Managing passwords with Novell's Single Sign-on v2.0

One of the biggest headaches for network administrators comes from passwords. It seems like every application has its own user ID and password combination. Ron Nutter shows how you can eliminate some password headaches using Single Sign-on 2.0.

How many different systems do your users access during the day? How many different passwords do they use on these various systems, and how many calls do you get when they forget their passwords? Wouldn’t it be nice not to have to manage or enter passwords over and over again? Fortunately, Novell created Single Sign-on to solve this problem. In this Daily Drill Down, I’ll introduce you to Novell’s Single Sign-on 2.0.

What’s Single Sign-on?
Novell recently released a new version of its Single Sign-on password-management product, another demonstration of how much can be built on NDS. This release adds the ability to handle the sign-on tasks required by some Web sites and browser-based products. Single Sign-on's strong point is that the stored passwords live in the directory rather than on a particular PC, so they follow users from workstation to workstation instead of tying each user to the machine where a Web site's credentials happen to be saved.

The installation of Single Sign-on involves installing the SecretStore service on either a NetWare 5 server or a Windows NT/2000 server running NDS eDirectory or NDS Corporate Edition. You then install both the client and the administrative components on the network administrator's workstation. Next, you install v-GO for Novell Single Sign-on, which you must purchase and license separately. v-GO provides Single Sign-on capability for most Web sites and Web-based applications. Depending on the terminal-emulation program you use to access host systems, such as AS/400 or 3270-based systems, you may be able to incorporate the sign-on processes for those applications as well. Once you have verified that everything is working, you can start installing the Single Sign-on software on the Windows-based client workstations. For the purposes of this Daily Drill Down, we will be installing Single Sign-on on a NetWare 5.1 server with Service Pack v1a.

Before starting to install Single Sign-on, you should copy the documentation file kept in \DOCS\<LANGUAGE>\NSSO.PDF to the local drive of the workstation where you’ll be setting up and administering SSO. When you browse the Single Sign-On CD, you’ll see various language directories. Change directories to the one for your native language and you’ll see the correct file for your installation. If you have the time and a laser printer, consider printing out the documentation. You’ll be referring to this document quite a bit.

Installing the SecretStore service
Insert the Single Sign-on CD into the server’s CD-ROM drive. At the server’s console prompt, type CD-ROM and press [Enter]. This loads CD-ROM support onto your server. You will see a message about the media being detected in the drive and then a mounting message.

Next, at the console prompt, type volumes and press [Enter]. Write down the volume name for the Single Sign-on CD. It will probably be NSSO_201. You will need this later to start the installation process.

Type load NWCONFIG.NLM at the console prompt and press [Enter] to load the NetWare configuration utility. Highlight the Product Options menu option and press [Enter]. Next, highlight the Install A Product Not Listed menu option and press [Enter]. If the next screen that appears is one titled Previously Specified Paths, press [Esc] to proceed past that screen. The next screen to appear should allow you to press [F3] to specify a different installation path. Press [F3] and enter the following path: NSSO_201:SERVER\NICI_1.5\NWSERVER.

After a moment or two, you will see a licensing screen. Review the license agreement and press [Esc]. On the Do You Accept The License Agreement screen, highlight the Accept License Agreement option and press [Enter].

The next screen will ask whether you want to review the README file. Unless you have previously installed this version of Single Sign-on, take a few minutes to read it. Under Prerequisites, you'll notice a reference to NetWare 5. That means NetWare 5.0 specifically, the minimum release, rather than the NetWare 5 product family in general; the installation described in this Daily Drill Down is on NetWare 5.1.

When you’ve finished reviewing the README file, press [Esc]. At the Proceed With Installation prompt, highlight Yes and press [Enter]. You will then see several screens appear and disappear. Don’t panic. This occurs as one or more NLMs load and unload during the installation of NICI 1.5.4. Once this particular part of the installation process has completed, you’ll need to shut down and then restart the server.

When the server restarts, you'll install the Novell SecretStore software. As you did when installing NICI 1.5.4, load CD-ROM.NLM (if it isn't already loaded) and make sure that the Single Sign-on CD shows as a mounted NetWare volume. Then go back into NWCONFIG.NLM. Highlight the Product Options menu item. Choose Install A Product Not Listed and press [Enter]. If the next screen that appears is one titled Previously Specified Paths, press [Esc] to proceed past that screen. The next screen to appear should allow you to press [F3] to specify a different installation path. Press [F3] and enter the following path: NSSO_201:SERVER\NETWARE. Note that this contradicts the manual on the NSSO CD, which says to enter only SERVER\NETWARE. The manual is wrong here; the path must include the volume name.

A screen will then appear that lists the groups to be installed. The only thing that should show in the box is Novell SecretStore v2.0. Press [F10] to start the installation of the SecretStore software. When the Single Sign-on software license screen appears, review the information and press [Esc] to continue. On the Do You Accept The License Agreement screen, highlight the Accept License Agreement option and press [Enter].

The next screen asks if you want to review the README file. You might be tempted to skip this step, but don’t do it. This is a different README file than the one you read before. Once you’ve finished reviewing the file, press [Esc] to continue.

At the Proceed With Installation prompt, highlight Yes and press [Enter]. The SecretStore installation process will now begin.

On the SecretStore Install screen, press [Enter]. You will need to enter the fully qualified NDS login name of an account that has sufficient rights to extend the NDS schema (in practice, Supervisor object rights to [Root]). By default, the Admin account is already filled in for you. Unless you need to use a different account, enter the password for the Admin account and press [Enter].

The schema may not need to be extended, depending on other programs you have already installed on this server. Another screen may appear indicating that the schema extensions and NICI setup operations are complete. Press [Enter] to continue. Once the remaining files are copied, you will be instructed to restart the server. When the server restarts, you’ll proceed with the client portion of the admin setup.

Installing the workstation components of Single Sign-on
You can install the Single Sign-on workstation components on workstations running Windows 95, Windows 98, Windows NT Workstation, or Windows 2000 Professional. If you'll be installing the SSO components on either a Windows NT or Windows 2000 Professional workstation, you'll need to be logged in as Administrator or as a login ID with similar rights so that NICI (Novell International Cryptographic Infrastructure, the encryption software you installed on the server earlier) will be installed correctly.

Take the Single Sign-on CD from the server’s CD-ROM drive and put it into the CD-ROM drive of the workstation that you plan to use to administer Single Sign-on. Unless you’ve disabled Autoplay at the workstation, you will see a splash screen that mentions the Single Sign-on workstation install and then the Choose Setup Language window. Unless you intend to install a language other than English, click OK. You’ll see the Novell Single Sign-on Administrator Install screen shown in Figure A.

Figure A
Begin installing the Novell Single Sign-on Administrator.


Verify that the version of the Novell client software meets the minimum shown in the Client System Requirements box on the SSO Administrator install screen, and make sure you have the latest client version installed. Our workstation has NICI 1.5.3 installed; past experience with Novell security products has shown that you need the latest NICI version as well, even where the manual says an earlier one will work.

You should also make sure that the Novell SSO client and v-GO client software packages are selected. By default, neither of the ConsoleOne options is checked. Be sure to check these before you click Install. Once you’ve selected the appropriate options for the workstation you’re working with, click Install.

The next screen is the Novell License screen. After reviewing the license language, click Accept. A workstation install progress screen will appear.

Before Install starts copying files, you’ll see a Choose Destination Location dialog box. The default location will be C:\NOVELL\SSO. Unless your Novell client software resides on another drive or you’re running short of space on drive C:, accept the default directory and click Next.

A Select Components screen will list two components that can be installed. Make sure that you select the SecretStore Manager option. The NDS Screen Saver option locks a user's workstation automatically after a defined period of inactivity and lets only the user who logged in to that workstation unlock it. That matters more once Single Sign-on is installed, because an unattended, unlocked session can now reach every Web site the client has learned for that user. Unless you've decided that you don't want the NDS Screen Saver, leave the option checked and click Next.

After the client portions of the software have been installed, you’ll move on to the ConsoleOne install portions for Single Sign-on. The first prompt will be for the language version to install. Accept the default of English and click OK. When the ConsoleOne Setup screen appears, click Next.

The License agreement for the JREPORT runtime software will be displayed. After reviewing the license agreement, click Yes. You’ll then have yet another License Agreement to agree to—this time for ConsoleOne itself. Click Yes to continue.

When the ConsoleOne Setup screen appears, it will default to a path of C:\NOVELL\CONSOLEONE\1.2. If you’ve previously installed ConsoleOne, you will be asked if you want to overwrite the currently installed version of ConsoleOne. Click Yes.

Another screen will ask if you want to create a desktop shortcut. Click Yes if you want to or No if you don’t. Assuming that you clicked Yes, the next screen will ask you to select the default Program Folder where you want ConsoleOne to appear. Accept the defaults of ConsoleOne for the Program Folder name and click Next.

Finally, a summary screen will display the settings that will be used for this part of the SSO installation process. After verifying that everything is correct, click Next to continue. A gas gauge will show the progress of the files being copied to the workstation.

After ConsoleOne installs, you’ll go through another series of screens to install the Single Sign-on components for ConsoleOne. You’ll see Language Selection and Destination Folder screens similar to those for the installation of ConsoleOne. After you make the same choices as for the ConsoleOne portion of the install, the SSO snap-ins will be installed.

Configuring the nssoSingleSignon object
Before you can start using the Single Sign-on service, you need to create the nssoSingleSignon NDS object. You can place the nssoSingleSignon object anywhere in the tree except for the [Root] object. If you have an Organization object and Organizational Unit objects below that, you can place the nssoSingleSignon object in the Organization object.

The first step in creating the nssoSingleSignon object is to get into ConsoleOne. Right-click the container where you want to create the SingleSignon NDS object, and choose New | Object. When the New Object screen appears, as shown in Figure B, scroll down the list of objects and look for one named nssoSingleSignon.

Figure B
You can create the nssoSingleSignon object using ConsoleOne.


Before selecting the NDS object, verify that the icon to the left of the nssoSingleSignon object contains the letters SSO. If instead you see a square box at an angle with a black question mark just to the right of it, then you have either a ConsoleOne problem or a ConsoleOne snap-in problem. You must resolve this problem before you can continue.

To do so, the first thing you should do is reinstall ConsoleOne and check for the correct icon for the SSO NDS object. If you still don’t see the correct one, reinstall the SSO ConsoleOne snap-ins. If you still don’t see the right icon for the SSO object and you’re running ConsoleOne from a network drive instead of using a local install, you may need to consider installing ConsoleOne on the local drive and following up with the installation of the SSO snap-ins.

If you do see the correct icon for the SSO object, highlight that object in the New Object window and click OK. You’ll then see the New nssoSingleSignon screen.

Enter a name for the Single Sign-on object, check the Define Additional Properties check box, and click OK. A Properties Of Single Signon screen should appear, as shown in Figure C.

Figure C
You should define additional properties for the nssoSingleSignon object when you create it.


The first thing you need to do is define which servers in the network will hold the SecretStore repository. Click Add, browse the NDS tree on the next screen, and double-click each server you want to hold the SecretStore database. As you double-click a server's name, it appears in the Selected Objects window. Choose these servers deliberately: the database holds your users' stored credentials for every site Single Sign-on has learned, so these machines deserve at least the physical and administrative protection you give your NDS replica servers.

When you’ve finished selecting servers, click OK. Select the v-GO tab and check the check box in the License section to enable v-GO for all users in the container where you’re creating the nssoSingleSignon object. Click OK to continue. At this point, you’ve configured the basic SSO object. The next step will be to configure the workstation to use the Single Sign-on service.

Configuring the workstation to use Single Sign-on
You’ll need to install several software components on the workstation to be able to use the Single Sign-on service. The steps are the same as for setting up the Single Sign-on service on the workstation for administering Single Sign-on, except that you won’t need to install any of the ConsoleOne components. Instead, you’ll need to install the Client NICI, Novell Single Sign-on, and the v-GO software.

Once you’ve completed the software-installation process and rebooted the workstation, you should see a SSO Setup Wizard screen. Click Next to start the client configuration process. You’ll see the Setup Wizard - Settings screen shown in Figure D.

Figure D
You’ll use the SSO Setup Wizard to configure your workstation to use Single Sign-on.


The selections on this screen are the default settings. Unless you want to restrict what the users are able to do, leave these settings checked and click Next. The following screen has no settings to change, so click Finish to complete the Single Sign-on setup process. Shortly after the Single Sign-on Setup Wizard process finishes, an SSO icon should appear on the system tray.

Using SSO
Your first indication that everything is working correctly will be when you go to a Web site that requires a login. When you do, you’ll see the Single Sign-on screen shown in Figure E. Click Yes to start the process of setting up the Web site with Single Sign-on.

Figure E
The first time you log on to a Web site, Single Sign-on asks if you want to support it.


A v-GO graphic screen will appear briefly while the background process starts to “learn” the Web site you’re trying to access. When the Logon Wizard screen appears, enter the name of the Web site in the Name input field and any description you want to associate with it. Click Next.

The next screen will ask you to enter the URL of the Web site for which you want Single Sign-on to handle the passwords. Don’t include the http:// portion of the URL. Click Next.

You will need to enter the Login ID to be used with this Web site. Click Next, enter the password for this site, and confirm it.

If this screen won't accept the password you enter, you can click Reveal to see exactly what you're typing; since that shows the password in clear text, do it only where nobody else can read your screen. Then click Next to continue. The last screen will indicate that Single Sign-on has learned the login process. Click Finish.

That’s all there is to setting up access to a password-restricted Web site. Depending on what steps the Web site goes through for authentication, you may get a General Failure message the first time you go through the auto-login process. This happened to me on one site, and the next time I went in, it was fine. I simply needed to select an additional field from a drop-down box on the login screen. Single Sign-on seemed to learn this particular Web site feature, and I haven’t had to make that selection again.

When you’re comfortable with how things are working, you can take a look at the v-GO client on your workstation. Double-click the SSO icon on the system tray. You’ll see the Single Sign-on 2.0 screen with three choices: My Logons, Settings, and Help.

If you choose the My Logons option, you’ll see a screen that shows all of the logons that the Single Sign-on client has learned since you installed the software. If you double-click one of the logon entries, you’ll get a properties screen similar to the one shown in Figure F.

Figure F
You can view the settings for a sign-on by double-clicking its entry.
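The following is an added example, not code from the article or from Novell's SecretStore or v-GO products, whose data formats and site-matching rules the article does not describe. It models the behaviour this section walks through: a per-user store of learned logons (name, description, site without the http:// portion, login ID, password), a lookup that matches a visited URL to the stored site, an auto-fill that fails cleanly when the form needs a field the logon never learned (the "General Failure" case described above, cured by learning the extra drop-down), and the generate-a-password-the-user-never-sees policy mentioned in the conclusion. All names (Logon, SecretStore, normalize_site, autofill, the username/password field names, the password alphabet) and the sample host and account are assumptions.

```python
"""Minimal model of a per-user secret store with learned Web logons.

Added example: this is not Novell's SecretStore or v-GO code, and the
article does not describe their data formats or site-matching rules.
Every name below (Logon, SecretStore, normalize_site, autofill, the
'username'/'password' field names, the generated-password alphabet) is
an assumption chosen to illustrate the behaviour the article describes.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import secrets
import string


class LoginFailure(Exception):
    """The learned logon cannot fill every field the form presents."""


@dataclass
class Logon:
    name: str              # label shown under "My Logons"
    description: str
    site: str              # host as entered in the Logon Wizard, without http://
    login_id: str
    password: str          # kept in the store; only "Reveal" shows it to the user
    extra_fields: dict = field(default_factory=dict)  # e.g. a drop-down the form needs


def normalize_site(url_or_host):
    """Reduce a URL or bare host to the lower-case host used for matching.

    The wizard wants the site without 'http://'; accept either form and
    ignore scheme, port, path and query, so 'https://WWW.Example.com/login?x=1'
    and 'www.example.com' name the same logon.
    """
    text = url_or_host.strip()
    if "://" not in text:
        text = "//" + text   # urlsplit only finds a host after '//'
    return (urlsplit(text).hostname or "").lower()


def generate_password(length=16):
    """A site password the user never sees, as the conclusion describes.

    Alphabet and length are assumptions; match them to the site's rules.
    """
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class SecretStore:
    """One user's store. It lives with the directory, not on a workstation,
    which is what lets logons follow the user from machine to machine."""
    owner: str
    logons: list = field(default_factory=list)

    def learn(self, name, description, site, login_id, password=None, **extra):
        """Record what the Logon Wizard collects; password=None means generate one."""
        host = normalize_site(site)
        if self.lookup(host) is not None:
            raise ValueError("a logon for %s is already stored" % host)
        logon = Logon(name, description, host, login_id,
                      generate_password() if password is None else password,
                      dict(extra))
        self.logons.append(logon)
        return logon

    def lookup(self, url):
        """The logon for the host in url, or None if the site is unknown."""
        host = normalize_site(url)
        return next((l for l in self.logons if l.site == host), None)


def autofill(store, url, form_fields):
    """Fill a login form from the stored logon for url.

    form_fields lists the inputs the page presents, e.g.
    ['username', 'password', 'domain']. A field the logon has not learned
    is the situation the article reports as a 'General Failure': raise,
    so the client can learn the missing value and retry, instead of
    submitting half a form.
    """
    logon = store.lookup(url)
    if logon is None:
        return {}          # unknown site: the wizard should ask the user
    known = {"username": logon.login_id, "password": logon.password}
    known.update(logon.extra_fields)
    missing = [f for f in form_fields if f not in known]
    if missing:
        raise LoginFailure("%s: form needs %s, not learned yet" % (logon.name, missing))
    return {f: known[f] for f in form_fields}


if __name__ == "__main__":
    # Constructed sample data; the host and account are invented.
    store = SecretStore("jdoe")
    store.learn("Intranet portal", "HR self-service",
                "http://WWW.Example.com/login", "jdoe", "s3cret")
    print(autofill(store, "https://www.example.com/login?next=/home",
                   ["username", "password"]))
```

The model deliberately leaves out what the real product adds around this: the store is only released to a client that has authenticated to NDS, and its contents are encrypted with NICI on the SecretStore servers. The point of the example is the matching and failure behaviour a practitioner sees at the workstation, and why a generated password that never reaches the user is worth the setup effort.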


Conclusion
In this Daily Drill Down, I've shown you how Single Sign-on can help you avoid continually resetting your users' passwords. Depending on your password standards, you can even configure Single Sign-on to generate a site password automatically, one that users never see and have no control over, so it can't be reused elsewhere or written down. In the future, Novell will add support for more applications. If you're willing to put in the time, your efforts will be well rewarded by the solutions that Single Sign-on offers.

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.