Authenticating to Applications that require Active Directory-Style Authentication with Novell Domain Services for Windows


Written by: Norm O'Neal

Integrity Network Solutions

2010 Novell Knowledge Partner

In this case, the application is Citrix XenApp 6, formally known as Presentation Server. Follow me for layman's terms on getting it done. Remember, there are SEVERAL scenarios for utilizing DSfW, this is just one of many. Novell has awesome documentation at At the end of this doc, I have listed helful TID's and places where we had to make adjustments to the DSfW Server.

In your Lab environment…

Read TID#7002172 – Preparing for DSfW

Perform your eDirectory Health Checks. Make sure you do not have ANY errors in the tree. NONE. See Novell support site for eDirectory Health Checks utilizing dstrace, dsrepair etc. Good timesync is mission critcal, you must be able to use ldap, secure ldap, LUM etc. – NO ERRORS

Configure Universal Password and set the Universal Password for your test users.

Remember that in its current state, eDirectory Partitioning is critical for DSfW. During this install the customer only had one partition, which was at the root. We then partioned off the Organizational Unit. O=CPSC. Take note and read about the limitations regarding partitioning until the next version of DSfW. TID# 7002172 explains it well.

Now, our Active Directory emulation will be at the O – CPSC. The end result is that we will create an Active Directory Domain called CPSC.INT.

Install your OES 2 SP2 Server into your existing tree

Choose ONLY DSfW for your pattern during the installation. The Server will correctly choose its dependencies and you can drive on.

Once the server is in the tree, properly register it with the Novell Customer Care Center. Once that process is done, you can properly apply the post SP2 updates for OES2 via the online channel.

NOTE – there are CRITICAL POST SP2 Updates that DSfW needs to properly run in a XenApp 6 environment. Please search for my article "Debugging the Novell Customer Care Center," if you need help.

Lets get started with the OES2 Configuration portion of the install. You should be comfortable with where we are here….

Now to the DSfW Config – REMEMBER, if the server install fails here, you should go ahead and clean up eDirectory and REINSTALL. Have a good Template or Snapshot of a SLES10 SP3 Server.

Note: See above where our DNS Name for our new domain is This is being read from the Network Card configuration during the server install. NOTE – in most cases you would have set this to look like the rest of your network, In this case it would have been CPSC.K12.IN.US – HOWEVER, remember, this is DSfW and you are creating a new Active Directory Domain. So, configure your NIC and your Domain Suffixes as if it were the first server in Active Directory DURING THE SERVER INSTALL. This comes from Novell TID# 7002172

Note here the FDN of the new Administrator account & where it is in eDirectory. It will be a ? icon in Console One….

Remember, earlier we talked about our eDirectory Organization Unit is going to be mapped as our AD which is CPSC.INT – We also created our partition there for DSfW.

Ok, now prepare DNS for this new DSfW Server…Note – to all of us newbie's to Active Directory we need to realize that DNS is as critical as SLP so this has to be correct. In this case I checked "Get Context and proxy user info from existing DNS Server." So, you MUST know where your DNS Locator Objects are in eDirectory.

CRITICAL – YOU MUST LEAVE THE CHECK BOX FOR "USE SECURE LDAP PORT." The install will break if you uncheck this.

Once I clicked on Retrieve, the boxes were populated automatically. NOTE – this is an example, do not use Admin as your Proxy User.

Once you click next, you will get a config screen showing you what is getting ready to take place. You have one last chance to make adjustments.

The install is a success. No errors…remember, if you had errors you might as well cash it in and start over. Now that everything is successful we can configure DSfW.

Please launch YaST and open the DSfW Provisioning Wizard.

Now, log in with the credentials that you created during the install of DSfW earlier in this process.

Please follow the installation sequence. Pay close attention to what is going on in case you get an error. However, if you properly followed this document for this type of scenario, this should work just fine.

Once the services are installed without any errors whatsoever you can now join your Windows Machines to the new Active Directory Domain. Check it out!

Finally, I will login to the Citrix Delivery Center Console and XenApp 6 will see eDirectory as an Active Directory Domain…..See CPSC.INT…..Nice huh!!! Now just associate your end users to their respective applications and voila! You have, "Apps On Demand" for your eDirectory user accounts!

Enjoy DSfW!

Issues encountered during our install:

  • Error 139 during DNS installation portion of the install when NOT using Secure LDAP for DNS configuration.

  • BUG 589440 – namuseradd improperly handles existing uniqueID values – the exact problem was that the admin had multiple unique id's. This will not be an issue in OES3. If you run into this issue you need the binary "bug-589440_namuseradd"

  • Domain Trust errors between the Member Server and Domain Controller. This was fixed with the Post SP2 Updates for OES2 – IF YOU INSTALLED THE SAMBA PATCH, you MUST DO THIS:

    • Add  "unix extensions = no"  to the global section in /etc/samba/smb.conf

  • Add  "wide links = yes" to sysvol section in the /etc/samba/smb.conf

Now, if you have troubles see TID# 7002366 however I only needed 2 of the 35.

Thank you very much for reading. We hope this helps someone be successful with DSfW in this particular use case.


Norm O'Neal

Integrity Network Solutions

Team NUGI (Novell Users Group of Indiana)

2010 Novell Knowledge Partner

Articles in this series:

  1. Authenticating to Applications that require Active Directory-Style Authentication with Novell Domain Services for Windows - Part 1


How To-Best Practice
Comment List
  • Hello noneal,
    I have tried the same to install and i have seen the same problems. Thank you for your post. The user can login to the domain after you have resetted the user password, which will create the universal password at this moment for the existing users.