When the CA AuthID (previously known as ArcotID) ActiveX client or ANC (Arcot Native Client) is installed as domain administrator and the Arcot user is registered, the administrator is able to authenticate with the ArcotID in Internet Explorer. When the logged-in user is then changed to a non-domain-administrator, that user is still able to authenticate using the ArcotID. However, when the user is added to the "Microsoft Roaming profile" in the domain definition, the user is no longer able to authenticate with the ArcotID. Authentication fails even though the ArcotID is still present and reachable by the user. The ArcotID is stored in the %PUBLIC% folder so that it is visible to all users accessing the workstation.
If the user is promoted to domain administrator, the ArcotID authentication is again successful.
The root cause of this issue is that the _popen("vol c:\") call does not return a valid handle when executed by Arcot Native Client (ANC) from the Windows login of a user for whom a Windows roaming profile is enabled. The call works fine from other logins (without a roaming profile enabled).
As a result of this discrepancy, the machineID generated from a user login with a roaming profile enabled differs from the one generated from other Windows logins, and this causes authentication to fail from a Windows login with a roaming profile enabled.
There is a parameter named "VSNFormat" in the WebClient.ini file. Its default value is '0'. If we set its value to '1', authentication will work fine for all users.
# VSNFormat controls how the ANC device locking logic uses the volume serial
# number for the purpose of deriving MachineID.
# VSNFormat=1 means VSN is being used as a DWORD. This value should be set to remain
# backward compatible with ArcotIDs that have been device locked using previous versions
# of ANC
# VSNFormat=0 means VSN is used as a hex-string. This format is compatible with Java Applet
# client's use of VSN for device locking.
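
The effect described above, as an added example that is not CA's code: it shows how the volume-serial input to device locking changes between the two VSNFormat encodings and disappears when the `vol` output cannot be read, so any machine ID derived from it changes too. The function names, the English `vol` output text and the exact byte layouts are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample of `vol c:` output on an English-language Windows. */
static const char SAMPLE_VOL[] =
    " Volume in drive C has no label.\n Volume Serial Number is 1A2B-3C4D\n";

/* Extract the serial from `vol` output. Returns 0 on success, -1 when the
 * text is missing or empty, as it is when _popen() gives no usable handle. */
int parse_vsn(const char *vol_output, uint32_t *vsn)
{
    static const char marker[] = "Serial Number is ";
    const char *p = vol_output ? strstr(vol_output, marker) : NULL;
    unsigned hi, lo;
    if (!p || sscanf(p + strlen(marker), "%4x-%4x", &hi, &lo) != 2)
        return -1;
    *vsn = ((uint32_t)hi << 16) | lo;
    return 0;
}

/* Assumed encodings: format 1 = four raw little-endian bytes of the DWORD,
 * format 0 = eight hex characters. Returns the byte count, 0 if no serial. */
size_t locking_input(const char *vol_output, int vsn_format, unsigned char out[9])
{
    uint32_t vsn;
    if (parse_vsn(vol_output, &vsn) != 0)
        return 0;
    if (vsn_format == 1) {
        for (int i = 0; i < 4; i++)
            out[i] = (unsigned char)(vsn >> (8 * i));
        return 4;
    }
    return (size_t)snprintf((char *)out, 9, "%08X", (unsigned)vsn);
}

int main(void)
{
    const char *inputs[] = { SAMPLE_VOL, SAMPLE_VOL, "" }; /* "" = failed read */
    const int formats[] = { 0, 1, 0 };
    unsigned char buf[9];
    for (int c = 0; c < 3; c++) {
        size_t n = locking_input(inputs[c], formats[c], buf);
        printf("VSNFormat=%d: %zu bytes", formats[c], n);
        for (size_t i = 0; i < n; i++) printf(" %02X", buf[i]);
        putchar('\n');
    }
    return 0;
}
```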