-1680 Error returned to client using an NMAS Login Method

  • 3218625
  • 06-Sep-2007
  • 26-Apr-2012


Novell Modular Authentication Service (NMAS)
Novell Client for Windows 2000/XP/2003 4.91


Workstation Clients using a locally installed NMAS Login Client Method, e.g. the PCProx method, get a -1680 error when attempting to login.


If any login sequence authorization values are present on the user object, the user's container object, or the user's partition root container, and the desired login method is not listed at the first location that contains any of the login sequence authorization attributes, then the login attempt will fail with a -1680 error.

If all login methods are desired to be authorized, which is the default scenario, then any existing sasAuthorizedLoginSequences attribute values in the tree, particularly in the search path of user, container, partition root, then Login Policy object should be deleted.

In one case after newly installing the PCProx functionality in a tree, all users were failing with the -1680 error. They found that there were old sasAuthorizedLoginSequence attribute values for no longer used methods on the Users Container. After removing the sasAuthorizedLoginSequences attribute from the Users container, users could successfully log in with the PCProx method.

Additional Information

In iManager, from the NMAS role using the NMAS Login Sequences task, you can see all the available login sequences. By default, all login sequences are Authorized, and you should see a green check mark listed in the last column of the display there. Individual login sequences can be disabled or enabled here, and this then applies to the entire tree, as this modifies the attribute sasAuthorizedLoginSequences on the Login Policy object in the Security container. Finer grained control than just applying this authorization to the whole tree is also available, in a hierarchal method, just like looking for a password policy. From the User object modification screen, there is an NMAS tab with a Login Sequences function that shows the exact same information. Modifying the information on the user, sets the authorized login sequences only for a specific user. This same screen is available for container objects too, and if modified there will apply to all objects in the container where the change is made. If the container is a partition root, then it applies to all user objects in the whole partition.

The full search path NMAS will scan when looking for the sasAuthorizedLoginSequences attribute is first the User object, then the User Object Container, then the Partition Root container for the user, and finally, the Login Policy object in the security container. If NMAS doesn't find the attribute at the lower levels, it will continue searching to the Login Policy object. If it doesn't find one there, the default is that all Login Sequences are authorized.