Novell SecureLogin Readme 7.0 SP2 Hotfix 7

February 2012

Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. Novell SecureLogin also eliminates the requirement for users to remember multiple usernames and passwords and automatically enters them for users when required.

1.0 Introduction

This document introduces the new features in this version of Novell SecureLogin, lists the bugs fixed in each hotfix, and lists the known issues related to administration, functioning, and other aspects of Novell SecureLogin.

For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site.

2.0 Prerequisites

2.1 Administrator Access for Microsoft Windows

SLLogging Manager and TLaunch need administrator privileges to run on the Microsoft Windows Vista or Windows 7 operating systems.

2.2 Installing on Microsoft Windows Vista

Before installing SecureLogin on a Windows Vista machine, ensure that the operating system is updated with the latest security and service patches and that the required Microsoft redistributables (32-bit or 64-bit) are installed. Otherwise, the SecureLogin installation fails with the error message: NSL Event Service failed to start.

For detailed information on operating systems, see Operational Environment in the Novell SecureLogin Overview Guide.

3.0 New Features

3.1 Slaptool Support

With the release of Novell SecureLogin 7.0 SP2 Hotfix 7, you can use slaptool to back up and restore credentials.

3.2 Mozilla Firefox Support

With the release of Novell SecureLogin 7.0 SP2 Hotfix 5, Mozilla Firefox 6.0, Mozilla Firefox 7.0 and Mozilla Firefox 8.0 are supported.

3.3 TLaunch Verifies the IBM Personal Communication Emulator Session Before Connecting to It

With the release of Novell SecureLogin 7.0 SP2 Hotfix 4, the Novell Terminal Launcher (TLaunch) application queries and verifies the validity of an IBM Personal Communication emulator session before connecting to it.

3.4 Mozilla Firefox Support

With the release of Novell SecureLogin 7.0 SP2 Hotfix 3, Mozilla Firefox 4.0 and Mozilla Firefox 5.0 are supported.

3.5 Modal and Modeless Dialog Box Support

In SecureLogin 7.0 SP2 Hotfix 3, scripting of Web page content displayed outside the standard browser window, that is, in modal and modeless dialog boxes and popups, is supported.

To enable this, create the DWORD registry value WEBSSO_DHTML under HKLM\Software\Protocom\SecureLogin and set it to 1.

3.6 Changing Smart Card Login Password on Expiry

In SecureLogin 7.0 SP2 Hotfix 3, when the user logs in using NESCM (Novell Enhanced Smart Card Method) in eDirectory mode and the user's password has expired, SecureLogin detects the expired password and changes it automatically on behalf of the logged-in user. For more information, see Changing Smart Card Login Password on Expiry in the Novell Administration Guide.

3.7 Internet Explorer 9 Support

SecureLogin 7.0 SP2 Hotfix 2 supports Internet Explorer 9.

3.8 Limit Concurrent Connection

With the release of Novell SecureLogin 7.0 SP2 Hotfix 2, the Limit Concurrent Connection feature is implemented in the nwgina component of Novell SecureLogin.

3.9 Citrix XenApp 6 Support

SecureLogin 7.0 SP2 Hotfix 1 supports Citrix XenApp 6.

3.10 Secured LDAP Browsing Option

With the release of Novell SecureLogin 7.0 SP2, the LDAP Contextless Search feature has been enhanced to enable the LDAPAuth component to perform a search even when anonymous bind is disabled.

For more information, see Contextless Login in the Novell SecureLogin Installation Guide.

3.11 SLManager Support Enhanced

With the release of Novell SecureLogin 7.0 SP2, the SLManager feature has been enhanced so that you can query user objects and perform administration operations on directory objects even when LDAP anonymous bind is disabled.

3.12 Microsoft Credential Provider Support for CLE

In Windows Vista and Windows 7, password recovery support is available for graphical authentication interfaces such as the Credential Provider for LDAP clients and the Novell Client. In the absence of these clients, password recovery support is provided by the default Microsoft Credential Provider implemented by the Client Login Extension.

For more information, see the Novell Client Login Extension Guide.

3.13 One Time Password Support

SecureLogin 7.0 SP2 extends single sign-on support to applications configured to use a One Time Password (OTP).

Novell SecureLogin now generates the OTP automatically from the information previously configured for the application and fills in the credential field, providing a seamless SSO experience.

For more information, see GenerateOTP in the Novell SecureLogin Application Definition Guide.

3.14 Flash SSO Script Support

SecureLogin 7.0 SP2 supports Flash applications.

3.15 Formatting Message Box

SecureLogin 7.0 SP2 supports the \n and \t formats in the Messagebox.

3.16 Smart Card Support for Athena Middleware

SecureLogin 7.0 SP2 supports smart card authentication for Athena Middleware.

3.17 SecureLogin in Kiosk Mode

In Active Directory mode, SecureLogin by default uses the workstation login session to log in to SecureLogin. Users who want to log in to SecureLogin with different credentials can change a registry setting.

For detailed information on the registry settings, see SecureLogin in Kiosk Mode in the Novell Administration Guide.

3.18 Enable Pin Caching for a Smart Card

You can enable PIN caching for a smart card by updating a registry setting. For detailed information on the registry settings, see Enable Pin Caching for Smart Card in the Novell Administration Guide.

4.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 7

  • The issue with the PressInput command executing three times every time it is called is now fixed.

  • The issue with SecureLogin crashing in either SLBroker.exe or Iexplore.exe when accessing Web pages with multiple frames is now fixed.

  • The issue with the LDAP login dialog not showing the name of the last user logged in to the workstation is now fixed.

  • The issue with the Lotus Notes Single Logon service not working after installing SecureLogin is now fixed.

  • The issue with the user not finding the stored login credentials when a workstation does not have a primary attachment to the server running SecretStore is now fixed.

  • The issue with SecureLogin offline mode not being seamless in certain scenarios is now fixed.

  • The issue with Lotus Notes accepting the old password even after the password is changed is now fixed.

5.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 6

  • The issue with the schema extension rejecting the Protocom-SSO-ConnectionTimeToLive attribute as invalid because its name has more than 32 characters is now fixed. The attribute is now named Protocom-SSO-ConnectionTTL.

  • The issue with TLaunch on Windows XP placing excess load on the Remote Procedure Call service (RPCSS), causing RPCSS to leak memory and crash and requiring a reboot of the Windows host, is now fixed.

  • The issue with the Matchform command failing intermittently to match certain Web pages is now fixed.

6.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 5

  • The issue with SecureLogin not recognizing embedded Oracle login forms is now fixed.

  • The issue with Limit Concurrent Connection not clearing obsolete IP addresses is now fixed. Obsolete IP addresses stored in the Prot:SSO Connections attribute are now cleared in the following scenarios:

    • The time-to-live parameter expires.

    • The system crashes.

    • The SecureLogin session terminates.

  • The issue with SecureLogin wizard actions such as Drag and Drop and Show Me not functioning properly on .NET applications is now fixed.

  • The issue with LDAP queries getting a slow response from the directory is now fixed. LDAPQuery has been changed so that it no longer dereferences alias objects.

  • The issue with the slproto /runstartup command not executing properly is now fixed.

7.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 3

  • The issue with the SLAP tool not running on a client where SecureLogin is not running is now fixed. The SLAP tool is now marked as a primary launching application so that it can start the broker if it is not already running.

  • The issue with SecureLogin seamless login in offline mode not working when both the Password protect the system tray icon preference is set to Yes and TryRegCredInOffline is set to 1 is now fixed.

  • Internet Explorer crashing with a 0xc0000005 access violation is now fixed.

  • SecureLogin failing to start because of an SLBroker application error is now fixed.

  • Internet Explorer crashing when Web applications are opened in many tabs is now fixed.

  • The SecureLogin user being prompted twice to log in to the LDAP server is now fixed.

8.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 2

  • The issue with application objects with space characters in the name not being created by the iManager SSO plug-in is now fixed.

  • The issue with the browser crashing when dialog boxes such as ChangePassword and DisplayVariables are displayed is now fixed.

  • The Workstation Only option is now available on the main login screen of Novell SecureLogin, so it can be selected without opening the Advanced tab.

  • The issue of SLBroker crashing when multiple API connections or disconnections are made to the broker is now fixed.

9.0 Bugs Fixed in SecureLogin 7.0 SP2 Hotfix 1

  • The issue with the site command being empty when converting the wizard script for logon notification is now fixed.

  • The issue with detecting the Change Password form in the IBM Maximo Web application is now fixed.

  • The issue with SSO failing on relaunch for the aSNAP and Maximo pop-up windows in Internet Explorer 8 is now fixed.

  • The issue with Web page JavaScript that limited the processing time of the onBeforeNavigate function and prevented the user from navigating to the next page after clicking the Submit button is now fixed.

  • The issue with cross-thread failures that might hamper IESSO functionality is now fixed.

  • The issue of SLManager crashing when a filtered search returned more than a thousand objects is now fixed.

  • The issue of having to enter the base DN and filter manually in SLManager is now fixed. SLManager now saves up to 20 base DN and filter entries.

  • The issue with the Flash WindowFinder file having the wrong file extension is now fixed.

  • The issue with the import failing in the iManager SSO plug-in when the application name contained a / character is now fixed.

  • The issue with TLaunch not terminating when its associated emulator sessions were closed is now fixed.

10.0 Known Issues

10.1 General Issues

10.1.1 Unable to Instantiate the Scriptbroker Module: 80070005

When a Web page cannot send information to SecureLogin, the following error message is shown:

Unable to instantiate scriptbroker module: 80070005

To resolve this error, uninstall SecureLogin, delete its installation directory, delete the registry hive HKLM\Software\Protocom, then reinstall SecureLogin. Deleting the hive removes every SecureLogin registry setting on the workstation (for example, WEBSSO_DHTML), so record any settings you need before deleting it.

This workaround resolves this error for all Web pages, including the Web page that showed this error.

If the problem persists, re-register the following SecureLogin DLL files from an elevated command prompt (0x80070005 is the HRESULT E_ACCESSDENIED, and regsvr32 needs administrator rights to write the COM registration under HKLM):

regsvr32 "C:\Program Files\Novell\SecureLogin\iesso.dll"

regsvr32 "C:\Program Files\Novell\SecureLogin\slbroker.dll"

regsvr32 "C:\Program Files\Novell\SecureLogin\slcaptain.dll"
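The same re-registration as a script, added here as an example and not taken from the Novell readme or the product: it checks that the prompt is elevated, locates the three DLLs named above, runs regsvr32 silently on each, and reports the exit code instead of relying on the regsvr32 message box. The install directory is the default path from the readme; the fallback to the 32-bit Program Files directory is an assumption for 64-bit Windows.

```powershell
# Added example (not from the Novell readme): re-register the SecureLogin COM
# DLLs named in the workaround and report any registration that fails.
# Assumptions: default install path (or its x86 equivalent on 64-bit Windows);
# run from an elevated PowerShell prompt, because regsvr32 writes to HKLM.

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt: regsvr32 without administrator rights fails with access denied (0x80070005).'
}

# Candidate install directories; the first one that exists is used.
$candidates = @('C:\Program Files\Novell\SecureLogin')
if (${env:ProgramFiles(x86)}) {
    $candidates += (Join-Path ${env:ProgramFiles(x86)} 'Novell\SecureLogin')   # assumption for 64-bit hosts
}
$installDir = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $installDir) { throw "SecureLogin install directory not found in: $($candidates -join ', ')" }

$dlls = 'iesso.dll', 'slbroker.dll', 'slcaptain.dll'
$failed = @()

foreach ($name in $dlls) {
    $path = Join-Path $installDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Missing: $path"
        $failed += $name
        continue
    }
    # /s suppresses the message box, so the exit code is the only result returned.
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList @('/s', "`"$path`"") -Wait -PassThru
    if ($proc.ExitCode -eq 0) {
        Write-Host "Registered: $path"
    } else {
        Write-Warning "regsvr32 returned exit code $($proc.ExitCode) for $path"
        $failed += $name
    }
}

if ($failed.Count -gt 0) {
    throw "Re-registration failed for: $($failed -join ', ')"
}
Write-Host 'All SecureLogin DLLs re-registered. Close and reopen the browser before retesting the Web page.'
```

Run it once, then retry the Web page that produced the error. A non-zero exit code from regsvr32 with an elevated prompt usually means the DLL itself could not be loaded, which points back at the reinstall step rather than at registration.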

10.1.2 Manual Entry of the Smart Card PIN for the Citrix Server Authentication

If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.

10.1.3 Novell SecureLogin Login in LDAP GINA Mode with eDirectory

Novell SecureLogin in LDAP GINA mode with eDirectory does not work when setting a passphrase for a new user if the fully distinguished name (FDN) of the eDirectory user is 128 characters or longer.

10.1.4 Validating an Old Password

In Microsoft Windows Server 2003 configurations, users might be able to log in to their workstations by using their old password for a period after a password change. Because the user has logged in successfully, Novell SecureLogin loads. A Windows Server 2003 domain controller setting (the old-password grace period) allows the old password to be reused for network logons during that period.

To disable the old password as soon as a password change occurs:

  1. On the domain controller, open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

  2. Create a new DWORD value named OldPasswordAllowedPeriod. The value is the grace period in minutes.

  3. Set this value to 0.

For more information, see the Microsoft Web site.
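One way to apply a registry DWORD such as the one above so that the change is recorded and verified, added here as an example that is not part of the Novell readme: the helper records the previous value, writes the new one, and reads it back before reporting. The usage lines apply it to the two DWORD settings this readme spells out, OldPasswordAllowedPeriod on the domain controller (this section) and WEBSSO_DHTML on the SecureLogin workstation (Section 3.5). Running it elevated on the right host is assumed; the registry paths and value names are the ones given on this page.

```powershell
# Added example (not from the Novell readme): set a REG_DWORD value with a
# before/after record and a read-back check. Assumptions: run from an elevated
# prompt; OldPasswordAllowedPeriod is set on each Windows Server 2003 domain
# controller, WEBSSO_DHTML on the SecureLogin workstation.
function Set-DwordValue {
    param(
        [Parameter(Mandatory)] [string] $Key,    # PowerShell registry path, e.g. HKLM:\SYSTEM\CurrentControlSet\Control\Lsa
        [Parameter(Mandatory)] [string] $Name,   # value name
        [Parameter(Mandatory)] [uint32] $Value   # new DWORD value
    )

    if (-not (Test-Path -LiteralPath $Key)) {
        # Create the key only when it is absent (the Lsa key always exists; the Protocom key may not).
        New-Item -Path $Key -Force | Out-Null
    }

    $before = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name

    if ($null -eq $before) {
        New-ItemProperty -LiteralPath $Key -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type DWord
    }

    # Read back so a silently failed write (for example, from a non-elevated prompt) is caught here.
    $after = (Get-ItemProperty -LiteralPath $Key -Name $Name).$Name
    if ($after -ne $Value) {
        throw "Write to $Key\$Name did not take effect (read back '$after', expected $Value)"
    }

    [pscustomobject]@{ Key = $Key; Name = $Name; Before = $before; After = $after }
}

# Domain controller: 0 minutes, so the old password is rejected as soon as it is changed.
Set-DwordValue -Key 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'OldPasswordAllowedPeriod' -Value 0

# SecureLogin workstation: enable scripting of modal and modeless dialog boxes (Section 3.5).
Set-DwordValue -Key 'HKLM:\SOFTWARE\Protocom\SecureLogin' -Name 'WEBSSO_DHTML' -Value 1
```

Keep the returned Before/After objects with your change record: when the grace period is set to 0 on one domain controller but not another, the behaviour this section describes persists on the unpatched controller, so apply the change on every domain controller and confirm each read-back.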

10.1.5 Error Message on No Password Policy Is Available

If password policies already exist, ignore the incorrect error message "0 password policy" that is shown when restoring user data.

10.1.6 Memory Leak in sldotnetsso64

The memory used on the workstation by sldotnetsso64 grows from approximately 15 MB to 142 MB.

10.1.7 The NMAS Client Is Not Available for Windows 2003 R2 64-Bit Machines

When you install the NMAS client on a Windows 2003 R2 64-bit machine, the following error message is shown:

Windows Vista or later required.

This error occurs because the NMAS client is not available for a Windows 2003 R2 64-bit machine.

10.1.8 SecureLogin Allows SSO for Web Applications in Mozilla Firefox

SecureLogin allows single sign-on for Web applications in Mozilla Firefox even when the Allow single sign-on to Mozilla Firefox preference is set to No. Do not rely on this preference alone to prevent single sign-on to Firefox until the issue is fixed.

10.2 DAS Issues

10.2.1 SecureLogin System Tray Icons Are Not Cleared During Fast User Switching in the Active Directory Mode

When you create a new DWORD value NSLADSAuth in HKLM\Software\Protocom\SecureLogin\ and set it to 1, multiple SecureLogin tray icons are displayed when you cancel the login operation.

Move the mouse pointer over the stale SecureLogin system tray icons to clear them.

10.2.2 Using iManager Fails to Extend the DAS Schema

The DAS schema extension fails to extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.

Use one of the following workarounds to resolve the issue.

  • Using ConsoleOne: Browse to Tools > Schema > Add Attribute > Add Class, then specify the attribute information.

  • Using the ndssch command line utility: Use the ndssch utility, which is bundled with eDirectory, to extend the schema. Use the -h option, then specify the IP address of the server where you want to extend the schema.

    NOTE: You can run the utility from any workstation on which eDirectory is installed.

10.2.3 DAS Data Is Not Stored in the Log File

On Windows 7 and Windows Vista, the log file for the DAS feature does not store the DAS data when UAC is enabled. Changing the DASLog.txt file path from the installation directory to C:\ allows the log file to store the DAS data.

10.3 LDAP Issues

10.3.1 Could Not Load an Application

You can use the SecureLogin wizard to configure a .NET application in LDAP mode for its login credentials, change-password option, change-password notification, and so on. The performance of the configured application depends on its size and the number of associated controls. If the size and number of controls occupy a large amount of space in the system, the application fails to load on the next login attempt. Convert the application into an application definition and reduce its size before logging in.

10.3.2 Concurrent Connection Is Established

If anonymous bind is disabled and the registry on the workstation is not configured for the bind, a concurrent connection is established with the full DN.

10.3.3 IP Address Not Removed

After the Unlock as Workstation check box is selected and the user logs in to the workstation, the IP address entry is not removed from the iManager connections field.

10.4 pcProx Issues

10.4.1 pcProx Identification

pcProx identification fails in the Novell Client on Microsoft Windows 2008 and Windows 7 on the first login attempt for a new user. An error message indicating that the system cannot log in to the network appears and prompts the user to verify the credentials.

To work around the problem, use the NMAS pcProx sequence for the first login to the Novell Client. pcProx identification works correctly in subsequent logins.

10.4.2 pcProx Unlock Operation in the Citrix Session

Unlocking a Citrix session by using the NMAS pcProx sequence does not work. That is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or the Windows screen saver, the unlock operation through the NMAS pcProx sequence does not function.

10.5 Secure Workstation Issue

10.5.1 The Secure Workstation Session Management Process Is Blocked

When an administrator logs in to a workstation on which User Account Control (UAC) is enabled, the Secure Workstation Session Management Process is blocked and an error message is shown.

On Windows 7, the workaround is to run the process manually.

On Windows Vista, unblock the process directly from the taskbar. If the process is not unblocked, you cannot log in by using the NMAS Secure Workstation sequence and you see the error message: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.

This error occurs only for users with administrator privileges, not for standard (non-administrator) users.

For detailed information, see the Microsoft Developer Network Web site.

10.5.2 Using the NMAS Login with the Secure Workstation Sequence on a Microsoft Windows Vista Desktop

On a Microsoft Windows Vista desktop, when an administrator uses the NMAS login with the Secure Workstation sequence without first unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.

The issue exists when the NMAS login is used with the Novell Client or the Novell SecureLogin-LDAP Client.

10.5.3 The Login Fails when the Secure Workstation Post-Login Method Is Added to the Login Sequence

The Secure Workstation policy fails when it is set through iManager, because the post-login method fails on NMAS Server version 3.1.0.

To resolve this issue, upgrade to the latest NMAS server version that SecureLogin supports.

10.6 Smart Card Issues

10.6.1 Incorrect Smart Card Error Message

If a user logs in without a smart card when the Use Smart card to encrypt SSO Data preference is set to PKI Credentials and the Enable Passphrase Security System preference is set to No, the user is not prompted for the smart card.

Instead, the user gets an incorrect message: The smartcard does not contain any certificates that match the certificate selection criteria.

10.6.2 Failure to Launch SecureLogin without the User Principal Name

Novell SecureLogin fails to launch with smart card authentication when the smart card has no User Principal Name and Use Smart card to encrypt SSO Data is set to No.

This problem can be resolved by using either of the following options:

  • Set the Use Smart card to encrypt SSO Data preference to PKI Credentials.

  • Configure the smart card with a User Principal Name.

10.6.3 Unable to Unlock the System Tray Icon

When a user logs in with NESCM and the SecureLogin Password protect the system tray icon preference is set to Yes, the user cannot unlock the system tray icon by using the smart card PIN.

To resolve this issue, use the eDirectory password to unlock the system tray icon.

10.6.4 SecureLogin in SecretStore Mode

The ChangePasswordOnExpiry feature does not work when SecureLogin is installed in SecretStore mode.

10.7 Upgrade Issues

10.7.1 Upgrading with Customized Version of Novell SecureLogin

When you upgrade to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized files with the standard files.

To retain the customized settings, do one of the following:

  • Replicate the customized settings in the Novell SecureLogin 7.0 MSI.

  • Back up the customized files before the upgrade, then restore them after the upgrade.

10.7.2 Prompt to Close Windows Explorer During Upgrade

If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close Windows Explorer, Windows Installer, and so on during an upgrade from version 6.1 or 6.1 SP1 to 7.0 SP2.

Click Ignore to proceed with the upgrade.

10.7.3 SLMANAGER.EXE Is Installed Automatically During the Upgrade

When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is automatically installed. There is no option available to stop the installation of SLMANAGER.EXE during the upgrade process.

To work around this issue, create a .bat file with the following lines to manually delete SLMANAGER.EXE:

@echo off 
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk" 
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"

10.7.4 Prompt for Password When the Notification Area Icon Is Password Protected

During the upgrade from Novell SecureLogin 6.1 to 7.0, if the Password protect the system tray icon preference is enabled, users are prompted to provide the network password.

To work around the issue:

  1. Stop Novell SecureLogin manually before starting the upgrade.

    or

    Run slproto /forceshutdown from the command line to shut down Novell SecureLogin.

    If you stop SecureLogin manually, you are prompted to specify the password.

    If you use the slproto /forceshutdown command, you are not prompted to specify the password.

  2. Start the upgrade.

  3. Specify the correct credentials.
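The shutdown-then-upgrade sequence above as a script, added here as an example that is not part of the Novell readme or the product: it runs the force shutdown, waits for the SecureLogin broker process to exit before the installer touches its files, then starts the MSI with a verbose log. The install directory and slproto.exe location are the defaults from this readme; that the broker process is SLBroker.exe (named in Section 4.0) and the MSI path are assumptions, and step 3 (entering credentials) remains interactive in the installer.

```powershell
# Added example (not from the Novell readme): stop SecureLogin without the
# tray-icon password prompt, confirm the broker has exited, then run the upgrade.
# Assumptions: default install path; slproto.exe lives in that directory; the
# broker process is SLBroker.exe; the MSI path is a placeholder to replace.
$installDir = 'C:\Program Files\Novell\SecureLogin'
$msi        = 'C:\Temp\NovellSecureLogin-7.0-SP2.msi'   # hypothetical path

$slproto = Join-Path $installDir 'slproto.exe'
if (-not (Test-Path -LiteralPath $slproto)) { throw "slproto.exe not found at $slproto" }
if (-not (Test-Path -LiteralPath $msi))     { throw "Upgrade package not found at $msi" }

# Step 1: /forceshutdown stops SecureLogin without prompting for the network password.
& $slproto /forceshutdown

# Give the broker up to 30 seconds to exit before starting the installer.
$deadline = (Get-Date).AddSeconds(30)
while ((Get-Process -Name 'SLBroker' -ErrorAction SilentlyContinue) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Milliseconds 500
}
if (Get-Process -Name 'SLBroker' -ErrorAction SilentlyContinue) {
    throw 'SLBroker.exe is still running; stop SecureLogin manually before upgrading.'
}

# Step 2: start the upgrade with a verbose log so a failed upgrade can be diagnosed.
$log  = Join-Path $env:TEMP 'securelogin-upgrade.log'
$proc = Start-Process -FilePath 'msiexec.exe' `
                      -ArgumentList @('/i', "`"$msi`"", '/l*v', "`"$log`"") `
                      -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "msiexec exited with code $($proc.ExitCode); see $log"
}
Write-Host "Upgrade finished; log written to $log"
# Step 3 (specifying the correct credentials) is completed in the installer dialogs.
```

Because /forceshutdown bypasses the tray-icon password, restrict the script to administrators and run it from an elevated prompt; on a shared workstation the same command lets anyone with local admin rights stop SecureLogin silently.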

10.8 Web-Related Issues

10.8.1 Accessing Web Applications from a Windows Server

Web applications accessed directly through Internet Explorer on a Microsoft Windows 2000, 2003, or 2008 server might not work correctly until the Internet Explorer Enhanced Security Configuration is disabled on the server. Alternatively, go to Internet Options > Advanced, then enable third-party Web browser extensions.

This does not impact the clients connected to a Microsoft Windows 2000, 2003, or 2008 server.

10.8.2 Firefox Issue During Installation

Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation.

If this happens, click Import to import the Internet Explorer settings or click Cancel to cancel the import. The Novell SecureLogin installation proceeds.

10.8.3 Not Prompted for Credentials

When a DHTML-enabled Web application is started, SecureLogin does not prompt for credentials. This occurs when SecureLogin fails to run the predefined application definition that enables single sign-on for the site.

To resolve this issue, close the browser session and relaunch the Web application.

10.9 Oracle Form Issues

10.9.1 Support for Oracle Forms

Novell SecureLogin 7.0 SP2 supports Web-enabled Oracle form applications. Therefore, Oracle JInitiator and the JRE must be available on the system where Novell SecureLogin 7.0 SP2 is used. If they are not present on a machine where Novell SecureLogin is already running, install the missing Java components, then run the repair option of the SecureLogin installer. The repair option adds the Java component used for Oracle form applications.

10.9.2 Authentication Fields Shown on Two Windows

Clicking the Show Me button shows authentication fields in an application being defined in the Application Definition Wizard. When you define an Oracle form that is run from a browser, the identified fields might show on the Oracle form and on the browser. You can ignore this behavior.

10.9.3 Naming an Oracle Form Application

The Java component assigns a name taken from the title field of the innermost container to an Oracle form application. If the innermost container is not assigned a title when the forms are created, the wizard cannot assign a name to the Oracle form application.

10.9.4 An Application Definition Takes Time to Open

Loading Oracle components requires some time before an application definition for an Oracle form is started. Therefore, the Wizard takes some time when starting the application definition for an Oracle form.

10.10 Client Login Extension Issues

10.10.1 The Specified Text Is not Displayed

You can use the Client Login Extension tool to specify the text to be shown when a user clicks the Did you forget your Password? link. However, the text specified for the Novell Client is not shown when the link is clicked.

10.10.2 Forgotten Password Link Is Not Working

Using the Forgotten Password link to recover a forgotten password on a locked workstation does not work with the Microsoft Credential Provider for the Novell Client.

10.11 Flash SSO Script Issues

10.11.1 No Wizard Support

SecureLogin does not support any wizard for Flash applications.

10.11.2 Title Command Is not Recognized

SecureLogin does not recognize the Title command for NSL Flash scripts. Use the ctrl command to match the window title.

10.11.3 Select Command Is not Working

The NSL script Select command does not work for Flash applications.

10.11.4 Change in the Window Size

If the window size changes or the mouse pointer is moved to another window, the NSL Flash script execution might not work as expected.

10.11.5 Memory Leak

There is a small memory leak of about 20 to 40 KB every time an NSL Flash script is executed.

11.0 Documentation

The full product documentation is available at the Novell SecureLogin 7.0 SP2 Documentation Web site.