Novell SecureLogin is a single sign-on application. It consists of multiple, integrated security systems that provide authentication and single sign-on to networks and applications. It provides a single entry point to the corporate network and its user resources, increasing security while enhancing compliance with corporate security policies. Novell SecureLogin also eliminates the requirement for users to remember multiple usernames and passwords, and automatically enters them for users when required. For detailed information on Novell SecureLogin, visit the Novell SecureLogin product Web site.
Novell SecureLogin 7.0 Service Pack 3 includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs.
Novell SecureLogin 7.0 Service Pack 3 includes the following new features, enhancements and software fixes.
NOTE: For the list of software fixes and enhancements in previous releases, see SecureLogin 7.0 SP2 Readme.
SecureLogin uses the advanced authentication infrastructure provided by Authasas for authentication in an Active Directory environment. SecureLogin supports integration of Authasas advanced authentication functionality, such as biometric authentication by using fingerprint and authentication by using Smart Card. For more information, see Authasas Support.
With this feature enabled, LDAPAuth encrypts and stores the Windows workstation or the Active Directory domain user password locally and retrieves it when required. You need not re-enter the workstation password from the next login onwards through LDAP GINA or Credential Provider. For more information, see Disconnected Login Using NESCM.
A new trigger, on-ad-login, and two actions, ad-logout and test-ad-logged-in, are added to enhance DAS support with Active Directory:
on-ad-login: To identify user login to Active Directory
ad-logout: To un-bind the user from the Active Directory and terminate SecureLogin
test-ad-logged-in: To check if user has logged into Active Directory and execute any necessary actions
For more information, see DAS support with Active Directory.
SecureLogin 7.0 SP3 supports Fujitsu mPollux DigiSign Smart Card middleware.
SecureLogin 7.0 SP3 supports Mozilla Firefox 9.0 and Mozilla Firefox 10.0.
Novell SecureLogin includes the following software fixes and enhancements:
SecureLogin 7.0 SP3 provides a new command, RunEX, that executes a function in the hidden mode based on the options the user provides. (BUG 487462)
The syspassword variable now has the updated password every time the password is changed in the directory. (BUG 300317)
SecureLogin now logs the DataStoreVariableNotAvailable exception to trace errors that occur while trying to read a directory attribute. (BUG 354507)
User can set (BUG 346691) DWORD to a value equivalent to the sync time required for eDirectory to capture the updated password. If the password is not updated, SecureLogin does not throw an error message, but waits until the time set in and logs in after the password is synchronised successfully.
When SecureLogin is installed in ADAM mode, SLmanager connects to ADAM and displays only the objects listed in the ADAM directory. (BUG 684223)
When you mouse over the SecureLogin Tray Icon, the currently logged in user name is displayed. To enable this preference set the (BUG 630568) to .
You can now add a new registry key named HKLM/Protocom/SecureLogin to configure a new directory path which is different from the existing cache directory. (BUG 347806) in
You can enable or disable all the standard Windows navigation keys using the following two new action tags:
<disable-standard-navigation/>: Disables the standard navigation windows keystrokes.
<enable-standard-navigation/>: Restores the standard navigation windows keystrokes.
SecureLogin supports multiple certificates for Fujitsu DigiSignClient. You can now configure more than one certificate and use them for authentication. (BUG 653
A new registry, DisplayErrorsOnStartup, is added which when set to 1 suppresses any startup error message during login. (BUG 538564)
You can set the time limit to display the password using (BUG 676950) Password option in .
In the application definition, the following two new commands are added to search for a substring within a string:
ReadText: To read the string value.
Substr: To search a sub string from the specified text.
The issue with the SecureLogin client not querying the secondary LDAP server when the primary server is down is now resolved. The fix now works both for (BUG 726972) and options.
The issue with syspassword not storing the password when user tries to unlock the workstation using NESCM is now fixed. The syspassword variable now stores the correct user password after the workstation unlock operation using NESCM method. (BUG 745329)
The issue with SecureLogin displaying an error message and not allowing the user to log in when the EnforceConcurrentConnections registry is set to 0 is now fixed. (BUG 747880)
Issue: SecureLogin does not display the passphrase question when you change the universal password. This happens if the Universal Password is synced with eDirectory, but the NDS password is not synced with eDirectory.
Fix: A new security preference called (BUG 730379) which when set to in SLManager allows SecureLogin to use the user's password (NDS or Universal) to encrypt or decrypt SecureLogin SSO data.
Tlaunch now launches successfully every time with IBM Personal Communications. (BUG 693804)
To install SecureLogin 7.0 Service Pack 3, see Novell SecureLogin Installation Guide.
When a Web page could not send information to SecureLogin by using a different method, the following error message is shown:
Unable to instantiate scriptbroker module: 80070005
To resolve this error, uninstall SecureLogin, delete its installation directory, delete the registry hive hklm/software/protocom, then reinstall SecureLogin.
This workaround resolves this error for all Web pages, including the Web page that showed this error.
If the problem persists, re-register the following SecureLogin DLL files:
regsvr32 "C:\Program Files\Novell\SecureLogin\iesso.dll"
regsvr32 "C:\Program Files\Novell\SecureLogin\slbroker.dll"
regsvr32 "C:\Program Files\Novell\SecureLogin\slcaptain.dll"
If you are using smart card authentication for the Citrix login prompt, enter the smart card PIN manually, because the PIN is not cached for the Citrix server authentication.
Novell SecureLogin in the LDAP GINA mode with eDirectory does not work while setting a passphrase for a new user if the fully distinguished name (FDN) of the eDirectory user has 128 characters or more.
In Microsoft Windows 2003 configurations, users might be able to log in to their workstations by using the old password. Because the user has logged in successfully, Novell SecureLogin loads. A Windows 2003 server attribute (the password lifetime period) allows the reuse of an old password.
To disable an old password as soon as a password change occurs:
Update the domain controller registry setting with the following value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create the new DWORD value OldPasswordAllowedPeriod.
Set this value to 0.
For more information, see the Microsoft Web site.
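The registry change described in the steps above, as an added PowerShell example (it is not part of the original readme and is not Novell or Microsoft code). The function name Set-OldPasswordAllowedPeriod and its -Value parameter are hypothetical; the key path and value name are the ones given in the steps. Run it in an elevated session on the domain controller.

```powershell
# Added example: audit and enforce OldPasswordAllowedPeriod on the local
# domain controller. Function and parameter names are hypothetical.
function Set-OldPasswordAllowedPeriod {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 is the value the readme prescribes.
        [int]$Value = 0
    )

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'OldPasswordAllowedPeriod'

    # Read the current setting; $null means the value has never been created.
    $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current) {
        Write-Verbose "$name is not present; the Windows default applies."
    }
    elseif ($current -eq $Value) {
        Write-Verbose "$name is already $Value; nothing to change."
        return [pscustomobject]@{
            Name = $name; Before = $current; After = $current; Changed = $false
        }
    }

    $after = $current
    if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Value")) {
        # -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord `
            -Value $Value -Force | Out-Null
        # Read the value back so the report reflects what is in the registry.
        $after = (Get-ItemProperty -Path $path -Name $name).$name
    }

    [pscustomobject]@{
        Name = $name; Before = $current; After = $after
        Changed = ($after -ne $current)
    }
}

# Preview the change without writing anything.
Set-OldPasswordAllowedPeriod -WhatIf -Verbose

# To apply it, run the same call without -WhatIf:
# Set-OldPasswordAllowedPeriod -Verbose
```

The returned object records the value before and after the call, which gives a per-controller record when the change is rolled out to several domain controllers.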
If password policies already exist, ignore the incorrect error message 0 password policy, which is shown when restoring user data.
The memory used on the workstation by sldotnetsso64 increases from approximately 15 MB to 142 MB.
When you are installing the NMAS client on a Windows 2003 R2 64-bit machine, the following error message is shown:
Windows Vista or later required.
You get this error because the NMAS client is not available for a Windows 2003 R2 64-bit machine.
SecureLogin allows single sign-on for web applications in Mozilla Firefox even when preference is set to .
When you create a new NSLADSAuth in HKLM\Software\Protocom\SecureLogin\ and set the value of NSLADAuth as 1, then the multiple SecureLogin tray icons are displayed when you cancel the login operation.as
Mouse over the SecureLogin system tray icons to clear them.
The DAS schema extension fails to extend correctly through iManager because of a defect in the Import Conversion Export utility of eDirectory.
Use one of the following workarounds to resolve the issue.
Using ConsoleOne: Browse to> > > . Specify the attribute information.
Using the ndssch Command Line Utility: Use the ndssch utility to extend the schema. The utility is bundled with eDirectory. Use the -h option, then specify the IP address of the NetWare workstation where you want to extend the schema.
NOTE: You can use the utility from any workstation on which eDirectory is installed.
On Windows 7 and Windows Vista, the log file for the DAS feature does not store the DAS data when UAC is enabled. Changing the DASLog.txt file path from the installation location to C:\ enables the log file to store DAS data.
You can use the SecureLogin wizard to configure a .NET application in the LDAP mode for its login credentials, change the password option, change the password notification, and so on. The performance of the configured application depends on its size and the number of associated controls. If the size and number of controls occupy a large amount of space in the system, the application fails to load on the next login attempt. You should convert the application into an application definition, then reduce its size before logging in.
If an anonymous bind is disabled and the registry is not set in the workstation for the bind, then a concurrent connection is established with a full DN.
After the check box is selected and the user logs in to the workstation, the IP address entry is not removed from the iManager connections field. This is applicable if the option is set.
The pcProx identification fails in the Novell Client on Microsoft Windows 2008 and Windows 7, on the first attempt for a new user. An error message indicating that the system cannot log in to the network appears and prompts the user to verify the credentials.
To fix the problem, use the NMAS pcProx sequence during the first attempt to log in to the Novell Client. pcProx identification happens correctly in the subsequent logins.
Unlocking a Citrix session by using the NMAS pcProx sequence does not work, that is, if a remote Citrix session is locked by using the Secure Workstation QLL GUI or by using the Windows screen saver option, the unlock operation through the NMAS pcProx sequence does not function.
When an administrator logs in to a workstation on which User Access Control is enabled, the Secure Workstation Session Management Process is blocked and an error message is shown.
On Windows 7, the workaround is to manually run the process.
On Windows Vista, directly unblock the process from the taskbar. If the process is not unblocked, you cannot log in by using the NMAS secure workstation sequence and you see the error message: Error 740: Secure Workstation Session Management Process is blocked. Unblock to continue.
This error occurs only for a user with administrator privileges and not for a user with non-administrator privileges; that is, a standard user.
For detailed information, see the Microsoft Developer Network Web site.
On a Microsoft Windows Vista desktop, when the administrator uses the NMAS login with the Secure Workstation sequence without unblocking the Secure Workstation session management process (wsaccsmp), the NMAS login fails with error code 740.
The issue exists when the NMAS login is used with the Novell Client or the Novell SecureLogin-LDAP Client.
The Secure Workstation policy fails when it is set through iManager because the post-login method fails for NMAS Server version 3.1.0.
To resolve this issue, upgrade to the latest NMAS server version that SecureLogin supports.
After the first successful LDAP NESCM offline authentication, when NSL is closed and reopened and the user logs in using Smart Card PIN, authentication fails.
Use the directory password or passphrase in the SecureLogin offline dialog to log in.
If a user logs in without a smart card when the preference is set to and the preference is set to , the user is not prompted for the smart card.
Instead, the user gets an incorrect message: The smartcard does not contain any certificates that match the certificate selection criteria.
Novell SecureLogin fails to launch using the smart card authentication without the User Principal Name, when is set to .
This problem can be resolved if you use any of the following options:
preference is set to .
The smart card must be configured with a User Principal Name.
When the user logs in with NESCM and SecureLogin is set to yes, then the user cannot unlock the system tray icon using the Smart Card PIN.
To resolve this issue, use the eDirectory password to unlock the system tray icon.
The ChangePasswordOnExpiry feature does not work when SecureLogin is installed in SecretStore mode.
When you upgrade to 7.0 from a customized version of Novell SecureLogin (customized bitmaps, LocalHero.dll, and similar files), the new version replaces the customized file with the standard files.
To retain the customized settings, do one of the following:
Replicate the customized settings on Novell SecureLogin 7.0 MSI.
Create a backup of the customized file, then apply it after the upgrade.
If you have installed Novell SecureLogin in LDAP mode on a Microsoft Windows Vista machine, you are prompted to close the Windows Explorer, Windows installer and so on during upgrade from version 6.1, 6.1 SP1, or 7.0 SP2 to 7.0 SP3.
Click to proceed with the upgrade.
When upgrading from SecureLogin 6.0 to SecureLogin 7.0, SLMANAGER.EXE is automatically installed. There is no option available to stop the installation of SLMANAGER.EXE during the upgrade process.
To work around this issue, create a .bat file with the following lines to manually delete SLMANAGER.EXE:
@echo off
del "C:\Documents and Settings\All Users\Start Menu\Programs\Novell SecureLogin\SecureLogin Manager.lnk"
del "C:\Program Files\Novell\SecureLogin\slmanager.exe"
During the upgrade from Novell SecureLogin 6.1 to 7.0, if the icon preference is enabled, the users are prompted to provide the network password.
To work around the issue:
Stop Novell SecureLogin manually before starting to upgrade.
Run slproto/forceshutdown from the command line to shut down Novell SecureLogin.
If you stop SecureLogin manually, you are prompted to specify the password.
If you use the slproto/forceshutdown command, you are not prompted to specify the password.
Start the upgrade.
Specify the correct credentials.
Web applications directly accessed through Internet Explorer on a Microsoft Windows 2000, 2003 or 2008 server might not work correctly until the option is disabled on the server. Alternatively, you can go to > , then enable the third-party Web browser extensions.
This does not impact the clients connected to a Microsoft Windows 2000, 2003, or 2008 server.
Start Mozilla Firefox at least once before installing Novell SecureLogin. Otherwise, a message prompting you to import Internet Explorer settings is displayed during the Novell SecureLogin installation.
If this happens, click to import the Internet Explorer settings or click to cancel the import. The Novell SecureLogin installation proceeds.
When a DHTML-enabled Web application is started, SecureLogin fails to prompt for entering the credentials. The error occurs when SecureLogin fails to run the predefined application definition to enable single sign-on for the site.
To resolve this issue, close the browser session and relaunch the Web application.
Novell SecureLogin 7.0 SP3 supports Web-enabled Oracle form applications. Therefore, Oracle JInitiator and JRE should be available in the system where Novell SecureLogin 7.0 SP3 will be used. If they are not present on the machine where Novell SecureLogin is already running, add the missing Java components in the machine, and then run the repair option available with the SecureLogin installer. The repair option of the installer adds the new Java component to be used for Oracle form applications.
Clicking the button shows authentication fields in an application being defined in the Application Definition Wizard. When you define an Oracle form that is run from a browser, the identified fields might show on the Oracle form and on the browser. You can ignore this behavior.
The Java component assigns a name taken from the title field of the innermost container to an Oracle form application. If the innermost container is not assigned a title when the forms are created, the wizard cannot assign a name to the Oracle form application.
Loading Oracle components requires some time before an application definition for an Oracle form is started. Therefore, the Wizard takes some time when starting the application definition for an Oracle form.
You can use the Client Login Extension tool to specify the text to be shown when a user clicks the Did you forget your Password? link. However, the text specified for the Novell Client is not shown when the link is clicked.
Using the Forgotten Password link to recover the password forgotten for a locked workstation does not work on Microsoft Credential Provider for Novell Client.
SecureLogin does not support any wizard for Flash applications.
SecureLogin does not recognize the Title command for NSL Flash scripts. Use the ctrl command to match the window title.
The NSL script Select command does not work for Flash applications.
If the window size is changed or the mouse control is pointed to another window, the NSL Flash script execution might not work as expected.
There is a small memory leak of about 20-40 KB every time the NSL Flash script is executed.
The full product documentation is available at the Novell SecureLogin 7.0 SP3 Documentation Web site.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2005-2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.