SecureLogin returns PIN instead of Universal Password

  • 7011524
  • 17-Dec-2012
  • 17-Dec-2012

Environment

NetIQ SecureLogin
NSL7.0.3
Novell Enhanced Smart Card Method
NESCM
 

Situation

SecureLogin does not provide the network password for NESCM users.
When a user logs in with a smart card, ?Syspassword shows the PIN instead of the Universal Password.
Log files show the API NMAS_C32PwdStatus failing and returning "NMAS_E_ACCESS_NOT_ALLOWED".
The problem only occurs if "Allow user to initiate password change" is disabled in the password policy settings.

Resolution

1. Verify that universal password has been enabled for the users, and
2. In the password policy settings, set "Allow user to initiate password change" to "enabled".

Additional Information

If the user has logged in with a smart card and SecureLogin is configured to use network credentials when logging in to an application, SecureLogin uses the NMAS_C32PwdStatus API to read the universal password. The NMAS_C32PwdStatus API is used both to read and to change the universal password. Novell does not have separate APIs for reading the password versus changing it. If users are not allowed to change their password, they are also not allowed to read it. This is working as designed.