Unable to login as local user with CLE installed

  • 7022935
  • 08-May-2018
  • 10-May-2018

Environment

Client Login Extension
CLE 4.x
SSPR Client (CLE) installed on workstation 

Situation

Error when trying to log in as a local user on a workstation with the SSPR client (CLE) installed:
LogonUser returned error - [1385] "Logon failure: the user has not been granted the requested logon type at this computer."
Problem occurs for members of a particular group (in this case the "administrators" group).
Users who are not part of the group authenticate without error. 
Group policy (GPO) prohibits network logons for members of the affected group.


Resolution

Install CLE without SSPR integration. To do this, open the CLE configuration utility, deselect the option for "SSPR Configurations," then install the resulting MSI. If SSPR integration is required, it can be enabled by pushing out the registry settings shown in the "Additional Information" section below.

Note that the basic forgotten password functionality of CLE does not require SSPR integration.  Integrating CLE with SSPR by enabling "SSPR Configurations"  in the installation allows CLE to make REST calls to the SSPR server that can do the following:
1. Force User for C/R responses
2. Password expiration warning
3. CTRL+ALT+DEL change password
4. Emergency Access


 

Cause

When configured for CLE integration, CLE provides the option to change the password in the CLE restricted browser for the "Expired Password" or "Must Change Password" scenarios. To know whether the entered password needs to be changed, CLE calls the LogonUser function with the LOGON32_LOGON_NETWORK flag. This allows CLE to log in to the directory and check the status of the password for the logged-on user. In this case a GPO was in place preventing a network logon for administrative users, so that call failed.

Note that the customer had selected the option to "Enable SSPR Configurations" in the CLE configuration utility, but was not using any of the SSPR integration options.
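The following diagnostic is an added example, not code from the vendor or from this article. It checks the two conditions described above on an affected workstation: whether SSPR integration is enabled (the EnableIntegration registry value listed under "Additional Information") and which principals the effective policy denies or grants the network logon right. It assumes an elevated PowerShell session; the user right names SeDenyNetworkLogonRight and SeNetworkLogonRight are the standard Windows constants and are not named in the article.

```powershell
# Added diagnostic example (not vendor code). Run from an elevated PowerShell session.

function Get-CleIntegrationState {
    # Registry key and value name are the ones listed in this article.
    $key = 'HKLM:\SOFTWARE\Novell\MsPssGina'
    $val = (Get-ItemProperty -Path $key -Name EnableIntegration -ErrorAction SilentlyContinue).EnableIntegration
    return ($val -eq 1)
}

function Get-UserRightAssignment {
    param([Parameter(Mandatory)][string]$Right)
    $cfg = Join-Path $env:TEMP ("userrights_{0}.inf" -f [guid]::NewGuid())
    try {
        # /mergedpolicy includes domain GPO settings as well as local policy.
        secedit.exe /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS | Out-Null
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
        if (-not $line) { return }          # right is not assigned to anyone
        foreach ($entry in ($line -split '=', 2)[1].Split(',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # Entries prefixed with '*' are SIDs; resolve them to names where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $sid.Value }
            } else { $entry }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

$integration = Get-CleIntegrationState
$denied  = @(Get-UserRightAssignment -Right 'SeDenyNetworkLogonRight')
$allowed = @(Get-UserRightAssignment -Right 'SeNetworkLogonRight')

"SSPR integration enabled (EnableIntegration = 1): $integration"
"Denied network logon : $($denied -join ', ')"
"Allowed network logon: $($allowed -join ', ')"
if ($integration -and $denied.Count -gt 0) {
    "Members of the denied principals can expect error 1385 from CLE's LOGON32_LOGON_NETWORK check."
}
```

If the affected group appears in the denied list while integration is enabled, the workstation matches the situation described in this article.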

Status

Reported to Engineering

Additional Information

To enable SSPR integration features directly through the registry, push out the following settings:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\MsPssGina\EnableIntegration = 1  --> [Enables SSPR integration]
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\MsPssGina\EmergencyAccess = 1  --> [Enables Emergency Access]
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\RestrictedBrowser\ForceUserEnrollment = 1  -->  [Enables Force Enrollment]
HKEY_LOCAL_MACHINE\SOFTWARE\Novell\MsPssGina\SASChangePassword = 0  --> [Enables Change password through SSPR when Ctrl+Alt+Del is pressed]