Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. Novell SecureLogin also eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.
This document provides you with an introduction to the new features introduced in this version of Novell SecureLogin and also lists the issues related to administration, functioning, and other aspects of Novell SecureLogin.
For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site.
SLLogging Manager and TLaunch need administrator privileges to run on the Microsoft Windows Vista or Windows 7 operating systems.
Before installing SecureLogin on a Windows Vista machine, ensure that the operating system is updated with the latest security and service patches or with Microsoft redistributables (32-bit or 64-bit). Otherwise, the SecureLogin installation fails and shows the error message: NSL Event Service failed to start.
With the release of Novell SecureLogin 7.0 SP2 Hotfix 7, you can use slaptool to back up and restore credentials.
With the release of Novell SecureLogin 7.0 SP2 Hotfix 5, Mozilla Firefox 6.0, Mozilla Firefox 7.0 and Mozilla Firefox 8.0 are supported.
With the release of Novell SecureLogin 7.0 SP2 Hotfix 4, Novell Terminal Launcher application queries and verifies the validity of an IBM Personal Communication emulator session before connecting to it.
With the release of Novell SecureLogin 7.0 SP2 Hotfix 3, Mozilla Firefox 4.0 and Mozilla Firefox 5.0 are supported.
In SecureLogin 7.0 SP2 Hotfix 3, scripting of web page content displayed outside of the standard browser windows (that is, modal and modeless dialog boxes and popups) is supported.
To enable this, set the DWORD registry key WEBSSO_DHTML to 1 under HKLM\Software\Protocom\SecureLogin.
In SecureLogin 7.0 SP2 Hotfix 3, when the user logs in using NESCM (Novell Enhanced Smart Card Method) in eDirectory mode and the user’s password is expired, SecureLogin detects the expired password and changes it automatically on behalf of the logged in user. For more information, see Novell Administration Guide.
SecureLogin 7.0 SP2 Hotfix 2 supports Internet Explorer 9.
With the release of Novell SecureLogin 7.0 SP2 Hotfix 2, the Limit Concurrent Connection feature is implemented in the nwgina of Novell SecureLogin.
SecureLogin 7.0 SP2 Hotfix 1 supports Citrix XenApp 6.
With the release of Novell SecureLogin 7.0 SP2, the LDAP Contextless Search feature has been enhanced to enable the LDAPAuth component to perform a search even when anonymous bind is disabled.
With the release of Novell SecureLogin 7.0 SP2, the SLManager feature has been enhanced so that you can query user objects and perform administration operations on directory objects even when LDAP anonymous bind is disabled.
In Windows Vista and Windows 7, password recovery support is available for graphical authentication interfaces such as the Credential Provider for LDAP clients and the Novell Client. In the absence of these clients, password recovery support is provided by the default Microsoft Credential Provider implemented by the Client Login Extension.
For more information, see the Novell Client Login Extension Guide.
SecureLogin 7.0 SP2 increases One Time Password (OTP) functionality by enabling SecureLogin to expand the SSO support to applications configured to use OTP.
Novell SecureLogin now automatically generates the OTP by using the previously configured information for the application and fills in the credential field, thereby providing a seamless SSO experience.
SecureLogin 7.0 SP2 supports Flash applications.
SecureLogin 7.0 SP2 supports the \n and \t formats in the Messagebox.
SecureLogin 7.0 SP2 supports smart card authentication for Athena Middleware.
In Active Directory mode, by default SecureLogin uses the workstation logged in session to log in to SecureLogin. Users can also update the registry setting to log in to SecureLogin if they want to use different credentials.
The issue with the PressInput command executing thrice every time it is called is now fixed.
The issue with SecureLogin crashing in either SLBroker.exe or Iexplore.exe, when accessing web pages with multiple frames is now fixed.
The issue with the LDAP login dialog not showing the name of the last user logged in to the workstation is now fixed.
The issue with Lotus Notes Single Logon service not working after installing SecureLogin is now fixed.
The issue with the user not finding the stored login credentials when a workstation does not have a primary attachment to the server running SecretStore is now fixed.
The issue with SecureLogin in offline mode not being seamless in certain scenarios is now fixed.
The issue with Lotus Notes accepting the old password even after the password is changed is now fixed.
The issue with the schema extension considering the Protocom-SSO-ConnectionTimeToLive attribute as invalid since it has more than 32 characters is now fixed. The attribute is now named Protocom-SSO-ConnectionTTL.
The issue with TLaunch on Windows XP applying excess load on the Remote Procedure Call service (RPCSS), causing RPCSS to leak memory and crash and requiring the Windows host to reboot, is now fixed.
The issue with the Matchform command failing intermittently to match certain webpages is now fixed.
The issue with SecureLogin not recognising the Embedded Oracle login forms is now fixed.
The issue with Limit Concurrent Connection not clearing the obsolete IP addresses is now fixed. The obsolete IP addresses stored in the attribute Prot:SSO Connections are cleared in the following scenarios:
Time-to-live parameter expires.
The system crashes.
SecureLogin session terminates.
The issue with SecureLogin wizard actions such asand not functioning properly on .net applications is now fixed.
The issue with the LDAP queries getting a slow response from the directory is now fixed. Changes have been made to LDAPQuery so that it does not dereference alias objects.
The issue with slproto /runstartup command not executing properly is now fixed.
The issue with SLAP tool not running on a client where SecureLogin is not running is now fixed. SLAP tool is now marked as a primary launching application so that it can run the broker if it is not already started.
The issue with SecureLogin seamless login to offline mode not working when bothis set to and is set to 1 is now fixed.
Internet Explorer crashing due tois now fixed.
SecureLogin not starting due to SLbroker application error is now fixed.
Internet Explorer crashing when web applications are opened in many tabs is now fixed.
SecureLogin user prompted twice to login to the LDAP server is now fixed.
The issue with application objects with space characters in the name not getting created on an iManager SSO plugin is now fixed.
The issue with the browser crashing when dialog boxes such asand are displayed is now fixed.
The issue with accessing theoption without having to open the tab is now fixed by creating the option on the main login screen of Novell SecureLogin.
The issue of SLbroker crashing when multiple API connections or disconnections are made to the broker is now fixed.
The issue with the site command being empty when converting the wizard script for logon notification is now fixed.
The issue with detecting theform in the IBM Maximo Web application is now fixed.
The issue with the SSO failing on relaunch for the aSNAP and Maximo pop-up windows in Internet Explorer 8 is now fixed.
The Web page Java script that limited the processing time of the onBeforeNavigate function, and prevented the user from navigating to the next page after clicking the button is now fixed.
The issue with cross thread failures that might hamper the functionality of IESSO is now fixed.
The issue of SLManager crashing when the filtered search returned more than a thousand objects is now fixed.
The issue of manually entering the base DN and filter in SLManager is now fixed. SLManager now saves up to 20 base DN and filter entries.
The issue with the Flash WindowFinder file having the wrong file extension format is now fixed.
The issue with the failure of import in the iManager SSO plug-in when the application name contained a / is now fixed.
The issue with the TLaunch not terminating when its associated emulator sessions were closed is now fixed.
When a Web page could not send information to SecureLogin by using a different method, the following error message is shown:
Unable to instantiate scriptbroker module: 80070005
To resolve this error, uninstall SecureLogin, delete its installation directory, delete the registry hive hklm/software/protocom, then reinstall SecureLogin.
This workaround resolves this error for all Web pages, including the Web page that showed this error.
If the problem persists, re-register the following SecureLogin DLL files:
regsvr32 "C:\Program Files\Novell\SecureLogin\iesso.dll"
regsvr32 "C:\Program Files\Novell\SecureLogin\slbroker.dll"
regsvr32 "C:\Program Files\Novell\SecureLogin\slcaptain.dll"
If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.
Novell SecureLogin in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the fully distinguished name (FDN) of the eDirectory user has 128 characters or more.
In Microsoft Windows 2003 configurations, users might be able to log in to their workstations by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the reuse of an old password.
To disable an old password as soon as a password change occurs:
Update the domain controller registry setting with the following value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create the new DWORD value OldPasswordAllowedPeriod.
Set this value to 0.
For more information, see the Microsoft Web site.
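The registry steps above can be audited and applied with a script. The following PowerShell is an added example, not code from Novell or Microsoft; the function names and the -Enforce switch are hypothetical names chosen for this example, and it assumes it is run on the domain controller itself.

```powershell
# Added example (not Novell or Microsoft code). Run on the domain controller.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # key named in the steps above
$ValueName = 'OldPasswordAllowedPeriod'                      # DWORD named in the steps above
$Desired   = 0                                               # value the steps above call for

function Test-IsElevated {
    # Writing under HKLM requires an elevated (administrator) token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-OldPasswordAllowedPeriod {
    # Returns the current DWORD, or $null when the value has not been created yet.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-OldPasswordAllowedPeriod {
    # Hypothetical helper of this example: reports the state, changes it only with -Enforce.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Enforce)

    $before = Get-OldPasswordAllowedPeriod
    $state  = if ($null -eq $before) { 'not set' } else { "$before" }

    if ($before -eq $Desired) {
        Write-Output "$ValueName is already $Desired; nothing to change."
        return
    }
    if (-not $Enforce) {
        Write-Output "$ValueName is $state; expected $Desired. Re-run with -Enforce to fix."
        return
    }
    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell session.'
    }
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", "Set DWORD to $Desired")) {
        # -Force creates the value if it is missing and overwrites it if it exists.
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
            -Value $Desired -Force | Out-Null

        # Read the value back so a silent failure does not pass as success.
        $after = Get-OldPasswordAllowedPeriod
        if ($after -ne $Desired) {
            throw "Write did not take effect (read back: $after)."
        }
        Write-Output "$ValueName changed from $state to $after."
    }
}

Set-OldPasswordAllowedPeriod              # audit only: report the current state
# Set-OldPasswordAllowedPeriod -Enforce   # create or correct the value
```

Running it without -Enforce on every domain controller gives a quick report of which ones still accept the old password; adding -WhatIf to the -Enforce call shows the change without writing it.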
If password policies already exist, ignore the incorrect error message 0 password policy, which is shown when restoring user data.
The memory used on the workstation by sldotnetsso64 increases from approximately 15 MB to 142 MB.
When you are installing the NMAS client on a Windows 2003 R2 64-bit machine, the following error message is shown:
Windows Vista or later required.
You get this error because the NMAS client is not available for a Windows 2003 R2 64-bit machine.
SecureLogin allows single sign-on for web applications in Mozilla Firefox even whenpreference is set to .
When you create a new NSLADSAuth in HKLM\Software\Protocom\SecureLogin\ and set the value of NSLADAuth to 1, multiple SecureLogin tray icons are displayed when you cancel the login operation.
Mouse over the SecureLogin system tray icons to clear them.
The DAS schema extension fails to extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.
Use one of the following workarounds to resolve the issue.
Using ConsoleOne: Browse to> > > . Specify the attribute information.
Using the ndssch Command Line Utility: Use the ndssch utility to extend the schema. The utility is bundled with eDirectory. Use the -h option, then specify the IP address of the NetWare workstation where you want to extend the schema.
NOTE: You can use the utility from any workstation on which eDirectory is installed.
On Windows 7 and Windows Vista, the log file for the DAS feature does not store the DAS data when UAC is enabled. Changing the DASLog.txt file path from the installation location to C:\ enables the log file to store DAS data.
You can use the SecureLogin wizard to configure a .NET application in the LDAP mode for its login credentials, change the password option, change the password notification, and so on. The performance of the configured application depends on its size and the number of associated controls. If the size and number of controls occupy a large amount of space in the system, the application fails to load on the next login attempt. You should convert the application into an application definition, then reduce its size before logging in.
If an anonymous bind is disabled and the registry is not set in the workstation for the bind, then a concurrent connection is established with a full DN.
After thecheck box is selected and the user logs in to the workstation, the IP address entry is not removed from the iManager connections field.
The pcProx identification fails in the Novell Client on Microsoft Windows 2008 and Windows 7, on the first attempt for a new user. An error message indicating that the system cannot log in to the network appears and prompts the user to verify the credentials.
To fix the problem, use the NMAS pcProx sequence during the first attempt to log in to the Novell Client. pcProx identification happens correctly in the subsequent logins.
Unlocking a Citrix session by using the NMAS pcProx sequence does not work, that is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.
When an administrator logs in to a workstation on which User Access Control is enabled, the Secure Workstation Session Management Process is blocked and an error message is shown.
On Windows 7, the workaround is to manually run the process.
On Windows Vista, directly unblock the process from the taskbar. If the process is not unblocked, you cannot log in by using the NMAS secure workstation sequence and you see the error message: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.
This error occurs only for a user with administrator privileges and not for a user with non-administrator privileges; that is, a standard user.
For detailed information, see the Microsoft Developer Network Web site.
On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with the Secure Workstation sequence without unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.
The issue exists when the NMAS login is used with the Novell Client or the Novell SecureLogin-LDAP Client.
The Secure Workstation policy fails when it is set through iManager because the post-login method fails for NMAS Server version 3.1.0.
To resolve this issue, upgrade to the latest NMAS server version that SecureLogin supports.
If a user logs in without a smart card when thepreference is set to and the preference is set to , the user is not prompted for the smart card.
Instead, the user gets an incorrect message: The smartcard does not contain any certificates that match the certificate selection criteria.
Novell SecureLogin fails to launch using the smart card authentication without the User Principal Name, whenis set to .
This problem can be resolved if you use any of the following options:
preference is set to .
The smart card must be configured with a User Principal Name.
When a user logs in with NESCM and SecureLoginis set to yes, the user cannot unlock the system tray icon using the Smart Card PIN.
To resolve this issue, use the eDirectory password to unlock the system tray icon.
The ChangePasswordOnExpiry feature does not work when SecureLogin is installed in SecretStore mode.
When you upgrade to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized file with the standard files.
To retain the customized settings, do one of the following:
Replicate the customized settings on Novell SecureLogin 7.0 MSI.
Create a backup of the customized file, then apply it after the upgrade.
If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close the Windows Explorer, Windows installer and so on during upgrade from version 6.1 or 6.1 SP1 to 7.0 SP2.
Clickto proceed with the upgrade.
When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is automatically installed. There is no option available to stop the installation of SLMANAGER.EXE during the upgrade process.
To work around this issue, create a .bat file with the following lines to manually delete SLMANAGER.EXE:
@echo off
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk"
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"
During the upgrade from Novell SecureLogin 6.1 to 7.0, if theicon preference is enabled, the users are prompted to provide the network password.
To work around the issue:
Stop Novell SecureLogin manually before starting to upgrade.
Run slproto /forceshutdown from the command line to shut down Novell SecureLogin.
If you stop SecureLogin manually, you are prompted to specify the password.
If you use the slproto /forceshutdown command, you are not prompted to specify the password.
Start the upgrade.
Specify the correct credentials.
Web applications directly accessed through Internet Explorer on a Microsoft Windows 2000, 2003 or 2008 server might not work correctly until theoption is disabled on the server. Alternatively, you can go to > , then enable the third-party Web browser extensions.
This does not impact the clients connected to a Microsoft Windows 2000, 2003, or 2008 server.
Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation.
If this happens, clickto import the Internet Explorer settings or click to cancel the import. The Novell SecureLogin installation proceeds.
When a DHTML-enabled Web application is started, SecureLogin fails to prompt for entering the credentials. The error occurs when SecureLogin fails to run the predefined application definition to enable single sign-on for the site.
To resolve this issue, close the browser session and relaunch the Web application.
Novell SecureLogin 7.0 SP2 supports Web-enabled Oracle form applications. Therefore, Oracle JInitiator and JRE should be available in the system where Novell SecureLogin 7.0 SP2 will be used. If they are not present on the machine where Novell SecureLogin is already running, add the missing Java components in the machine, and then run the repair option available with the SecureLogin installer. The repair option of the installer adds the new Java component to be used for Oracle form applications.
Clicking thebutton shows authentication fields in an application being defined in the Application Definition Wizard. When you define an Oracle form that is run from a browser, the identified fields might show on the Oracle form and on the browser. You can ignore this behavior.
The Java component assigns a name taken from the title field of the innermost container to an Oracle form application. If the innermost container is not assigned a title when the forms are created, the wizard cannot assign a name to the Oracle form application.
Loading Oracle components requires some time before an application definition for an Oracle form is started. Therefore, the Wizard takes some time when starting the application definition for an Oracle form.
You can use the Client Login Extension tool to specify the text to be shown when a user clicks the Did you forget your Password ? link. However, the text specified for the Novell Client is not shown when the link is clicked.
Using the Forgotten Password link to recover the password forgotten for a locked workstation does not work on Microsoft Credential Provider for Novell Client.
SecureLogin does not support any wizard for Flash applications.
SecureLogin does not recognize the Title command for NSL Flash scripts. Use the ctrl command to match the window title.
The NSL script Select command does not work for Flash applications.
If the window size is changed or the mouse control is pointed to another window, the NSL Flash script execution might not work as expected.
There is a small memory leak of about 20-40 KB every time the NSL Flash script is executed.
The full product documentation is available at the Novell SecureLogin 7.0 SP2 Documentation Web site.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2005-2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.