Failing to transparently login to Windows NT/2000 when NT username is blank and full distinguished NDS user object is specified for NDS username.
(Last modified: 31May2002)
This document (10060720) is provided subject to the disclaimer at the end of this document.
fact
Novell Client 4.8 for Windows NT/2000
Novell Client 4.71 for Windows NT/2000
Novell Client 4.6 for Windows NT
symptom
Failing to transparently login to Windows NT/2000 when NT username is blank and full distinguished NDS user object is specified for NDS username.
Failing to log users on to the NT domain when a full distinguished NDS user object name is specified in the Novell client login name field.
Users are prompted to enter domain username after logging into NDS.
cause
When the NT username field on the login dialog is blank, the contents of the primary "Username" field are mirrored into the NT username field as the user types. If the user is specifying a full distinguished NDS user object name (e.g. ".username.context.context") AND started with the NT/2000 username field blank, the ".username.context.context" gets mirrored into the NT/2000 username and will typically fail when authenticating the user to Windows NT/2000.
fix
This issue is addressed by LOGINW32.DLL build 16JUL2001 or later for the Novell Client 4.80.SP3 for Windows NT/2000. The LOGINW32.DLL 16JUL2001 build can be obtained as a beta field test file as 268144.EXE from the Novell Support Connection File Finder. This updated behavior will be included in the next release of the Novell Client for Windows NT/2000, if and when available.
With the updated LOGINW32.DLL build, by default if the NT/2000 tab "Username" field is initially blank, only the "common name" portion of any username typed into the primary "Username" field will be mirrored into the NT/2000 tab "Username" field. For example, regardless of whether "JDoe", ".JDoe.MyCompany" or ".CN=JDoe.O=MyCompany" are typed in for the NDS username, only "JDoe" will be mirrored into NT/2000 "Username" field.
Note that information typed into the NT/2000 "Username" field directly is not subject to this same rule; any username typed directly into the NT/2000 "Username" field will be accepted and will not be truncated or modified. (Unless, after entering the name into the NT/2000 "Username" field, the user again modifies the primary "Username" field, at which point the value will be mirrored from the primary "Username" field again.)
If for any reason this default behavior is NOT desired (i.e. when "JDoe.MyCompany" is typed into the primary "Username" field, "JDoe.MyCompany" needs to be mirrored into the NT/2000 "Username" field), setting the following registry value will stop the parsing of the common name from the primary "Username" field value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\Tab Settings\NT Credentials]
"DisableCommonNameParse"=dword:00000001
Other recommendations for working around the issue without applying the updated LOGINW32.DLL:
To account for how the Novell login dialog automatically mirrors the username when one or the other of the username fields is blank, and for the fact that a user can choose to enter a full distinguished NDS user object name when logging in, one of the following approaches or workarounds would have to be used:
- Inform users that the failure to log in to NT/2000 can be prevented by selecting their context from the Advanced section of the NDS login dialog; the username they then specify in the "Username" field (e.g. simply "username" instead of ".username.context.context") works for both the NDS user login and the NT/2000 user login. Note this doesn't necessarily mean the user has to browse for their context either; once a particular context has been used on the login dialog before, it can be accessed by dropping down the list of recently used contexts.
- Do not leave the NT/2000 username section of the location profile blank if the user needs to type in a full distinguished NDS user object specification. Since the NT/2000 username will not be blank, the NDS user name entered by the user will not be mirrored into the NT/2000 username field.
- Instruct the users to correct the NT/2000 username to simply "username" when the NT/2000 login prompt re-appears because ".username.context.context" failed for the NT/2000 login.
Background:
When the NT/2000 username field on the Novell login dialog is blank, the contents of the primary "Username" field are mirrored into the NT/2000 username field as the user types. If instead of changing the NDS context on the login dialog the user types a distinguished NDS user object name (e.g. ".username.context.context") then the literal ".username.context.context" gets mirrored into the NT username field. In the case that ".username.context.context" is a valid NDS user object but ".username.context.context" is not a valid NT username (because the user really intended to login as "username" to NT), the workstation will fail to login to NT and will re-prompt the user for NT credentials, at which point the user will have to remove the context from the name manually.
Note that dots are not illegal characters for the NT username. There was nothing about the username form present on the NT/2000 username field (as a result of mirroring what was being typed into the primary "Username" field) which should have been automatically rejected or presumed to be invalid. Rejecting or stripping off what "appears" to be a context from an NT username would also result in login failures for those who have NT usernames containing dot characters.
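The mirroring behaviour described under "fix" and "Background", modelled as an added example; this is not Novell's code, and the actual parser inside LOGINW32.DLL is not shown in this document. The names `common_name` and `LoginDialog` are hypothetical, and the parsing is an assumption chosen to reproduce the three documented name forms.

```python
# Added illustration of the documented mirroring rule; not Novell's code.
# How LOGINW32.DLL really parses names is not stated in the document, so
# common_name() is an assumption that matches the three documented examples.


def common_name(nds_name: str) -> str:
    """Return the common-name portion of a typeless or typeful NDS name."""
    name = nds_name.strip()
    if name.startswith("."):           # leading dot marks a distinguished name
        name = name[1:]
    first = name.split(".", 1)[0]      # leftmost component is the user object
    if "=" in first:                   # typeful form such as CN=JDoe
        first = first.split("=", 1)[1]
    return first


class LoginDialog:
    """Hypothetical model of the two "Username" fields on the login dialog."""

    def __init__(self, nt_username: str = "",
                 disable_common_name_parse: bool = False):
        self.nds_username = ""
        self.nt_username = nt_username
        # Mirroring only applies when the NT/2000 field starts out blank.
        self.mirroring = nt_username == ""
        # True models DisableCommonNameParse=1, which mirrors the literal
        # text, as the Background section describes for the original builds.
        self.disable_parse = disable_common_name_parse

    def type_primary(self, text: str) -> None:
        """User edits the primary "Username" field."""
        self.nds_username = text
        if self.mirroring:
            self.nt_username = text if self.disable_parse else common_name(text)

    def type_nt(self, text: str) -> None:
        """User edits the NT/2000 field directly: accepted unmodified,
        so an NT username that contains dots is never stripped."""
        self.nt_username = text
```
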
document
Document Title: Failing to transparently login to Windows NT/2000 when NT username is blank and full distinguished NDS user object is specified for NDS username.
Document ID: 10060720
Solution ID: NOVL40914
Creation Date: 26Feb2001
Modified Date: 31May2002
Novell Product Class: NetWare
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.