Contextless login fails with Citrix ICA client pass through

  • 3339514
  • 18-Sep-2007
  • 26-Apr-2012

Environment

Novell Client for Windows 2000/XP/2003 4.91 Support Pack 3 Login
Novell Client for Windows 2000/XP/2003 4.91 Support Pack 4 Login

Situation

KB 3048278, "LDAP Contextless Login in Terminal Services Environments", describes a Novell Client feature: the LDAP Contextless Login feature of the Novell Client for Windows now triggers the events needed to perform a contextless login lookup during an otherwise non-interactive TSClientAutoAdminLogon scenario.

However, the way this was implemented can cause a login failure in some scenarios. Specifically, when the Citrix ICA client's local credential pass-through (single sign-on) feature is used to connect to the Citrix server, users may be prompted with the following message:

LGNCXW32
LDAP Contextless Login: User not found after searching the Trees on the following LDAP server(s):
(followed by the DNS name or IP address of the server)

Selecting "OK" allows the login to proceed successfully.

Resolution

Apply an updated LgnCxW32.dll dated 08Sep2007 or later.

With this version, LDAP Contextless Login ignores any "Username:" field change when the string begins with a leading period (e.g. ".User.Context"). Because a leading period denotes that the object specification in the "Username:" field is to be used regardless of the "Context:" field contents, there is no point in running an LDAP Contextless Login lookup to determine new content for the "Context:" field.

Also, make sure that DSCAT contextless login has NOT been enabled.

Additional Information

This problem is caused by LDAP Contextless Login looking up, via LDAP, literally whatever is in the "Username:" field.

In the case of Citrix terminal services on XP/2003, the ICA client's SSO feature picks up and passes the entire eDirectory logon name by default. Entering a Fully Distinguished Name in the "Username:" field triggers a contextless logon lookup, which searches for the whole string as a user name and reports "User not found". LGNCXW32 should ignore the username if it starts with a dot, or if it contains a dot when 'Allow dots in username' isn't enabled.
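The following is an added example, not Novell's LgnCxW32 code, that models the decision rule described in the Resolution and Additional Information sections: when the "Username:" field should and should not trigger an LDAP Contextless Login lookup, and how the pre-fix behaviour (a literal lookup on whatever is in the field) produces the "User not found" prompt for an ICA client that passes ".User.Context". All function names, the `fixed_client` switch and the sample tree are assumptions made for illustration.

```python
# Added example (hypothetical helper names), not code from the Novell Client.
from typing import Dict, Optional, Tuple

# Constructed sample tree standing in for the LDAP search: CN -> context.
SAMPLE_TREE: Dict[str, str] = {"jsmith": "sales.acme", "mlee": "eng.acme"}

USER_NOT_FOUND = "LDAP Contextless Login: User not found after searching the Trees"


def parse_edirectory_name(username: str) -> Tuple[str, Optional[str]]:
    """Split an eDirectory name typed into the "Username:" field.

    A leading period marks a fully specified object (".User.Context"): the
    first component is the user, the remainder is its context. Names without
    a leading period are returned unchanged with no context.
    """
    if username.startswith("."):
        parts = username[1:].split(".")
        return parts[0], ".".join(parts[1:]) or None
    return username, None


def should_run_contextless_lookup(username: str, allow_dots_in_username: bool) -> bool:
    """Decide whether LDAP Contextless Login should search for this name.

    Per the TID: a leading period means the "Username:" field is authoritative
    regardless of "Context:", so a lookup is pointless. An embedded period is
    a context separator unless the client's 'Allow dots in username' option
    is enabled, so such names are also skipped when that option is off.
    """
    name = username.strip()
    if not name or name.startswith("."):
        return False
    if "." in name and not allow_dots_in_username:
        return False
    return True


def contextless_lookup(username: str, tree: Dict[str, str] = SAMPLE_TREE) -> Optional[str]:
    """Search the sample tree for a CN equal to the literal field contents."""
    return tree.get(username)


def resolve_context(username: str, allow_dots: bool, fixed_client: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (context, error) as the login dialog would see it.

    fixed_client=False models the behaviour the TID describes as broken: any
    change to "Username:" triggers a literal lookup, so an FDN such as
    ".jsmith.sales.acme" is searched as a CN, is not found, and the
    "User not found" prompt appears. fixed_client=True applies the rule from
    should_run_contextless_lookup and, for an FDN, reports the context that
    the name itself carries. A context of None means "leave Context: as-is".
    """
    if fixed_client and not should_run_contextless_lookup(username, allow_dots):
        _, context = parse_edirectory_name(username)
        return context, None
    found = contextless_lookup(username)
    if found is None:
        return None, USER_NOT_FOUND
    return found, None


if __name__ == "__main__":
    # The Citrix pass-through scenario from the TID: the ICA client sends the FDN.
    for fixed in (False, True):
        print("fixed client" if fixed else "old client",
              resolve_context(".jsmith.sales.acme", allow_dots=False, fixed_client=fixed))
```

With `fixed_client=False` the FDN is searched literally and the function returns the "User not found" error; with `fixed_client=True` the leading period short-circuits the lookup and the context carried in the name is used. The `allow_dots` branch shows why a name such as "j.smith" is also skipped unless 'Allow dots in username' is enabled.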

Workarounds:

1. If all of the ICA client workstations are configured to pass the eDirectory identity (e.g. ".User.Context" instead of "User"), one option is simply to turn off the LDAP Contextless Login feature. LDAP Contextless Login is triggered during TSClientAutoAdminLogon processing only when the feature is enabled.

2. If only some of the ICA client workstations are configured to pass the eDirectory identity, another possible workaround is to configure those workstations with the Citrix "SSOnCredentialType" configuration policy so that the Windows credentials ("User") are passed from the terminal client workstation instead of the eDirectory credentials (".User.Context").