NSL Smart Card behavior with expired certificates

  • 7009696
  • 04-Nov-2011
  • 26-Apr-2012

Environment

Novell SecureLogin 7.0 SP2 SmartCard

Situation

If the certificate revocation list (CRL) for the certificate used to log into Desktop Automation Services (DAS) has expired, NSL falls back to the general user account that was used to log into the workstation.

Shouldn't the login fail and return an error about the expired certificate revocation list?

Resolution

NSL supports smart cards with Active Directory (AD) in two modes:

1) Normal Mode (or non-Kiosk Mode), where the workstation user and the NSL user are the same [registry key NSLADAuth = 0]
2) Kiosk Mode, where the workstation user and the NSL user are different [registry key NSLADAuth = 1]

If the certificate has been revoked, the user cannot authenticate to the workstation with the smart card in either mode (Kiosk or non-Kiosk) and has to fall back to username/password authentication.

When a user certificate has been added to the certificate revocation list, the behavior is as follows:

1) Normal Mode - If the user tries to authenticate to the workstation with the smart card, the logon fails, since the certificate is no longer valid for authentication. The user can authenticate to the workstation by entering a username/password. Once logged into the workstation, the user inserts the smart card and launches NSL. NSL logs in as the workstation user.

2) Kiosk Mode - If the user tries to authenticate to the workstation with the smart card, the logon fails, since the certificate is no longer valid for authentication. The user authenticates to the workstation with a username/password instead, which succeeds. The user then inserts the required smart card (whose certificate has been revoked) and launches NSL. NSL displays its PinPrompt dialog and the user enters the PIN. The smart card authentication fails (the user certificate is on the revocation list), and NSL tries to load in offline mode if a cache is present; if there is no cache, it simply exits.

Why does SecureLogin launch in Normal Mode with a revoked certificate? Because in Normal Mode NSL reuses the already authenticated workstation session (the username/password logon), so no smart card authentication takes place and the NSL login succeeds. In Kiosk Mode, on the other hand, NSL tries to authenticate as a different user (not the workstation user); that requires authenticating with the smart card, and since the certificate is revoked, the authentication fails.
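The following PowerShell script is an added example, not part of this TID or of the SecureLogin product: it reports which of the two modes a workstation is configured for and checks whether the card's logon certificate is currently revoked (or expired), so the behavior described above can be predicted before a user reports it. The registry path HKLM:\SOFTWARE\Protocom\SecureLogin for the NSLADAuth value is an assumption and may differ between NSL builds; the script also assumes the card's certificate has been propagated into the user's personal certificate store.

```powershell
# Added example (not from the TID or from Novell): report the NSL smart-card mode and
# the revocation status of the inserted card's logon certificate.
# ASSUMPTION: NSLADAuth lives under HKLM:\SOFTWARE\Protocom\SecureLogin (adjust for your build).

$nslKey = 'HKLM:\SOFTWARE\Protocom\SecureLogin'   # assumed location of NSLADAuth
$adAuth = (Get-ItemProperty -Path $nslKey -Name NSLADAuth -ErrorAction SilentlyContinue).NSLADAuth
switch ($adAuth) {
    0       { $mode = 'Normal (non-Kiosk): NSL reuses the workstation session' }
    1       { $mode = 'Kiosk: NSL authenticates the card as a separate user' }
    default { $mode = 'NSLADAuth not set; NSL default applies' }
}
"NSLADAuth = $adAuth -> $mode"

# Smart Card Logon EKU OID; the card's logon certificate carries it.
$scLogonOid = '1.3.6.1.4.1.311.20.2.2'
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $scLogonOid }
if (-not $certs) {
    Write-Warning 'No smart-card logon certificate found in CurrentUser\My'
    return
}

foreach ($cert in $certs) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force an online revocation check of the whole chain instead of trusting a cached CRL.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $valid  = $chain.Build($cert)
    # Status flags of interest: Revoked, NotTimeValid (expired), RevocationStatusUnknown (CRL unreachable/expired)
    $status = $chain.ChainStatus | ForEach-Object { $_.Status }

    '{0}  NotAfter={1:yyyy-MM-dd}  chainValid={2}  status={3}' -f `
        $cert.Subject, $cert.NotAfter, $valid, ($status -join ',')

    if ($status -contains 'Revoked' -or $status -contains 'NotTimeValid') {
        if ($adAuth -eq 0) {
            'Expected: smart-card workstation logon fails; after a password logon NSL still starts as the workstation user.'
        } else {
            'Expected: NSL shows the PIN prompt, authentication fails, NSL loads the offline cache if present, otherwise exits.'
        }
    }
}
```

Run it as the logged-in user with the card inserted; the CRL distribution point must be reachable, otherwise the chain reports RevocationStatusUnknown rather than Revoked, which is the condition the Situation section describes.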

Additional Information

Documentation on Managing Smart Card Integration is located here.