NSL login fails and prompts for credentials on initial boot up

  • 7010973
  • 19-Oct-2012
  • 23-Oct-2012

Environment

Windows XP workstations
NetIQ SecureLogin
NSL7.x
Installed in LDAP Credential Manager mode with DoNTAssoc set (i.e. user credentials from the Windows login are passed to NSL for behind-the-scenes authentication)

Situation

Passthrough authentication from the Windows login fails and the user is prompted for SecureLogin authentication.
SecureLogin does not accept Windows credentials and fails to start seamlessly.
NSL fails to authenticate to the eDir / LDAP server and prompts the user for credentials.
The Microsoft logon notification components Winlogon.exe and MPNotify.exe do not notify SecureLogin's NLDAPAUT.DLL (or any other credential managers) that a successful Windows logon has occurred.
The problem only occurs on some workstations, and only on the first login of the day. The workstations were locked or otherwise left running the night before.
Rebooting before logging in prevents the problem from occurring.

Resolution

This is a bug in Microsoft XP. There is no direct resolution from Microsoft, but the following workarounds may improve the situation:

1. Reconfigure the "expensive" background task to run at a different time. (See "Cause" below.)
2. Reduce the scope of the background task so it does not monopolize system resources to a degree that it causes problems in Winlogon.
3. Exclude Winlogon from the background task activity.
4. Upgrade the computer to Windows Vista or Windows 7. This problem has not been seen on newer operating systems. Winlogon calls MpNotify.exe in the same way on newer operating systems, but changes in memory management prevent this problem from occurring on Windows Vista or newer.
5. Run "empty.exe winlogon.exe" as a scheduled task shortly before the user is expected to log in for the day. This frees the memory used by Winlogon and allows it to call MpNotify.

Cause

Normally Winlogon.exe would call MpNotify.exe, informing it that a successful Windows logon has occurred. MpNotify.exe would then pass that notification to all registered credential managers, including SecureLogin's NLDAPAut.dll. In this case that notification is not occurring. A background process has taken significant system resources and monopolized system memory such that Winlogon is not able to start MpNotify.exe. This background process might be a full software inventory scan, a system scan by the virus scanner, or something similar. Since MpNotify.exe cannot be started, all components that depend on the logon notification (e.g. nldapaut.dll) encounter problems.

Additional Information

Use perfmon to see what is interfering with Winlogon.exe.  Configure perfmon logging as follows:
1. Click on Start -> Run and type ‘perfmon’
2. Expand ‘Performance logs and alerts’. Click and highlight ‘Counter Logs’.
3. Right click on ‘Counter Logs’ and choose ‘New Log Settings’
4. Type in a name for the log and click ‘OK’
5. Click on the button that reads ‘Add Objects’ in the following window
6. Choose the following ‘Objects’:
   • Memory
   • Network Interface
   • Paging File
   • Physical Disk
   • Process
   • Processor
   • Redirector
   • Server
   • Server work queues
   • System
7. Click the ‘Close’ button after adding all the objects.
8. Set the interval to 5 seconds.
9. Click on the ‘Log Files’ tab across the top of the window.
10. Choose ‘Binary Circular File’ in the drop-down menu. Click on the ‘Configure’ button. Set the maximum limit to 250 MB. Also choose an appropriate location to save the log file, ensuring that there is enough free space.
11. Click on the ‘Schedule’ tab and choose the ‘Manually’ option under ‘Start Log’.
12. Now right click on the log that you created and choose ‘Start’ to start logging information.
13. Capture the perfmon log for about 30-40 minutes at the time the problem occurs so that valid information will be captured regarding the issue.
You might need help from Microsoft to read the logs.

In this case perfmon indicated that naPrdMgr.exe and VsTskmgr.exe were interfering with Winlogon. NaPrdMgr and VsTskmgr are both McAfee files.
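
As a first pass over the captured log, the following added example (not part of the original article or of any NetIQ tool) finds the sample where available memory was lowest and lists the processes holding the largest working sets at that moment. It assumes the binary log has been converted to CSV (for example with relog) and that the Memory and Process objects were logged as in the steps above; the host name, timestamps and values in the sample are constructed.

```python
import csv
import io
import re

# Constructed sample in PDH-CSV layout; host, timestamps and values are made up.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\WS01\Process(winlogon)\Working Set","\\WS01\Process(naPrdMgr)\Working Set","\\WS01\Process(VsTskmgr)\Working Set","\\WS01\Process(_Total)\Working Set","\\WS01\Memory\Available MBytes"
"01/02/2012 06:00:00.000","5242880","20971520","15728640","400000000","310"
"01/02/2012 06:00:05.000","5242880","157286400","104857600","480000000","42"
"01/02/2012 06:00:10.000","1048576","209715200","125829120","500000000","6"
"01/02/2012 06:00:15.000"," ","41943040","31457280","420000000","120"
'''

# Column headers look like \\HOST\Process(instance)\Counter
PROC_RE = re.compile(r"^\\\\[^\\]+\\Process\((.+)\)\\(.+)$")
AVAIL_SUFFIX = r"\Memory\Available MBytes"


def low_memory_snapshot(csv_text, top=3):
    """Return (timestamp, available_mb, [(process, working_set_bytes), ...])
    for the sample with the least available memory."""
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    header, samples = rows[0], rows[1:]
    avail_col = next(i for i, h in enumerate(header) if h.endswith(AVAIL_SUFFIX))

    # Map column index -> process instance, skipping the aggregate instances.
    proc_cols = {}
    for i, h in enumerate(header):
        m = PROC_RE.match(h)
        if m and m.group(2) == "Working Set" and m.group(1) not in ("_Total", "Idle"):
            proc_cols[i] = m.group(1)

    # A blank field means the counter had no value for that sample.
    valid = [r for r in samples if r[avail_col].strip()]
    worst = min(valid, key=lambda r: float(r[avail_col]))
    ranked = sorted(
        ((float(worst[i].strip() or 0), name) for i, name in proc_cols.items()),
        reverse=True,
    )
    return worst[0], float(worst[avail_col]), [(n, int(ws)) for ws, n in ranked[:top]]


if __name__ == "__main__":
    ts, avail, holders = low_memory_snapshot(SAMPLE_CSV)
    print(f"Lowest available memory: {avail:.0f} MB at {ts}")
    for name, ws in holders:
        print(f"  {name:<12} {ws / 1048576:8.1f} MB working set")
```

Compare the timestamp it reports with the time of the failed logon; a Winlogon working set that shrinks while another process grows matches the cause described above.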