Connecting the world…

novell

Juniper SA & Terminal Server with Novell Client SSO

Normally configuring SSO on a Terminal Server in conjunction with a Juniper SA isn’t that hard. On the Juniper you pass the user credentials to the Terminal Server. On a normal Terminal Server you have to check the following:

Disable Always prompt for password under:

Terminal Services Configuration –> Connections –> Properties of RDP-tcp –> Tabblad Logon Settings

On a Terminal Server, which is member of a Windows Domain, you have to check the following Group policy:

Disable Always prompt client for password upon connection under:

Computer Configuration –> Administrative Templates –> Windows Components –> Terminal Services –> Encryption and Security –> Policy “Always prompt client for password upon connection”

Now I had to configure Single Sign On to a Terminal Server where the Novell Client is installed. As soon as I pushed the user credentials to the Terminal Server, I noticed that the RDP session tries to logon as Workstation only. I found a nice thread on the Novell website to Enable TSClientAutoAdminLogon.

I added the following two registry keys to the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login 
Value Type=REG_SZ, Name=TSClientAutoAdminLogon, Data=1 
Value Type=REG_SZ, Name=DefaultLoginProfile, Data=Default 

I am able to logon to the Terminal Server using SSO after adding both registry keys to the registry. All registry entries under HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login are displayed in the picture below.

SSO_TS_novell_client

Juniper SA & GroupWise WebAcc SSO

While configuring a Juniper SA2500 in conjunction with Novell GroupWise WebAccess, the customers wanted single sign on (SSO) configured. The default Novell GroupWise WebAccess login page uses FBA (Forms Based Authentication). So it should be possible to push the correct POST parameters to enable SSO for GroupWise WebAccess.

I started with looking at the page source of the login page and found the POST configuration. You can find them by searching the string:

<form method=”post” action=”/gw/webacc” name=”loginForm” target=”_top”>

I configured a Web Resource Profile in the Juniper SA. This Resource Profile has a bookmark which displays the Novell GroupWise WebAccess page. Next I configured a Form POST Resource Policy. The picture below shows the configuration.

JuniperSA-gwwebacc-sso

The table displays the POST detail settings:

User label Name Value
error error login
User.displayDraftItems User.displayDraftItems 1
merge merge webacc
action action User.Login
Url.hasJavaScript Url.hasJavaScript 1
Low.bandwidth Low.bandwidth 0
User.interface User.interface css
User.Theme.index User.Theme.index 1
Username User.id <USER>
Password User.password <PASSWORD>
User.lang User.lang nl
User.settings.speed User.settings.speed high

The above configuration works in my situation. The user is automatically logged in to their corresponding Novell GroupWise WebAccess page.

Secure LDAP between Softerra and Novell NDS

Softerra LDAP Browser is a powerful tool for browsing servers, which support LDAP. Using Softerra LDAP Browser against a Novell NDS with secure LDAP is a different story. A secure LDAP connection is a connection which uses SSL certificates to encrypt the data stream.

I had to use my LDAP Browser to query a Novell NDS over a secure LDAP connection. After some searching, troubleshooting and cursing, I finally had a working situation. Here are the steps to perform this task:

  1. Download and install NetScape Communicator 4.8: I hear you think, but you have to install this specific version to retrieve the SSL certificate from the NDS server;
  2. Browse with NetScape to the NDS server: if the NDS server has the IP address 10.10.10.10 and secure LDAP is running on TCP port 636, you should browse to the following URL https://10.10.10.10:636 and accept the certificate;
  3. Retrieve the cert7.db and key3.db files from NetScape and copy to Softerra: after accepting the certificate, two new files are generated in the install directory from NetScape. These files are cert7.db and key3.db. The specific folder, in my situation, is: %install directory%\Users\default\. These files should be copied to the install directory from the Softerra LDAP Browser;
  4. Configure Softerra LDAP Browser: the last step is configuring Softerra LDAP Browser to connect to the NDS server over a secure LDAP connection. When using the correct parameters, the secure LDAP connection should be accessible and you are ready to browse;