SSPI Authentication

Should you have problems with the MS logon plugin, here's the place to look for help or report issues.


Post by JohnPeacock » 2004-09-02 14:08

Any chance that the MSLogin methods could be extended to use SSPI, i.e. reuse the existing local credentials to authenticate to a remote machine? Example code exists (cvsnt in particular) that should make this a straightforward change (I just don't have the time to do it myself). Ideally the server should have an option to forbid fallback to manual login, but the normal behavior should be:

1) attempt to log in with local credentials
2) popup requester for manual login

We are using VNC in a corporate environment and the HelpDesk staff are all in a known Group, so their existing credentials should be enough to connect to any machine, but if they are at a user machine and need to connect to another machine, they should have the option to key in a password. At the same time, we would like to restrict connection to servers to users in a known group only.

If anyone would like to accept a contract to add this feature, I can probably get some money out of my boss. Make me a proposal...

Thanks

John
JohnPeacock
 
Posts: 2
Joined: 2004-09-02 13:59

Post by Marscha » 2004-09-22 09:24

Yes, I agree that this would be a great feature.
Thanks for the cvsnt hint. Do you know of any other code examples
(the cvsnt SSPI code is in C, I think a C++ example would be much easier... :wink: )?
I suspect that this would require fundamental changes to the ultravnc mslogon code.
In fact SSPI is used but only on the server, not over the wire :( .
Once mslogon2 is more stable and reliable I'll again try to address this issue because I think that this is the most interesting feature that's missing.
Marscha
Former moderator
 
Posts: 471
Joined: 2004-05-14 06:48

Post by JohnPeacock » 2004-09-29 15:54

Marscha wrote: In fact SSPI is used but only on the server, not over the wire :( .

Umm, no, what would be the point if you couldn't send the auth token over the wire? I can use CVSNT over the Internet through a firewall (with appropriately shaped holes) by logging into the domain in question (e.g. by mounting a drive) and then connecting with the CVSNT client to the server.

I'll see if the CVSNT author knows of any C++ source code to do the SSPI authentication... Here's something I found with a quick Google:

http://www.winterdom.com/dev/security/sspi.html

John
JohnPeacock
 
Posts: 2
Joined: 2004-09-02 13:59

Post by Marscha » 2004-09-30 07:29

OK, here's a short story about the history of the mslogon feature in ultravnc as far as I am involved:
I became aware of the "old" mslogon in ultravnc because my company currently uses vnc.
But due to a growing number of vnc users we need a better authentication scheme.
The "old" mslogon limits the users/groups to be in the same domain as the remote computer.
Because we have a multi-domain environment I tried to find somebody who could extend/adapt the mslogon feature.
You guessed it, in the end I started to look into the code because I thought "this should be relatively easy".
My goal is to have an authentication for a multi-domain (AD) environment but to keep it compatible with the "old" mslogon.
The code is based on one of the auth methods of the "old" mslogon.
To use SSPI as originally intended would require changing the vnc protocol.
Once the new mslogon is stable and reliable I'll consider starting this new project.
Marscha
Former moderator
 
Posts: 471
Joined: 2004-05-14 06:48
