Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

New MS-Logon v3 - No longer new!

Should you have problems with the MS logon plugin, here's the place to look for help or report issues
Post Reply
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

New MS-Logon v3 - No longer new!

Post by Marscha »

New MS-Logon for UltraVNC
Edit: This is no longer new. MS-Logon II is integrated in RC19.x.

Contents
This is version 3 of the new MS-Logon for UltraVNC.
It's part of TEST19_12 ([topic=1044]Announcement[/topic], Download).

Description
AuthSSP.dll does a new MS-Logon.
The main difference compared to the "old" ms-logon is the ability to
authenticate cross-domain, i.e. the user account can be in another domain
than the computer account.

Should work with Windows NT 4, Windows 2000, Windows XP and Windows 2003.
For W2K SP4 and W2K3 only as ultravnc service because of new restrictions
(SeImpersonatePrivilege, see Knowlegdebase article 821546).
Should recognize any nesting of groups.
Should support domain\user and user@domain.com (UPN) naming.

Requirements
For the SecurityEditor page on Windows NT 4, you need at least SP4 and the security configuration manager installed,
see http://www.microsoft.com/ntserver/nts/d ... allSP6.asp
and http://www.microsoft.com/NTServer/nts/d ... efault.asp

Configuration
In the AdminProperty page check "Require MS-Logon" and "New MS-Logon".
Then edit the MS Logon groups.
You can use the MSLogonACL tool to export the ACL from one machine and import it
to another.

To be tested
OS: WinNT, W2K, wXP, W2K3
Infrastructure: With/without Active Directory
Accounts: Local and/or domain users/groups
Naming styles: user, machine\user, domain\user, user@domain.com (UPN), group, domain\group
Domains: (implies trusts/AD) user and/or group in other domains than computer,
nested groups over multiple domains

Known bugs (not fixed yet)
* Certain passwords (e.g. Abc0DefG) lead to authentication failure (see [topic=803][/topic])
* No detection of SeImpersonatePrivilege yet. Authentication might fail when running winvnc in app mode.
* Error reporting / debugging to be improved

History
07. 10. 2004: Changed list of groups to a real ACL.
Changed UI to SecurityPage.
Added import/export tool for ACL.
20. 08. 2004: Fix: Change in platform detection to call security.dll instead of secur32.dll on NT 4.
04. 08. 2004: Authorization now uses AccessCheck with SecurityDescriptor and Access Token.
Only one Windows logon attempt is required to test authentication and authorization.
25. 06. 2004: First try.

Martin
Last edited by Marscha on 2005-01-31 12:59, edited 2 times in total.
mfo2
8
8
Posts: 20
Joined: 2004-09-02 14:48

Feedback on MSLOGON-3

Post by mfo2 »

Hi Marscha,

First of all I'd like to congratulate you for putting up this new authentication method for UltraVNC as it is overall more clean and faster than the old method.

So far I found one minor bug in the ACL importation procedure. I can export the ACL with the MSLogonACL.exe /e command and get a nice txt file like this :
deny 0x00000003 ..\Domain Admins
allow 0x00000003 BUILTIN\Administrators
allow 0x00000003 ..\VNCACCESS
allow 0x00000003 .\VNCACCESS

But when I try to import it back with the /i /o options, I'm getting an error on the Domain Admins line because there is a 'space' character in the group name:

C:\>MSLogonACL.exe /i /o uvncacl.txt
Detected domain = FRANCE
FRANCE\Domain: SID not valid.
domainaccount is BUILTIN\Administrators, mask is 3
Detected domain = FRANCE
domainaccount is FRANCE\VNCACCESS, mask is 3
Before GetComputerName
domainaccount is VORFRAPC3\VNCACCESS, mask is 3
RegSetValueEx passed
deleting ACE_DATA linked lists

I think it'll be very easy for you to fix this.

Thanks again for the nice work.

Marc
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Marc,

thanks for the feedback. You are right that the current implementation does not work with spaces in user or group names.
I'll fix that.

Martin
mfo2
8
8
Posts: 20
Joined: 2004-09-02 14:48

Feedback

Post by mfo2 »

Marscha,

Quickly some feedback on what I tested:
login with user@dom : ok
login with dom\user : ok
login with user in local workstation group : ok
login with user in domain group nested in a local workstation group ok
Didn't have a chance to test cross domain authentication but I'll do it.

Regards,

Marc
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Changed the input/output format: If username contains whitespace (blanks or tabs), then the name is quoted.
E. g. "Mydomain\Domain Admins".
Uploaded the change to the cvs, binary will be available in http://dl.ultravnc.net/TEST19_13/.
mfo2
8
8
Posts: 20
Joined: 2004-09-02 14:48

Post by mfo2 »

Thanks Marscha, it works now.

Best regards,

Marc
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Great :)
Could you please let me know if your cross-domain auth test succeeded.
Please also specify your OS version and if ActiveDirectory is used.
It's not easy to have multi-domain test environments in different flavors (NT, W2K, WXP, ...) :(

TIA
Martin
mfo2
8
8
Posts: 20
Joined: 2004-09-02 14:48

Post by mfo2 »

Just did the test, it works !

Connected to UltraVNC with a forest root domain account with the user@rootdom syntax. This user is in a global group in the root domain, I put this global group in a local VNCACCESS group on my workstation which is in a different AD domain from this user.

The OS on the client computer is W2K Pro SP4.
The servers are W2K3, both domains and forest functionnal level are Windows 2003 Server.

Keep up the good work.

Marc
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Thanks a lot
Martin
Stephen

Re: New MS-Logon v3

Post by Stephen »

Marsha,

I am a little confused about so many links for the new MS-Logon location. Could you please send me the right URL? I tried many of them but all brought me error pages. Thanks!

Stephen
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Stephen,

The new MS-Logon (AKA MS-Logon II) is integrated in UltraVNC.
Just download the latest UltraVNC RC (currently 19.5 or 19.6).
Then activate "New MS-Logon" in the Admin Properties page and configure the access groups/users.

Martin
Stephen

New MS-Logon

Post by Stephen »

Marscha,

Thanks for your great help!!!

Stephen
Terriff
20
20
Posts: 51
Joined: 2005-01-28 19:28

Post by Terriff »

What about MSLogon v3? http://dl.ultravnc.net/TEST19_13/ doesn't exist.

I have never seen a "TESTXX_XX" folder at this location...ever.

Why does everyone reference this location when it doesn't exist? Could it be because I get redirected to "http://ftp.erm.tu-cottbus.de/ultravnc/" when I go to "http://dl.ultravnc.net"???

Thanks.
cobratbq
8
8
Posts: 24
Joined: 2004-08-02 22:29

Post by cobratbq »

No it's because your reading old messages.
The XX_XX versions were test-versions and are already deleted.
The last version is the one you can find on: http://www.sf.net/projects/ultravnc/
It's 19.6 if i'm not mistaking.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6832
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

The latest stable is still RC18
The latest test is RC19.6
The sticky in the bug section contain the download path.

Possible a RC19.7 will be available this weekend.
RC19.6 viewer has a bug, remember last settings keep
the repeater settings no matter what you do.
Terriff
20
20
Posts: 51
Joined: 2005-01-28 19:28

Post by Terriff »

cobratbq wrote:No it's because your reading old messages.
The XX_XX versions were test-versions and are already deleted.
The last version is the one you can find on: http://www.sf.net/projects/ultravnc/
It's 19.6 if i'm not mistaking.
Thank you. I just assumed you would see all of the different directories. Didn't even think about them just being test directories that would disappear. :)

19.6 rocks! I love that they put MSLogon into the build (and finally changed those ugly icons). I love this add-in!

Thanks Marscha!
Post Reply