Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Problems with authentication
I'm using the new vnc (test19_12/13) and have a strange authentication problem.
I'm adding users/groups to the MS Logon ACL but I'm unable to connect the server using them (get an authentication failure). The only account that IS able to connect is the builtin Administrator account (on the server).
I should mention that the MS Logon ACL seems to work in general since I can connect with Administrator account only when the account appears in the ACL.
I've tried different combinations of username like domainname\username, \username or just plain username, which should be enough since that's what I enter when I'm successfully connecting with Administrator. However, I have failed to make a connection in all cases (except when using the Administrator account). I even created a username with a simple letters-only password because I read in a previous post there's an issue with certain passwords, but it failed authenticating as well.
I'm running the ultravnc server on a Windows 2003 server and the viewer on an XP Pro with SP2.
Does anyone have an idea what I am missing here?
Thanks for any help
Please take a look in the Event Viewer's application log.
For each connection there is an entry.
See also C:\Windows\system32\WinVNC-authSSP.log. Here is more detailed info:
You can see if the user is
a) authenticated, i.e. username-password combination is OK and
b) authorized, i.e. is a member of an access group.
("access granted is 0x0" means NOT authorized, i.e. you need a non-null value like 0x1 or 0x3 for authorization.)
Thanks for the reply.
However, the WinVNC-authSSP.log (which by the way is located in the ultravnc directory, not in \windows\system32) confirms the errors I've encountered.
For Administrator, the entries are
CUPSD2: Access is 0, user administrator is authenticated, access granted is 0x60000
SetSD: Updating pACL
Passed GetSecurityDescriptorDacl: 183
CUPSD2: Access is 1, user administrator is authenticated, access granted is 0x60003
And for the other users, the entries are
CUPSD2: Access is 0, user a is not authenticated, access granted is 0x0
CUPSD2: Access is 0, user testvnc is not authenticated, access granted is 0x0
These users exist. I can login with them to the domain and they have very simple passwords.
Is there anything else I'm supposed to do other than adding these users to the ACL and giving them permission before I try to connect with the viewer? What is the format of the username when I enter it in the viewer box? Are there any special AD/Domain issues/permissions that need to be addressed specifically?
I guess these all are rhetorical questions since I CAN connect with Administrator account but I ask them nevertheless.
Thanks for your time
DarkSide
I assume that VNC is not started as a service since the log file is in the ultravnc dir.
Access with the administrator account looks OK.
The first time the administrator is not in the ACL, then you change the ACL, next time administrator gets access.
User a and user testvnc are not authenticated.
Could you try to enter the fully qualified names.
I.e. something like mydomain\a or mydomain\testvnc (assuming the users are domain users in mydomain) or
mycomp\a or mycomp\testvnc (assuming the users are users on the local computer mycomp).
Another option is to use UPNs for domain users.
They look like a@mydomain or testvnc@mydomain.
Could you please also try to run Ultravnc as a service, there is a new privilege (SeImpersonatePrivilege) which could stop the authentication part.
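Added example, not part of the original posts and not UltraVNC code: a small Python triage script that separates the two checks discussed above (authentication vs. authorization) in WinVNC-authSSP.log. The line layout and the reading of "Access is 0" as denied are taken from the excerpts and explanation in this thread; other UltraVNC versions may log differently.

```python
import re
from collections import Counter

# Line layout taken from the WinVNC-authSSP.log excerpts quoted in this thread;
# other UltraVNC versions may use a different format (assumption).
LINE_RE = re.compile(
    r"CUPSD2: Access is (?P<access>\d+), user (?P<user>.+?) is "
    r"(?P<neg>not )?authenticated, access granted is (?P<mask>0x[0-9a-fA-F]+)"
)

def classify(line):
    """Return (user, outcome, mask) for a CUPSD2 line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    mask = int(m.group("mask"), 16)
    if m.group("neg"):
        outcome = "auth_failed"      # username/password combination rejected
    elif int(m.group("access")) == 0:
        outcome = "not_authorized"   # credentials OK, but the ACL grants no access
    else:
        outcome = "granted"          # authenticated and authorized
    return m.group("user"), outcome, mask

def summarize(lines):
    """Count outcomes per user so repeated failures stand out."""
    summary = {}
    for line in lines:
        parsed = classify(line)
        if parsed:
            user, outcome, _ = parsed
            summary.setdefault(user, Counter())[outcome] += 1
    return summary

# Sample input: the log lines posted earlier in this thread.
SAMPLE = """\
CUPSD2: Access is 0, user administrator is authenticated, access granted is 0x60000
SetSD: Updating pACL
Passed GetSecurityDescriptorDacl: 183
CUPSD2: Access is 1, user administrator is authenticated, access granted is 0x60003
CUPSD2: Access is 0, user a is not authenticated, access granted is 0x0
CUPSD2: Access is 0, user testvnc is not authenticated, access granted is 0x0
""".splitlines()

if __name__ == "__main__":
    for user, counts in summarize(SAMPLE).items():
        print(user, dict(counts))
```

An "auth_failed" result points at the credentials or username format, while "not_authorized" points at the MS Logon ACL.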
Hi Marscha.
First of all, thanks for your help.
Secondly, I'm happy to tell the problem has been solved. Strangely enough, I didn't do anything! The only thing I can think of is that the server has been rebooted since I had installed ultravnc on it. I don't recall rebooting the server after installing ultravnc so maybe that was the problem. Does it sound right to you?
Anyway, I've done some testing of ultravnc and found the following problems:
1. You can open multiple windows of ultravnc security editor by pressing the configure ms logon button.
2. There is an authentication problem (wrong password) when the user has a password which contains extended ASCII characters (for example ±,Ç).
3. When using fully qualified names the domain name in domainname\username seems to mean nothing since I was able to connect using whatever\username as long as username exists in the domain.
By the way, using UPNs works fine as well as using just the username itself.
One last thing which I think can be very useful (especially for IT's and HelpDesk support team) is the option to use the credentials of the currently logged on user to connect, instead of retyping username and password every time. A good place for that is a checkbox in the ultravnc authentication window.
Best regards.
DarkSide,
great that you did some testing. I'll look into the problems you mentioned.
Regarding the re-use of the current credentials: I agree that this would be a very helpful feature.
But this implies a massive change in the protocol (making it incompatible with the current implementation, both on the viewer and server side).
See topic 805 for more info.
So I consider this a separate, new project.
Did some tests, too.
No 1 should be easy to fix (I'm just not a GUI expert).
No 3 is not as bad as it sounds in the first place:
It's exactly the same things you can do with e.g. 'net use'.
You can use 'whatever\username' if either
- there is an account 'username' in domain (or computer) 'whatever' OR
- there is an account 'username' somewhere and there is no domain or computer named 'whatever'.
I was able to reproduce this with a local account on the same machine the vnc server runs.
With a domain account, I got an error.
'Net use' with user and password specified shows exactly the same behavior, so I would like to call this a "Microsoft feature".
It seems slightly more restrictive than using an unqualified name, so I don't see a security problem here.
No 2 could be a real showstopper.
I tested German umlauts (ä/ö/ü) in the password and got 'wrong password' messages.
I traced the code but could not find the error up to now.
Could be some ASCII-Unicode problem.
Re: Problems with authentication
I'm trying to set up a MSLogon-II authentication. The server is running Windows XP Home. I have both the admin and a normal user added to the list in winvnc with full privileges, the guest account is disabled, and the ForceGuest in regedit is set to 0.
I tried both "user" and "machine\user", but no luck.
Also, how do you modify the settings when running as a service? I tried running "winvnc.exe -servicehelp" from the command line, but that didn't bring up the GUI, nothing happened, not even an error.
Re: Problems with authentication
MSLogon II does not work on XP Home!!!
only MSLogon I or VNC password work on XP Home
UltraVNC 1.0.9.6.1 (built 20110518)
OS Win: xp home + vista business + 7 home
only experienced user, not developer
Re: Problems with authentication
Alright, I'll try that, but I'm having trouble bringing up the settings when running as a service. Do I have to uninstall the service, modify settings, and then re-install the service again?
Re: Problems with authentication
Ok, I set the Administrators group to have full access and the Users group to have read-only rights like so: http://tinyurl.com/2valtx
I'm able to login with both, but when I login with the regular user account that belongs to the Users group, I'm still able to control the remote desktop. Isn't the third group supposed to have read-only access?
Re: Problems with authentication
you are right.
UltraVNC 1.0.9.6.1 (built 20110518)
OS Win: xp home + vista business + 7 home
only experienced user, not developer
Re: Problems with authentication
If so, then how come the regular user has control privileges?
Re: Problems with authentication
Hi,
Anybody help me.
I want to avoid the authentication process. Is it possible or not?
If possible, how can I do it?
Please let me know the solution.
regards,
Nagaraj
Re: Problems with authentication
Nagaraj:
It is definitely possible to circumvent the authentication process, but it's pretty difficult. I recommend that you visit this web security authentication website to find out more about the workings behind authentication. Good luck.
Re: Problems with authentication
hi
I assume that VNC is not started as a service since the log file is in the ultravnc dir.
Access with the administrator account looks OK.
The first time the administrator is not in the ACL, then you change the ACL, next time administrator gets access.
[ Mod Note: 7 year old thread and possible spam target; locking. ]