Novell Client Configuration for Passive Mode Login to Citrix Server

  • 7004647
  • 12-Oct-2009
  • 27-Apr-2012

Environment

Novell Client for Windows 2000/XP/2003 4.91 Support Pack 5 Login
Microsoft Windows 2008 Terminal Server
Citrix Presentation Server 4

Situation

This TID documents how to configure a Terminal Server so that when a remote user logs in, MSGINA is the primary GINA, and after the user completes the Windows account logon, the Novell Client automatically logs in as a pre-defined user, regardless of which user logged on to Windows interactively.

Resolution

Use the following registry configuration:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="CTXGINA.DLL"
"CtxGinaDLL"="NWGINA.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001

Next, set the pre-defined, LSA-encrypted (secure) user credentials by running PassiveModeAlternateCredentials.exe as described in the "Novell Client 4.91 Post-SP5 Login Files 5" readme.

Alternatively, clear-text (insecure) user credentials can be configured by setting "PassiveModeNDSLoginDefaultUsername" and "PassiveModeNDSLoginDefautPassword" as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginDefaultUsername"="<username>"
"PassiveModeNDSLoginDefautPassword"="<password>"

This configuration (specifically, support for a pre-defined username and password set via PassiveModeAlternateCredentials.exe or "PassiveModeNDSLoginDefaultUsername" and "PassiveModeNDSDefaultPassword") requires an updated NWGINA.dll dated 10Sept2009 or later. This support was first introduced in the "Novell Client 4.91 Post-SP5 Login Files 5" patch file, 491psp5_login_5.zip.

Additional Information

"GinaDLL" is set to "CTXGINA.DLL", so that Citrix's GINA wrapper runs before anything else.  "CTXGinaDLL" is set to "NWGINA.DLL", so that Citrix is calling through to Novell's GINA, giving NWGINA the opportunity to run.  "PassiveMode" is enabled so that instead of presenting the Novell Client logon UI, NWGINA.DLL will instead chain through to MSGINA.DLL, and MSGINA's logon UI will be the primary logon UI presented.

Enabling "PassiveModeNDSLogin" will cause Novell's NWGINA, upon return from a successful MSGINA-based logon, to attempt logging into eDirectory.

Finally, running PassiveModeAlternateCredentials.exe (or, alternatively, setting "PassiveModeNDSLoginDefaultUsername" and "PassiveModeNDSLoginDefautPassword") will allow you to "hard-code" a specific username and password for "PassiveModeNDSLogin" to always use /instead/ of the Windows username and password.  Users may therefore log in with unique Windows usernames, but the "PassiveModeNDSLogin" eDirectory login will use whatever credentials were hard-coded.

Note: If not using pre-defined credentials, NWGINA will perform the login using the Windows username and password, combined with the information from the default location profile (eDirectory tree name, context, etc.).

Note: TSClientAutoAdminLogon is not involved in this configuration, because "PassiveMode" is being used.  TSClientAutoAdminLogon is what would take the Windows username and password pre-supplied by a terminal connection and use it to perform an eDirectory login in addition to the Windows logon /when/ the Novell Client login UI is being used.  But because the Microsoft MSGINA logon UI is what's being used, no one is attempting to read or honor the TSClientAutoAdminLogon policy, nor does it apply to the situation.  The elements of TSClientAutoAdminLogon behavior are achieved by PassiveModeNDSLogin when PassiveMode is enabled. For more information on TSClientAutoAdminLogon, see KB 7002540, "How to pass user credentials from RDP client to NWGINA.DLL in a terminal server environment."
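
A check an administrator could run over an exported registry file to confirm the GINA chain described above and to flag the clear-text credential values. This is an added example, not part of the TID or of Novell's tooling. It assumes the export has already been decoded to text, it matches the credential value names by prefix and suffix because the password value name is spelled more than one way above, and the sample data is constructed.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
NWGINA = r"hkey_local_machine\software\novell\nwgina"
LOGIN = r"hkey_local_machine\software\novell\login"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse decoded .reg text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
            current[name] = data
    return keys

def audit(text):
    """Return findings for the GINA chain, passive mode and clear-text credentials."""
    reg = parse_reg(text)
    winlogon, nwgina, login = (reg.get(k, {}) for k in (WINLOGON, NWGINA, LOGIN))
    findings = []
    for name, want in (("ginadll", "ctxgina.dll"), ("ctxginadll", "nwgina.dll")):
        if str(winlogon.get(name, "")).lower() != want:
            findings.append(f"Winlogon {name} is not {want}")
    for vals, name in ((nwgina, "passivemode"), (login, "passivemodendslogin")):
        if vals.get(name) != 1:
            findings.append(f"{name} is not enabled")
    for name, data in login.items():  # report the value name only, never its data
        if name.startswith("passivemodends") and name.endswith(("username", "password")) and data:
            findings.append(f"clear-text credential value present: {name}")
    return findings

# Constructed sample export; the account name and password are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="CTXGINA.DLL"
"CtxGinaDLL"="NWGINA.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\NWGINA]
"PassiveMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login]
"PassiveModeNDSLogin"=dword:00000001
"PassiveModeNDSLoginDefaultUsername"="svc-example"
"PassiveModeNDSLoginDefautPassword"="constructed-not-real"
'''
```

An empty result from audit() means the chain and passive-mode values match the configuration above and no clear-text credential values are present, which is the expected state when the credentials were set with PassiveModeAlternateCredentials.exe.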