
Client Login Extension and Credential Provider(s)?!


We are looking to implement SSPR and ideally utilise the Client Login
Extension.
We have eDir and AD, synced through an IDM 3.6 Identity Vault (its own
eDir).

Regarding the Client Login Extension I am investigating the statement
"This utility does not work with any application that alters the
Microsoft Credential Provider, except the Novell Client 4.91 SP3 or
later."

Does/can it work with chained Credential Providers?

All our Windows 7 machines have Novell Client 2 installed (and the ZCM 11.x
agent), but it is NOT primary,
i.e.
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Network Provider\Initial Login]
"Login With Non-Novell Credential Provider"="YES"
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Authentication\NCCredProvider]
"Enabled"=dword:00000000

So it logs on to the machine/AD and then passively logs into eDirectory
afterwards. We do not use ZCM user management (disabled in the agent config), so
it shouldn't even try that (but we also disable it manually in the registry too:
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\ZCM\ZenLgn]
"DisablePassiveModeLogin"=dword:00000001
"DisablePassiveModeLoginPrompt"=dword:00000001)

I think it should work OK for these machines?

All our laptops/tablets also have Sophos SafeGuard disk encryption
installed, which adds its own credential provider. We actually perform
pass-through authentication from the SafeGuard preboot authentication, so
it's not really relevant for this scenario (SafeGuard passwords
introduce their own and separate issues! ;-)

The other credential provider that can exist in our environment is the
Junos Pulse credential provider... We use this for VPN access and it
will automatically authenticate machines (using the AD computer account) if
within a trusted network environment (NHS N3) but will initiate a
two-factor user authentication (AD and SecurEnvoy) if connected to an
'external' network.

So, I guess this is the real concern/area to investigate.

Does anyone have experience in these areas that they can share?

I shall attempt to configure a test environment to test, but with so
many systems interacting (eDir, AD, IDM, Safeguard, Juniper, SecurEnvoy)
it is difficult to emulate.

Any thoughts and suggestions welcome!
Many thanks

David


--
djbrightman
------------------------------------------------------------------------
djbrightman's Profile: https://forums.netiq.com/member.php?userid=1524
View this thread: https://forums.netiq.com/showthread.php?t=52335

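As an added example (not code from the thread, nor from Novell/NetIQ or Microsoft), here is a read-only PowerShell audit that lists the credential providers and credential provider filters registered on a workstation, resolving each to its DLL so the vendor is visible, and then checks the Novell Client and ZCM registry values David lists against the "Novell Client not primary" state he describes. The Microsoft registry paths are the standard Windows ones; the expected values are taken from the question, and it assumes an elevated prompt on the workstation.

```powershell
# Added example (not from the thread): read-only audit of the credential-provider
# chain on a Windows 7 workstation before rolling out the Client Login Extension.
# Assumed: elevated PowerShell 2.0+ on the workstation; nothing is modified.

$cpRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filterRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'

function Get-RegisteredCredentialProviders {
    param([string]$Root)
    if (-not (Test-Path $Root)) { return }
    foreach ($key in Get-ChildItem $Root) {
        $clsid = $key.PSChildName
        # The default value of each CLSID subkey normally holds the provider's display name.
        $name = (Get-ItemProperty -Path $key.PSPath).'(default)'
        # Resolve the implementing DLL from the COM registration so the vendor is obvious
        # (e.g. Novell Client, Sophos SafeGuard, Junos Pulse, ZCM).
        $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = '<unresolved>'
        if ($srv) { $dll = $srv.'(default)' }
        New-Object PSObject -Property @{ CLSID = $clsid; Name = $name; Dll = $dll }
    }
}

'Registered credential providers:'
Get-RegisteredCredentialProviders $cpRoot | Format-Table CLSID, Name, Dll -AutoSize
'Registered credential provider filters (a filter can hide other providers at logon):'
Get-RegisteredCredentialProviders $filterRoot | Format-Table CLSID, Name, Dll -AutoSize

# The Novell/ZCM values quoted in the question, with the values that mean
# "Novell Client is not the primary provider and ZCM passive login is off".
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Novell\Network Provider\Initial Login'; Name = 'Login With Non-Novell Credential Provider'; Expected = 'YES' },
    @{ Path = 'HKLM:\SOFTWARE\Novell\Authentication\NCCredProvider';   Name = 'Enabled';                       Expected = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Novell\ZCM\ZenLgn';                      Name = 'DisablePassiveModeLogin';       Expected = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Novell\ZCM\ZenLgn';                      Name = 'DisablePassiveModeLoginPrompt'; Expected = 1 }
)
'Novell Client / ZCM settings from the question:'
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { $state = 'MISSING'; $actual = '' }
    else {
        $actual = $item.($c.Name)
        if ("$actual" -eq "$($c.Expected)") { $state = 'OK' } else { $state = 'MISMATCH' }
    }
    '{0,-9} {1}\{2} = {3}' -f $state, $c.Path, $c.Name, $actual
}
```

Run it on one machine of each build (plain, SafeGuard, Junos Pulse) and diff the provider lists; any provider or filter that is not Microsoft's or the Novell Client's is a candidate for the CLE incompatibility the documentation warns about.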

Re: Client Login Extension and Credential Provider(s)?!

1. I do not know how those other bits will apply.

2. Be sure you're on the latest CLE; this may require updating IDM, at
least in terms of maintenance/licensing, but I do not know that. The
reason I mention this is that:

3. I know there have been problems in the past with systems having the
ZCM credential provider, though it was a few years ago so I do not
remember version details. Be sure to test as thoroughly as possible, as
that is likely the only way to know for sure. In the end, what the CLE
does is very sensitive (in the security sense) so it is possible that it
will disable itself if it detects a possible security issue due to other
credential providers.

--
Good luck.
