First login for any domain user fails to login to ZCM agent passively

  • 3255358
  • 01-Apr-2008
  • 05-Nov-2012

Environment

Novell ZENworks 10 Configuration Management

Situation

Passive mode login fails for first login of any Active Directory Domain user when more than one user source is configured.
 
A second login screen for ZCM is displayed.
 
After a successful login via the ZENworks login UI, subsequent logins by the same user will also log in passively to the ZENworks agent.

In a multiple User Source configuration, moving from one User Source to another doesn't happen when DefaultRealm registry is changed.

Resolution

When more than one user source is enabled, by default the passive mode login does not search for multiple realms on first login attempt.  On subsequent attempts, the cached user is used so the login succeeds.
 
In version 10.0.3 or later, you can force the first login attempt to search through the realms by setting the following in the registry:
 
Create DWORD HKLM\Software\Novell\ZENworks\ZenLgn\EnableSeamlessLogin
 
Note:  in 10.3 and later, use HKLM\Software\Novell\ZCM\ZenLgn\EnableSeamlessLogin
 
If the value for EnableSeamlessLogin is 1, then seamless login will be enabled.  Otherwise it is disabled.
 
Note:  Setting this value can increase the login times since multiple realms will be searched.  If a default realm is known (for example per site) it can be set to speed up the login. 
 
In 10.2.2 and later only, you can create a String Value named 'DefaultRealm', with the default realm name as its Value data, under the following registry key:
 
HKLM\Software\Novell\Zenworks\ZenLgn
Example:
Value: DefaultRealm
Value Data: POLICY-TREE
 
Note:  in 10.3 and later, use HKLM\Software\Novell\ZCM\ZenLgn\DefaultRealm
 
Note:  For this situation, 'In a multiple User Source configuration, moving from one User Source to another doesn't happen when DefaultRealm registry is changed.', see ZENworks 11 SP2 User Source and Authentication Reference, 7.0 User Source Authentication, section 'Reducing Device Login Time by Specifying the Default User Source' (https://www.novell.com/documentation/zenworks11/zen11_sys_user_sources/data/bbtsocd.html):
 
'For successive logins, the cached user source takes precedence over the DefaultRealm setting. If you want to change the DefaultRealm setting and want it to take precedence over other user sources:
 
1.  Open the Registry Editor
 
2.  Go to HKLM/Software/Novell/ZCM/ZenLgn/History
 
3.  Delete CachedUserZenNames and RealmName registry keys.'
 
This action is required on each device.
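
The registry changes described in this Resolution can be applied per device with a script. The following PowerShell is an added example, not part of the original TID or of any Novell tooling; the script name in the usage comment, its parameters, and the assumption that the administrator supplies the installed agent version are hypothetical.

```powershell
# Added example, not Novell's own script. Run elevated on the managed device.
# Assumption: the administrator passes the installed agent version; the
# script does not detect it. POLICY-TREE is the article's sample realm name.
# Usage (hypothetical file name):
#   .\Set-ZenSeamlessLogin.ps1 -AgentVersion '10.3.0' -DefaultRealm 'POLICY-TREE' -ClearCachedUserSource
param(
    [Parameter(Mandatory = $true)][version]$AgentVersion,
    [string]$DefaultRealm,
    [switch]$ClearCachedUserSource
)

# Validate the version limits stated in the article before changing anything.
if ($AgentVersion -lt [version]'10.0.3') {
    throw 'EnableSeamlessLogin requires 10.0.3 or later.'
}
if ($DefaultRealm -and $AgentVersion -lt [version]'10.2.2') {
    throw 'DefaultRealm requires 10.2.2 or later.'
}

# 10.3 and later use the ZCM key; earlier versions use the ZENworks key.
$product = if ($AgentVersion -ge [version]'10.3') { 'ZCM' } else { 'ZENworks' }
$zenLgn  = "HKLM:\Software\Novell\$product\ZenLgn"
if (-not (Test-Path $zenLgn)) { New-Item -Path $zenLgn -Force | Out-Null }

# 1 = search every configured realm on the first passive login attempt.
New-ItemProperty -Path $zenLgn -Name EnableSeamlessLogin `
    -PropertyType DWord -Value 1 -Force | Out-Null

# A known default realm (for example per site) is set to speed up the login.
if ($DefaultRealm) {
    New-ItemProperty -Path $zenLgn -Name DefaultRealm `
        -PropertyType String -Value $DefaultRealm -Force | Out-Null
}

if ($ClearCachedUserSource) {
    # The cached user source takes precedence over DefaultRealm on successive
    # logins, so it is removed to let a changed DefaultRealm take effect.
    $history = Join-Path $zenLgn 'History'
    foreach ($name in 'CachedUserZenNames', 'RealmName') {
        # The article calls these "keys"; remove a value or a subkey of that name.
        Remove-ItemProperty -Path $history -Name $name -ErrorAction SilentlyContinue
        Remove-Item -Path (Join-Path $history $name) -Recurse -ErrorAction SilentlyContinue
    }
}

# Show the resulting configuration for verification.
Get-ItemProperty -Path $zenLgn | Select-Object EnableSeamlessLogin, DefaultRealm
```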

Additional Information

ERROR (from zenlgn.log):
ZENLGN [254-258] [14:58:20] bTryLoginWithoutPrompt is FALSE
ZENLGN [254-258] [14:58:20] Passive Login Failed: 0x0000001F

After the first login, the registry setting HKLM\Software\Novell\Zenworks\Zenlgn\History\CachedUserZenNames contains the user which has the cached username for subsequent logins to succeed passively.
 
Note:  In 10.2.2 and later:
 
If the default realm is not configured but EnableSeamlessLogin is set, then 'Seamless login' takes place as usual by iterating through all the configured realms.
If both are set but the login fails with the Default Realm for a user who is part of another realm, then an attempt will be made to log in to all other realms except the Default Realm.


For other TIDs relating to login issues, see TID 3273870 - Troubleshooting ZCM login problems