Environment
Novell SecureLogin
NSL3.x
NSL6.x
NSL7.x
NSL8.x
Situation
How do I permanently exclude (or include) certain executables from SecureLogin? For example, a virus scanner that is always running in Windows but for which we don't want SSO enabled.
Resolution
SecureLogin will watch the executables you publish as SSO enabled in the Directory. You publish them at the OU level (e.g. OU=Users) and all users in that OU automatically inherit them. This is how most organizations determine which applications are SSO enabled and which aren’t.
In addition, you can disable single sign on for a particular application using the exclude.ini file. This method should only be implemented if advised by experienced SecureLogin administrators/consultants.
It is possible to permanently include or exclude Windows executables using exclude.ini. This allows you to determine which executables SecureLogin will NEVER watch (even if an application definition is written and published), or which it will ONLY watch for.
To permanently exclude or include specific Windows applications from being watched by SSO, create an exclude.ini file in the SecureLogin directory. The exclude.ini file should contain a list of the application executables that you want to exclude. Even if a script is written for them, SSO will never watch these executables.
* An example of a simple exclude.ini file would be (these files would be appended to the hard coded list that SecureLogin never watches):
finance.exe
passwordtest.exe
sun32.exe
explorer.exe
virusscanner.exe
By default, SecureLogin will exclude the listed applications in the exclude.ini file.
If there are only a few applications that you want SSO enabled, type Include at the top of the file and then list the application executables that you want to include. Using this method, the hard coded list would still be excluded and the files listed after "Include" would be the ONLY files ever watched by SecureLogin (any other SSO enabled published applications would be ignored by SecureLogin). Example:
Include
secrem.exe
aurion.exe
A way of resetting the hard coded list so no executables are excluded by default is to type Nodefault at the top of the file and then Exclude the files you desire. Example:
Nodefault
Exclude
msdev.exe
explorer.exe
slbroker.exe
tlaunch.exe
slproto.exe
notes.exe
nswebsso.exe
nwadmn32.exe
nwadmnnt.exe
nwadmn95.exe
loginw95.exe
setup.exe
nwtray.exe
loginw32.exe
NOTE: If using notepad.exe to create or edit exclude.ini, make sure to save the file with encoding set to Unicode.
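The rules above, modelled as an added example for auditing an exclude.ini before deployment (this is not Novell's code or SecureLogin's own parser). It assumes that Notepad's "Unicode" option means UTF-16 LE with a byte-order mark, that executable names compare case-insensitively, and that keywords are honoured on any line; the function names are hypothetical.

```python
import codecs

# Hard-coded default exclusions, copied from "Additional Information" on this page.
DEFAULT_EXCLUDED = frozenset("""msdev.exe slbroker.exe tlaunch.exe slproto.exe
notes.exe nswebsso.exe nwadmn32.exe nwadmnnt.exe nwadmn95.exe loginw95.exe
setup.exe nwtray.exe loginw32.exe scrnlock.scr wfica32.exe mmc.exe
slwinsso.exe slmanager.exe sllock.scr""".split())


def parse_exclude_ini(raw: bytes) -> dict:
    """Model the exclude.ini rules described above; return the effective policy."""
    if not raw.startswith(codecs.BOM_UTF16_LE):
        # Assumption: Notepad's "Unicode" option writes UTF-16 LE with a BOM.
        raise ValueError("exclude.ini is not saved as Unicode (UTF-16 LE with BOM)")
    text = raw.decode("utf-16")  # the BOM selects little-endian and is stripped
    mode, defaults, names = "exclude", set(DEFAULT_EXCLUDED), set()
    for line in (l.strip().lower() for l in text.splitlines()):
        if not line:
            continue
        if line == "nodefault":
            defaults = set()      # reset the hard-coded list
        elif line in ("include", "exclude"):
            mode = line           # "exclude" is the default when no keyword is given
        else:
            names.add(line)
    return {"mode": mode, "defaults": defaults, "names": names}


def is_watched(policy: dict, exe: str) -> bool:
    """True if SSO may watch exe (a published definition is still required)."""
    exe = exe.lower()  # assumption: case-insensitive, like Windows file names
    if exe in policy["defaults"]:
        return False   # hard-coded exclusions win unless Nodefault reset them
    if policy["mode"] == "include":
        return exe in policy["names"]   # ONLY the listed files are watched
    return exe not in policy["names"]   # the listed files are NEVER watched


def encode(text: str) -> bytes:
    """Encode constructed sample text as Notepad's "Unicode" option would."""
    return codecs.BOM_UTF16_LE + text.encode("utf-16-le")


if __name__ == "__main__":
    sample = encode("Include\r\nsecrem.exe\r\naurion.exe\r\n")  # constructed sample
    policy = parse_exclude_ini(sample)
    for exe in ("secrem.exe", "finance.exe", "notes.exe"):
        print(exe, "watched" if is_watched(policy, exe) else "not watched")
```
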
Additional Information
* For optimal performance, the following executables are excluded from
SSO by default. They are hard coded and can be added back in using the
methods described in this document.
msdev.exe
slbroker.exe
tlaunch.exe
slproto.exe
notes.exe
nswebsso.exe
nwadmn32.exe
nwadmnnt.exe
nwadmn95.exe
loginw95.exe
setup.exe
nwtray.exe
loginw32.exe
scrnlock.scr
wfica32.exe
mmc.exe
slwinsso.exe
slmanager.exe
sllock.scr