Smart Card Interface; Novell Client Single Sign-On; Novell Client Passive Mode Login - Novell ENHANCED SMART CARD METHOD 3.0.1 - INSTALLATION 17-07-2007 Installation Manual

3.4 Smart Card Interface

The method can communicate with the smart card using PC/SC interfaces or PKCS#11 interfaces.
When using PC/SC interfaces, the smart card middleware vendor provides an MS CAPI provider.
The method can automatically detect and use the proper MS CAPI provider. PC/SC mode is the
recommended setting and should work with most smart card middleware on Windows.
If PC/SC communication is failing, you might want to try PKCS#11. When using PKCS#11, you
must specify the correct vendor PKCS#11 DLL. The library must be in the system path so it can be
loaded by the method. You might need to contact the middleware vendor for the specific PKCS#11
library name. Below is a table of common PKCS#11 libraries.
Table 3-1 Common Vendors and PKCS#11 Libraries

Vendor          PKCS#11 Library Name
Active Card     acpkcs211.dll
Netsign         core32.dll
GemPlus         gclib.dll
eToken          eTpkcs11.dll
CryptoVision    cvP11.dll
Rainbow iKey    ckdk201.dll (Only PKCS#11 mode is functional for iKey devices)

3.5 Novell Client Single Sign-On

When using the smart card method, users enter the card's PIN for eDirectory login and are then
prompted to enter a password for the workstation login. Novell Client's Single Sign-On feature can
be used to automatically log in to the workstation after the eDirectory login. This is accomplished by
securely storing the workstation credentials in eDirectory and using them for future logins.
When using Single Sign-On, Novell Client prompts for the workstation password the first time and
stores it in eDirectory. On subsequent logins, the user is not prompted for the workstation password.
This improves the user's login experience and is recommended for all advanced eDirectory
authentication methods.

3.6 Novell Client Passive Mode Login

Passive Mode Login is new functionality added to Novell Client 4.91 SP3. In passive mode, Novell
Client defers to the default MS GINA for the initial Windows login. After authentication to the
workstation, Novell Client attempts to authenticate to the Novell environment. The functionality
was added to Novell Client to allow environments that use Windows AD smart card authentication
to function correctly. It allows the smart card to be used to authenticate to AD and eDirectory.
In passive mode, the Windows user name used for workstation authentication is also used for
eDirectory authentication. In order to successfully authenticate, the user name must exist in
eDirectory, and the client's default location profile must be properly configured with the Tree and
Context information.
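
For the PKCS#11 mode described in section 3.4, the following added example (not part of the Novell manual or product) checks which of the vendor libraries listed on this page can be found in the directories on PATH, and reports extra copies that sit later in PATH, as can happen when more than one middleware version is installed. Assumptions: it inspects only the PATH directories (Windows also searches other locations such as the application and system directories), and the function names find_on_path and audit are made up for this example.

```python
import os

# Library names copied from the page's table of common PKCS#11 libraries.
PKCS11_LIBS = {
    "Active Card": "acpkcs211.dll",
    "Netsign": "core32.dll",
    "GemPlus": "gclib.dll",
    "eToken": "eTpkcs11.dll",
    "CryptoVision": "cvP11.dll",
    "Rainbow iKey": "ckdk201.dll",
}

def find_on_path(lib_name, path=None):
    """Return every copy of lib_name found in the PATH directories, in search order."""
    if path is None:
        path = os.environ.get("PATH", "")
    hits, seen = [], set()
    for entry in path.split(os.pathsep):
        entry = entry.strip('"')
        key = os.path.normcase(os.path.realpath(entry)) if entry else ""
        if not entry or key in seen or not os.path.isdir(entry):
            continue  # skip empty, repeated or missing PATH entries
        seen.add(key)
        try:
            names = sorted(os.listdir(entry))
        except OSError:
            continue  # unreadable directory
        for name in names:
            full = os.path.join(entry, name)
            # Windows file names are case-insensitive, so compare lowercased.
            if name.lower() == lib_name.lower() and os.path.isfile(full):
                hits.append(full)
    return hits

def audit(path=None):
    """Map each vendor to the copy that resolves first and any later copies."""
    report = {}
    for vendor, lib in PKCS11_LIBS.items():
        hits = find_on_path(lib, path)
        report[vendor] = {"library": lib,
                          "resolved": hits[0] if hits else None,
                          "shadowed": hits[1:]}
    return report

if __name__ == "__main__":
    for vendor, r in audit().items():
        print(f"{vendor:13} {r['library']:14} {r['resolved'] or 'NOT ON PATH'}")
        for extra in r["shadowed"]:
            print(f"{'':28} also present (later in PATH): {extra}")
```

A library reported as NOT ON PATH cannot be loaded from the system path as section 3.4 requires; when extra copies are listed, confirm that the first one belongs to the middleware version you intend to use.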
