Novell SecureLogin Release Notes 7.0 Service Pack 3

April 2012

Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. Novell SecureLogin also eliminates the requirement for users to remember multiple usernames, and passwords and automatically enters them for users when required. For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site..

Novell SecureLogin 7.0 Service Pack 3 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.

1.0 What’s New?

Novell SecureLogin 7.0 Service Pack 3 includes the following new features, enhancements and software fixes.

NOTE:For the list of software fixes and enhancements in previous releases, see SecureLogin 7.0 SP2 Readme.

1.1 Authasas Support

SecureLogin uses the advanced authentication infrastructure provided by Authasas for authentication in an Active Directory environment. SecureLogin supports integration of Authasas advance authentication functionality, such as biometric authentication by using fingerprint and authentication by using Smart Card. For more information, see Authasas Support.

1.2 Disconnected Login Using NESCM

With this feature enabled, LDAPAuth encrypts and stores the Windows workstation or the Active Directory domain user password locally and retrieve it when required. You need not re-enter the workstation password from next login onwards through LDAP GINA or Credential Provider. For more information, see Disconnected Login Using NESCM.

1.3 Enhanced DAS Support with Active Directory

A new trigger, on-ad-login, and two actions, ad-logout and test-ad-logged-in, are added to enhance DAS support with Active Directory:

  • on-ad-login: To identify user login to Active Directory

  • ad-logout: To un-bind the user from the Active Directory and terminate SecureLogin

  • test-ad-logged-in: To check if user has logged into Active Directory and execute any necessary actions

For more information, see DAS support with Active Directory.

1.4 Fujitsu Middleware Support

SecureLogin 7.0 SP3 supports Fujitsu mPollux DigiSign Smart Card middleware.

1.5 Mozilla Firefox Support

SecureLogin 7.0 SP3 supports Mozilla Firefox 9.0 and Mozilla Firefox 10.0.

1.6 Enhancements and Software Fixes

Novell SecureLogin includes the following software fixes and enhancements:


RunEx Command Executes in the Hidden Mode

SecureLogin 7.0 SP3 provides a new command, RunEX, that executes a function in the hidden mode based on the options the user provides. (BUG 487462)

syspassword Variable Gets Updated

The syspassword variable now has the updated password every time the password is changed in the directory. (BUG 300317)

Ability to Trap Exceptions Reading Directory Attributes

SecureLogin now logs the DataStoreVariableNotAvailable exception to trace errors that occurs while trying to read a directory attribute. (BUG 354507)

Setting Sync Time to Synchronize Updated Password with eDirectory

User can set SyncDelay DWORD to a value equivalent to the sync time required for eDirectory to capture the updated password. If the password is not updated, SecureLogin does not throw an error message, but will wait till the time set in SyncDelay and logs in after the password is synchronised successfully. (BUG 346691)

SLManager Lists ADAM Objects

When SecureLogin is installed in ADAM mode, SLmanager connects to ADAM and displays only the objects listed in the ADAM directory. (BUG 684223)

User Name Displays Over the SecureLogin Tray Icon

When you mouse over the SecureLogin Tray Icon, the currently logged in user name is displayed. To enable this preference set the Display user name on mouse over tray icon to True. (BUG 630568)

Writing the Log Files in the Path Specified by the User

You can now add a new registry key named LogFileDirectory in HKLM/Protocom/SecureLogin to configure a new directory path which is different from the existing cache directory. (BUG 347806)

Enabling and Disabling Windows Navigation Keys

You can enable or disable all the standard Windows navigation keys using the following two new action tags:

  • <disable-standard-navigation/>: Disables the standard navigation windows keystrokes.

  • <enable-standard-navigation/>: Restores the standard navigation windows keystrokes.

    (BUG 669114)

Supporting Multiple Certificates for Fujitsu DigiSignClient

SecureLogin supports multiple certificates for Fujitsu DigiSignClient. You can now configure more than one certificates and use the same for authentication. (BUG 653

Suppressing the Startup Error Message

A new registry, DisplayErrorsOnStartup, is added which when set to 1 suppresses any startup error message during login. (BUG 538564)

Setting the Time Limit for the Password Display

You can set the time limit to display the password using Obscure Show Password option in Preferences. (BUG 676950)

Searching a Substring within a String

In the application definition, the following two new commands are added to search for a substring within a string:

  • ReadText: To read the string value.

  • Substr: To search a sub string from the specified text.

(BUG 215191)

Software Fixes

SecureLogin Client does not Query the Secondary LDAP Server

The issue with the SecureLogin client not querying the secondary LDAP server when the primary server is down is now resolved. The fix now works both for Anonymous Bind Enabled and Anonymous Bind Disabled options. (BUG 726972)

syspassword Variable not Storing the Password

The issue with syspassword not storing the password when user tries to unlock the workstation using NESCM is now fixed. The syspassword variable now stores the correct user password after the workstation unlock operation using NESCM method. (BUG 745329)

Unable to Log In to the System when EnforceConcurrentConnection Registry is Set to 0

The issue with SecureLogin displaying an error message and not allowing the user to login when the EnforceConcurrentConnections registry set to 0 is now fixed. (BUG 747880)

Passphrase Question not Displayed on Changing the Universal Password

Issue: SecureLogin does not display the passphrase question when you change the universal password. This happens if the Universal Password is synced with eDirectory, but the NDS password is not synced with eDirectory.

Fix: A new security preference called eDirectory Network Authentication using which when set to Password in SLManager allows SecureLogin to use the user's password (NDS or Universal) to encrypt or decrypt SecureLogin SSO data. (BUG 730379)

Tlaunch crashes on the First Launch of IBM Personal Communications

Tlaunch now launches successfully every time with IBM Personal Communications. (BUG 693804)

2.0 System Requirements

For detailed information on supported environments, see Supported Environments in the Novell SecureLogin Quick Start Guide.

3.0 Installing SecureLogin 7.0 Service Pack 3

To install SecureLogin 7.0 Service Pack 3, see Novell SecureLogin Installation Guide.

4.0 Known Issues

4.1 General Issues

Unable to Instantiate the Scriptbroker Module: 80070005

When a Web page could not send information to SecureLogin by using a different method, the following error message is shown:

Unable to instantiate scriptbroker module: 80070005

To resolve this error, uninstall SecureLogin, delete its installation directory, delete the registry hive hklm/software/protocom, then reinstall SecureLogin.

This workaround resolves this error for all Web pages, including the Web page that showed this error.

If the problem persists, re-register the following SecureLogin DLL files:

regsvr32 "C:\Program Files\Novell\SecureLogin\iesso.dll

regsvr32 "C:\Program Files\Novell\SecureLogin\slbroker.dll

regsvr32 "C:\Program Files\Novell\SecureLogin\slcaptain.dll

Manual Entry of the Smart Card PIN for the Citrix Server Authentication

If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.

Novell SecureLogin Login in LDAP GINA Mode with eDirectory

Novell SecureLogin in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the fully distinguished name (FDN) of the eDirectory user has 128 characters or more.

Validating an Old Password

In Microsoft Windows 2003 configurations, users might be able to log in to their workstations by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the reuse of an old password.

To disable an old password as soon as a password change occurs:

  1. Update the domain controller registry setting with the following value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  2. Create the new DWORD value OldPasswordAllowedPeriod.

  3. Set this value to 0.

For more information, see the Microsoft Web site..

Error Message on No Password Policy Is Available

If password policies already exist, ignore the incorrect error message 0 password policy, which is shown when restoring user data.

Memory Leak in sldotnetsso64

The memory used on the workstation by sldotnetsso64 increases from approximately 15 MB to 142 MB.

The NMAS Clients Is Not Available for Windows 2003 R2 64-Bit Machines

When you are installing the NMAS client on a Windows 2003 R2 64-bit machine, the following error message is shown:

Windows Vista or later required.

You get this error because the NMAS client is not available for a Windows 2003 R2 64-bit machine.

Securelogin Allows SSO for Web Applications in Mozilla Firefox

Securelogin allows single sign-on for web applications in Mozilla Firefox even when Allow single sign-on to Mozilla Firefox preference is set to No.

4.2 DAS Issues

SecureLogin System Tray Icons Are Not Cleared During Fast User Switching in the Active Directory Mode

When you create a new DWORD as NSLADSAuth in HKLM\Software\Protocom\SecureLogin\ and set the value of NSLADAuth as 1, then the multiple SecureLogin tray icons are displayed when you cancel the login operation.

Mouse over the SecureLogin system tray icons, to clear the SecureLogin system tray icons.

Using iManager Fails to Extend the DAS Schema

The DAS schema extension fails to extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.

Use one of the following workarounds to resolve the issue.

  • Using ConsoleOne: Browse to Tools > Schema > Add Attribute > Add Class. Specify the attribute information.

  • Using the ndssch Command Line Utility: Use the ndssch utility to extend the schema. The utility is bundled with eDirectory.Use the -h option, then specify the IP address of the NetWare workstation where you want to extend the schema.

    NOTE:You can use the utility from any workstation on which eDirectory is installed.

DAS Data Is Not Stored in the Log File

On Windows 7 and Windows Vista, the log file for the DAS feature does not store the DAS data when UAC is enabled. Changing the DASLog.txt file path from the installation location to C:\ enables the log file to store DAS data.

4.3 LDAP Issues

Could Not Load an Application

You can use the SecureLogin wizard to, configure a .NET application in the LDAP mode for its login credentials, change the password option, change the password notification, and so on. The performance of the configured application depends on its size and the number of associated controls. If the size and number of controls occupy a large amount of space in the system, the application fails to load on the next login attempt. You should convert the application into an application definition, then reduce its size before logging in.

Concurrent Connection is Established

If an anonymous bind is disabled and the registry is not set in the workstation for the bind, then a concurrent connection is established with a full DN.

IP Address Not Removed

After the Unlock as Workstation check box is selected and the user logs in to the workstation, the IP address entry is not removed from the iManager connections field. This is applicable if the option EnforceConcurrentConnections is set.

4.4 pcProx Issues

pcProx Identification

The pcProx identification fails in the Novell Client on Microsoft Windows 2008 and Windows 7, on the first attempt for a new user. An error message indicating that the system cannot log in to the network appears and prompts the user to verify the credentials.

To fix the problem use the NMAS pcProx sequence during the first attempt to log in to the Novell Client. pcProx identification happens correctly in the subsequent logins.

pcProx Unlock Operation in the Citrix Session

Unlocking a Citrix session by using the NMAS pcProx sequence does not work, that is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.

4.5 Secure Workstation Issue

The Secure Workstation Session Management Process Is Blocked

When an administrator logs in to a workstation on which User Access Control is enabled, the Secure Workstation Session Management Process is blocked and an error message is shown.

On Windows 7, the workaround is to manually run the process.

On Windows Vista, directly unblock the process from the taskbar. If the process is not unblocked, you cannot log in by using the NMAS secure workstation sequence and you see the error message: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.

This error occurs only for a user with administrator privileges and not for a user with non-administrator privileges; that is, a standard user.

For detailed information, see the Microsoft Developer Network Web site..

Using the NMAS Login with the Secure Workstation Sequence on a Microsoft Windows Vista Desktop

On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with the Secure Workstation sequence without unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.

The issue exists when the NMAS login is used with the Novell Client or the Novell SecureLogin-LDAP Client.

The Login Fails when the Secure Workstation Post-Login Method Is Added to the Login Sequence

The Secure Workstation policy fails when it is set through iManager because the post-login method fails for NMAS Server version 3.1.0.

To resolve this issue, upgrade to the latest NMAS server version that SecureLogin supports.

4.6 Smart Card Issues

SecureLogin Offline Login using Smart Card Fails

After the first successful LDAP NESCM offline authentication, when NSL is closed and reopened and the user logs in using Smart Card PIN, authentication fails.

Use the directory password or passphrase in the SecureLogin offline dialog to login.

Incorrect Smart Card Error Message

If a user logs in without a smart card when the Use Smart card to encrypt SSO Data preference is set to PKI Credentials and the Enable Passphrase Passphrase Security System preference is set to No, the user is not prompted for the smart card.

Instead, the user gets an incorrect message: The smartcard does not contain any certificates that match the certificate selection criteria.

Failure to Launch SecureLogin without the User Principal Name

Novell SecureLogin fails to launch using the smart card authentication without the User Principal Name, when Use Smart card to encrypt SSO Data is set to No.

This problem can be resolved if you use any of the following options:

  • The Use Smart card to encrypt SSO Data preference is set to PKI Credentials.

  • The smart card must be configured with a User Principle Name.

Unable to Unlock the System Tray Icon

When user logs in with NESCM and SecureLogin Password Protected System Tray Icon is set to yes, then the user cannot unlock the system tray icon using the Smart Card PIN.

To resolve this issue, use the eDirectory password to unlock the system tray icon.

SecureLogin in SecretStore Mode

The ChangePasswordOnExpiry feature does not work when Securelogin is installed in SecretStore mode.

4.7 Upgrade Issues

Upgrading with Customized Version of Novell SecureLogin

When you upgrade to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized file with the standard files.

To retain the customized settings, do one of the following:

  • Replicate the customized settings on Novell SecureLogin 7.0 MSI.

  • Create a backup of the customized file, then apply it after the upgrade.

Prompt to Close Windows Explorer During Upgrade

If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close the Windows Explorer, Windows installer and so on during upgrade from version 6.1, 6.1 SP1, or 7.0 SP2 to 7.0 SP3.

Click Ignore to proceed with the upgrade.

SLMANAGER.EXE Is Installed Automatically During the Upgrade

When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is automatically installed. There is no option available to stop the installation of SLMANAGER.EXE during the upgrade process.

To work around this issue, create a .bat file with the following lines to manually delete SLMANAGER.EXE:

@echo off 
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk" 
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"

Prompt for Password When the Notification Area Icon Is Password Protected

During the upgrade from Novell SecureLogin 6.1 to 7.0, if the Password protect the system tray icon preference is enabled, the users are prompted to provide the network password.

To work around the issue:

  1. Stop Novell SecureLogin manually before starting to upgrade.


    Run slproto/forceshutdown from the command line to shut down Novell SecureLogin

    If you stop SecureLogin manually, you are prompted to specify the password.

    If you use the slprotoc/forceshutdown command, you are not prompted to specify the password.

  2. Start the upgrade.

  3. Specify the correct credentials.

4.8 Web-Related Issues

Accessing Web Applications from a Windows Server

Web applications directly accessed through Internet Explorer on a Microsoft Windows 2000, 2003 or 2008 server might not work correctly until the Windows Enhanced Security option is disabled on the server. Alternatively, you can go to Internet Options > Advanced, then enable the third-party Web browser extensions.

This does not impact the clients connected to a Microsoft Windows 2000, 2003, or 2008 server.

Firefox Issue During Installation

Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation.

If this happens, click Import to import the Internet Explorer settings or click Cancel to cancel the import. The Novell SecureLogin installation proceeds.

Not Prompted for Credentials

When a DHTML-enabled Web application is started, SecureLogin fails to prompt for entering the credentials. The error occurs when SecureLogin fails to run the predefined application definition to enable single sign-on for the site.

To resolve this issue close the browser session and relaunch the Web application.

4.9 Oracle Form Issues

Support for Oracle Forms

Novell SecureLogin 7.0 SP3 supports Web-enabled Oracle form applications. Therefore, Oracle JInitiator and JRE should be available in the system where Novell SecureLogin 7.0 SP3 will be used. If they are not present on the machine where Novell SecureLogin is already running, add the missing Java components in the machine, and then run the repair option available with the SecureLogin installer. The repair option of the installer adds the new Java component to be used for Oracle form applications.

Authentication Fields Shown on Two Windows

Clicking the Show Me button shows authentication fields in an application being defined in the Application Definition Wizard. When you define an Oracle form that is run from a browser, the identified fields might show on the Oracle form and on the browser. You can ignore this behavior.

Naming an Oracle Form Application

The Java component assigns a name taken from the title field of the innermost container to an Oracle form application. If the innermost container is not assigned a title when the forms are created, the wizard cannot assign a name to the Oracle form application.

An Application Definition Takes Time to Open

Loading Oracle components requires some time before an application definition for an Oracle form is started. Therefore, the Wizard takes some time when starting the application definition for an Oracle form.

4.10 Client Login Extension Issues

The Specified Text Is not Displayed

You can use the Client Login Extension tool to specify the text to be shown when a user clicks the Did you forget your Password ? link. However, the text specified for the Novell Client is not shown when the link is clicked.

Forgotten Password Link is not Working

Using the Forgotten Password link to recover the password forgotten for a locked workstation does not work on Microsoft Credential Provider for Novell Client.

4.11 Flash SSO Script Issues

No Wizard Support

SecureLogin does not support any wizard for Flash applications.

Title Command Is not Recognized

SecureLogin does not recognize the Title command for NSL Flash scripts. Use the ctrl command to match the window title.

Select Command Is not Working

The NSL script Select command does not work for Flash applications.

Change in the Windows Size

If the window size is changed or the mouse control is pointed to another window, the NSL Flash script execution might not work as expected.

Memory Leak

There is a small memory leak of about 20-40 KB every time the NSL Flash script is executed.

5.0 Documentation

The full product documentation is available at the Novell SecureLogin 7.0 SP3 Documentation Web site.