July 12, 2000 Novell Confidential - ITwelzel.bizgwise.itwelzel.biz/Novellpdf/Single Sign On...


Page 1: July 12, 2000 Novell Confidential - ITwelzel.bizgwise.itwelzel.biz/Novellpdf/Single Sign On 2.0... · 2001. 4. 24. · Installation and Administration Guide Place Part Number Here

July 12, 2000 Novell Confidential


Manual Rev 99a28 9 June 00

Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

This product may require export authorization from the U.S. Department of Commerce prior to exporting from the U.S. or Canada.

Copyright © 2000 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

U.S. Patent Nos. 5,157,663; 5,349,642; 5,553,139; 5,553,143; 5,594,863; 5,633,931; 5,671,414; 5,758,069; 5,781,724; 5,781,733; 5,818,936; 5,864,865; 5,905,860; 5,910,803; 5,925,108; 5,933,602; 5,964,872; 5,983,234; 6,002,398; 6,047,312; 6,052,724; 6,061,743; 6,067,093. Patents Pending.

Novell, Inc.

1800 South Novell Place

Provo, UT 84606

U.S.A.

www.novell.com

Installation and Administration Guide

July 2000

100-004620-001

Online Documentation: To access the online documentation for this and other Novell products, and to get updates, see www.novell.com/documentation.

Installation and Administration Guide (Place Part Number Here)


Novell Trademarks

ConsoleOne is a trademark of Novell, Inc.

eDirectory is a trademark of Novell, Inc.

GroupWise is a registered trademark of Novell, Inc. in the United States and other countries.

NetWare is a registered trademark of Novell, Inc. in the United States and other countries.

NetWare Loadable Module and NLM are trademarks of Novell, Inc.

Novell is a registered trademark of Novell, Inc. in the United States and other countries.

Novell Client is a trademark of Novell, Inc.


Novell Directory Services and NDS are registered trademarks of Novell, Inc. in the United States and other countries.

Novell SecretStore is a trademark of Novell, Inc.

ZENworks is a trademark of Novell, Inc.

Third-Party Trademarks

v-GO is a trademark of Passlogix, Inc.

All other third-party trademarks are the property of their respective owners.


Contents


Preface  9
  User Comments  9

Part I  Introduction

1  Introducing Novell Single Sign-on  13
  Product Overview  13
    SecretStore  13
  Single Sign-on Products  14
    Novell Single Sign-on  14
      Server Installation Programs  14
      Client Installation Programs  15
      New NDS Schema Classes  15
      SecretStore with ConsoleOne  15
      v-GO Client Software  15
      Single Sign-on Connectors  16
    v-GO for Novell Single Sign-on  16
      Web Application Support  16
      Windows Application Support  17
      Terminal Emulator Support  17
      Disconnected Access  17
      Administrative Override  17
      Client End User Utility  18

Part II  Installing Single Sign-on

2  Installing SecretStore on a Server  21
  Installing SecretStore on NetWare  21
    NetWare 5 Requirements  21
    Procedures  21
    Next Steps  22
  Installing SecretStore on Windows NT/2000  23
    Windows NT/2000 Requirements  23
    Procedures  23
    Next Steps  24


3  Installing Single Sign-on Administrative Components  25
  Administration Workstation Requirements  25
  Procedures  25
  Next Steps  26

4  Upgrading to v-GO for Novell Single Sign-on  27
  Next Steps  27

5  Installing Single Sign-on User Components  29
  Client Workstation Requirements  29
  Installing User Components  29
    Using the Novell Single Sign-on CD  29
    Using ZENWorks  29

Part III  Administering Novell Single Sign-on

6  Configuring Novell Single Sign-on  33
  Configuration Overview  33
  Single Sign-on NDS Objects  34
  v-GO Administrative Overrides  34
    v-GO General Page  34
    v-GO Password Page  36
    v-GO Logons Page  37
    v-GO Mainframe Page  38
  Setting Up the nssoSingleSignon Object  38
  Setting Up nssoApplication Objects  39
    Setting Properties for Predefined Applications  39
    Adding New Applications to v-GO for Novell Single Sign-on  39
  Creating and Applying a Password Policy  44

7  Security Considerations with Novell Single Sign-on  45
  Enhanced Protection Feature  45
    SecretStore Lock  45
    Master Password  46
    Application Password  47
  Disconnected Workstation Authentication  47
    NICI  48
    Windows Password Cache  48
    Deleting Accounts  49
    Customizable Settings  50
  NDS Screen Saver  53


Part IV  Using Novell Single Sign-on

8  Using the v-GO Client  57
  v-GO Client Overview  57
  Using Logon Manager  57
  Setting Preferences  58
  Using Disconnected Mode  58
  Changing Passwords  58

9  Managing Passwords  59
  Using ConsoleOne to Manage SecretStore  59
  Using the Single Sign-on Manager Utility  59

10  Using Single Sign-on with Internet Browsers  61
  Supported Browsers  61
  Configuring Browser/Password Behavior  61

11  Using Single Sign-on with Windows Applications  63
  Configuring Application/Password Behavior  63

12  Using Single Sign-on with Mainframe Terminal Emulators  65
  Terminal Emulation Overview  65
  Special Settings  66
    IBM Personal Communications 4.3  66
    Attachmate EXTRA! 6.3 and 6.5  66
    RUMBA  66
    WRQ Reflection 7  66
    Hummingbird HostExplorer  67

13  Using the Single Sign-on Connectors  69
  Connectors Download Site  69
  Supported Applications  69
    Continuus  69
    Entrust  69
    Lotus Notes  70
    Microsoft Access  70
    PeopleSoft 7.x  70
    SQL Integrator 1.0  70
    Vantive  70
    GroupWise 5.5 Enhancement Pack  71

A  SecretStore Error Codes and Descriptions  73

B  Setting Up the Security Domain Infrastructure (SDI) Key  75


Preface

This manual describes how to install and manage Novell® Single Sign-on and v-GO* for Novell Single Sign-on.

For the latest product information and updates, visit the Novell Single Sign-on product Web page (http://www.novell.com/products/sso/).

User Comments

We want to hear your comments and suggestions about this manual and the other documentation included with the Novell Single Sign-on products.

To contact us, send e-mail to [email protected], or send comments to:

Novell, Inc.

Product Documentation

MS PRV-C-231

1800 South Novell Place

Provo, UT 84606-6194 USA

Fax 1-801-861-3002


I Introduction

This section describes the Novell® Single Sign-on products.


1 Introducing Novell Single Sign-on

This chapter describes the Novell® Single Sign-on product line.

Product Overview

Novell Single Sign-on software allows you to store application and Web site login information within the NDS® User object. Once you've authenticated to the network via NDS, Single Sign-on stores and retrieves the appropriate login credentials, eliminating the need to remember the multiple passwords required for accessing password-protected applications and Web sites.

SecretStore

The Single Sign-on installation program extends the NDS schema to support the Novell SecretStore™ technology.

When a user authenticates to NDS and launches an application, the application password is moved to the SecretStore that resides within the user's NDS User object. From then on, when the user logs into NDS and launches the application, NDS retrieves the application password from SecretStore and provides it to the application or Web site in the background.

For more information on SecretStore, see the November 1999 edition of Novell Developer Notes (http://developer.novell.com/research/devnotes/1999/november/a5frame.htm).


Single Sign-on Products

Two separately licensed Single Sign-on products are available:

• Novell Single Sign-on

• v-GO* for Novell Single Sign-on (additional purchase required)

Novell Single Sign-on

Novell Single Sign-on software contains the following:

• Server installation programs for NetWare® 5 and NDS eDirectory™ or NDS Corporate Edition running on Windows* NT* and/or Windows 2000.

• Client installation program for Windows 95/98 and Windows NT/2000 workstations.

• New NDS® schema classes.

• SecretStore™ administration support using ConsoleOne™.

• A limited version of the v-GO* client that allows single sign-on access to five Web sites and to a limited number of predefined Windows applications.

• Support for Single Sign-on connectors.

Server Installation Programs

For NetWare, Single Sign-on is installed using the NWCONFIG utility. Specifically, the SecretStore Service NetWare Loadable Module™ (SSS.NLM) is installed, the schema is extended to support the new Single Sign-on objects, and the Security Domain Infrastructure (SDI) is initialized and/or validated.

For NDS eDirectory and NDS Corporate Edition running on Windows NT/2000, an InstallShield wizard program (SETUP.EXE) is used to install the appropriate SecretStore Service files to your NDS eDirectory or NDS Corporate Edition directory, the schema is extended, and the security domain infrastructure is set up.


Client Installation Programs

A client workstation setup program (NSSOINSTALL.EXE) is included on the Novell Single Sign-on CD-ROM. The program allows you to choose which items to install, including the Single Sign-on client components and the client version of Novell International Cryptographic Infrastructure (NICI).

ConsoleOne and the Single Sign-on snap-in for ConsoleOne can also be installed from the client workstation setup program when it is auto-run from the CD or started with an administrator-mode command line parameter.

New NDS Schema Classes

New schema classes are added to your NDS tree when you install Single Sign-on. These classes are used to instantiate Single Sign-on objects in your NDS tree for use in the administration of the Novell Single Sign-on and v-GO for Novell Single Sign-on systems.

The new classes are:

• nssoSingleSignon container

• nssoApplication

• nssoPasswordPolicy

• nssoPasswordExludeList

For more information on the Single Sign-on schema extensions, see Chapter 6, "Configuring Novell Single Sign-on," on page 33.

SecretStore with ConsoleOne

SecretStore provides a secure infrastructure for storing and retrieving application credentials in NDS. All SecretStore functionality is managed using the ConsoleOne utility. SecretStore works with NICI and SDI to safely and securely store a user's single sign-on passwords.

v-GO Client Software

Novell Single Sign-on includes a base version of v-GO that provides single sign-on to five Web logons of the user's choice, as well as a number of predefined Windows applications.


Single Sign-on Connectors

Connector software is available that provides integration between Novell Single Sign-on and other database-type applications.

Application launchers and unique login windows are provided that intercept the username and password for storage in and retrieval from SecretStore. Subsequent logins to the application via the application launcher will not require users to manually enter a username and password.

v-GO for Novell Single Sign-on

v-GO for Novell Single Sign-on is a separately purchased and licensed product. It is installed as part of Novell Single Sign-on and runs in a limited mode until specifically enabled by the administrator.

v-GO for Novell Single Sign-on contains the following:

• All of the functionality included in the Novell Single Sign-on product.

• Unlimited single sign-on to most Web sites and Web-based applications.

• Unlimited single sign-on to Windows applications.

• Terminal emulator support.

• Disconnected access to stored logon data.

• Administrative override functionality.

• Administrative utility designed for client end users.

Web Application Support

v-GO for Novell Single Sign-on supports an unlimited number of Web logons using interfaces to Internet Explorer and Netscape* versions 4 and later. Most Web application logons are recognized by v-GO, which can provide credentials for an automated logon, or it can prompt the user whether to create a logon entry for the current Web site.

When registering at new sites, v-GO can generate a strong password, store it as a Web logon entry in SecretStore, and insert the generated password into the registration form.


Windows Application Support

v-GO for Novell Single Sign-on provides almost unlimited support for logons to Windows applications. v-GO can watch for and automatically detect and respond to most logon dialog boxes.

After v-GO captures credentials when applications are first run, it reapplies the credentials whenever that logon dialog is detected. If an application has a recognized password change dialog, v-GO will provide the old password and allow the user to choose or generate a new password.

Terminal Emulator Support

v-GO provides single sign-on support for the following HLLAPI-based terminal emulators:

• Attachmate* EXTRA!*

• Hummingbird HostExplorer

• IBM* Personal Communications

• RUMBA*

• WRQ* Reflection*

Disconnected Access

v-GO for Novell Single Sign-on uses v-GO Local Store technology to access cached secrets after the NDS authenticated session is closed. Synchronization occurs when v-GO is started in the NDS connected network, whenever logon data is updated in the Local Store, and when v-GO shuts down.

Administrative Override

Network administrators have override control to all v-GO for Novell Single Sign-on functions.


Client End User Utility

The SecretStore Manager utility allows end users to perform basic maintenance tasks on their SecretStore. This includes setting or changing the Enhanced Protection Master Password data, unlocking SecretStore, deleting unneeded or expired application secrets, and performing basic troubleshooting tests against SecretStore.

Although the SecretStore Manager utility is not intended as the primary interface to Single Sign-on, it helps users manage SecretStore outside the interfaces provided by the single sign-on-enabled applications.


II Installing Single Sign-on

Novell® Single Sign-on requires the following installation steps:

1. Install the SecretStore™ service on a NetWare® 5 server or on a Windows* NT* or Windows 2000 server running NDS® eDirectory™ or NDS Corporate Edition.

2. Install client and administrative components on the administrator's Windows workstation.

3. Upgrade to v-GO* for Novell Single Sign-on (if you purchased this product).

4. Install Single Sign-on software on users' Windows client workstations.


2 Installing SecretStore on a Server

This chapter describes how to install the SecretStore™ service on a NetWare® 5 server or on a Windows* NT* or Windows 2000 server running NDS® eDirectory™ or NDS Corporate Edition.

Installing SecretStore on NetWare

NetWare 5 Requirements

• NetWare 5.x server

• Supervisor rights to the NDS® tree on the NetWare 5.x server

Procedures

To install SecretStore on a NetWare 5.x server:

1. Install the server version of Novell® International Cryptographic Infrastructure (NICI) 1.5.4.

  1a. At the NetWare server, insert the Novell Single Sign-on CD.

  1b. From the server console, load CDROM.NLM to mount the Novell Single Sign-on CD as a NetWare volume.

  1c. From the server console, start NWCONFIG.NLM.

  1d. Select Product Options > Install a Product Not Listed.

  1e. Highlight any path and press Enter.

  1f. Press F3 to enter a directory location.

  1g. Enter cd_volume_name:SERVER\NICI_1.5\NWSERVER.


  1h. Follow the on-screen instructions.

  1i. Exit NWCONFIG.

  1j. Shut down and restart the server.

2. Install the Novell SecretStore software.

  2a. At the NetWare server, insert the Novell Single Sign-on CD.

  2b. From the server console, load CDROM.NLM to mount the Novell Single Sign-on CD as a NetWare volume.

  2c. From the server console, start NWCONFIG.NLM.

  2d. Select Product Options > Install a Product Not Listed.

  2e. Highlight any path and press Enter.

  2f. Press F3 to enter a directory location.

  2g. Enter SERVER\NETWARE.

  2h. Follow the on-screen instructions.

  2i. Exit NWCONFIG.

  2j. Shut down and restart the server.

The SecretStore service (SSS.NLM) is now added to the AUTOEXEC.NCF file and should load automatically. The schema has also been extended to accommodate the new Single Sign-on objects.
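A post-install check for the step above, written here as an added example rather than anything shipped by Novell: it reads the server's AUTOEXEC.NCF and confirms that an active (not commented-out) line loads SSS.NLM, so the SecretStore service will come up on the next restart. The sample NCF content is constructed; the only NCF syntax it assumes is that lines beginning with `#` are comments, and that a load line may name the NLM with or without the `.NLM` extension and with or without a volume path.

```python
"""Verify that AUTOEXEC.NCF will autoload the SecretStore service (SSS.NLM).

Added example, not part of the Novell Single Sign-on product. Run it against
a copy of SYS:SYSTEM\AUTOEXEC.NCF taken from the server after step 2j.
"""
import re

# Constructed sample of an AUTOEXEC.NCF after the SecretStore install.
# The commented-out "load sss" line on line 5 must NOT count as active.
SAMPLE_AUTOEXEC_NCF = """\
set Time Zone = MST7MDT
file server name SSO-SRV1
load monitor
search add sys:\\system
# load sss   (old entry, disabled by the admin; assumed '#' comment syntax)
LOAD SSS.NLM
mount all
"""

# Matches: LOAD [volume:path\]SSS[.NLM] [optional parameters]
_LOAD_SSS_RE = re.compile(
    r"^\s*load\s+(?:[\w:\\./-]*[\\/])?sss(?:\.nlm)?(?:\s+.*)?\s*$",
    re.IGNORECASE,
)


def is_comment(line):
    """Treat '#'-prefixed lines as NCF comments (assumption, see lead-in)."""
    return line.strip().startswith("#")


def find_sss_load_lines(ncf_text):
    """Return 1-based line numbers of active lines that load SSS.NLM."""
    hits = []
    for number, line in enumerate(ncf_text.splitlines(), start=1):
        if is_comment(line):
            continue
        if _LOAD_SSS_RE.match(line):
            hits.append(number)
    return hits


def sss_autoload_status(ncf_text):
    """'ok' for exactly one active load line, 'missing' for none,
    'duplicate' if the service would be loaded more than once."""
    hits = find_sss_load_lines(ncf_text)
    if not hits:
        return "missing"
    if len(hits) > 1:
        return "duplicate"
    return "ok"


if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTOEXEC_NCF
    print("SSS.NLM load lines:", find_sss_load_lines(text))
    print("status:", sss_autoload_status(text))
```

Pass the path of a copied AUTOEXEC.NCF as the first argument; with no argument the script runs against the constructed sample. A "missing" result after the install means the service will not start on reboot and the NWCONFIG step should be repeated; "duplicate" usually means an earlier manual entry was left in place alongside the one the installer added.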

Next Steps

• To install the Single Sign-on administrative components, see Chapter 3, "Installing Single Sign-on Administrative Components," on page 25.

• To install v-GO* for Novell Single Sign-on, see Chapter 4, "Upgrading to v-GO for Novell Single Sign-on," on page 27.

• To install Single Sign-on software on user workstations, see Chapter 5, "Installing Single Sign-on User Components," on page 29.


Installing SecretStore on Windows NT/2000

Windows NT/2000 Requirements

• Windows NT* Server 4.0 with Service Pack 2 or later, or Windows 2000 Server

• NDS eDirectory or NDS Corporate Edition installed with a functioning NDS tree

IMPORTANT: Make sure that the Windows NT/2000 server running NDS eDirectory or NDS Corporate Edition is being used only as a server and not as a Novell client.

• Supervisor rights to the NDS tree on the Windows NT/2000 server

Procedures

To install SecretStore on a Windows NT/2000 server running NDS eDirectory or NDS Corporate Edition:

1. Install the server version of NICI 1.5.4.

  1a. Log in as user Administrator on the Windows NT/2000 server.

IMPORTANT: You must be logged in as user Administrator for the NICI software to be installed correctly.

  1b. On the Windows NT/2000 server running NDS eDirectory or NDS Corporate Edition, close all applications.

  1c. Insert the Novell Single Sign-on CD. Exit the auto-start client installation program if it starts.

  1d. Run the program NTNICIU0.EXE from the SERVER\NICI_1.5\NTSERVER directory on the Novell Single Sign-on CD. Overwrite all files. Restart the server.

  1e. If it is not already open, launch the NDS Services console window (NDSCONS.EXE) from the NDS eDirectory or NDS Corporate Edition directory (C:\NOVELL\NDS by default) on the Windows NT/2000 server.

The NICI NCP Handlers service (NICIEXT) should now start automatically.


2. Create or get the NICI tree key by running TREEKEY.BAT.

TREEKEY.BAT is located in the SERVER\NICI_1.5\TREEKEY4NT directory on the Novell Single Sign-on CD.

IMPORTANT: The NICI tree key is limited to one per tree. Follow these procedures only if no key exists and this server is going to be the one that creates the key.

If you think you might already have a tree key installed, follow the instructions in Appendix B, "Setting Up the Security Domain Infrastructure (SDI) Key," on page 75 before running the Single Sign-on installation program.

3. Once you have successfully installed the tree key, shut down and restart the server.

4. Run SETUP.EXE, located in the SERVER\NT directory on the Novell Single Sign-on CD. Follow the on-screen instructions.

IMPORTANT: Make sure that the destination directory corresponds to the directory where NDS eDirectory or NDS Corporate Edition resides on your Windows NT/2000 server (C:\NOVELL\NDS by default).

5. If necessary, launch the NDS Services console window (NDSCONS.EXE). If the NDS Services console window was already open, you must close and reopen the window to see the SecretStore Service (SSS).

Next Steps

- To install the Single Sign-on administrative components, see Chapter 3, "Installing Single Sign-on Administrative Components," on page 25.

- To install v-GO for Novell Single Sign-on, see Chapter 4, "Upgrading to v-GO for Novell Single Sign-on," on page 27.

- To install Single Sign-on software on user workstations, see Chapter 5, "Installing Single Sign-on User Components," on page 29.


3 Installing Single Sign-on Administrative Components

This chapter describes how to install the client and administrative components necessary to manage Novell® Single Sign-on.

Administration Workstation Requirements

- Windows* 95, Windows 98, Windows NT* 4.0, or Windows 2000 workstation used exclusively as a client workstation

- Supervisor rights to the NDS® tree where the SecretStoreTM service is installed

Procedures

To install Single Sign-on administrative components:

1. From the client workstation, log in to the NDS tree and server where the SecretStore service is located.

IMPORTANT: If you are installing on Windows NT or Windows 2000, you must be logged in as user Administrator in order for the NICI software to be installed correctly.

2. Insert the Novell Single Sign-on CD.

3. Choose the setup language.

The Novell Single Sign-on Administrator Installation screen appears.

4. Determine from the box on the right of the dialog which products you need to install.


5. If not selected already, select all Client and Administrative Components and click Install.

6. Follow the on-screen instructions.

Next Steps

- If you purchased the additional software, see Chapter 4, "Upgrading to v-GO for Novell Single Sign-on," on page 27.

- To install Single Sign-on software on your users' workstations, see Chapter 5, "Installing Single Sign-on User Components," on page 29.


4 Upgrading to v-GO for Novell Single Sign-on

v-GO* for Novell® Single Sign-on is a separately purchased and licensed product. It is installed as part of Novell Single Sign-on and runs in a limited mode until specifically enabled by the administrator.

To enable v-GO for Novell Single Sign-on:

1. From ConsoleOneTM, create an nssoSingleSignon object in your NDS® tree at or above the context of the users that you want to administer.

2. Edit the properties of the nssoSingleSignon object that you just created to enable the v-GO for NSSO product.

2a. Select the v-GO General property tab.

2b. Check the Enable v-GO for Novell Single Sign-on for All Users in This Container check box.

2c. Click the Accept button on the License Agreement dialog.

2d. Click Generate.

2e. Click OK to apply and close the property dialog.

3. Start (or restart) v-GO on the user workstation to have v-GO read the updated administrative overrides from the nssoSingleSignon object.

Next Steps

- To configure your specific implementation of Single Sign-on, see Chapter 6, "Configuring Novell Single Sign-on," on page 33.


5 Installing Single Sign-on User Components

This chapter describes how to install Novell® Single Sign-on software on users' Windows* client workstations.

Client Workstation Requirements

- Each user must have an assigned User object in the NDS® tree where the SecretStore service is installed

- Windows* 95, Windows 98, Windows NT* 4.0, or Windows 2000 workstation

Installing User Components

Using the Novell Single Sign-on CD

To install Single Sign-on using the Novell Single Sign-on CD:

1. From the client workstation, log in to the NDS tree as the appropriate user.

2. Insert the Novell Single Sign-on CD.

The client auto-start screen appears.

3. Follow the on-screen instructions.

Using ZENworks

Single Sign-on can be distributed to user workstations via ZENworksTM. A sample .AOT file is included on the Novell Single Sign-on CD.


III Administering Novell Single Sign-on

This section describes administrative functions of Novell® Single Sign-on.


6 Configuring Novell Single Sign-on

This chapter describes how to set up Novell® Single Sign-on in your NDS® tree using ConsoleOneTM.

Configuration Overview

Novell Single Sign-on has been designed to run out-of-the-box with little or no administrative setup. The default server and client installation options provide basic Novell Single Sign-on connector support and client capabilities. However, there are some reasons why you may want to additionally configure Novell Single Sign-on using the ConsoleOne management utility.

Many advanced v-GO* features are available only in the full v-GO for Novell Single Sign-on product. For example, in order to administer v-GO settings in NDS, support terminal emulators, permit unlimited Web logons per user, or define additional Windows applications that v-GO will recognize, you must license and enable v-GO for Novell Single Sign-on within ConsoleOne.

If you want to define v-GO recognition characteristics for undefined applications or establish application password policies to be enforced by v-GO for Novell Single Sign-on, you must use the Single Sign-on ConsoleOne snap-in to create and edit these settings.


Single Sign-on NDS Objects

When you install the SecretStoreTM Service on your NetWare® 5 or Windows* NT* or Windows 2000 server, the NDS schema is extended to accommodate the following additional objects:

- nssoSingleSignon container object

- nssoApplication object

- nssoPasswordPolicy object

- nssoPasswordExcludeList object

You first need to create and configure the nssoSingleSignon object. The nssoApplication, nssoPasswordPolicy, and nssoPasswordExcludeList objects must reside in the nssoSingleSignon container.

Each of these objects has its own set of property pages that are accessed using ConsoleOne.

v-GO Administrative Overrides

The nssoSingleSignon object has a v-GO property page that allows you to set up administrative overrides for Single Sign-on users residing within the container.

Some of the options have three settings: User-Defined, Yes, and No. User-Defined leaves the choice to the end user. Yes and No are forced settings and result in disabled options in the user's preferences.

There are four sub-pages on the v-GO property page: General, Password, Logons, and Mainframe.

v-GO General Page

Allow for Disconnected Operations: If checked, v-GO will function even when disconnected from NDS. This is most useful for laptop users and provides single sign-on functionality to local and Web applications while away from the office.


Remove Local Logon Data at Shutdown: Most useful for environments in which machine logons (but not NDS logons) are shared. If set to Yes, v-GO will remove the local cache of secrets when it is shut down.

Generate v-GO Configuration Data: v-GO downloads compiled configuration data from the nssoSingleSignon object at startup. This option populates the data for the attribute that contains application and password policy data.

Whenever you update objects within the nssoSingleSignon container, you must use Generate to update the compiled form of this data.

Enable v-GO for Novell Single Sign-on for All Users in This Container: Checking this option and accepting the v-GO for Novell Single Sign-on license agreement enables the full v-GO feature set. No other administrative configuration settings are honored by v-GO unless this option is set.

Import v-GO Application List: This option (also available when you're creating this object) creates nssoApplication Windows Application (Override) objects that allow you to set policy for v-GO's predefined applications. By default, Enhanced Protection is added to these application objects.

To use, browse to the installation directory for v-GO on your workstation (for example, C:\NOVELL\SSO\PASSLOGIX) and select the APPLIST.INI file.


v-GO Password Page

Auto-Prompt: Controls v-GO's behavior when application logon events are detected for which no logon data has been stored.

If turned on (or left at the default user-defined setting), v-GO will prompt users whether they want to add a Logon for the detected logon. If they respond yes, the Add Logon wizard will run.

If turned off, users can still add logon data by selecting Add Logon from the Single Sign-on icon on the application's title bar or from the Novell Single Sign-on icon in the Windows system tray.

Auto-Enter: Controls v-GO's behavior when application logon events are detected for which logon data has been stored.

If turned on (or left at the default setting), v-GO will press Enter after providing the username and/or password.

If turned off, v-GO will simply enter the data and allow the user to make any needed modifications to the logon screen before pressing Enter.

Reveal ID/Password: By default, users can use the v-GO My Logons interface to display saved logon details. If turned off, the reveal function is not allowed. (This setting can be controlled at the application level by setting this property on each nssoApplication object.)


Special Characters: For password policy implementation, this field lets administrators define the superset of special characters that can be used in passwords for any application.

(An exclude special characters setting on the nssoPasswordPolicy object subtracts from this list for a given application or set of applications that reference that policy.)

v-GO Logons Page

Access Icon: Controls the display of the small Novell Single Sign-on icon that appears on the title bar of the active window. This icon provides access to v-GO's Add Logon and Logon functions and is most useful if Auto-Prompt and/or Auto-Recognize are set to Off.

Display Dropdown: If the Access Icon is displayed and the dropdown is turned off, clicking the Icon results in either an Add Logon or Logon event, depending on whether or not a logon exists for the application window.

Auto-Recognize: Controls whether or not v-GO automatically provides logon data to applications for which Logons have been created.


v-GO Mainframe Page

NOTE: You generally don't need to override the mainframe support settings unless you want to disable support or specify which emulator is used. The v-GO client will auto-detect supported emulators using information located in the MFRMLIST.INI file.

Enable Mainframe Support: Can override the user setting for HLLAPI terminal emulator support.

Default Terminal Emulator: Can override the user setting for choice of terminal emulator. See MFRMLIST.INI in the v-GO client installation directory (C:\NOVELL\SSO\PASSLOGIX) for a list of acceptable names.

Unless users' workstations have more than one emulator, this setting is not necessary. Also, this setting should not be used if users being administered by this nssoSingleSignon object have different emulators.

Setting Up the nssoSingleSignon Object

The nssoSingleSignon object should be placed in your NDS tree at or above the context of the users you want to administer.

You can place an nssoSingleSignon container object anywhere in the NDS tree except at the [Root]. Ideally, the nssoSingleSignon container object should be located at or above the context of the users it is intended to affect; default search behavior is used to locate the Single Sign-on object in the user's context or higher in the tree. All users in the context at or below the object are administered by a single Single Sign-on object.

For example, if you want to administer Novell Single Sign-on for a username of CN=Pat.OU=Sales.O=Acme, you would place the nssoSingleSignon object in the NDS tree in the Sales or Acme container objects. Placing it in the Sales Organizational Unit container object would affect all users in Sales; placing it within the Acme Organization object would affect users in Sales (unless an nssoSingleSignon object also existed there).
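The container search described under "Setting Up the nssoSingleSignon Object" (search the user's own context, then each parent, never [Root]; the nearest object wins), as an added Python model that is not Novell's code. The tree, the user DNs and the function names are constructed assumptions; the dict value stands in for whether the object's "Enable v-GO for Novell Single Sign-on for All Users in This Container" option is checked.

```python
"""Added model of how a user's governing nssoSingleSignon object is located.
Constructed data; not Novell's implementation."""

from typing import Optional


def parent_contexts(user_dn: str) -> list[str]:
    """Contexts from the user's own container upward, in search order.

    'CN=Pat.OU=Sales.O=Acme' -> ['OU=Sales.O=Acme', 'O=Acme']
    [Root] is never returned: an nssoSingleSignon object cannot live there.
    """
    parts = [p.strip() for p in user_dn.split(".") if p.strip()]
    if not parts or not parts[0].upper().startswith("CN="):
        raise ValueError(f"expected a User object DN beginning with CN=, got {user_dn!r}")
    containers = parts[1:]  # drop the leaf CN component
    return [".".join(containers[i:]) for i in range(len(containers))]


def find_governing_object(user_dn: str, nsso_objects: dict[str, bool]) -> Optional[str]:
    """Context of the nearest nssoSingleSignon object at or above the user.

    nsso_objects maps a container context to whether its object has v-GO
    enabled (constructed representation). NDS names compare case-insensitively.
    None means no object on the path, so no administrative overrides apply.
    """
    by_key = {ctx.lower(): ctx for ctx in nsso_objects}
    for ctx in parent_contexts(user_dn):
        hit = by_key.get(ctx.lower())
        if hit is not None:
            return hit
    return None


def vgo_enabled_for(user_dn: str, nsso_objects: dict[str, bool]) -> bool:
    """True only if the governing object licenses the full v-GO product."""
    governing = find_governing_object(user_dn, nsso_objects)
    return governing is not None and nsso_objects[governing]


def users_affected_by(container: str, user_dns: list[str], nsso_objects: dict[str, bool]) -> list[str]:
    """Users whose governing object is the one in `container`. Users who must
    not inherit a licensed object above them need their own container with
    its own nssoSingleSignon object, which is what the guide's 'separate
    containers' rule amounts to."""
    return [
        u for u in user_dns
        if (find_governing_object(u, nsso_objects) or "").lower() == container.lower()
    ]


# Constructed tree: the licensed object sits in O=Acme; OU=Contractors carries
# its own unlicensed object, so its users keep plain Single Sign-on only.
NSSO_OBJECTS = {
    "O=Acme": True,
    "OU=Contractors.O=Acme": False,
}
USERS = [
    "CN=Pat.OU=Sales.O=Acme",
    "CN=Lee.OU=Eng.O=Acme",
    "CN=Kim.OU=Contractors.O=Acme",
    "CN=Sam.O=Other",
]

if __name__ == "__main__":
    for u in USERS:
        print(u, "->", find_governing_object(u, NSSO_OBJECTS), "v-GO:", vgo_enabled_for(u, NSSO_OBJECTS))
```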


When using v-GO* for Novell Single Sign-on, all Novell Single Sign-on users gain access to the v-GO for Novell Single Sign-on product and, therefore, must be licensed. If you intend to upgrade only certain users to the full v-GO product, Novell Single Sign-on users and v-GO for Novell Single Sign-on users must be located in separate containers.

Setting Up nssoApplication Objects

v-GO for Novell Single Sign-on supports three application types:

- Windows Override (for predefined applications)

- Windows (for administrator-defined applications)

- Terminal Emulator (for mainframe applications)

Setting Properties for Predefined Applications

If you want to administratively control settings for applications supported by v-GO for Novell Single Sign-on, you must create nssoApplication objects of the type Windows Application (Override). You can create these objects when creating or editing properties of the nssoSingleSignon object by using the Import v-GO application list option.

Once the override objects are created, you can apply application and password policies to them by editing the properties of each object. By default, these objects are created with the Enhanced Protection and Allow User to Reveal Password options enabled.

Adding New Applications to v-GO for Novell Single Sign-on

Although v-GO for Novell Single Sign-on can detect and add new applications on-the-fly using the Add Logon wizard, it is usually more efficient to have the administrator do this once for all users in NDS. Using administrator-defined applications streamlines the v-GO user's Add Logon experience to one in which only the username and password need be collected.

For applications that aren't widely used, it may be appropriate to let this small number of users rely on v-GO's full Add Logon wizard to both define the application characteristics and collect authentication information.


Novell Single Sign-on provides administrative support to add Windows and mainframe applications to v-GO's predefined list of applications. To add an application, you will create an nssoApplication object within the nssoSingleSignon object and set recognition characteristics that allow v-GO to recognize the application and subsequently associate that application with the appropriate logon information in SecretStore.

Defining Common Attributes

To define the common attributes of an application:

1. Right-click the nssoSingleSignon object.

2. Select New > Object.

3. Select nssoApplication.

4. Name the object, select Define Additional Properties, and click OK.

5. Define properties of the nssoApplication object.

Application ID: The mandatory portion of the Secret_ID field used when storing this application's secrets.

Enable Enhanced Protection: If selected, this secret is protected when SecretStore is locked after an administrative password change. Select this option if the application is sensitive.

Use Enhanced Protection Application Password: This enhanced protection feature results in secrets that are stored with an application and user-specific password and can help protect the most sensitive secrets from processes running on a user's authenticated workstation.

If set and implemented by v-GO or a Single Sign-on-enabled application, the user will be unable to read the secret using SecretStore Manager or ConsoleOne without a Master Password.


Password Policy DN: Can point to an nssoPasswordPolicy object that can be used to enforce password rules when an application password change event occurs.

Allow User to Reveal Password: Lets users reveal the password for this application in v-GO. Unless you don't want users to be able to display their password, you should leave this option selected.

Auto-Generate Password: If you're using a password policy (either a default policy on the nssoSingleSignon object or a policy specified on the nssoApplication object), you can have v-GO generate a password when the application's password change event is detected. Not all applications support this option.

6. Determine if you want to set up a Windows application or a mainframe application. Follow the appropriate steps.

Defining a Windows Application

To recognize a Windows application, v-GO will match the Windows title bar text, module name, and username and password control IDs for newly created dialogs on the desktop with those it knows about. Defining applications in ConsoleOne adds this data to v-GO's list of predefined applications.

NOTE: You must be able to run v-GO for Novell Single Sign-on and the application that you want to add on the administrative workstation.

With ConsoleOne still up and the nssoApplication object's property page open, launch the Windows application that you want to add so that its logon dialog is displayed. If v-GO prompts you to add the logon, press Cancel before proceeding.

To define a Windows application:

1. In ConsoleOne, right-click the nssoApplication object and select Properties.

2. Select the Single Sign-on Application Type property page.


3. From the Application Type drop-down list, select Windows Application.

4. Complete the Login Settings fields.

You can use the auto-detection support by clicking the icons next to the User Control ID and Password Control ID fields and then clicking on the appropriate input fields on the application's logon dialog box. You need to do this one field at a time, and it will result in the control ID fields being filled in for you. If the application doesn't use one or the other field, skip that icon.

Once this step is complete, you can close the application dialog box.

5. Complete the Change Password Settings fields.

This is optional and only applies to applications that present change password dialogs to the user. To set up this feature, launch the application and start the password change dialog. As in the previous step, use the auto-detection icons to complete each field that has a match in the application's password change dialog.

6. Close the object to save the updated property values.

7. Open the property page for the nssoSingleSignon object and select the v-GO tab.

8. Click Generate to regenerate the v-GO configuration data attribute. (This attribute contains data that v-GO needs from the individual application and password policy objects within the nssoSingleSignon container.)

NOTE: Some applications use nonstandard controls that cannot be auto-detected using the steps noted above. You can also manually enter the information in the Logon Settings and Change Password Settings fields. This information is easily obtained using a Windows spy tool such as Spy++, which ships in the Microsoft* Visual Studio development suite.

Defining a Mainframe Application

v-GO's mainframe terminal emulator support is based on its ability to recognize a screen by looking for specific strings of data at specific screen locations. This recognition data is entered by the administrator in the Single Sign-on Application Type property page of the nssoApplication object.

To define a mainframe application, you will provide row, column, and match string information that will help v-GO detect the application's logon screen and indicate where the secret data should be entered.


NOTE: For multi-screen logons, you can create nssoApplication objects for as many screens as may be required, as long as each screen depicts a unique event for which the same information is entered by each individual user.

To define a mainframe application:

1. Launch a terminal emulator session and the mainframe application so that you can reference the logon screen in the subsequent steps.

2. In ConsoleOne, right-click the nssoApplication object and select Properties.

3. From the Application Type drop-down list, select Terminal Emulator Logon.

4. If this application logon screen requires a username (or ID), modify the [Username] entry in the Terminal Emulator Logon string list. Specify the row and column number of the first character of the input field associated with the username value.

These values can be determined in most emulators by positioning the cursor (using the Tab key) to the field and referencing the row/col indicator on the session status bar.

5. If the application logon screen requires a password, repeat the process above for the [Password] field. Again, specify the row and column values for the first character of the password input field.

6. Use the Add function to create as many Match String entries as may be needed to uniquely identify this logon screen. This must be data that is static.

Terminal IDs, dates, etc. should not be used as match strings. You may want to use cut-and-paste to ensure that strings are entered exactly as they appear in the application logon screen. The row and column values are for the first character in the string.

7. Close the object to save the updated property values.

8. Open the property page for the nssoSingleSignon object and select the v-GO tab.

9. Click Generate to regenerate the v-GO configuration data attribute. (This attribute contains data that v-GO needs from the individual application and password policy objects within the nssoSingleSignon container.)
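To show how the row, column and Match String data collected in the procedure above is used to recognise a logon screen, and why terminal IDs and dates make poor match strings, here is an added Python model that is not Novell's code. The 24x80 screens, the application definitions and names such as TerminalLogonDefinition are constructed assumptions, not the product's data format.

```python
"""Added model of screen recognition from (row, col, match string) entries.
Constructed screens and definitions; not Novell's implementation."""

from dataclasses import dataclass
from typing import Optional

SCREEN_ROWS, SCREEN_COLS = 24, 80  # typical 3270 model 2 geometry (assumption)


@dataclass(frozen=True)
class MatchString:
    row: int   # 1-based, as read from the emulator status bar
    col: int   # 1-based column of the string's first character
    text: str


@dataclass(frozen=True)
class TerminalLogonDefinition:
    application_id: str
    match_strings: tuple[MatchString, ...]
    username_pos: Optional[tuple[int, int]]  # (row, col) of the field's first char
    password_pos: Optional[tuple[int, int]]


def make_screen(cells: list[tuple[int, int, str]]) -> list[str]:
    """Build a blank screen and place each (row, col, text) on it."""
    screen = [" " * SCREEN_COLS for _ in range(SCREEN_ROWS)]
    for row, col, text in cells:
        line = screen[row - 1]
        screen[row - 1] = (line[: col - 1] + text + line[col - 1 + len(text):])[:SCREEN_COLS]
    return screen


def text_at(screen: list[str], row: int, col: int, length: int) -> str:
    """Characters at 1-based (row, col); anything off-screen reads as blanks."""
    if not 1 <= row <= len(screen):
        return " " * length
    return screen[row - 1][col - 1 : col - 1 + length].ljust(length)


def screen_matches(defn: TerminalLogonDefinition, screen: list[str]) -> bool:
    """Every match string must appear exactly at its position. A definition
    with no match strings never matches, so secrets are never typed blindly."""
    if not defn.match_strings:
        return False
    return all(text_at(screen, m.row, m.col, len(m.text)) == m.text for m in defn.match_strings)


def recognise(defs: list[TerminalLogonDefinition], screen: list[str]) -> Optional[TerminalLogonDefinition]:
    """The single definition this screen satisfies, or None when zero or
    several match (several means the match strings are not unique enough)."""
    hits = [d for d in defs if screen_matches(d, screen)]
    return hits[0] if len(hits) == 1 else None


# Constructed logon screens for one application, captured on two days from two
# terminals. Row 1 carries the terminal ID and date, which vary per session.
USERID_PROMPT = "USERID   ===>"
STATIC_TEXT = [(3, 30, "ACME PAYROLL SYSTEM"), (5, 20, "SIGN ON"),
               (10, 10, USERID_PROMPT), (12, 10, "PASSWORD ===>")]
LOGON_MONDAY = make_screen(STATIC_TEXT + [(1, 1, "TERM=TCP00123"), (1, 66, "12 JUN 2000")])
LOGON_TUESDAY = make_screen(STATIC_TEXT + [(1, 1, "TERM=TCP00457"), (1, 66, "13 JUN 2000")])
MENU_SCREEN = make_screen([(3, 30, "ACME PAYROLL SYSTEM"), (5, 20, "MAIN MENU")])

# Definition built as the guide advises: static strings only.
PAYROLL = TerminalLogonDefinition(
    application_id="ACME_PAYROLL",
    match_strings=(MatchString(3, 30, "ACME PAYROLL SYSTEM"),
                   MatchString(5, 20, "SIGN ON"),
                   MatchString(10, 10, USERID_PROMPT)),
    username_pos=(10, 24),
    password_pos=(12, 24),
)
# Same screen defined with the date as a match string (what the guide warns against).
PAYROLL_BAD = TerminalLogonDefinition(
    application_id="ACME_PAYROLL_BAD",
    match_strings=(MatchString(3, 30, "ACME PAYROLL SYSTEM"), MatchString(1, 66, "12 JUN 2000")),
    username_pos=(10, 24),
    password_pos=(12, 24),
)

if __name__ == "__main__":
    for name, screen in [("Monday", LOGON_MONDAY), ("Tuesday", LOGON_TUESDAY), ("menu", MENU_SCREEN)]:
        hit = recognise([PAYROLL], screen)
        print(name, "->", hit.application_id if hit else None)
```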


Creating and Applying a Password Policy

With Novell Single Sign-on and v-GO for Novell Single Sign-on, you can apply password policies to user-entered passwords in some applications that don't provide this capability natively.

Because passwords are entered into v-GO's logon wizard, rather than directly into the application's password change dialog, v-GO can enforce password policy if it has been properly configured to detect the password change event.

To set up a password policy:

1. In ConsoleOne, right-click the desired nssoApplication object.

2. Click New > Create.

3. Select the nssoPasswordPolicy object.

4. Select Define Additional Properties.

5. Configure the desired password policies and behaviors.

6. Click Apply and OK.


7 Security Considerations with Novell Single Sign-on

This chapter describes issues related to your network security with the use of Novell® Single Sign-on.

Refer to the Novell Single Sign-on product Web page (http://www.novell.com/products/sso/) for up-to-date information on this and other important topics.

Enhanced Protection Feature

The Novell Single Sign-on Enhanced Protection feature set optionally enhances the security of SecretStoreTM by providing additional protection for secrets stored with Enhanced Protection enabled. These features are among key security advantages provided by the patented SecretStore technology.

SecretStore Lock

With the Enhanced Protection option enabled for any secret in SecretStore, if the administrator changes the user's NDS® password, SecretStore enters a "locked" state. When locked, no secrets stored with the Enhanced Protection option can be read until SecretStore is unlocked.

SecretStore can only be unlocked if the last NDS password set by the end user is provided. Since an administrator should not know the user's previous NDS password, Enhanced Protection-protected secrets are kept safe.

NDS and SecretStore can distinguish between user-initiated password changes and those done by an administrator; SecretStore locks only on administrator password changes, and an encrypted hash of the user's previous password is updated in SecretStore only if the change was initiated by the user.


This protection is foolproof, of course, only if the user has changed the NDS password at least once since the account was created and before any Enhanced Protection-protected secrets are stored, so that the administrator does not know the previous password. This suggests that a standard practice when setting up new User objects in NDS should be to require a password change at first login.

Users who have admin-equivalent rights (that is, they have supervisor rights but are not the actual network administrator) need to be careful when setting their own passwords. If a user sets a password while logged in as an admin-equivalent user, his or her SecretStore will be locked, because the change counts as an administrative one.

Master Password

The Enhanced Protection Master Password feature provides an alternative way for users to unlock SecretStore. The Master Password feature allows users to store a persistent password and an associated "hint" in SecretStore that can be used instead of the previous NDS password to unlock SecretStore after an administrative NDS password reset.

The SecretStore Manager (SSMANAGER.EXE) provides an interface that lets users store and update the Master Password data. Then, when unlocking SecretStore, either the previous NDS password or the persistent Master Password can be used.

If the user enters an incorrect password when unlocking SecretStore from the SecretStore Manager and a Master Password and Hint have been stored, the hint is displayed to remind the user of the Master Password.

Other interfaces that unlock SecretStore (such as those built into the Notes and Entrust connectors) will accept the Master Password in place of the previous NDS password, but they may not be capable of displaying the hint.

To set a Master Password and Hint, start SecretStore Manager from the Single Sign-on program group and select Options > Set Master Password.

Alternatively, SecretStore Manager can be invoked with a command line switch (SSMANAGER.EXE /SP) that will directly launch the Set Master Password dialog and exit on completion. This capability might be useful if you want to encourage users to set their Master Password data.


Application Password

Application Password is an optional Enhanced Protection feature designed to secure an application's secrets from other applications running on the authenticated workstation. This optional password, stored on a per-secret basis when secrets are written, prevents an application from reading a secret unless it can supply the correct application password on the nssoReadSecret() function call.

Application Passwords are defined by the Single Sign-on-enabled application that creates the secret, and they should be unique for each application and user. They are true "application secrets" that will not be known by the user or by any other application.

v-GO for Novell Single Sign-on will use the Application Password feature when the Use Application Password option is set for that application in the Single Sign-on configuration of that application in NDS. The Application Password feature is also available to any developer of Single Sign-on-enabled applications and connectors.

If secrets are stored with Application Passwords, they cannot be viewed or read by the user unless a Master Password has been stored by the user. SecretStore Manager will prompt for the Master Password when the user attempts to view a secret stored with an Application Password.
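The SecretStore Lock, Master Password and Application Password rules described above, as an added Python model. This is not Novell code and does not talk to NDS or NICI: `SecretStoreModel`, `admin_reset_scenario` and the PBKDF2 stand-in for the NICI hash are this example's own inventions, and it assumes that the creation-time password counts as the "previous password" until the user changes it, which is exactly the caveat the text raises.

```python
import copy
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional


class SecretStoreLocked(Exception):
    """Raised when an Enhanced Protection secret is read while the store is locked."""


def _hash(value: str, salt: bytes) -> bytes:
    # Stand-in for the NICI-based hash; the guide does not name the algorithm.
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 20_000)


@dataclass
class Secret:
    value: str
    enhanced: bool = False                  # stored with Enhanced Protection
    app_pw_hash: Optional[bytes] = None     # optional per-secret Application Password


@dataclass
class SecretStoreModel:
    nds_password: str                       # what NDS currently holds
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    prev_user_hash: Optional[bytes] = None  # hash of the last password the user set
    master_hash: Optional[bytes] = None     # Enhanced Protection Master Password
    master_hint: Optional[str] = None
    locked: bool = False
    secrets: Dict[str, Secret] = field(default_factory=dict)

    @classmethod
    def create_account(cls, initial_password: str) -> "SecretStoreModel":
        # Model assumption: until the user changes it, the creation-time password
        # (chosen by the administrator) is what the store accepts for unlocking.
        store = cls(nds_password=initial_password)
        store.prev_user_hash = _hash(initial_password, store.salt)
        return store

    def user_changes_password(self, old: str, new: str) -> None:
        if old != self.nds_password:
            raise PermissionError("current NDS password required")
        self.nds_password = new
        self.prev_user_hash = _hash(new, self.salt)   # updated only on user-initiated change

    def admin_resets_password(self, new: str) -> None:
        self.nds_password = new
        self.locked = True          # hash deliberately NOT updated: the admin knows `new`

    def set_master_password(self, master: str, hint: str) -> None:
        self.master_hash = _hash(master, self.salt)
        self.master_hint = hint     # shown by SecretStore Manager after a failed unlock

    def unlock(self, candidate: str) -> bool:
        """Accept the last user-set NDS password or the Master Password, nothing else."""
        if not self.locked:
            return True
        cand = _hash(candidate, self.salt)
        for accepted in (self.prev_user_hash, self.master_hash):
            if accepted is not None and hmac.compare_digest(cand, accepted):
                self.locked = False
                return True
        return False

    def write_secret(self, name, value, enhanced=False, app_password=None):
        app_hash = _hash(app_password, self.salt) if app_password else None
        self.secrets[name] = Secret(value, enhanced, app_hash)

    def read_secret(self, name, app_password=None):
        """Models nssoReadSecret(): a locked store blocks Enhanced Protection secrets,
        and a secret written with an Application Password needs that password."""
        s = self.secrets[name]
        if s.enhanced and self.locked:
            raise SecretStoreLocked(name)
        if s.app_pw_hash is not None and (app_password is None or
                not hmac.compare_digest(_hash(app_password, self.salt), s.app_pw_hash)):
            raise PermissionError("application password required")
        return s.value


def admin_reset_scenario(user_changed_first: bool) -> Dict[str, bool]:
    """Which credentials unlock the store after an administrative reset? Without a
    user-initiated change first, the admin-known initial password still unlocks it."""
    store = SecretStoreModel.create_account("Welcome1")          # admin-chosen
    if user_changed_first:
        store.user_changes_password("Welcome1", "only-the-user-knows")
    store.write_secret("mail", "s3cret", enhanced=True)
    store.admin_resets_password("Reset123")
    try:
        store.read_secret("mail")
        readable = True
    except SecretStoreLocked:
        readable = False
    return {
        "locked": store.locked,
        "readable_while_locked": readable,
        "initial_password_unlocks": copy.deepcopy(store).unlock("Welcome1"),
        "user_password_unlocks": copy.deepcopy(store).unlock("only-the-user-knows"),
        "new_password_unlocks": copy.deepcopy(store).unlock("Reset123"),
    }
```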

Disconnected Workstation Authentication

Disconnected Workstation Authentication provides an authentication service to help prevent casual and unauthorized access to a user profile on Windows 95 and Windows 98 workstations.

IMPORTANT: Disconnected Workstation Authentication support is provided in Novell Client™ for Windows 95/98 version 3.30 or later. Download the latest Novell Client software at the Novell Web site (http://www.novell.com/download/).

Disconnected Workstation Authentication extends the Novell Client for Windows 95 and 98 workstations. It provides an authentication service while the computer is not connected to the network (in disconnected mode). Without this added service, users are given access to the computer without authenticating after the Novell Client determines that no network exists.

Disconnected Workstation Authentication gives network administrators the ability to force the user to authenticate regardless of whether or not the computer is connected to the network.


NICI

All cryptographic services used for Disconnected Workstation Authentication are based on the Novell International Cryptographic Infrastructure (NICI).

When a user account is created, Disconnected Workstation Authentication uses NICI to produce a hash of the password. The password is discarded once this hash is produced. The username and hash are then stored in the registry on the local machine for later authentication.

The username and hash together constitute a single Disconnected Workstation Authentication account. This account is completely separate from the typical Windows profile, but normally corresponds to one.

For example, when a user has an account and logs in through Disconnected Workstation Authentication successfully for the first time, a Windows profile is created for the user. During subsequent successful logons, the user assumes the same Windows profile that was created.

Windows Password Cache

A security service called the Windows password cache is built into Windows 95 and 98. It is enabled by default and provides for a limited authentication service.

Applications use the Windows password cache to store a user's password on the local machine. The user's application password is stored in a profile's [username].PWL file, where [username] is the name of the profile. This .PWL file is encrypted.

When a user logs in to Windows successfully and gains a profile, the .PWL file is unlocked. After the .PWL file is unlocked, the user can log in to an application without having to remember the password associated with that application. This service allows the user to log in once, but authenticate with multiple applications.

When this service is enabled, a user's profile is associated with a password. This password will be referred to as the user's profile password. This password must be supplied before a login to that user's Windows profile is possible. When using the default Windows logon, it is possible to cancel out of logging in, which means that the user gains access to the machine but not to a profile.

NOTE: This means that it is not possible to log in to a profile when booting from "safe mode," since the user is never prompted to log in.


Tools exist that allow others to decrypt .PWL files. This means it is possible for user A to obtain user B's profile password. User A can then log in to user B's profile, and thus user A gains access to user B's secrets.

Disconnected Workstation Authentication addresses these security concerns when enabled. It replaces the need for the default Windows logon. Users are forced to authenticate with Disconnected Workstation Authentication before access to the machine is given. User A cannot gain access to user B's profile because Disconnected Workstation Authentication does not use the .PWL file.

Disconnected Workstation Authentication replaces the need for the Windows password cache. We recommend that the password cache be disabled for security purposes. When the password cache is disabled, a profile for each user still exists.

Access to other applications that utilize the Windows password cache is still possible, but the passwords for these applications will not be remembered or stored in a .PWL file. In other words, when the password cache is disabled, a user must remember passwords for applications that normally use the Windows password cache.

We recommend that Novell Single Sign-on be used in addition to Disconnected Workstation Authentication instead of using the Windows password cache. These services, when used together, completely replace the Windows logon and the Windows password cache. Security of Windows 95 and Windows 98 machines is thereby increased.

If you want to use the Windows password cache service in addition to Disconnected Workstation Authentication, we recommend that you use a different password for each service. That way, user A cannot use the .PWL file to learn user B's Disconnected Workstation Authentication password.

Deleting Accounts

You can delete accounts by removing their corresponding key in the registry. Each account is stored under the key HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Local Passwords\[username] (where username is the user's account name). In each user's key is a value named data that contains the hashed password.

Deleting the registry key that is associated with a given account will delete the user�s Disconnected Workstation Authentication account.

NOTE: This will not alter the Windows password account on the local machine in any way.


Customizable Settings

Disconnected Workstation Authentication has six settings that allow the service to be customized according to administrators' needs. Each setting has an important security implication.

Each setting can be changed by opening the Novell Client Properties window and by clicking on the Advanced Settings tab. The settings are under the Disconnected Workstation Authentication parameter group. The settings can also be changed by modifying their corresponding key in the Windows registry.

Client Property Settings

Setting: Enable Disconnected Authentication
Description: Forces the user to authenticate even if the workstation is not connected to the network, so that an unauthorized user cannot log in to the workstation and gain access to the user's profile. (Disconnected Authentication and NICI must be installed on the workstation.)

Setting: Sync NDS Password
Description: Updates the Disconnected Workstation Authentication password with the NDS password. (Disconnected Authentication must be enabled and NICI must be installed on the workstation.) This does not alter the Windows User Profile password.

Setting: Login Attempt Retry Count
Description: Specifies the number of failed login attempts allowed before the user is prompted to shut down and restart the workstation. (Disconnected Authentication must be enabled and NICI must be installed on the workstation.)

Setting: Disable Account Creation (Network)
Description: Disables the creation of a new Disconnected Authentication account for a user who does not currently have an account on the workstation if the user attempts to authenticate to the network. (Disconnected Authentication must be enabled and NICI must be installed on the workstation.) This only applies to the initial login.

Setting: Disable Account Creation (Local)
Description: Disables the creation of a new Disconnected Authentication account for a user who does not currently have an account on the workstation if the user attempts to log in locally while the workstation is disconnected from the network. (Disconnected Authentication must be enabled and NICI must be installed on the workstation.)

Setting: Disable Windows Password Cache
Description: Disables the Windows User Profile password file (.PWL file). Disabling the Windows Password Cache prevents others from obtaining a user's NDS password. Other applications will not be able to use the Windows Password Cache. This does not disable Single Sign-on.

Registry Settings

All registry keys for Disconnected Workstation Authentication are located under the base key HKEY_LOCAL_MACHINE. Each can only have a DWORD value. The possible values and the default value for each setting are listed below. The default determines how an option is interpreted when its corresponding key does not exist or is corrupt.

Setting: Enable Disconnected Authentication
Key: SOFTWARE\Novell\Login\DisconnectMode\EnableDisconnectAuthent
Possible Values: 0, 1
Default Value: 0

Setting: Sync NDS Password
Key: SOFTWARE\Novell\Login\DisconnectMode\SyncNDSPass
Possible Values: 0, 1
Default Value: 1

Setting: Login Attempt Retry Count
Key: SOFTWARE\Novell\Login\DisconnectMode\RetryCount
Possible Values: 0, 1, 2, ..., 200
Default Value: 3

Setting: Disable Account Creation (Network)
Key: SOFTWARE\Novell\Login\DisconnectMode\DisableNewAccounts\Connected
Possible Values: 0, 1
Default Value: 0

Setting: Disable Account Creation (Local)
Key: SOFTWARE\Novell\Login\DisconnectMode\DisableNewAccounts\Disconnected
Possible Values: 0, 1
Default Value: 0

Setting: Disable Windows Password Cache
Key: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisablePwdCaching
Possible Values: 0, 1
Default Value: 0

NOTE: Although this setting belongs to Windows and not to Disconnected Workstation Authentication, it is of great importance.
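An added Python audit of the six settings against an exported REGEDIT4 file, applying the rule stated above that a missing or corrupt (non-DWORD or out-of-range) value is interpreted as the default. This is not Novell tooling: it assumes the last component of each documented path is a value name under the preceding key, `parse_reg`, `effective_settings` and `weak_settings` are this example's own names, and the sample export is constructed.

```python
import re
from typing import Dict, List, Tuple

# (setting, path below HKEY_LOCAL_MACHINE, allowed values, default) as listed in the guide.
SETTINGS = [
    ("Enable Disconnected Authentication",
     r"SOFTWARE\Novell\Login\DisconnectMode\EnableDisconnectAuthent", range(0, 2), 0),
    ("Sync NDS Password",
     r"SOFTWARE\Novell\Login\DisconnectMode\SyncNDSPass", range(0, 2), 1),
    ("Login Attempt Retry Count",
     r"SOFTWARE\Novell\Login\DisconnectMode\RetryCount", range(0, 201), 3),
    ("Disable Account Creation (Network)",
     r"SOFTWARE\Novell\Login\DisconnectMode\DisableNewAccounts\Connected", range(0, 2), 0),
    ("Disable Account Creation (Local)",
     r"SOFTWARE\Novell\Login\DisconnectMode\DisableNewAccounts\Disconnected", range(0, 2), 0),
    ("Disable Windows Password Cache",
     r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisablePwdCaching", range(0, 2), 0),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')
_OTHER_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text: str) -> Dict[Tuple[str, str], Tuple[str, object]]:
    """Map (KEY, VALUE_NAME) -> ("dword", int) or ("other", raw) for a REGEDIT4 export.
    Keys and value names are upper-cased because the registry is case-insensitive."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1).upper()
            continue
        m = _DWORD_RE.match(line)
        if m and key:
            values[(key, m.group(1).upper())] = ("dword", int(m.group(2), 16))
            continue
        m = _OTHER_RE.match(line)
        if m and key:
            values[(key, m.group(1).upper())] = ("other", m.group(2))
    return values


def effective_settings(reg_text: str) -> Dict[str, Tuple[int, str]]:
    """Return setting -> (effective value, "registry" or "default")."""
    values = parse_reg(reg_text)
    report = {}
    for name, path, allowed, default in SETTINGS:
        key, _, value_name = path.rpartition("\\")
        entry = values.get(("HKEY_LOCAL_MACHINE\\" + key.upper(), value_name.upper()))
        if entry is not None and entry[0] == "dword" and entry[1] in allowed:
            report[name] = (entry[1], "registry")
        else:
            report[name] = (default, "default")   # missing or corrupt: use the default
    return report


def weak_settings(report: Dict[str, Tuple[int, str]]) -> List[str]:
    """Flag the two states the guide warns about: no authentication while
    disconnected, and .PWL password caching left enabled."""
    weak = []
    if report["Enable Disconnected Authentication"][0] == 0:
        weak.append("Disconnected Authentication is off: users reach the desktop "
                    "without authenticating when no network is found")
    if report["Disable Windows Password Cache"][0] == 0:
        weak.append("Windows password cache is enabled: .PWL files are still written")
    return weak


# Constructed sample export: SyncNDSPass is absent, RetryCount is out of range and
# DisableNewAccounts\Disconnected is a string, so all three fall back to defaults.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\DisconnectMode]
"EnableDisconnectAuthent"=dword:00000001
"RetryCount"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\DisconnectMode\DisableNewAccounts]
"Connected"=dword:00000000
"Disconnected"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]
"DisablePwdCaching"=dword:00000000
"""

if __name__ == "__main__":
    rep = effective_settings(SAMPLE_REG)
    for name, (value, source) in rep.items():
        print(f"{name}: {value} ({source})")
    for finding in weak_settings(rep):
        print("WEAK:", finding)
```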


NDS Screen Saver

NDS Screen Saver uses NDS to authenticate a user to unlock his or her Windows workstation. This optional product is installed with the main Single Sign-on client installation. The product is installed by default on Windows 95/98 workstations and optionally on Windows NT/2000 workstations.

When disconnected from the network, NDS Screen Saver uses NICI services to securely store an encrypted hash of the user's password in the registry, allowing a re-authentication to the workstation, similar to NDS authentication, after the screen has been locked.

An .ADM file is provided for administration. The .ADM file can be used with ZENworks extensible policies or with Microsoft* policy management. The configuration allows you to

• Enable or disable whether the user can select a screen saver

• Enable or disable whether the user can access the screen saver's Settings and Preview buttons

• Enable or disable whether the user can set or modify the screen saver's Wait timeout value

All settings available to the user are displayed on the Display Control Panel. The workstation user can access the settings the administrator has allowed.

Once installed on the workstation, this component is used automatically. Whenever the workstation is locked or the screen saver has started, an NDS dialog is presented to the user to allow him or her to authenticate to NDS. If the authentication succeeds, the workstation is unlocked and the user can get to his or her desktop.

An NDS administrator can also unlock the workstation, but this will cause the user to be logged out. In this case, any programs that the user was running will be terminated. Use this feature with caution, because unsaved files may be lost.


IV Using Novell Single Sign-on

This section describes the basic uses and functionality of the Novell® Single Sign-on software.


8 Using the v-GO Client

This chapter explains how to configure the v-GO* client included with Novell® Single Sign-on.

v-GO Client Overview

v-GO is a client-resident solution that extends the benefits of Novell Single Sign-on to 70 to 90% of all Windows, Web, and host-based applications without requiring any additional programming. The specific settings for v-GO can be configured either centrally through ConsoleOne or on the client workstation by the user.

After you install the Single Sign-on client software, a Single Sign-on icon appears in the Windows system tray. You can access all client management tools by clicking on this icon.

Using Logon Manager

The Logon Manager utility is built in to the v-GO client. This utility allows you to manage all of your logons stored with Single Sign-on. To use this utility:

1. Log in to your NDS® tree.

2. From the Windows system tray, click the Single Sign-on icon.

3. Select My Logons.

The Logon Manager utility displays.

4. Complete the desired actions.


Setting Preferences

You can use the v-GO client to modify your client preferences. To change preferences:

1. Log in to your NDS tree.

2. From the Windows system tray, click the Single Sign-on icon.

3. Select Settings.

4. Complete the desired actions.

Using Disconnected Mode

For performance, v-GO caches its secrets from SecretStore™ in NDS to an encrypted information store in the workstation's Windows directory as <username> AML.INI.

In v-GO for Novell Single Sign-on, this local store can be configured by the administrator to persist after the NDS authenticated session is closed. For laptop users, this can provide access to logon data while on the road.

Synchronization occurs when the machine (and v-GO) is started in the NDS-connected network, whenever logon data is updated in the local store, and when v-GO shuts down. Access to the local store is granted when the user logs in to Windows.

Changing Passwords

If you change your password directly within an application or other password-protected program, v-GO might experience a problem detecting the change. In some cases, you might need to delete your password in v-GO and create a new one.


9 Managing Passwords

This chapter describes how to set up and manage user passwords using SecretStore™.

Using ConsoleOne to Manage SecretStore

You can view and manage SecretStore with ConsoleOne™. To manage your secrets with ConsoleOne:

1. Log in to your NDS® tree.

2. From ConsoleOne, select your User object.

3. Right-click and select Properties.

4. Select the Security property page.

5. Complete the desired transactions and click OK.

Using the Single Sign-on Manager Utility

The SecretStore Manager utility (SSMANAGER.EXE) lets users perform basic maintenance tasks on their SecretStore, such as setting or changing the Enhanced Protection Master Password data, unlocking SecretStore, deleting unneeded or expired application secrets, performing basic troubleshooting tests against SecretStore, etc.

Although the SecretStore Manager utility is not intended to be a primary interface to Single Sign-on, it is a relatively simple-to-use tool that helps users manage SecretStore outside the interfaces provided by Single Sign-on-enabled applications.


To use the SecretStore Manager utility:

1. Log in to your NDS tree.

2. Run SSMANAGER.EXE, located in the C:\NOVELL\SSO directory and on the Start > Programs > Single Sign-on menu.

3. Complete the desired actions.

For more information on setting passwords, see Chapter 7, "Security Considerations with Novell Single Sign-on," on page 45.


10 Using Single Sign-on with Internet Browsers

Novell® Single Sign-on software saves user credentials required to access various Web sites.

With Novell Single Sign-on, users can store up to five passwords to access password-protected Web sites. With v-GO* for Novell Single Sign-on, users can store an unlimited number of user credentials for password-protected Web sites.

Supported Browsers

• Netscape* Navigator* 4.x

• Microsoft* Internet Explorer 4.x or 5.1

IMPORTANT: If you are using Internet Explorer 5.0, you must upgrade to version 5.1 in order for v-GO to function properly.

Configuring Browser/Password Behavior

To set up how Single Sign-on handles Web sites, see Chapter 6, "Configuring Novell Single Sign-on," on page 33.


11 Using Single Sign-on with Windows Applications

Novell® Single Sign-on software can store password data for accessing Windows* applications.

Novell Single Sign-on provides access for a finite list of Windows applications. Refer to the APPLIST.INI file for a list of the Windows applications supported.

v-GO* for Novell Single Sign-on supports an unlimited number of Windows applications.

Configuring Application/Password Behavior

To set up how Single Sign-on handles application passwords, see Chapter 6, "Configuring Novell Single Sign-on," on page 33.


12 Using Single Sign-on with Mainframe Terminal Emulators

Novell® Single Sign-on software provides single sign-on support for the following mainframe terminal emulators:

• IBM* Personal Communications

• Attachmate* EXTRA!*

• RUMBA*

• WRQ* Reflection*

• Hummingbird HostExplorer

Terminal Emulation Overview

A terminal emulator enables a user to connect to a UNIX*, mainframe, AS/400*, or other host-based session via a program on a Windows* workstation. v-GO* for Novell Single Sign-on provides single sign-on functionality to IBM S/390* mainframe applications via several terminal emulators that implement the IBM HLLAPI (high-level language API).


Special Settings

Use the following settings when setting up terminal emulation with Novell Single Sign-on software.

IBM Personal Communications 4.3

To set up IBM Personal Communications 4.3:

1. Select File > API Settings.

2. Set the DDE/EHLLAPI box.

Attachmate EXTRA! 6.3 and 6.5

To set up Attachmate EXTRA! 6.3 and 6.5:

1. Select Options > Global Preferences.

2. Set the HLLAPI short name and Enhance Transport.

NOTE: Background processes are sometimes left after a session has ended. This may disrupt the autologin process and will prevent the session from being restarted.

RUMBA

To set up RUMBA:

1. Select Options > API > Identification.

2. Set the session short name.

NOTE: RUMBA generally has a functional implementation of HLLAPI. It connects and sees the PS, though it does not appear to support connections on more than one session. v-GO can only provide single sign-on support to the last session started.

WRQ Reflection 7

To set up WRQ Reflection 7:

1. Call HLLSETUP.EXE and register VGOMHO.EXE.

2. Under the Setup menu item, select Terminal and set the Session short and long name.


NOTE: Reflection is different in that it requires any application connecting to it to be registered first. It also appears to have problems with multiple sessions support.

Reflection 8 is not yet supported by v-GO.

Hummingbird HostExplorer

To set up Hummingbird HostExplorer:

1. Select Edit > Options.

The Session Profile dialog appears.

2. Select Session > General.

3. Enter the session long name.

NOTE: The text will consist of one letter between A and Z.


13 Using the Single Sign-on Connectors

This chapter describes the connector software available for use with Novell® Single Sign-on.

Connectors Download Site

All of the described Single Sign-on connectors can be downloaded from the Novell Web site (http://www.novell.com/products/sso/applications.html).

Supported Applications

The following connectors are available for download or are included on the Novell Single Sign-on CD-ROM.

Continuus

The Novell Single Sign-on for Continuus application launcher provides integration between Novell Single Sign-on and the Continuus client by providing a login window to intercept the username and password for storage in and retrieval from the NDS® SecretStore™.

Subsequent logins to Continuus via the application launcher will not require users to manually enter a user name and password.

Entrust

The Novell Single Sign-on login extension for Entrust* provides integration between Novell Single Sign-on and the Entrust client by storing user profiles and passwords in SecretStore during the Create/Recover Entrust Profile procedure. Multiple user profiles can be stored and later displayed at login.


Subsequent logins to Entrust via the login extension will not require users to manually enter a user profile and password.

Lotus Notes

The Novell Single Sign-on for Lotus* Notes* login extension provides integration between Novell Single Sign-on and the Lotus Notes client (4.6 or later) by storing user IDs and passwords in SecretStore.

Subsequent logins to Lotus Notes via the login extension will not require users to manually enter a user ID and password.

Microsoft Access

The Novell Single Sign-on for Microsoft* Access* application launcher provides integration between Novell Single Sign-on and Microsoft Access by providing a login window to intercept the username and password for storage in and retrieval from the NDS SecretStore.

Subsequent logins to Microsoft Access via the application launcher will not require users to manually enter a user name and password.

PeopleSoft 7.x

Novell Single Sign-on supports PeopleSoft* 7.x. Centralized administration of PeopleSoft secrets is provided using the NetWare® Administrator utility.

SQL Integrator 1.0

Novell Single Sign-on 1.0 supports Novell SQL Integrator 1.0 by providing a replacement ODBC driver for installation on the client workstation.

Vantive

The Novell Single Sign-on for Vantive application launcher provides integration between Novell Single Sign-on and the Vantive client by emulating the Vantive System Login dialog to intercept the username and password for storage in and retrieval from the NDS SecretStore.

Subsequent logins to Vantive via the application launcher will not require users to manually enter a username and password.


GroupWise 5.5 Enhancement Pack

The Novell GroupWise® 5.5 Enhancement Pack contains improvements to the Windows Client, WebAccess, administration, and agent components of Novell's GroupWise collaboration software. These components can be installed individually or in any combination to meet the needs of your network.


A SecretStore Error Codes and Descriptions

This section contains a list of all error codes that can be generated by the Novell® SecretStore™ service, along with a short description of each error.

Error Number   Description

-800           Size of the distinguished name exceeds the available buffer size.
-801           NICI operations have failed.
-802           Secret ID is not in the User SecretStore.
-803           Some internal operating system services are not available.
-804           Access to the target SecretStore has been denied.
-805           Some internal NDS® services are not available.
-806           Secret has not been initialized with a write.
-807           Size of the buffer is not in the nominal range between minimum and maximum.
-808           Client and server component versions are not compatible.
-809           SecretStore data on the server has been corrupted.
-810           Secret ID already exists in the SecretStore.
-811           User NDS password has been changed by the administrator.
-812           Target NDS User object not found.
-813           Target NDS User object does not have a SecretStore.
-814           SecretStore is not on the network.
-815           Length of the Secret ID buffer exceeds the limit.
-816           Length of the enumeration buffer is too short.
-817           User is not authenticated.
-818           Unsupported operation.
-819           Supplied NDS password is not valid.
-820           Session keys of the client and server NICI are out of sync.
-821           Requested service is not yet supported.
-822           NDS authentication type is not supported.
-823           Unicode* text conversion operation failed.
-824           Server connection has been lost.
-825           Cryptographic operation has failed.
-826           Attempt to open a connection to the server failed.
-827           Access to server connection failed.
-828           Size of the enumeration buffer exceeds the limit.
-829           Size of the secret buffer exceeds the limit.
-830           Length of the Secret ID should be greater than zero.
-831           Protocol data corrupted on the wire.
-832           Enhanced protection password validation failed. Access to the secret is denied.
-833           Schema is not extended to support SecretStore on the target tree.
-888           Feature not yet implemented.
-899           Product beta life has expired. An official release copy should be purchased.


B Setting Up the Security Domain Infrastructure (SDI) Key

Novell® Single Sign-on requires a Security Domain Infrastructure (SDI) Key in order to function properly. The SDI Key enables the secure transport of keys between servers within a single NDS® tree.

Follow the sections below to properly set up the SDI key before continuing with the Single Sign-on installation.

1. Create and populate the Security container, if necessary.

1a. From ConsoleOne™, verify that a Security container exists at the [Root] of your NDS tree. Verify that the Security container has a KAP container object and a W0 object inside the KAP container object.

1b. If a Security container is not there, create one at the [Root]. The object class is SAS: Security Container. Name the container object "Security."

1c. If the KAP container object is not there, create one inside the Security container. The object class is NDSPKI: SD Key Access Partition. Name the object "KAP."

1d. If the W0 object is not there, create one inside the KAP object. The object class is NDSPKI: SD Key List. Name the object "W0" (the "0" is a zero).


2. Designate an SDI Key Reference Server.

2a. In the W0.KAP object, select Properties > Other.

2b. Highlight Attributes and click Add.

2c. Select the NDSPKI:SD Key Server DN attribute and click OK.

2d. Enter the distinguished name of the server where the key file resides.

3. Check for an existing SDI Key.

- On NetWare®:

SYS:\SYSTEM\NICI\NICISDI.KEY

- On Windows* NT*:

%SYSTEMROOT%\SYSTEM32\NOVELL\NICI\NICISDI.KEY

4. If necessary, create the SDI Key.

IMPORTANT: You should only create a new SDI key when you wish to reinitialize your tree. Creating a new SDI Key when one is already there can disable existing security services on your server.

- On NetWare:

LOAD INITSDI.NLM -NEW NICISDI.LOG NICISDI.ERR

- On Windows NT:

INITSDI -NEW NICISDI.LOG NICISDI.ERR

The NICISDI.LOG file is created if the program executed properly. If there was a problem, the NICISDI.ERR file is created and will contain an error code of the failure.

5. After creating the key, shut down and restart NDS Services.

6. Make a copy of the tree key on the non-tree key server.

You can copy the currently defined SDI Key to a server that doesn't have a key with the following commands:

- On NetWare:

LOAD INITSDI.NLM -GET NICISDI.LOG NICISDI.ERR server_distinguished_name

- On Windows NT:

INITSDI -GET C:\NICISDI.LOG C:\NICISDI.ERR server_distinguished_name tree_name


INITSDI.EXE is located in the SERVER\NICI_1.5\TREEKEY4NT directory on the Novell Single Sign-on CD.

NOTE: The distinguished name of the current SDI reference server is the value of the NDSPKI:SD Key Server DN attribute set in step 2; you can read it from the W0 object property page in ConsoleOne.

The NICISDI.LOG file is created if the program executed properly. If there was a problem, the NICISDI.ERR file is created and will contain an error code of the failure.

7. After making a copy of the tree key on the non-tree key server, shut down and restart NDS Services.
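The following wrapper is an added example for steps 3 through 7, written for readers of this guide; it is not a Novell tool and nothing in it comes from the INITSDI program itself. It encodes the IMPORTANT rule from step 4 as a hard check: INITSDI -NEW is refused when a key file already exists unless the administrator explicitly asks to reinitialize the tree, and a server without a key is only ever told to -GET from a named reference server. It also reads the NICISDI.LOG / NICISDI.ERR outcome the way the guide describes. The INITSDI executable path, the reference server DN and the tree name used in the self-check are assumed values, and the NT key location is derived from %SYSTEMROOT% as in step 3.

```python
"""Pre-flight wrapper around INITSDI (added example, not Novell tooling).

Encodes the rule from step 4: never run INITSDI -NEW on a server that already
holds an SDI key unless you really intend to reinitialise the tree, since a
second key disables the security services that depend on the existing one.
Also interprets the NICISDI.LOG / NICISDI.ERR outcome the way the guide describes.
"""
import os
import subprocess

# Key file locations taken from step 3 of the guide. The NetWare entry is a
# server-console path and only resolves when this runs on the NetWare server.
KEY_FILES = {
    "netware": r"SYS:\SYSTEM\NICI\NICISDI.KEY",
    "nt": os.path.join(os.environ.get("SYSTEMROOT", r"C:\WINNT"),
                       "SYSTEM32", "NOVELL", "NICI", "NICISDI.KEY"),
}


def sdi_key_present(platform, exists=os.path.exists):
    """True when this server already has an SDI key file (step 3)."""
    return exists(KEY_FILES[platform])


def plan_initsdi(key_exists, *, reference_server_dn=None, tree_name=None,
                 create_new=False, reinitialise=False):
    """Choose the INITSDI arguments that are safe for this server.

    Returns the argument list (without the program name), or None when the
    server already has a key and nothing should be done. Raises ValueError
    for requests that would clobber a key or that cannot be satisfied.
    """
    if create_new or reinitialise:
        # -NEW is only legitimate on the first (reference) server of a tree,
        # or when the administrator deliberately reinitialises the tree.
        if key_exists and not reinitialise:
            raise ValueError("SDI key already present; refusing -NEW "
                             "(pass reinitialise=True to reinitialise the tree)")
        return ["-NEW", "NICISDI.LOG", "NICISDI.ERR"]
    if key_exists:
        return None  # step 3 satisfied: leave the existing tree key alone
    if not reference_server_dn:
        raise ValueError("no SDI key here and no reference server given; "
                         "read NDSPKI:SD Key Server DN from W0.KAP.Security")
    # Step 6: copy the tree key from the reference server. The NT build of
    # INITSDI additionally takes the tree name.
    args = ["-GET", "NICISDI.LOG", "NICISDI.ERR", reference_server_dn]
    if tree_name:
        args.append(tree_name)
    return args


def interpret_result(workdir):
    """Map the files INITSDI leaves behind to (ok, detail).

    Per the guide, NICISDI.LOG appears on success and NICISDI.ERR, holding an
    error code, appears on failure. ERR is checked first so that a LOG file
    can never mask a failure.
    """
    err = os.path.join(workdir, "NICISDI.ERR")
    log = os.path.join(workdir, "NICISDI.LOG")
    if os.path.exists(err):
        with open(err, encoding="ascii", errors="replace") as fh:
            return False, fh.read().strip() or "NICISDI.ERR present but empty"
    if os.path.exists(log):
        return True, "NICISDI.LOG written"
    return False, "neither NICISDI.LOG nor NICISDI.ERR written"


def run_initsdi(args, workdir, initsdi="INITSDI", dry_run=False):
    """Run INITSDI in workdir and report the outcome.

    `initsdi` is an assumed path to INITSDI.EXE (the CD ships it under
    SERVER\\NICI_1.5\\TREEKEY4NT). With dry_run=True the command line is
    returned instead of executed, which is what the self-check below uses.
    """
    cmd = [initsdi, *args]
    if dry_run:
        return cmd
    # Remove result files from a previous run so the outcome is unambiguous.
    for name in ("NICISDI.LOG", "NICISDI.ERR"):
        try:
            os.remove(os.path.join(workdir, name))
        except FileNotFoundError:
            pass
    subprocess.run(cmd, cwd=workdir, check=False)
    return interpret_result(workdir)


if __name__ == "__main__":
    # Constructed scenario: an NT server with no key pulling the tree key
    # from a hypothetical reference server in a hypothetical tree.
    plan = plan_initsdi(False, reference_server_dn="CN=SDISRV.O=EXAMPLE",
                        tree_name="EXAMPLE_TREE")
    print(run_initsdi(plan, os.getcwd(), dry_run=True))
```

On a real server, call `plan_initsdi(sdi_key_present("nt"), reference_server_dn=...)` and pass the result to `run_initsdi` without `dry_run`; the only way to obtain a -NEW command on a server that already has a key is to pass `reinitialise=True`, which keeps the step 4 warning from being skipped by accident. Restarting NDS Services (steps 5 and 7) is still a manual step after a successful run.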
