off
rem Remove the SecureLogin Manager shortcut and executable installed by the upgrade.
rem Paths assume the default installation location.
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk"
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"

4.11.3 Prompt for Password When Notification Area Icon is Password Protected

During an upgrade from Novell SecureLogin 6.1 to 7.0, if the Password protect the system tray icon preference is enabled, users are prompted to provide the network password.

To work around the issue:

  1. Stop Novell SecureLogin manually before starting the upgrade.

    or

    Run slproto /forceshutdown from the command line to shut down Novell SecureLogin.

    NOTE: If you stop SecureLogin manually, you are prompted to specify the password. If you use the slproto /forceshutdown command, you are not prompted for the password. In other words, the tray-icon password protects the tray menu only; it does not stop a local user or script from shutting SecureLogin down.

  2. Start the upgrade.

  3. Specify the correct credentials.
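The procedure above can be scripted so that the upgrade never hits the tray-icon password prompt. The following batch file is an added example, not part of the Novell readme: it issues the forced shutdown, waits until the SecureLogin process has actually exited before launching the installer, and gives up if it has not. Assumptions not stated in the readme: the SecureLogin process is slproto.exe, slproto is on the PATH, /forceshutdown returns without waiting for the process to exit, and the installer path is a placeholder.

```batch
@echo off
setlocal
rem Added example, not from the Novell readme: scripts the workaround in
rem section 4.11.3 - shut SecureLogin down with /forceshutdown (no tray-icon
rem password prompt), confirm the process has exited, then start the upgrade.
rem Assumptions not stated in the readme: the SecureLogin process is
rem slproto.exe, slproto is on the PATH, /forceshutdown returns without
rem waiting, and the installer path below is a placeholder to be replaced.
set "MSI=%~1"
if "%MSI%"=="" set "MSI=C:\Install\NovellSecureLogin70.msi"
if not exist "%MSI%" (
    echo Installer not found: %MSI%
    exit /b 2
)

slproto /forceshutdown

rem Poll for up to 30 seconds until no slproto.exe is listed. tasklist prints
rem an INFO line (and returns 0) when nothing matches, so filter with find.
set /a TRIES=0
:waitloop
tasklist /fi "imagename eq slproto.exe" | find /i "slproto.exe" >nul
if errorlevel 1 goto stopped
set /a TRIES+=1
if %TRIES% geq 30 (
    echo slproto.exe is still running after 30 seconds; not starting the upgrade.
    exit /b 1
)
rem One-second delay that works on XP/2003/Vista (timeout.exe is not on XP).
ping -n 2 127.0.0.1 >nul
goto waitloop

:stopped
echo SecureLogin stopped; starting the upgrade, log in %TEMP%\nsl-upgrade.log
rem The installer still asks for credentials interactively (step 3 above).
msiexec /i "%MSI%" /l*v "%TEMP%\nsl-upgrade.log"
exit /b %errorlevel%
```

Run it in the user's own session (the process being stopped belongs to that session), passing the real installer path as the first argument. The wait loop is the part worth keeping even if the rest is adapted: starting msiexec while the old process is still shutting down is what produces the files-in-use prompts described elsewhere in this section.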

4.12 Web-Related Issues

4.12.1 Accessing Web Applications from a Windows 2003 Server

Web applications accessed directly through Internet Explorer on a Microsoft Windows 2003 server might not work correctly until Internet Explorer Enhanced Security Configuration is disabled on the server. Alternatively, go to Internet Options > Advanced and select Enable third-party browser extensions. Of the two, enabling third-party browser extensions is the narrower change; disabling Enhanced Security Configuration relaxes all of Internet Explorer's server hardening.

This does not affect clients connected to a Microsoft Windows 2003 server; it applies only to browsing on the server itself.

4.12.2 Firefox Issue During Installation

Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a prompt to import Internet Explorer settings is displayed during the Novell SecureLogin installation.

If this happens, click Import to import the Internet Explorer settings, or click Cancel to skip the import. The Novell SecureLogin installation proceeds either way.

5.0 Documentation Conventions

In this documentation, a greater-than symbol (>) separates actions within a step and items in a cross-reference path.

A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.