Environment
Novell Modular Authentication Service version 2.3
Novell ZENworks with DLU enabled
Universal Password enabled
Situation
Per the NICI Administration Guide page 13:
The registry setting to "EnableUserProfileDirectory" is not created by the NICI install, so it is disabled. If set, existing NICI user files may need to be copied or moved to the new location. If the user profile directory is enabled, NICI does not set the ACLs on this directory. It relies on existing security properties (ACLs, inheritance, and ownership) of the user’s profile directory. Use this option very carefully as you may disclose all users’ NICI keys.
Our view is that NICI relies on the file system of the native platform for security (in this case, Windows file system security). Enabling the "EnableUserProfileDirectory" registry setting moves the NICI keys to a place on the file system that anyone can browse and view, which in turn means the users' keys are no longer secured by the file system.
Unable to change Universal Password from workstation with ZENworks/DLU installed
Internal error 0xFFFFFA27 reported when logging into NDS with NMAS enabled
Error -1497: CCS_E_AUTHENTICATION_FAILURE (0xFFFFFA27)
Resolution
Set EnableUserProfileDirectory in the correct location in the registry, which is HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI. Be sure not to set it in HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NICI (Shared) U.S/WorldWide (128 bit)\2.6.4.
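The following PowerShell audit is an added example, not Novell's code: it reports which of the two keys named above carries EnableUserProfileDirectory and, when the option is set in the correct key, lists user profile directories whose ACLs grant access to broad groups, since NICI relies on those ACLs. The list of broad SIDs and the use of Win32_UserProfile to enumerate profiles are assumptions; the key paths and value name are taken from this document.

```powershell
# Added example: audit sketch, not Novell code.
$valueName  = 'EnableUserProfileDirectory'
# Subkeys of HKEY_LOCAL_MACHINE exactly as named in the Resolution.
$correctKey = 'SOFTWARE\Novell\NICI'
$wrongKey   = 'SOFTWARE\Novell\NICI (Shared) U.S/WorldWide (128 bit)\2.6.4'

function Get-NiciValue {
    param([string]$SubKey, [string]$Name)
    # OpenSubKey treats "/" as a literal character; the HKLM:\ provider would split the key name on it.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    $present = $false; $data = $null
    if ($null -ne $key) {
        try {
            $present = $key.GetValueNames() -contains $Name
            if ($present) { $data = $key.GetValue($Name) }
        } finally { $key.Close() }
    }
    # The value's data is reported as-is; this document only states that an absent value means disabled.
    [pscustomobject]@{ SubKey = $SubKey; KeyExists = ($null -ne $key); ValuePresent = $present; Data = $data }
}

$right = Get-NiciValue $correctKey $valueName
$wrong = Get-NiciValue $wrongKey $valueName
$right, $wrong | Format-Table -AutoSize
if ($wrong.ValuePresent) {
    Write-Warning "$valueName is set under the versioned key; the Resolution places it under HKLM\$correctKey."
}

# With the option set, NICI does not set ACLs itself and relies on the profile directory's ACLs.
# Assumption: these well-known SIDs are the broad principals worth flagging.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
if ($right.ValuePresent) {
    Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } | ForEach-Object {
        $path = $_.LocalPath
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip stale profile records
        $acl = Get-Acl -LiteralPath $path
        $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $broadSids -contains $_.IdentityReference.Value } |
            ForEach-Object {
                [pscustomobject]@{ Profile = $path; Sid = $_.IdentityReference.Value
                                   Rights = $_.FileSystemRights; Inherited = $_.IsInherited }
            }
    } | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every profile directory's ACL can be read; any row in the second table is a profile where other users could reach NICI key files.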
Additional Information
See KB 10091539 for additional information
Formerly known as TID 10091539
Formerly known as TID NOVL95769