Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

NT Authentication

Should you have problems with the MS logon plugin, here's the place to look for help or report issues
Post Reply
LHuisingh
Posts: 6
Joined: 2004-08-20 22:05

NT Authentication

Post by LHuisingh »

I have added a domain group to the MS logon part of server setup. When I attempt to connect using an account that is a member of the group everything works fine. When I try to connect using a different account that is NOT part of the group I am still allowed access. It does not appear to be rejecting access. I am using 1.0.0 RC18.

Larry Huisingh
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

Are you sure the second user is not local admin.....
A local admin have always access, even when he is not member of the group.
Last edited by Rudi De Vos on 2004-08-23 10:44, edited 1 time in total.
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

is this with the new ms-logon (see [topic=637][/topic]) or the ms-logon that comes with RC18?
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

RC18 grant permission for every user that is able to use
the service manager (local admin check)

If you can use the service manager, you can remote install/uninstall vnc, this users HAVE ALWAYS ACCESS.
No need to block them, because they always can grant themself access.
LHuisingh
Posts: 6
Joined: 2004-08-20 22:05

Post by LHuisingh »

Yes, it turned out that the second user was in the administrators group. I removed that user account from the admin group and rebooted both machines. When I tried with the second one again it crashed the server. I get the following error message

"0x100011f2 referenced memory at 0x00000002. The memory could not be "read"."

I have not tried the new ms-logon yet. This is with RC18. I will try out the new ms-logon next.

Thank you.
Schra
Posts: 2
Joined: 2004-07-05 10:15

Post by Schra »

Rudi De Vos wrote:If you can use the service manager, you can remote install/uninstall vnc, this users HAVE ALWAYS ACCESS.
No need to block them, because they always can grant themself access.
Hi,

nevertheless I would like to have an option to disallow the local admins to connect to VNC.

Why? Because we have PCs wich are used by many users - every day another. These users need to be in the local admin group and so we added the "domain users"-group to the local admin group and this is (unfortunately) not arguable.

So every user can connect to each PC - that's a big no for our VNC-project. Even with a query window it's not ok, because the "normal user" clicks on every popup-window :?
Only our "helpdesk" should be able to connect to these PCs.

By the way - is it possible two switch the order of the confirmations? I think it's better to check first the client-->server permission to establish a connection and then query the server-user.

Greetings
Schra
LHuisingh
Posts: 6
Joined: 2004-08-20 22:05

Post by LHuisingh »

I just tried the new ms-logon. I put in the registry key with a DWORD value of 1 as well. I modified the group name to use the full domain\group specification and it worked fine. The first user that was part of an authorized group was granted access as desired and the second user (not an authorized group member, non-admin user) was denied access and this time the server didn't crash.

I noticed that if you make changes to the authorized user list you have to stop and start the server for the changes to take effect. It would be nice if it would take place right away.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

Code: Select all

we added the "domain users"-group to the local admin group
Everybody has full controle on every machine...
They can remote install vnc
They can change the local and remote registry of every PC
They are allowed to reset,shutdown every PC you controle.
They can stop the virus checkers beause they use to much cpu....

How do you gonna block the user for changing the "disallow the local admins", they are allowed to change the value from any remote pc.

What local admin rights does the users need, does they need to install there own services ?
You better create your own "power user group" with needed permissions and add the "domain users" in that group
Schra
Posts: 2
Joined: 2004-07-05 10:15

Post by Schra »

Thanks for your answer!

Code: Select all

They can change the local and remote registry of every PC
No, because of various policies and the disabled "file- and printersharing" a user can't edit the registry remotly.

Code: Select all

What local admin rights does the users need, does they need to install there own services ?
They need full control over installation of drivers + programs, changing the network settings and so on (required because of technicans outside the office at the customers).


Because of data privacy a normal "domain user" shouldn't connect remotly to another PC with VNC - and no, he can't go to this PC and change the stettings from the PC directly (half way around the world/another department with security doors).

As said before - the domain users thing inside the local admin group isn't changeable and a default user with local admin rights on such a remote PC shouldn't be allowed to log on. Yes, I know, that a user with experience can circumvent such blocking, but we have to follow the rules of our works council.

I hope you understand the problem now a little bit better (my first post wasn't very clear).
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

An easy solution for it...
authlogonuser.dll does the check for local admin.

If you don't install this dll, no local admin check.
yaddyaddayadda
Posts: 3
Joined: 2004-08-26 15:23

Post by yaddyaddayadda »

i removed the dll to see if i could skip the local authentication and the program complained looking for auth.dll. how can i "uninstall" this particular dll.
User avatar
Rudi De Vos
Admin & Developer
Admin & Developer
Posts: 6863
Joined: 2004-04-23 10:21
Contact:

Post by Rudi De Vos »

auth.dll is needed...authlogonuser.dll is not

It contain the logging for vnc connections.
yaddyaddayadda
Posts: 3
Joined: 2004-08-26 15:23

Post by yaddyaddayadda »

i tried removing the authlogonuser.dll , the auth.dll is already in the directory, and restarting the machien to make sure the service isn't using the authlogonuser.dll somehow and i get an error "you selected ms-logon but the auth.dll was not found, and it hangs up the ultravnc client as well.

I'm guessing that because the "server" pc is in a workgroup (not authenticated into the domain) and the client pc is authenticated in the domain that i'm going to have problems using the domain to provide authentication for the server. But i'll keep testing it regardless and hope that i'll work it out. maybe there can be some extra settings aloow a work around
Post Reply