11.0 Troubleshooting User Authentication

This section explains some of the problems related to user authentication. To troubleshoot other problems you might encounter during authentication, see TID 3273870 in the Novell Support Knowledgebase.

ZCC Login Failure Events are not Audited

Explanation: From ZENworks Update 2 onwards, the ZCC login failure events are not audited.
Action: None

The login failure events are logged in:

  • On Windows: %ZENWORKS_HOME%\logs\osp-zenworks-${date}.log

  • On Linux: /var/opt/microfocus/log/zenworks/osp-zenworks-${date}.log

Incorrect username displayed in the ZENworks Login screen

Explanation: The Username option in the ZENworks Login screen displays the Windows local username by default.
Possible Cause: If you changed only the full name of the user (My Computer > Manage > System Tools > Local Users and Groups > Full Name), the ZENworks login screen displays the old username and not the new full name.
Action: To change the local user account details, you must change both the username and the full name of the user:
  1. Click the desktop Start menu > Run.

  2. In the Run window, specify control userpasswords2, then click OK.

  3. Double-click the username and edit both the User Name and Full Name of the user.

  4. Click OK.

Unable to log in to the ZENworks Server

Possible Cause: A user with an account in the eDirectory that is installed on an OES 2.0 server tries to log into a non-OES 2.0 ZENworks Server.
Action: To log in to a non-OES 2.0 ZENworks Server, the user must be a Linux User Management (LUM) user. For more information on LUM users, see the Novell Linux User Management Technology Guide.

Large number of concurrent client logins might result in login failures

Explanation: The maximum number of concurrent client connections that a server can support depends on the configured Connector acceptCount. If the number of concurrent client requests exceeds the value of Connector acceptCount, the client connect requests might fail because the server is not able to accept these connections.
Action: Increase the number of client connect requests that the server can support.

On a Windows server:  

  1. Log in as an administrator.

  2. Open the ZENworks_Install_path\share\ats\catalinabase\conf\server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. On the desktop, click Start > Run.

    2. In the Run window, specify services.msc, then click OK.

    3. Restart CasaAuthTokenSvc.

On a Linux server:  

  1. Log in as root.

  2. Open the /srv/www/casaats/conf/server.xml file.

  3. In the Define a SSL Coyote HTTP/1.1 Connector on port 2645 section, change the value of the Connector acceptCount to the desired value. A value of 300 is optimal.

  4. Restart the Authentication Token Service:

    1. At the server prompt, go to /etc/init.d/.

    2. Run the casa_atsd restart command.
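To confirm the change before restarting the service, the following added example (not part of the original documentation) reads a server.xml and reports the acceptCount in effect for the connector on port 2645. The sample XML is constructed, and the fallback of 100 for a missing attribute assumes the stock Tomcat default applies to the Authentication Token Service.

```python
import xml.etree.ElementTree as ET

RECOMMENDED = 300      # value this page calls optimal
TOMCAT_DEFAULT = 100   # assumption: stock Tomcat default when the attribute is absent

# Constructed sample, not a real ZENworks server.xml.
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 2645 -->
    <Connector port="2645" scheme="https" secure="true" acceptCount="100"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

def audit_accept_count(xml_text, port="2645", minimum=RECOMMENDED):
    """Return one finding per <Connector> listening on `port`."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("port") != port:
            continue  # other connectors are out of scope for this check
        raw = conn.get("acceptCount")
        try:
            value = int(raw) if raw is not None else TOMCAT_DEFAULT
        except ValueError:
            value = None  # non-numeric setting: report it as failing
        findings.append({
            "acceptCount": value,
            "explicit": raw is not None,   # False means the default is in effect
            "ok": value is not None and value >= minimum,
        })
    return findings

if __name__ == "__main__":
    # Replace SAMPLE_SERVER_XML with the contents of the real file, for example
    # open("/srv/www/casaats/conf/server.xml").read() on a Linux server.
    for finding in audit_accept_count(SAMPLE_SERVER_XML):
        print(finding)
```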

How do I enable debug logs on Windows 2003, Windows XP, and Windows Vista devices?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

How do I enable the CASA debug logs?

Action: To enable the logs, see TID 3418069 in the Novell Support Knowledgebase.

Unable to log into the ZENworks Server when logging in to a Windows Vista device

Explanation: If you log into a Windows Vista device that has Novell SecureLogin installed and Active Directory configured as the user source, you are not automatically logged in to the ZENworks server.
Action: Do the following:
  1. Open the Registry Editor.

  2. Go to HKLM\Software\Protocom\SecureLogin\.

  3. Create a DWORD called ForceHKLMandNoDPAPI, and set the value to 1.

  4. Restart the device.

The settings assigned to an eDirectory user are not applied on the device where the user has logged in

Possible Cause: Two or more eDirectory users with the same username and password might exist in different contexts of the eDirectory tree.
Explanation: When an eDirectory user specifies the username and password to log in to a device, a user with the same username and password but located in a different context of the eDirectory tree might be logged in to the device and the settings of this user are applied on the device. This is because the login GINA is contextless.

For example: Assume that user1 and user2 have the same username and password:

User1: CN = bob, OU = org1, O = Company1 (bob.org1.company1)

User2: CN = bob, OU = org2, O = Company1 (bob.org2.company1)

When user2 specifies the username and password to log in to a device, user1 is logged in to the device instead of user2 because user1 appears first in the search performed by Novell CASA. The settings assigned to user1 are applied on the device.

Action: No two eDirectory users should have the same username and password. Even if the usernames are the same, ensure that the passwords are different.
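To find the accounts this applies to, the following added example (not part of the original documentation) groups user DNs by CN and lists every CN that exists in more than one context, using the dotted form shown above. The DN list is constructed sample input standing in for an export of user objects; passwords cannot be compared this way, so each reported account still needs a distinct password.

```python
from collections import defaultdict

# Constructed sample DNs, standing in for an export of eDirectory user objects.
SAMPLE_DNS = [
    "cn=bob,ou=org1,o=Company1",
    "cn=Bob,ou=org2,o=Company1",
    "cn=alice,ou=org1,o=Company1",
    r"cn=smith\, jo,ou=org2,o=Company1",   # escaped comma inside the CN
]

def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def dotted_name(dn):
    """Return (cn, 'cn.ou.o') in lower case, or None if the DN does not start with CN."""
    rdns = [rdn.partition("=") for rdn in split_dn(dn)]
    if not rdns or rdns[0][0].strip().lower() != "cn":
        return None
    values = [value.strip().lower() for _, _, value in rdns]
    return values[0], ".".join(values)

def ambiguous_logins(dns):
    """Map each CN found in more than one context to its dotted object names."""
    by_cn = defaultdict(set)
    for dn in dns:
        named = dotted_name(dn)
        if named:
            by_cn[named[0]].add(named[1])
    return {cn: sorted(objs) for cn, objs in by_cn.items() if len(objs) > 1}

if __name__ == "__main__":
    for cn, objs in ambiguous_logins(SAMPLE_DNS).items():
        print(f"{cn}: {', '.join(objs)}")
```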

The ZENworks login screen is not displayed on a device if Novell Client has been uninstalled from the device

Explanation: If you uninstall the Novell Client 2 for Windows Vista/2008 (IR1a) from a device, the ZENworks login screen is not displayed on the device when you log in to the device.
Action: To log in to ZENworks Configuration Management, right-click the ZENworks icon on the device, then click Login.

A DSfW user is unable to use Kerberos authentication to log into a device

Explanation: If a DSfW user created through iManager or ConsoleOne chooses to use Kerberos authentication to log in to a device, the authentication fails.
Action: Modify the user to set the value of the UserPrincipalName attribute in the standard domain username format (for example, user@domain.com) and then log in to the device again.

or

Use Microsoft Management Console (MMC) for creating DSfW users because the value of the user’s UserPrincipalName attribute is set by default.

Unable to create a keytab file for a DSfW server

Explanation: During the creation of a keytab file for DSfW server, you might encounter the following error:

Unable to find the user in the specified domain

Action: Do the following:
  1. Run the following command to ensure that the DSfW services are running properly:

    xadcntrl status

  2. (Conditional) If the DSfW services are not running properly, run the following command to restart the DSfW services:

    xadcntrl reload

  3. Run the following command to create the keytab file again:

    ktpass /princ host/atsserver.myserver.com@MYSERVER.COM -pass atsserver_password -mapuser domain\atsserver -out atsserver.keytab -mapOp set -ptype KRB5_NT_PRINCIPAL

Seamless Authentication fails on a Windows XP virtual device

Explanation: If you install the ZENworks Agent on a Windows XP virtual device that is provisioned in a VMware View Persona Management (VDI environment), then seamless login to ZENworks fails on the device.
Action: Use the ZENworks icon to log in to ZENworks.

Unable to seamlessly log in to Novell SecureLogin on a device that has Novell ZENworks installed

Explanation: Novell SecureLogin starts seamlessly after a device desktop opens only if you have used the LDAP Credential Manager mode during the installation of Novell SecureLogin on the device. For more information about the LDAP Server options available during the installation of Novell Secure Login, see the Novell SecureLogin Installation Guide at the Novell Documentation site.

On a device that has ZENworks installed, if Novell SecureLogin does not start seamlessly after the device desktop opens, the authentication registry keys might not be properly set on the device.

Action: Do the following to set the authentication registry keys on the device:
  1. Open the Registry Editor.

  2. Go to HKLM\SOFTWARE\Novell\NWGINA\.

  3. Create a DWORD called PassiveMode and set its value to 1.

  4. Ensure that HKLM\Software\Novell\Login\LDAP\GinaLoginDone is set to 0.

  5. Log in to the device again.

ZENworks login fails for eDirectory users having simple passwords

Explanation: If an eDirectory user has two passwords, an NDS password and a simple password, changing the password changes only the NDS password, and the login fails.
Action: Do not configure simple passwords while creating users.

Disabling the ZENworks Credential Provider on a Device

Explanation: The ZENworks Credential Provider filters the Windows Password Credential Provider. When you install the ZENworks Agent on a device running Windows Vista or later, or Windows 2008 Server or later, that has third-party products with Credential Providers installed, multiple user tiles are displayed.
Action: To suppress multiple user tiles, create the following registry key on the agent:
  1. Open the Registry Editor.

  2. Go to HKLM\SOFTWARE\Novell\ZCM\ZenLgn.

  3. Create a DWORD called DisableZENCredentialProvider and set its value to 1.

  4. Restart the device and log in.

IMPORTANT: If you enable the HKLM\SOFTWARE\Novell\ZCM\ZenLgn registry key, you cannot manage Dynamic Local User, Roaming Profile, and Windows Group policies through ZENworks.

Unable to log in to ZENworks

Explanation: Commands from the Network Credential Manager are handled by the Windows Multiple Provider Notification application. If this application is replaced with a third-party notification application that cannot process these commands, the Network Credential Manager fails to function and you will be unable to log in to ZENworks.

DLU with smart card uses PIN for Windows user account

Source: ZENworks Configuration Management; Policy Management; Windows Configuration Policy.
Explanation: The DLU policy with user source credentials and ZENworks smart card login uses the smart card PIN as the password for the Windows local user account. In this case, the PIN might not meet the Windows password complexity requirements.
Action: Configure a Universal Password policy for the eDirectory user and create a universal password for the user. This universal password will be used for the DLU account.

Passive login not working on Windows 10 1803 or later with ZENworks Credential Manager

Explanation: When any third-party credential provider has been installed along with the ZENworks Agent on Windows 10 version 1803 or later devices, the ZENworks passive login does not work. This issue occurs even for scenarios in which the ZENworks Credential Provider is disabled using the registry key and the ZENworks user login is enabled through ZENworks Credential Manager. Microsoft has confirmed that this issue exists on Windows 10 version 1803 or later devices.
Action: Until you apply the Microsoft fix, you can use the EnableCredManForceLogin registry key. For more information on this registry key, refer to EnableCredManForceLogin in the ZENworks Registry Keys Reference.

The following links include the fixes provided by Microsoft:

NOTE: After the devices are updated with the Microsoft fix, it is recommended to delete the EnableCredManForceLogin registry key or set the value to False to prevent duplicate user login attempts into ZENworks.

User Authentication fails when LDAP is not configured with SSL

Explanation: When Active Directory servers have the LDAP channel binding fixes from Microsoft, ZENworks user authentication fails for all LDAP servers that are not configured with SSL within ZENworks. For more information, see 2020 LDAP channel binding and LDAP signing requirements for Windows.
Action: Enable SSL for LDAP within ZENworks. For information on how to enable SSL, see Section 2.1, Adding User Sources.