Novell's NDS Client - Citrix MetaFrame XP

Instead of using Microsoft's Client Services for NetWare, you can choose to use Novell's version of the NetWare client software.

Instead of using Microsoft's Client Services for NetWare, you can choose to use Novell's version of the NetWare client software. When you install Novell's NDS Client software, available as a free download from, the Microsoft GINA will be replaced with Novell's Client GINA.

In Windows, a "GINA" is the Graphical Identification and Authentication component. This is the part of the operating system responsible for logging users on. In Windows NT and Windows 2000, you use the GINA every day when you press CTRL+ALT+DEL and type in your username and password. With Novell's NDS Client installed, the Microsoft GINA is replaced by the Novell GINA, which is why the "Press CTRL+ALT+DEL" screen changes from the gray and blue Microsoft box to the red and white Novell box.

The fact that Novell's Client replaces the Microsoft GINA is really not that big of a deal. In fact, in environments where NetWare and NDS are heavily used, it is actually a good thing, because Novell's GINA is much more compatible with Novell's features then the Microsoft GINA. However, in order for the Novell GINA to work in a Terminal Server environment, it must know that multiple users will be simultaneously logged on to a server, each with his own credentials. Novell made their client software "Terminal Server aware" several years ago with Service Pack 2 for the Novell NDS Client version 4.6.

Even though the Novell NDS client software is smart enough to know how Terminal Server works, there is still a fundamental challenge in MetaFrame XP environments. In MetaFrame XP environments that use NDS, users need several parameters to log on, including their Windows username, password, and domain, as well as their NDS tree and context, and possibly a separate NDS username and password. However, the ICA client software only has the capability to pass three parameters on to the MetaFrame XP server: the username, password, and domain.

Because of this, the Novell NDS client must work with only these three parameters and make assumptions about the rest. A majority of your configuration planning for Novell's NDS client involves choosing which user logon parameters are statically assumed and which parameters are passed by the user.

Advantages of using Novell's NDS Client

  • Fast access to NetWare resources.
  • Many of the "advanced" Novell features can be supported, such as NDS printing, ZEN works, and Novell Application Launcher.

Disadvantages of Novell's NDS Client

  • Because the ICA software is not NDS-aware, you must make some trade-offs between user flexibility and NDS access.
  • In order for users to have unique desktop environments, they must have domain accounts and NDS accounts (unless ZENworks is used).
  • All Novell NDS Client configuration options apply globally for all users on a server.

Configuration of Novell's NDS Client

As was mentioned previously, to use Novell's NDS client with MetaFrame XP, you need to install a minimum version of Novell Client 4.6 with Service Pack 2. In the real world, version 4.8 or newer is recommended. Remember that these are the only versions of the Novell NDS Client that are Terminal Services-aware. With these versions, you can control how the Novell Client software deals with the limited logon parameters available via ICA and what assumptions are made. All of these parameters and features are enabled and configured via the registry. They mostly control the behavior of the logon components that the users see and the behind-the-scenes authentication behavior. All of the options that we will look at for Novell NDS Client apply globally to all users at the server.

In order for these options and configurations to work, you obviously need to have the Novell-branded client software installed. Also, it needs to be configured to use the NetWare GINA, not the Microsoft GINA. Let's take a look at each of these steps.

First, in a perfect world, you would install the Novell NDS Client software before you install MetaFrame XP. This has to do with our new friend GINA. When the Novell NDS Client software is installed, it replaces the Microsoft GINA with the Novell GINA. However, when MetaFrame XP is installed, it replaces the Microsoft GINA with a Citrix GINA. Ultimately, everything will work together-it's just that you need to make sure everything is configured in the proper order.

If you have a brand-new server, install the Novell NDS Client software before you install MetaFrame XP. If you already have MetaFrame XP installed you can still install the Novell Client-you just have to add steps to change some GINA settings in the registry. In order to install Novell's NDS Client after MetaFrame XP is installed, follow these steps:

1. Change the GINA from the Citrix GINA to the Microsoft GINA. You need to do this because the Novell NDS Client software will not install properly unless it finds the Microsoft GINA in the registry. This GINA change is done through the registry.

Key: HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon
Value: GinaDLL
Type: REG_SZ
Old Data you Should Change: Ctxgina.dll
New Data you Type over the Old Data: Msgina.dll

2. Do not reboot the server. Instead, install the Novell NDS Client software as normal.

3. After the Novell NDS Client software is installed, change the GinaDLL value outlined in Step 1 from Msgina.dll back to Ctxgina.dll.

4. Again under the same registry key, add a new REG_SZ value called ctxGinaDLL. Set its value to "nwgina.dll." This new value will be the GINA that is used by the user sessions connecting via MetaFrame XP. In this case, the nwgina.dll is Novell's GINA.

5. Reboot the MetaFrame XP server.

Once these steps are complete, you will have the Novell NDS Client software installed. At this point, there are four different ways that it can be used:

  • Use a generic "common" Windows login.
  • Use a generic "common" NetWare login.
  • Prompt the user for their NetWare credentials.
  • Logon to Windows only without logging into NetWare.

Before we look at the specifics of each of these methods of configuring the Novell NDS Client software, we should look at some basic concepts for what you will be configuring.

Since the ICA client can only pass Windows credentials to the server, you need to make the decision as to whether you would like to automatically log in all users with the same generic NDS credentials, or whether you want to present a Novell login box to the user and let them enter their own NDS credentials. However, before you make this decision, you should decide if your users are going to have unique Microsoft credentials, or if they will logon generically with common user credentials.

Option 1. Use Common Windows Credentials

There are many advantages and disadvantages to deciding to have your users all connect to the MetaFrame XP servers using a common Windows account. These details are discussed in Chapter 15. If you do decide to use this option, there are several different areas in which it can be configured, including the server registry, the ICA connection, the published application, or an ICA file. For the purposes of NetWare integration, configuring the common Windows credentials via the MetaFrame XP server's registry works the best. In this case, this is called "auto-logon," because the users will not be presented with a logon box since they are all connecting with the same user account.

You can enable the Windows auto-logon account with the following registry value:

Key: HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon
Value: AutoAdminLogon
Type: REG_SZ
Data: 1 = enable

Even though the registry value is called "AutoAdminLogon," it does apply to all users and all user sessions, not just to people who connect from the server console. Once you enable auto-logon, you need to specify the user, password, and domain that will be used for the auto-logon. All three of these values are found in the same registry location as the AutoAdminLogon value, and they all are type REG_SZ. The three registry values are as follows:

  • DefaultUserName
  • DefaultPassword
  • DefaultDomainName

Once these values are configured, any user that connects to the server will be automatically logged onto Windows as this user. Remember that these values affect the Microsoft Windows logon only (either workgroup or domain), and that they have nothing to do with NetWare logon that you will configure later.

Option 2. Use Common NetWare Credentials

Novell's NDS client also allows you to specify an "AutoAdminLogon" value to enable users to logon to the NetWare environment with automatic credentials in the registry. However, in the Terminal Server environment, that NetWare "AutoAdminLogon" value only affects users that logon to the server console. Users that connect from client ICA sessions are affected by a different registry value, as show below:

Key: HKLM\Software\Novell\Login
Value: TSClientAutoAdminLogon
Type: REG_SZ
Data: 1 = enable

Once you enable this value, you will need to tell the software what settings you want to use to log in. With the Novell Client software, these settings are called "Location Profiles." A location profile is similar to a user profile for Windows, except that a location profile only exists within the Novell Client software. Each location profile includes things like the username, context, and NDS tree. The most commonly used Location Profile is called "default." However, you can specify the name of any Location Profile to be used for the auto-login. If you are not sure of the names of your Location Profiles, you can view a list in the registry at HKLM\Software\Novell\Location Profiles\Services\{1E6CEEA1-FB73-11CF-BD76-00001B2 7DA23}.

Once you decide which Location Profile you want to use for auto-login, specify it in the following location:

Key: HKLM\Software\Novell\Login\
Value: DefaultLocationProfile
Type: REG_SZ
Data: The name of the Location Profile to use for the automatic login.

For security reasons, a user's password is not stored in the Location Profile. In order for auto-login to work, it must be specified separately in the following registry key:

Key: HKLM\Software\Novell\Login\DefaultPassword
Value: DefaultPassword
Type: REG_SZ
Data: Password for the autologin NDS user.

There are some situations in which you might want to provide users with the default auto-login settings for NDS while also giving them the option of overriding them and selecting their own credentials. If this is the case, you can set a registry value that enables the Novell Login box to appear. When this is used with the NDS auto-login settings, the Novell Client login box appears pre-populated with the auto-login parameters. Users can click "Login" to login with those credentials, or they can enter their own unique credentials. This is enabled with this registry key.

Key: HKLM\Software\Novell\Login\
Value: AutoAdminQueryNDS
Type: REG_DWORD (Be careful here. Some of the Novell documentation incorrectly states that this should be a REG_SZ value, instead of a REG_DWORD.)
Data: 1 = enabled 0 = disabled

Option 3. Prompt for NDS Credentials

As you saw in Option 2, when the TSClientAutoAdminLogon registry value is enabled (with a value or "1"), users connecting via remote sessions are automatically logged into the NDS tree. If you want to prompt users for their NDS credentials, then all you have to do is set that value to "0."

Previously, we also mentioned the AutoAdminQueryNDSvalue. In case you're wondering what the name "AutoAdminQueryNDS" stands for, it means when the Windows Auto Admin logon is used, Query the user for his NDS credentials. If you enable the AutoAdminQueryNDSvalue (by setting it to "1"), the NDS login box will appear for every user at logon time. Because you do not have any Location Profiles specified, no information will be pre-populated in the box, forcing users to type in their own credentials.

If you use this option in combination with the Windows AutoAdminLogon settings, then the Novell NDS Client login box will still appear, but the Windows logon settings will be grayed out, preventing users from changing them.

Option 4. Do Not Logon to NDS (Workstation Only)

If you have the Novell NDS Client 4.8 or newer installed and you decide that you do not want your users to log into the NDS tree when their session begins, you can configure the following registry value:

Key: HKLM\Software\Novell\Login
Value: Default WS Only
Data: "1" causes the "Workstation Only" checkbox to default to "On." "0" causes the "Workstation Only" checkbox to default to "Off."

If you choose this option, your users will be able to login to the NDS tree manually from within their user session. This method is used a lot when only some users need access to NDS resources and they only have access to the full Windows desktop instead of specific published applications.

Summary of Novell NDS Client Registry Keys and Values

Because multiple registry keys, values, and data were mentioned in this section of the chapter, it's worth listing them all together, along with their different uses.

The following settings apply only to the Novell NDS Client software. Each listed item is a value in the HKLM\Software\Novell\Login registry key. In order for these settings to be valid, the MetaFrame XP server must use the NetWare GINA:

  • AutoAdminLogon. Enabling this causes users to be automatically logged into the NDS tree when using the server console.
  • DefaultLocationProfile. Specifies the Location Profile to be used for auto-login.
  • DefaultPassword. Specifies the password to be used for auto-login.
  • TSClientAutoAdminLogon. Enabling this causes users to be automatically logged into the NDS tree when connecting via user sessions.
  • AutoAdminQueryNDS. Enabling this forces the Novell Login box to be displayed, even if Windows auto-logon or NDS auto-login is enabled.
  • Default WS Only. When enabled, the "Workstation Only" login option is selected by default.

The next group of registry settings apply only to the Windows logon. They are set in the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key. These settings are valid for MetaFrame XP servers using the NetWare, Microsoft, or Citrix GINA:

  • AutoAdminLogon. Enabling this causes users to be automatically logged onto the server, both from the console and from remote sessions.
  • DefaultUserName. Specifies the user name when auto-logon is used.
  • DefaultPassword. Specifies the password when auto-logon is used.
  • DefaultDomainName. Specifies the domain when auto-logon is used. If the MetaFrame XP server is not part of a domain environment, then this value should be set to the local server name.


Start the conversation

Send me notifications when other members comment.

Please create a username to comment.