Environment
Novell SecureLogin 6.1 installed in an AD environment
Situation
Users who change their password through a Citrix session are prompted to enter their passphrase on the subsequent login.
Users are also prompted for their passphrase when they reset their own password with SecureLogin installed in LDAP mode connecting to Active Directory.
Resolution
Working as designed.
The entire process depends on slcredman. This component is a credential manager (a Windows network provider) that is registered with the operating system during SecureLogin installation. When a user logs in, it is notified via a call to NPLogonNotify and is passed that user's username and password. If the user's password was changed during the login process (a forced change due to password expiration), the user's old password is passed as well.
If a user changes their password after logging in (Ctrl+Alt+Del, then "Change Password"), slcredman is notified via a call to NPPasswordChangeNotify, and the user's old and new passwords are passed in.
When a user has just logged in, slcredman writes the username and password to the registry. When the user's password has changed, it also writes the old password to the registry and explicitly notifies the Broker (slbroker.exe) by setting an event. If the Broker is running at this time, it will already have created the event and will be ready to handle it. If the Broker is not running, the event does not exist and slcredman does not set it; in that case, when the Broker starts and reads the registry, it notices that a password change has occurred and handles it then.
Because slcredman does not apply in a published desktop scenario, the process above never detects the password change. Without the old and new passwords, SecureLogin cannot skip the passphrase step, so the user is prompted for the passphrase at the next login.
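The following PowerShell script is an added example (not Novell's code or part of the original article). It enumerates the network providers Windows has registered, which is the mechanism through which a component such as slcredman receives NPLogonNotify and NPPasswordChangeNotify, decodes the provider class bit that marks a credential manager, and reports whether a provider matching a name filter is registered with its DLL present. The default filter value 'slcredman' is an assumption taken from the component name in this article; the actual service and DLL names may differ in a given installation.

```powershell
# Added example: list registered Windows network providers and check whether
# one matching the SecureLogin credential manager is present on this host.
# The default filter 'slcredman' is an assumption based on the component name
# used in this article; adjust it if the registered service/DLL name differs.
param(
    [string]$ProviderNameFilter = 'slcredman'
)

# Windows calls providers in the order listed under ProviderOrder.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providerOrder = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder -split ','

$results = foreach ($name in $providerOrder.Trim()) {
    # Each provider's DLL and class are described under its service key.
    $npKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\NetworkProvider"
    $props = Get-ItemProperty -Path $npKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    # ProviderPath may contain environment variables such as %SystemRoot%.
    $dll = [Environment]::ExpandEnvironmentVariables([string]$props.ProviderPath)

    [pscustomobject]@{
        Provider            = $name
        DisplayName         = $props.Name
        ProviderPath        = $dll
        DllPresent          = [bool]($dll -and (Test-Path -LiteralPath $dll))
        # Class is a bitmask; 0x2 (WN_CREDENTIAL_CLASS) marks a credential
        # manager, which is the class that receives password-change notifications.
        IsCredentialManager = (([int]$props.Class) -band 0x2) -ne 0
    }
}

$results | Format-Table -AutoSize

$match = $results | Where-Object {
    $_.Provider -like "*$ProviderNameFilter*" -or $_.ProviderPath -like "*$ProviderNameFilter*"
}

if (-not $match) {
    Write-Warning "No network provider matching '$ProviderNameFilter' is registered on this host; logon and password-change notifications cannot reach it here."
} elseif (-not ($match.DllPresent -contains $true)) {
    Write-Warning "A provider matching '$ProviderNameFilter' is registered, but its DLL was not found on disk."
} elseif (-not ($match.IsCredentialManager -contains $true)) {
    Write-Warning "A provider matching '$ProviderNameFilter' is registered, but it is not flagged as a credential manager (Class bit 0x2)."
} else {
    Write-Output "A provider matching '$ProviderNameFilter' is registered as a credential manager and its DLL is present."
}
```

Run it on the machine where the user's interactive logon actually happens. For a published desktop that is the Citrix server hosting the session, not the user's endpoint; comparing the output from both hosts shows where the notification path described above exists and where it does not.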
Additional Information
This can also occur if the password is changed externally, for example via a password change portal or other password management software, because such changes do not go through the Windows logon or Ctrl+Alt+Del change path that notifies slcredman.