Understanding the GroupWise Login Process

Understanding the login process is helpful when you're configuring your GroupWise system to support the GroupWise client login process. It's also helpful to understand the login process when you're troubleshooting login difficulties.

When you double-click the GroupWise application, the client must successfully connect you to your mailbox. To do this, it consults several sources of information for "clues" to connecting:

• Is GroupWise code in memory?

• Command-line options on the shortcut

• The registered network provider

• Novell eDirectory

• The Windows Registry

• Domain name service

• User data entered in a login dialog box

The preceding list includes the order in which the client consults them. The following section walks through the login process.

Is GroupWise Code in Memory?

If a GroupWise component, such as Notify or the address book, is currently running, that component has already connected with your mailbox. The GroupWise client will use that same connection. Sometimes you might quit GroupWise and then try specifying a command-line option, only to get connected the same way you connected last time. This occurs because GroupWise was still unloading when you launched it again. Some code portions were still in memory, so it used the old connection.

Command-Line Options on The Shortcut

There are several command-line options you can enter on the GroupWise shortcut. These should be used as troubleshooting tools rather than administrative purposes, because they are not easy to globally administer. Figure 12.16 shows a command-line parameter that will force the GroupWise client to bring up the Login dialog box.

Here are the other command-line switches that concern logging into GroupWise:

• /@U-GroupWise user ID

• /IPA-IP address for GroupWise POA

• /IPP-IP port for GroupWise POA

• /PR-Path to GroupWise remote data on local drive

• /PC-Path to GroupWise cache data on local drive

• /PH-Drive letter path to post office (this switch works only if the post office supports Direct mode; most do not)

During the GroupWise login process, two critical pieces of information are required. The GroupWise client needs answers to the following two questions:

• Whose mailbox do I connect to?

• How do I get to it?

This information can be provided via command-line options. Consider the following string:

C:\NOVELL\GroupWise\Grpwise.exe /@u-tkratzer /ipa-10.0.0.1 /ipp-1677

This string tells the GroupWise client to log in as user tkratzer, and indicates that the POA can be found on port 1677, at address 10.0.0.1.

If the /@U- switch has been set to a question mark, the client will prompt the user with the Login dialog box. This can be a useful tool for an administrator who routinely checks multiple mailboxes and wants to be prompted each time. The command-line switch to use this option is /@U-?.

The Registered Network Provider

The GroupWise client is going to make a call to the network provider. This call will return the login name that this individual used to gain access to the network.

When the GroupWise client finally connects to the POA, it will check the security level of the post office. If the PO is set to high security, the client will compare the network ID obtained with the network ID associated with the GroupWise mailbox (usually the eDirectory user ID). If these values do not match, the user will be prompted for a password.

If the security is set to high-eDirectory authentication or high-LDAP authentication, the client will allow matches only with values it knows it obtained through Novell eDirectory or LDAP. This prevents users from setting up a private network to spoof the security and hack into a GroupWise mailbox.

Novell eDirectory

The GroupWise client already consulted with Windows to see who the user was logged in as. With the login information in hand, the GroupWise client knows what kind of a network the user logged in to. If it detects eDirectory, the GroupWise client will attempt to discover GroupWise post office information from the eDirectory user object for this user.

This is the power of eDirectory at work. The eDirectory user object is associated with a post office object (from the GroupWise Account property page of the user object). That post office object has two attributes for the GroupWise client to check:

• Access mode

• Location

If the access mode is set to direct access, the client will connect directly to the location (UNC path) specified.

If the access mode is set to client/server only or client/server and direct, the GroupWise client will browse to the POA object, which is a child object of the PO object. That object will have one attribute for the GroupWise client to check, the network address, which will provide the GroupWise client with the IP address and port of the POA so that a client/server connection can be established.

This might seem very involved, but it is extremely fast. The Novell client for the Windows 32-bit platforms will have already pulled down most of the required information regarding the user object. If the PO object exists in the same physical partition as the user, or if the partition it is in is on the same server the user authenticated to, the discovery will take place in a fraction of a second.

The Windows Registry

Suppose that nothing is on the command line, and the NetWare client either is not logged in or is not even installed on the Windows machine. The client will now check the Windows Registry at the following key:

[HKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters]

There are several possible parameters to be found under this key. If you were to export the entire key for a particular user, you would see something like the following:

[HKEY_CURRENT_USER\Software\Novell\GroupWise \Login Parameters\Account Name] @="tkratzer" [HKEY_CURRENT_USER\Software\Novell\GroupWise\Login Parameters\Mode] @="Master" [HKEY_CURRENT_USER\Software\Novell\GroupWise \Login Parameters\Path To Remote Database] @="c:\\gwremote" [HKEY_CURRENT_USER\Software\Novell\GroupWise \Login Parameters\PostOfficePath] @="" [HKEY_CURRENT_USER\Software\Novell\GroupWise \Login Parameters\TCP/IP Address] @="10.0.0.1" [HKEY_CURRENT_USER\Software\Novell\GroupWise \Login Parameters\TCP/IP Port] @="1677"

In each of these lines, the value in quotation marks after the @ sign is the parameter value. In the preceding example, user tkratzer will be connected to the POA at 10.0.0.1:1677. If this address and port are not accessible, the GroupWise client will look for an IP address and port defined at this location in the Windows Registry:

[HKEY_LOCAL_MACHINE\Software\Novell\GroupWise \Client\5.0\DefaultIPAddress] @=151.155.1.2 [HKEY_LOCAL_MACHINE\Software\Novell\GroupWise \Client\5.0\DefaultIPPort] @=1677

These two keys are created if the following has been defined in the SETUP.CFG file:

DefaultIPAddress=<x.x.x.x> DefaultIPPort=<xxxx>

So, using the previous example, if the GroupWise client is not able to connect to 10.0.0.1:1677, because the DefaultIPAddress and DefaultIPPort are defined in the Registry, the client will go to 151.155.1.1:1677 and try to connect. This allows you to specify where you would like the GroupWise client to go in order to connect. Also remember that the 151.155.1.2 class address does not necessarily have to be this user's particular POA. When a POA gets a login request for a user, if this user is not owned by the POA, it will redirect the client to the user's owning post office.

Tip

The DefaultIPAddress can be a DNS entry as well; the client will read either an IP address or a DNS entered here.

If neither of these network connections is available, tkratzer will be connected to his remote database at c:\gwremote. The PostOfficePath parameter is blank because tkratzer's post office allows only client/server connections. A UNC path or drive mapping here is impossible.

These Registry entries were written the last time the GroupWise client connected to a mailbox. The implication here should be obvious: If you can get the client to connect once, it will "remember" how it did it when the time comes to connect again.

As previously mentioned, you can use the SETUP.CFG file to define two IP addresses in the Windows Registry that the GroupWise client will also read. These keys are listed here:

IPAddress=<x.x.x.x> IPPort=<xxxx> DefaultIPAddress=<x.x.x.x> DefaultIPPort=<xxx>

Tip

If the Windows Registry already contains the IPAddress and IPPort values, the values in the SETUP.CFG file will not overwrite these settings.

Domain Name Service

Now suppose that there are no command-line switches, network information, or Windows Registry information for the GroupWise client to use. In this case, the client will still not have discovered which post office to connect to.

At this point, the client falls back on DNS. The GroupWise client will perform a DNS lookup for a server named NGWNAMESERVER first, and then if that fails, it looks for a server named NGWNAMESERVER2. If the administrator has assigned that DNS name to a valid GroupWise POA (any POA on the system), the GroupWise client will connect to that POA at the port 1677.

Tip

The POA that the DNS server points to as NGWNAMESERVER must be configured to listen at port 1677.

Note

The GroupWise client will not try to resolve NGWNAMESERVER if the DefaultIPAddress and DefaultIPPort Registry keys are present and contain an IP or DNS address and port. As stated, NGWNAMESERVER is queried only if there is no information in the Registry about where the client should go to connect.

NGWNAMESERVER Redirection

Now, suppose that this POA is not the right one for this user. On a large system, the odds are good that it will not be. In this case, the POA will ask the client who it is logging in as and then will look in the address book. The POA will then check the redirection table to find the IP address for the user's correct POA.

The user will be automatically redirected to the correct POA. Assuming reasonable network performance, this will happen in just a few seconds.

Tip

The same redirection concept is true for the DefaultIPAddress and DefaultIPPort values that you can specify in the Registry. In reality, the purpose of using the DefaultIPAddress and DefaultIPPort Registry settings is so that an administrator can tell the GroupWise client where to go to find one POA object in the GroupWise system. This, in essence, replaces the need for NGWNAMESERVER. This is why NGWNAMESERVER is not queried when the DefaultIPAddress and DefaultIPPort values are present.

Prompting the User

Suppose, though, that the administrator has been lax in his responsibilities. Not only are eDirectory and LDAP authentication not available, but the domain name service has not been configured either. The NGWNAMESERVER lookup will timeout (after a minute or so, which will be very long and painful for an impatient user), and then the user will see the screen shown in Figure 12.17.

This is a disaster. Take a look at the number of fields the lucky user gets to populate. Do you suppose this user will populate these correctly? Not likely. The user will pick up the phone and call you.

You can provide the user with this information automatically in at least four ways before it comes to this point, and this chapter covered each of those ways. The next section walks you through the process of covering all of your bases, ensuring that users with new machines or toasted Registries do not need to make that phone call.