UltraVNC :: View topic - Problems with authentication
UltraVNC
Discussions about UltraVNC and with the UltraVNC developers
 

Problems with authentication

 
DarkSide
Guest




#1 | Posted: 2004-11-17 23:52 | Post subject: Problems with authentication

I'm using the new vnc (test19_12/13) and have a strange authentication problem.
I'm adding users/groups to the MS Logon ACL but I'm unable to connect the server using them (get an authentication failure). The only account that IS able to connect is the builtin Administrator account (on the server).
I should mention that the MS Logon ACL seems to work in general since I can connect with Administrator account only when the account appears in the ACL.
I've tried different combinations of username like domainname\username, \username or just plain username, which should be enough since that's what I enter when I'm successfully connecting with Administrator. However, I have failed to make a connection in all cases (except when using the Administrator account). I even created a username with a simple letters-only password because I read in a previous post there's an issue with certain passwords, but it failed authenticating as well.
I'm running the ultravnc server on a windows 2003 server and the viewer on an XP Pro with SP2.
Does anyone have an idea what I am missing here?
Thanks for any help
Marscha
Former moderator


Joined: 2004-05-14 06:48
Posts: 544
Topics: 25

#2 | Posted: 2004-11-19 07:42

Please take a look in the Event Viewer's application log.
For each connection there is an entry.

See also C:\Windows\system32\WinVNC-authSSP.log. Here is more detailed info:
You can see if the user is
a) authenticated, i.e. username-password combination is OK and
b) authorized, i.e. is a member of an access group.
("access granted is 0x0" means NOT authorized, i.e. you need a non-null value like 0x1 or 0x3 for authorization.)
DarkSide
Guest




#3 | Posted: 2004-11-21 02:31

Thanks for the reply.

However, the WinVNC-authSSP.log (which by the way is located in the ultravnc directory, not in \windows\system32) confirms the errors I've encountered.
For Administrator, the entries are

CUPSD2: Access is 0, user administrator is authenticated, access granted is 0x60000
SetSD: Updating pACL
Passed GetSecurityDescriptorDacl: 183
CUPSD2: Access is 1, user administrator is authenticated, access granted is 0x60003

And for the other users, the entries are

CUPSD2: Access is 0, user a is not authenticated, access granted is 0x0
CUPSD2: Access is 0, user testvnc is not authenticated, access granted is 0x0

These users exist. I can login with them to the domain and they have very simple passwords.
Is there anything else I'm supposed to do other than adding these users to the ACL and giving them permission before I try to connect with the viewer? What is the format of the username when I enter it in the viewer box? Are there any special AD/Domain issues/permissions that need to be addressed specifically?
I guess these all are rhetorical questions since I CAN connect with Administrator account but I ask them nevertheless.

Thanks for your time
DarkSide
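An added example (not part of the thread and not UltraVNC code) that triages WinVNC-authSSP.log lines in the format quoted in post #3, separating failed authentication from missing authorization as post #2 describes. In the quoted log the first administrator line has "Access is 0" with a mask of 0x60000, so the example keys on the Access field and on the low 16 bits of the mask rather than on a non-zero mask; treating those low bits as the VNC-specific rights is an assumption based on the Windows ACCESS_MASK layout, and the repeat threshold is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in post #3 plus one repeated failure.
SAMPLE_LOG = """\
CUPSD2: Access is 0, user administrator is authenticated, access granted is 0x60000
SetSD: Updating pACL
Passed GetSecurityDescriptorDacl: 183
CUPSD2: Access is 1, user administrator is authenticated, access granted is 0x60003
CUPSD2: Access is 0, user a is not authenticated, access granted is 0x0
CUPSD2: Access is 0, user testvnc is not authenticated, access granted is 0x0
CUPSD2: Access is 0, user testvnc is not authenticated, access granted is 0x0
"""

LINE = re.compile(
    r"CUPSD2: Access is (?P<access>\d+), user (?P<user>.+?) is "
    r"(?P<neg>not )?authenticated, access granted is (?P<mask>0x[0-9a-fA-F]+)")

# Low 16 bits of a Windows ACCESS_MASK are object-specific rights; the upper
# bits (0x60000 here) are standard rights. Assumption: VNC rights live in the low bits.
SPECIFIC_RIGHTS = 0xFFFF

def classify(line):
    """Return a dict for a CUPSD2 line, or None for any other log line."""
    m = LINE.search(line)
    if not m:
        return None
    mask = int(m["mask"], 16)
    if m["neg"]:
        verdict = "auth_failed"        # username/password rejected
    elif m["access"] == "0" or not mask & SPECIFIC_RIGHTS:
        verdict = "not_authorized"     # credentials fine, no rights via the ACL
    else:
        verdict = "granted"
    return {"user": m["user"], "verdict": verdict,
            "mask": mask, "specific": mask & SPECIFIC_RIGHTS}

def triage(log_text, threshold=2):
    """Classify every CUPSD2 line and list users with repeated auth failures."""
    events = [e for e in map(classify, log_text.splitlines()) if e]
    failures = Counter(e["user"] for e in events if e["verdict"] == "auth_failed")
    repeated = sorted(u for u, n in failures.items() if n >= threshold)
    return events, repeated

if __name__ == "__main__":
    events, repeated = triage(SAMPLE_LOG)
    for e in events:
        print(f'{e["user"]:15} {e["verdict"]:15} specific=0x{e["specific"]:x}')
    print("repeated failures:", repeated)
```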
Marscha
Former moderator



#4 | Posted: 2004-11-22 17:40

I assume that VNC is not started as a service since the log file is in the ultravnc dir.
Access with the administrator account looks OK.
The first time the administrator is not in the ACL, then you change the ACL, next time administrator gets access.

User a and user testvnc are not authenticated.
Could you try to enter the fully qualified names.
I.e. something like mydomain\a or mydomain\testvnc (assuming the users are domainusers in mydomain) or
mycomp\a or mycomp\testvnc (assuming the users are users on the local computer mycomp).

Another option is to use UPNs for domain users.
They look like a@mydomain or testvnc@mydomain.

Could you please also try to run Ultravnc as a service, there is a new privilege (SeImpersonatePrivilege) which could stop the authentication part.
DarkSide
Guest




#5 | Posted: 2004-11-24 21:16

Hi Marscha.

First of all, thanks for your help.
Secondly, I'm happy to tell the problem has been solved. Strangely enough, I didn't do anything! The only thing I can think of is that the server has been rebooted since I had installed ultravnc on it. I don't recall rebooting the server after installing ultravnc so maybe that was the problem. Does it sound right to you?

Anyway, I've done some testing of ultravnc and found the following problems:

1. You can open multiple windows of ultravnc security editor by pressing the configure ms logon button.

2. There is an authentication problem (wrong password) when the user has a password which contains extended ASCII characters (for example ±,Ç).

3. When using fully qualified names the domain name in domainname\username seems to mean nothing since I was able to connect using whatever\username as long as username exists in the domain.

By the way, using UPNs works fine as well as using just the username itself.
One last thing which I think can be very useful (especially for IT's and HelpDesk support team) is the option to use the credentials of the currently logged on user to connect, instead of retyping username and password every time. A good place for that is a checkbox in the ultravnc authentication window.

Best regards.
Marscha
Former moderator



#6 | Posted: 2004-11-29 07:30

DarkSide,

great that you did some testing. I'll look into the problems you mentioned.

Regarding the re-use of the current credentials: I agree that this would be a very helpful feature.
But this implies a massive change in the protocol (making it incompatible with the current implementation, both on the viewer and server side).
See http://forum.ultravnc.net/viewtopic.php?t=805 for more info.
So I consider this a separate, new project.
Marscha
Former moderator



#7 | Posted: 2004-12-01 08:04

Did some tests, too.
No 1 should be easy to fix (I'm just not a GUI expert :( ).

No 3 is not as bad as it sounds in the first place:
It's exactly the same things you can do with e.g. 'net use'.
You can use 'whatever\username' if either
- there is an account 'username' in domain (or computer) 'whatever' OR
- there is an account 'username' somewhere and there is no domain or computer named 'whatever'.
I was able to reproduce this with a local account on the same machine the vnc server runs.
With a domain account, I got an error.
'Net use' with user and password specified shows exactly the same behavior, so I would like to call this a "Microsoft feature".
It seems slightly more restrictive than using an unqualified name, so I don't see a security problem here.

No 2 could be a real showstopper.
I tested german umlauts (ä/ö/ü) in the password and got 'wrong password' messages.
I traced the code but could not find the error up to now.
Could be some ASCII-Unicode problem.
Marscha
Former moderator



#8 | Posted: 2004-12-06 09:41

Tracked down the bug, need Unicode versions of some functions.
Test app does correct authentication with special chars :) .
Now have to implement this in authSSP.dll.
Marscha
Former moderator



#9 | Posted: 2004-12-08 16:44

Changed authSSP.dll implementation, is now compiled as Unicode app.
My tests with extended chars are OK.
Is available in cvs, will be available in next RC. :)
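An added illustration (not part of the thread and not UltraVNC code) of the class of failure discussed in posts #5 to #9: a password that passes through a one-byte-per-character buffer and is re-read under a different code page no longer matches, while the same password carried as UTF-16 does. The thread does not say which conversion was at fault; the two code pages below are assumptions chosen only to show the mechanism.

```python
# Added illustration; the code pages are assumptions, not taken from the thread.
ANSI_CP = "cp1252"    # assumed ANSI code page where the password is typed
OTHER_CP = "cp850"    # assumed code page applied when the bytes are re-read

def narrow_path(password, sender_cp=ANSI_CP, receiver_cp=OTHER_CP):
    """Password squeezed through a one-byte-per-char buffer and re-read."""
    raw = password.encode(sender_cp, errors="replace")
    return raw.decode(receiver_cp, errors="replace")

def wide_path(password):
    """Password carried as UTF-16LE, the form Windows Unicode (W) APIs use."""
    return password.encode("utf-16-le").decode("utf-16-le")

def fragile_chars(password, sender_cp=ANSI_CP, receiver_cp=OTHER_CP):
    """Characters that do not survive the narrow path unchanged."""
    return [ch for ch in password
            if narrow_path(ch, sender_cp, receiver_cp) != ch]

def audit(passwords):
    """Map password -> (survives narrow path, survives wide path, fragile chars)."""
    return {p: (narrow_path(p) == p, wide_path(p) == p, fragile_chars(p))
            for p in passwords}

# Constructed test passwords using the characters named in the thread.
SAMPLES = ["simple", "Geheim±Ç", "pässwörd", "grüßen"]

if __name__ == "__main__":
    for pw, (narrow_ok, wide_ok, bad) in audit(SAMPLES).items():
        print(f"{pw!r:12} narrow={narrow_ok!s:5} wide={wide_ok!s:5} fragile={bad}")
```

A letters-only password survives both paths, which matches the reports above that only passwords with extended characters were rejected.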
Marscha
Former moderator



#10 | Posted: 2005-01-14 16:13

Fixed problem with security editor dialog:
Quote:
1. You can open multiple windows of ultravnc security editor by pressing the configure ms logon button.

The security editor is now really modal.
alkos333



Joined: 2007-12-30 04:21
Posts: 6

#11 | Posted: 2007-12-30 06:13 | Post subject: Re: Problems with authentication

I'm trying to set up a MSLogon-II authentication. The server is running Windows XP Home. I have both the admin and a normal user added to the list in winvnc with full privileges, the guest account is disabled, and the ForceGuest in regedit is set to 0.

I tried both "user" and "machine\user", but no luck.

Also, how do you modify the settings when running as a service? I tried running "winvnc.exe -servicehelp" from the command line, but that didn't bring up the GUI, nothing happened, not even an error.
redge
Super-Mod


Joined: 2004-07-03 17:05
Posts: 8122
Topics: 423
Location: Switzerland - Geneva

#12 | Posted: 2007-12-30 12:23 | Post subject: Re: Problems with authentication

MSLogon II does not work on XP Home !!!
Only MSLogon I or VNC password work on XP Home.
_________________
UltraVNC 1.0.8.2 release (built 20091207)
OS Win: xp pro sp3 + vista business sp2 + 7 home
only experienced user, not developer
alkos333




#13 | Posted: 2007-12-30 14:50 | Post subject: Re: Problems with authentication

Alright, I'll try that, but I'm having trouble bringing up the settings when running as a service. Do I have to uninstall the service, modify settings, and then re-install the service again?
alkos333




#14 | Posted: 2007-12-31 00:51 | Post subject: Re: Problems with authentication

Ok, I set the Administrators group to have full access and the Users group to have read-only rights like so: http://tinyurl.com/2valtx

I'm able to login with both, but when I login with the regular user account that belongs to the Users group, I'm still able to control the remote desktop. Isn't the third group supposed to have read-only access?
redge
Super-Mod

#15 | Posted: 2008-01-01 13:05 | Post subject: Re: Problems with authentication

you are right.
alkos333




#16 | Posted: 2008-01-02 02:19 | Post subject: Re: Problems with authentication

If so, then how come the regular user has control privileges?
Nagaraju



Joined: 2008-05-23 04:48
Posts: 5
Topics: 2

#17 | Posted: 2008-05-23 05:23 | Post subject: Re: Problems with authentication

Hi,

Anybody help me.

I want to avoid the authentication process. Is it possible or not?

If possible, how can I do it?

Please let me know the solution.

regards,
Nagaraj
sijiafin



Joined: 2009-05-21 20:28
Posts: 1

#18 | Posted: 2009-05-21 20:30 | Post subject: Re: Problems with authentication

Nagaraj:

It is definitely possible to circumvent the authentication process, but it's pretty difficult. I recommend that you visit this web security authentication website to find out more about the workings behind authentication. Good luck.
All times are GMT