Excluding Citrix users and published applications from SecureLogin

  • 7000437
  • 20-May-2008
  • 15-May-2012

Environment

NSL6.1
NSL7.x
NSL installed on the Citrix server

Situation

Single sign on (sso) is automatically enabled for all published applications when NSL is installed on Citrix
All users accessing a Citrix server where SecureLogin has been installed receive a "Setup" 
Users who are not in the SecureLogin group are prompted to establish a SecureLogin passphrase when launching a published application from a Citrix server where NSL is running

Resolution

Configure SecureLogin to interact with only certain published applications
Create duplicate published apps that include “Sllauncher.exe” in the command line (details below)
Assign users in the SecureLogin group to launch the sso enabled published applications

After installing the current version of NSL on the Citrix server, do the following:

1. On the Citrix server start regedit and go to
“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon”.

2. Double click on AppSetup entry and remove “, sllauncher.exe slwts.exe” (without quotes) from the value.

3. For each published application that requires single sign on service, create a separate published application as per normal, but this time add “sllauncher.exe” before the name of the application. SecureLogin will now behave as it did in releases before NSL6.1. Note: If “sllauncher.exe” is not in the Windows path, add the complete path to sllauncher before the name of the application (e.g. “C:\Program Files\Novell\SecureLogin\SLLauncher.exe”).

(Also note that in this solution, no switches are required to be specified after the application name, as they were in the previous versions).

Additional Information

Some background:
In NSL versions prior to 6.1 it was possible to pick and choose which applications were sso enabled.  Prior to NSL6.1, SLLauncher was placed in the run line of Citrix published applications.  With SLLauncher in the run line, in addition to launching the application, SLBroker was launched to provide single sign on capability.

With NSL6.1, it is no longer necessary to put SLLauncher in the run line of Citrix published applications.
Instead, with NSL 6.1, slnrmonitorserver.exe and slwts.exe watch for the launch of published applications and provide sso functionality when a published app is detected. One instance of slnrmonitorserver.exe will be launched per server, and one instance of slwts.exe will run for each attached user. These processes run for all published apps, and with these processes running SecureLogin will activate when ANY published app is launched.

Implication:  With the default installation of 6.1 it is not possible to have some published apps that are SSO enabled and others that are not. 
 
However with NSL6.1 HotFix4 or later it is possible to configure published applications “the old way” and thus pick and choose which published applications are SSO enabled.
NOTE:  We have seen problems with sllauncher.exe and slwts.exe being added back to the registry when a hot fix is installed.  This problem has been resolved with NSL6.1 Fix 12.
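
Steps 1 and 2 above, and the note about hot fixes adding the entries back, can be checked with a script. The following PowerShell is an added example, not Novell's code: it assumes AppSetup is a comma-separated string and that the entry reads as quoted in step 2, and the -Fix switch and function names are the example's own.

```powershell
# Added example (not from the article): audit the Winlogon AppSetup value on a
# Citrix server and, with -Fix, remove the SecureLogin entry named in step 2.
param([switch]$Fix)

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$name  = 'AppSetup'
$entry = 'sllauncher.exe slwts.exe'   # entry the article says to remove

function Get-Normalized([string]$s) {
    # Collapse runs of whitespace so "sllauncher.exe  slwts.exe" still matches.
    ($s -replace '\s+', ' ').Trim()
}

function Remove-AppSetupEntry([string]$Value, [string]$Entry) {
    # AppSetup is treated as a comma-separated list (assumption). Every other
    # entry is kept verbatim; -ne on strings is case-insensitive in PowerShell.
    $kept = @($Value -split ',' | Where-Object {
        (Get-Normalized $_) -ne (Get-Normalized $Entry)
    })
    $kept -join ','
}

# Fails loudly if the value does not exist or cannot be read.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction Stop).$name
$cleaned = Remove-AppSetupEntry -Value $current -Entry $entry

if ($cleaned -eq $current) {
    Write-Output "OK: '$entry' is not present in $name."
} elseif ($Fix) {
    # Print the old value first so it can be restored by hand if needed.
    Write-Output "Previous ${name}: $current"
    Set-ItemProperty -Path $key -Name $name -Value $cleaned
    Write-Output "Updated  ${name}: $cleaned"
} else {
    Write-Output "FOUND: '$entry' is present in $name."
    Write-Output "Current : $current"
    Write-Output "Proposed: $cleaned"
    Write-Output 'Re-run with -Fix from an elevated prompt to apply.'
}
```

Running it without -Fix after each hot fix installation shows whether the entry has returned without changing the registry.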