Unable to change Universal Password from workstation with ZENworks/DLU installed

  • 3530122
  • 05-Feb-2007
  • 16-Mar-2012

Environment

Novell Modular Authentication Service version 2.3
Novell ZENworks with DLU enabled
Universal Password enabled

Situation

Per the NICI Administration Guide page 13:

The registry setting to "EnableUserProfileDirectory" is not created by the NICI install, so it is disabled. If set, existing NICI user files may need to be copied or moved to the new location. If the user profile directory is enabled, NICI does not set the ACLs on this directory. It relies on existing security properties (ACLs, inheritance, and ownership) of the user’s profile directory.Use this option very carefully as you may disclose all users’ NICI keys.

The way we look at this is, we rely on the filesystem of the native platform for security (in this case - Windows filesystem security). By enabling the "EnableUserProfileDirectory" registry settings, we are moving the NICI keys to a place on the file system that anyone can browse and view, which in turn means the users keys are not secured by the filesytem anymore.
Unable to change Universal Password from workstation with ZENworks/DLU installed
Internal error 0xFFFFFA27 reported when logging into NDS with NMAS enabled
Error -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27)

Resolution

Set the EnableUserProfileDirectory in the correct location in the registry, which is (HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI ). Be sure not to set it in (HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI (Shared) U.S/WorldWide (128 bit)\2.6.4

Additional Information

See KB 10091539 for additional information

Formerly known as TID 10091539
Formerly known as TID NOVL95769

Feedback service temporarily unavailable. For content questions or problems, please contact Support.