tomwagener

Active Directory & eDirectory Smartcard Login

Hi,

I have problems getting Smartcard Login to work with the "login with non-novell credential provider" option enabled.

Setup is as follows:

- Terminal Services running on Windows 2008 R2
- User account in eDirectory and Active Directory with same user name & password
- On the server: Novell Client 2 SP1 IR3, Cryptovision Smartcard middleware (CSP), Enhanced Smart Card Method 3.0.7 (NMAS Authentication = ON in Novell Client)
- Client: tested with both Windows XP and Windows 7 clients with same results


Configuration 1:
- Novell Client setting "login with non-novell credential provider" = ON
- Novell Client setting "Novell Logon" = OFF
- Logging in with username & password
- Result: works as expected: authenticated in AD & eDirectory and Novell scripts are executed

Configuration 2:
- Novell Client setting "login with non-novell credential provider" = doesn't matter
- Novell Client setting "Novell Logon" = ON
- Logging in with username & password
- Result: works as expected: authenticated in AD & eDirectory and Novell scripts are executed

Configuration 3:
- Novell Client setting "login with non-novell credential provider" = doesn't matter
- Novell Client setting "Novell Logon" = ON
- Logging in with Smartcard
- Result: authenticated in eDirectory, Novell scripts executed BUT asks for password for Active Directory login (Novell client passes the typed-in Smart Card PIN to the Active Directory Domain Controllers as password...)

Configuration 4:
- Novell Client setting "login with non-novell credential provider" = ON
- Novell Client setting "Novell Logon" = OFF
- Logging in with Smartcard
- Result: authenticated in Active Directory. Not authenticated in eDirectory and Novell scripts don't run. Doesn't even ask for eDirectory credentials (password or PIN)

In all cases, the "TSClientAutoAdminLogon" policy doesn't change the behaviour/result at all.

In configuration 4, with NMAS tracing enabled, nothing is logged in the trace file at all. So it looks like the Enhanced Smart Card Method is not even called. Still in configuration 4, I can right-click the red N in the taskbar and log in to eDirectory using the Smart Card...

Configuration 4 is what we need. As far as I remember, "passive mode" (in the XP/2003 Novell Client), now "login with non-novell credential provider", was implemented by Novell for this very purpose. Or not?

I would REALLY appreciate any help on this. It's been weeks of trying, googling etc to get this running 😞

Thanks a lot!

Tom
Marcel_Cox

Re: Active Directory & eDirectory Smartcard Login

tomwagener;2018051 wrote:
Hi,

I have problems getting Smartcard Login to work with the "login with non-novell credential provider" option enabled.

<snip>


I have no solution for your problem, just a hint for a search for answers in case you don't get a reply here.
NESCM questions typically belong to the NMAS forum. So in case you don't get a reply here, you might try in:

Modular Authentication Services & Universal Password
tomwagener

Re: Active Directory & eDirectory Smartcard Login

Marcel_Cox;2018263 wrote:
I have no solution for your problem, just a hint for a search for answers in case you don't get a reply here.
NESCM questions typically belong to the NMAS forum. So in case you don't get a reply here, you might try in:

Modular Authentication Services & Universal Password


Thanks for the hint!

Tom
tomwagener

Re: Active Directory & eDirectory Smartcard Login

We opened a call with Novell on 9th September for this problem. After having our case re-assigned 2 or 3 times to different Novell engineers (and having to explain to each one again what the problem is), the problem has, as of a few days ago, officially become a bug.

Hope the bug resolution time is shorter than the bug "identification" time of three months...
Anonymous_User

Re: Active Directory & eDirectory Smartcard Login

What is working for me (found that approach while playing with Smartcard
authentication in a test environment):

"Novell Logon" = OFF
"login with non-novell credential provider" = OFF
System Login Profiles:
edit "Default"
under credentials deselect "Enable password field"
under NMAS set Sequence to "Enhanced Smart Card"

create a new shortcut in the startup folder pointing to
C:\Windows\System32\loginw32.exe %USERNAME% /CONT

In my case the context configured in the Default Login Profile is static, so
I don't know if LDAP contextless login would work or if the user could
be found by any other means if you require a search over the tree.
I never investigated the "complex" context scenario.

--
Robert Schlacher
Graz University of Technology, Austria
rschla@gmx.at
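The Startup-folder shortcut Robert describes, written out as a PowerShell script. This is an added example for this page, not code from the thread or from Novell; it assumes the Novell Client's loginw32.exe is at its default location under System32, and the shortcut file name "Novell eDirectory Login.lnk" is an arbitrary choice. The %USERNAME% argument is stored unexpanded, as in the post, so the shell resolves the name of whoever logs on to the terminal server rather than the name of whoever ran the script.

```powershell
# Added example (not from the thread): create or remove the Startup-folder
# shortcut that runs loginw32.exe after the Windows (AD) logon, so the
# eDirectory login via the Enhanced Smart Card NMAS sequence happens second.
# Assumptions: Novell Client installed at the default path; the .lnk name
# below is arbitrary.
param(
    [switch]$AllUsers,   # use the common Startup folder (requires admin rights)
    [switch]$Remove      # delete the shortcut instead of creating it
)

$loginw32 = Join-Path $env:SystemRoot 'System32\loginw32.exe'
if (-not (Test-Path -LiteralPath $loginw32)) {
    throw "loginw32.exe not found at $loginw32 - is the Novell Client installed?"
}

# Per-user Startup folder by default; CommonStartup applies to every session
# on the terminal server, which is what you want for Configuration 4.
$folder     = if ($AllUsers) { 'CommonStartup' } else { 'Startup' }
$startupDir = [Environment]::GetFolderPath($folder)
$lnkPath    = Join-Path $startupDir 'Novell eDirectory Login.lnk'

if ($Remove) {
    if (Test-Path -LiteralPath $lnkPath) {
        Remove-Item -LiteralPath $lnkPath
        Write-Host "Removed $lnkPath"
    }
    return
}

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath = $loginw32
# Kept unexpanded on purpose (single quotes): the shell expands %USERNAME%
# at launch for the logged-on user, not at script run time.
$lnk.Arguments        = '%USERNAME% /CONT'
$lnk.WorkingDirectory = Split-Path -Parent $loginw32
$lnk.Description      = 'eDirectory login with the Enhanced Smart Card NMAS sequence'
$lnk.Save()

Write-Host "Created $lnkPath -> `"$($lnk.TargetPath)`" $($lnk.Arguments)"
```

Run it once per server (with -AllUsers for every session), and with -Remove to back it out. Whether the user is prompted for the PIN a second time at this point is decided by the smart card middleware, not by the shortcut: if the middleware caches the PIN so that the second login is silent, the PIN is being held in the session, which is a trade-off worth making a deliberate decision about.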

tomwagener

Re: Active Directory & eDirectory Smartcard Login

Thanks, but unfortunately this doesn't work in my environment.
It asks for the PIN after I launch loginw32.exe. In fact, I would wonder where it got the PIN from if it didn't ask...

Thanks anyway,

Tom

Robert Schlacher;2055421 wrote:
What is working for me (found that approach while playing with Smartcard
authentication in a test environment):

"Novell Logon" = OFF
"login with non-novell credential provider" = OFF
System Login Profiles:
edit "Default"
under credentials deselect "Enable password field"
under NMAS set Sequence to "Enhanced Smart Card"

create a new shortcut in the startup folder pointing to
C:\Windows\System32\loginw32.exe %USERNAME% /CONT

In my case the context configured in the Default Login Profile is static, so
I don't know if LDAP contextless login would work or if the user could
be found by any other means if you require a search over the tree.
I never investigated the "complex" context scenario.

--
Robert Schlacher
Graz University of Technology, Austria
rschla@gmx.at
Anonymous_User

Re: Active Directory & eDirectory Smartcard Login

tomwagener wrote:
> Thanks, but unfortunately this doesn't work in my environment.
> It asks for the PIN after I launch loginw32.exe. In fact, I would wonder
> where it got the PIN from if it didn't ask...

That seems to be a feature of our smartcard middleware.
There exists a CacheAuthenticationPin setting in the configuration.

--
Robert Schlacher
Graz University of Technology, Austria
rschla@gmx.at