Keeping track of multiple passwords for different systems is a pain. In fact, it ranks near the top of the list for most help-desk-related calls. Add to the mix myriad Web sites and applications requiring another set of credentials, and you're just compounding the misery. Novell has updated its Single Sign-on (NSSO) product and partnered with Passlogix to help ease the pain of application access for end users and administrators.
For users, NSSO eliminates the hassles of remembering multiple passwords and reduces the security risks associated with writing them down. For network administrators and help desk personnel, NSSO will reduce the number of calls from users who have forgotten their passwords.
NSSO sits on the client workstation watching for applications or specific Web sites requiring authentication. It then fills in the required information by retrieving the correct password from the user's Novell Directory Services (NDS) account. This version does a much better job of handling the whole password modification process than previous versions and provides additional controls for the administrator to govern how and when to make the appropriate changes. It also provides access to your password information even when you're not connected to the central server.
NSSO Version 2.0 ships with a product called v-GO from Passlogix, which provides all the necessary features for managing Web and application passwords. NSSO Version 1.0 had a limited number of applications that it supported natively, including Lotus Notes, Entrust security applications and PeopleSoft applications. Support for any other application required additional user programming. The basic version of v-GO adds support for up to five Web logons and an unlimited number of Windows applications.
A new NDS-aware screen saver eliminates one more user name/password pair for the end user to remember and will make many security managers happy. While Windows NT server and workstation employ a user's logon credentials for the screen saver utility, Windows 95 and 98 use a separate pair. NSSO modifies the display properties dialog box for screen saver password configuration to reflect this change.
Installation and configuration
For this review we ranked installation and configuration at a higher level than normal because these processes are key to the overall operation of the product. Installing NSSO requires that you load software on the server and the client. The server installation process installs the password SecretStore repository for keeping track of all user passwords and makes a required extension to the NDS schema. Both the server and client rely on Novell International Cryptographic Infrastructure (NICI) components for passing secrets between the server and client. Be aware that you will have to shut down and restart the server twice to complete the installation process. The server components also work on an NT or Windows 2000 server running Novell's NDS eDirectory for Windows.
The client software comprises NICI, the NSSO client and v-GO for NSSO. A full version of v-GO is available for an additional cost, adding unlimited sign-on to most Web sites and Web-based applications, unlimited Windows applications, full terminal emulator support, disconnected access to stored logon data, and additional administrative functions. Licensing the full v-GO version consists of adding an object to the NDS tree using ConsoleOne and modifying the properties to enable full v-GO support.
When testing the installation process we found one hitch that you'll want to be aware of. If your network includes older workstations that do not have true Pentium processors, the NICI components may not function properly. We tested the software on an older system with an IBM/Cyrix 6X86 processor, and the NICI VxD driver crashed. Other workstations based on Intel Pentium chips or newer AMD processors worked fine with NSSO.
For sites with ZENWorks for desktops, Novell includes a sample ZENWorks .AOT file for distributed installation of the client software. Otherwise you'll have to do the installation manually or use some other software distribution tool. Overall the process was relatively painless with the exception of troubleshooting the failure on the older workstation.
NSSO has several features for the administrator to implement specific password policies. If you want to use most of the advanced administration features, such as establishing password policies, allowing disconnected logons and enabling terminal emulator support, you'll have to license the full version of v-GO. All administration takes place using Novell's ConsoleOne utility. ConsoleOne can be installed on a single workstation or to the server for easy access. An NSSO snap-in for ConsoleOne provides the added functionality needed to manage the different settings.
In order to define a new application you must be able to run v-GO for NSSO and the application you want to define from the administrative workstation. The process for defining a new application consists of running that application and then adding the information to the master application list.
Novell provides an .ADM file for implementing specific policies related to the screen saver. The .ADM file is compatible with ZENWorks extensible policies or Microsoft's policy management. Configurable parameters let you enable/disable whether users can select a screen saver, access the screen saver's Settings and Preview buttons, and set or modify the screen saver's Wait timeout value.
Other administrative features include the ability to enable or disable v-GO for all users in a container, force the removal of local logon data at system shutdown and control the basic appearance of the different v-GO dialog screens. All these administrative features worked as advertised.
Ease of use
From the end user's perspective, NSSO is exceptionally easy to use. Accessing a new application or Web site requiring logon for the first time forces v-GO to remember those credentials and store them in the SecretStore. The next time the user goes back to the same Web site or application, v-GO takes care of the logon. The software even keeps track when a password change is requested, changes the password in the SecretStore and responds to the change dialog from the application. One note of interest: v-GO requires either Internet Explorer Version 4.X or 5.1. It does not work with Internet Explorer 5.0.
V-GO uses a cache on the local workstation to store an encrypted version of the SecretStore information. This lets v-GO work in a disconnected scenario for mobile users with laptops not directly connected to the network. Synchronization takes place when the machine is started while connected to the NDS network, when logon data is updated in the local store and when v-GO is shut down. Local access is granted when the user logs on to Windows.
For the administrator, the ConsoleOne program provides a clean interface for changing the various settings and performing common tasks such as defining new applications to be automatically recognized by NSSO. While the standard v-GO interface will detect and add a new application on the fly, an administrator-defined process will streamline the experience requiring that only the user name and password be entered.
Novell's Single Sign-on product answers the cry for a user password management utility. While you're not required to have a Novell NetWare server, the software relies on NDS and the client software to log on to an NDS tree. For non-Novell shops it might be tough to justify the time and expense of adding an NDS server just for the Single Sign-on benefits. Novell customers should see a definite improvement for their users and a reduction in the number of password-related help desk calls.
This story, "Novell upgrades Single Sign-on" was originally published by Network World.