Desktop Authentication known issues and recommendations


Problem:  What are the known issues with using the Desktop Authentication feature to automatically log users in to the portal?



Cause:  The Desktop Authentication feature uses Windows Integrated Authentication (NTLMv1).  Most browsers do not support auto-login by default, and this functionality must be turned on.  Some devices also have difficulty connecting and using NTLM authentication.  It is recommended that you use standard authentication for client devices you do not control.


Known Issues:  
  1. It is highly recommended that you have one or more separate relays for external users. This setting is configured on a relay, and not all client devices will be compatible with the NTLM authentication method.  If the device is not compatible, the user may not be able to log in at all. See also #7 and #8.
  2. You may have problems with logins if the client device is not compatible with NTLMv1.  Desktop Authentication is based on NTLM authentication and is a feature of both Windows and IE, but it may need to be enabled through local policy and browser settings.  Typically Chrome will use IE settings.  There are ways to enable this feature in Firefox, but we cannot guarantee that this method will always work.
  3. Users whose machines cannot properly send the desktop authentication (NTLM) will be prompted with a small pop-up box and will have to type in their credentials.  This box is not as friendly as the standard login page, so users might be confused if they are not educated on how to log in.
  4. You will want to make sure workstation security is as high as possible, because users will now be automatically authenticated into webNetwork just by bringing up the portal URL.
  5. The logout button will automatically log users back in if you are using Desktop Authentication.  This may confuse users if they are not educated.
  6. Initial login will add an extra step of asking for the password to be stored in the @@password@@ variable, which will then be usable in other features, like file nodes, RDS apps, or webapps.  Users will be prompted every time their password changes in AD.
  7. The Active Directory setting "User must change password on next login" does not function, and the user will not be able to log in when communicating with a relay that has only desktop authentication enabled (should only affect users on non-domain devices).
  8. Active Directory password expiration does not function, and the user will not be able to log in when communicating with a relay that has only desktop authentication enabled (should only affect users on non-domain devices).
  9. Live Edit feature will not work if you enable desktop authentication.
  10. wnSSOclient will not work if you enable desktop authentication.
  11. Cloud Agent / webAgent will not work if you enable desktop authentication.
  12. WebMenus (legacy feature) will not work if you enable desktop authentication.
  13. Desktop authentication will not work if any 2-factor authentication is enabled, such as Image Challenge.


Known Configuration Requirements:
  • You will need to create a second webNetwork login policy for external relays so users can log in to the normal webpage.
  • Windows devices will need to be configured to "Send LM & NTLM - use NTLMv2 session security if negotiated", or have the LmCompatibilityLevel registry entry set.
  • On the Stoneware server, edit stoneware\webnetwork.lax and add -Djcifs.smb.lmCompatibility=0 -Djcifs.smb.client.useExtendedSecurity=false to the end of the line that starts with  lax.nl.java.option.additional=
  • You may also need to use a pre-auth configuration line: -Djcifs.smb.client.username=username -Djcifs.smb.client.password=xxxxxxx -Djcifs.smb.client.domain=customerADdomain
  • Internet Explorer will need auto-login enabled through Internet Options -> Security -> Local Intranet/Internet zones -> Custom Level... -> User Login -> Login -> Automatic logon with current user name and password
  • You will want to add the login script below to detect desktop authentication and whether the password needs to be changed.
    IF desktopAuthEnabled AND desktopAuthPasswordExpired THEN
        executeURL( "/apps/selfService/updateDesktopAuthPassword.jsp", newWindow,title="Desktop Authentication" )
    END
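
A check for the two webnetwork.lax bullets above, as an added example that is not part of the original article or the product: it parses the `lax.nl.java.option.additional=` line, confirms the documented JCIFS options are present, and flags the LM/NTLMv1 setting and the clear-text pre-auth password for review. The sample line, account name, password and domain are constructed placeholders, and the function names are hypothetical.

```python
# Added example: audit the JCIFS options on the webnetwork.lax line named above.
PREFIX = "lax.nl.java.option.additional="

# Constructed sample line; account, password and domain are placeholders.
SAMPLE_LAX = (
    "# constructed sample, not from a real server\n"
    "lax.nl.java.option.additional=-Xmx1024m"
    " -Djcifs.smb.lmCompatibility=0"
    " -Djcifs.smb.client.useExtendedSecurity=false"
    " -Djcifs.smb.client.username=svc_example"
    " -Djcifs.smb.client.password=EXAMPLE-ONLY"
    " -Djcifs.smb.client.domain=EXAMPLEDOMAIN\n"
)


def jcifs_options(lax_text):
    """Collect -Djcifs.* properties from the additional-options line."""
    props = {}
    for line in lax_text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        # Assumes options are space-separated and values contain no spaces.
        for token in line[len(PREFIX):].split():
            if token.startswith("-Djcifs.") and "=" in token:
                key, value = token[2:].split("=", 1)
                props[key] = value
    return props


def audit(lax_text):
    """Return {finding_id: message}; secret values are never echoed."""
    props = jcifs_options(lax_text)
    findings = {}
    level = props.get("jcifs.smb.lmCompatibility")
    extended = props.get("jcifs.smb.client.useExtendedSecurity")
    if level != "0" or extended != "false":
        findings["not-as-documented"] = (
            "lmCompatibility=%s, useExtendedSecurity=%s; the article requires 0 and false"
            % (level, extended))
    if level in ("0", "1"):
        # JCIFS documents levels 0 and 1 as sending LM and NTLM (v1) responses.
        findings["lm-ntlmv1"] = "JCIFS uses LM/NTLMv1 responses (lmCompatibility=%s)" % level
    if "jcifs.smb.client.password" in props:
        findings["plaintext-credential"] = (
            "pre-auth password for %r is stored in clear text; restrict file ACLs"
            % props.get("jcifs.smb.client.username"))
    return findings
```

Pass the text of stoneware\webnetwork.lax to `audit()` after each edit; an empty result for a server that uses Desktop Authentication is not expected, because the documented settings themselves produce the `lm-ntlmv1` finding.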





keywords: desktop, desktop auth, windows auth, windows integrated auth, windows authentication, win auth
