Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
New MS-Logon v3 - No longer new!
New MS-Logon for UltraVNC
Edit: This is no longer new. MS-Logon II is integrated in RC19.x.
Contents
This is version 3 of the new MS-Logon for UltraVNC.
It's part of TEST19_12 ([topic=1044]Announcement[/topic], Download).
Description
AuthSSP.dll does a new MS-Logon.
The main difference compared to the "old" ms-logon is the ability to
authenticate cross-domain, i.e. the user account can be in another domain
than the computer account.
Should work with Windows NT 4, Windows 2000, Windows XP and Windows 2003.
For W2K SP4 and W2K3 only as ultravnc service because of new restrictions
(SeImpersonatePrivilege, see Knowledgebase article 821546).
Should recognize any nesting of groups.
Should support domain\user and user@domain.com (UPN) naming.
Requirements
For the SecurityEditor page on Windows NT 4, you need at least SP4 and the security configuration manager installed,
see http://www.microsoft.com/ntserver/nts/d ... allSP6.asp
and http://www.microsoft.com/NTServer/nts/d ... efault.asp
Configuration
In the AdminProperty page check "Require MS-Logon" and "New MS-Logon".
Then edit the MS Logon groups.
You can use the MSLogonACL tool to export the ACL from one machine and import it
to another.
To be tested
OS: WinNT, W2K, wXP, W2K3
Infrastructure: With/without Active Directory
Accounts: Local and/or domain users/groups
Naming styles: user, machine\user, domain\user, user@domain.com (UPN), group, domain\group
Domains: (implies trusts/AD) user and/or group in other domains than computer,
nested groups over multiple domains
Known bugs (not fixed yet)
* Certain passwords (e.g. Abc0DefG) lead to authentication failure (see [topic=803][/topic])
* No detection of SeImpersonatePrivilege yet. Authentication might fail when running winvnc in app mode.
* Error reporting / debugging to be improved
History
07. 10. 2004: Changed list of groups to a real ACL.
Changed UI to SecurityPage.
Added import/export tool for ACL.
20. 08. 2004: Fix: Change in platform detection to call security.dll instead of secur32.dll on NT 4.
04. 08. 2004: Authorization now uses AccessCheck with SecurityDescriptor and Access Token.
Only one Windows logon attempt is required to test authentication and authorization.
25. 06. 2004: First try.
Martin
Last edited by Marscha on 2005-01-31 12:59, edited 2 times in total.
Feedback on MSLOGON-3
Hi Marscha,
First of all I'd like to congratulate you for putting up this new authentication method for UltraVNC as it is overall more clean and faster than the old method.
So far I found one minor bug in the ACL importation procedure. I can export the ACL with the MSLogonACL.exe /e command and get a nice txt file like this:
deny 0x00000003 ..\Domain Admins
allow 0x00000003 BUILTIN\Administrators
allow 0x00000003 ..\VNCACCESS
allow 0x00000003 .\VNCACCESS
But when I try to import it back with the /i /o options, I'm getting an error on the Domain Admins line because there is a 'space' character in the group name:
C:\>MSLogonACL.exe /i /o uvncacl.txt
Detected domain = FRANCE
FRANCE\Domain: SID not valid.
domainaccount is BUILTIN\Administrators, mask is 3
Detected domain = FRANCE
domainaccount is FRANCE\VNCACCESS, mask is 3
Before GetComputerName
domainaccount is VORFRAPC3\VNCACCESS, mask is 3
RegSetValueEx passed
deleting ACE_DATA linked lists
I think it'll be very easy for you to fix this.
Thanks again for the nice work.
Marc
Feedback
Marscha,
Quickly some feedback on what I tested:
login with user@dom : ok
login with dom\user : ok
login with user in local workstation group : ok
login with user in domain group nested in a local workstation group : ok
Didn't have a chance to test cross domain authentication but I'll do it.
Regards,
Marc
Changed the input/output format: If username contains whitespace (blanks or tabs), then the name is quoted.
E. g. "Mydomain\Domain Admins".
Uploaded the change to the cvs, binary will be available in http://dl.ultravnc.net/TEST19_13/.
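The quoting rule described in this reply, as an added example that is not part of the thread and not MSLogonACL's own code: a parser for the export lines shown above that accepts quoted names and rejects the whole file on any unparseable line, since the import log posted earlier continues past the failed deny line. The function names and sample data are hypothetical and constructed for illustration.

```python
import re

# Line shape as shown in this thread: <allow|deny> <hex mask> <account>,
# with the account in double quotes when it contains blanks or tabs.
ENTRY_RE = re.compile(
    r'^(allow|deny)[ \t]+(0x[0-9a-fA-F]{1,8})[ \t]+(?:"([^"]+)"|([^\s"]+))$'
)

def naive_parse(line):
    """Plain whitespace split: cuts an unquoted name at its first blank."""
    kind, mask, name = line.split()[:3]
    return kind, int(mask, 16), name

def parse_acl(text):
    """Parse a whole export. Raises on the first bad line, so a caller never
    applies a partial ACL (for example one that lost its deny entry)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append((m.group(1), int(m.group(2), 16), m.group(3) or m.group(4)))
    return entries

def format_entry(kind, mask, name):
    """Write one entry, quoting the name if it contains whitespace."""
    if re.search(r"\s", name):
        name = f'"{name}"'
    return f"{kind} 0x{mask:08x} {name}"

# Constructed samples modelled on the export posted above.
UNQUOTED = r"""deny 0x00000003 ..\Domain Admins
allow 0x00000003 BUILTIN\Administrators"""
QUOTED = r"""deny 0x00000003 "..\Domain Admins"
allow 0x00000003 BUILTIN\Administrators"""

if __name__ == "__main__":
    print(naive_parse(UNQUOTED.splitlines()[0]))  # name cut at the blank
    for entry in parse_acl(QUOTED):
        print(entry, "->", format_entry(*entry))
    try:
        parse_acl(UNQUOTED)
    except ValueError as exc:
        print("import rejected:", exc)
```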
Just did the test, it works !
Connected to UltraVNC with a forest root domain account with the user@rootdom syntax. This user is in a global group in the root domain, I put this global group in a local VNCACCESS group on my workstation which is in a different AD domain from this user.
The OS on the client computer is W2K Pro SP4.
The servers are W2K3, both domains and forest functional level are Windows 2003 Server.
Keep up the good work.
Marc
Re: New MS-Logon v3
Marsha,
I am a little confused about so many links for the new MS-Logon location. Could you please send me the right URL? I tried many of them but all brought me error pages. Thanks!
Stephen
What about MSLogon v3? http://dl.ultravnc.net/TEST19_13/ doesn't exist.
I have never seen a "TESTXX_XX" folder at this location...ever.
Why does everyone reference this location when it doesn't exist? Could it be because I get redirected to "http://ftp.erm.tu-cottbus.de/ultravnc/" when I go to "http://dl.ultravnc.net"???
Thanks.
No, it's because you're reading old messages.
The XX_XX versions were test-versions and are already deleted.
The last version is the one you can find on: http://www.sf.net/projects/ultravnc/
It's 19.6 if I'm not mistaken.
cobratbq wrote:
> No, it's because you're reading old messages.
> The XX_XX versions were test-versions and are already deleted.
> The last version is the one you can find on: http://www.sf.net/projects/ultravnc/
> It's 19.6 if I'm not mistaken.
Thank you. I just assumed you would see all of the different directories. Didn't even think about them just being test directories that would disappear.
19.6 rocks! I love that they put MSLogon into the build (and finally changed those ugly icons). I love this add-in!
Thanks Marscha!