Computer access control – Intelligent Systems Monitoring

7009517: How to configure “Computer Only Logon If Not Connected” functionality

September 12, 2018September 12, 2018 Novell Leave a comment

The functionality needed is documented in the Novell Client 2 SP3 for Windows Administration Guide, Section 8.4, “Setting Up the Computer Only Logon If Not Connected Feature.”

To enable the “Computer Only Logon If Not Connected” feature:

1. Log on to the Windows machine with administrative privileges.

2. Edit the registry and navigate to the existing

HKEY_LOCAL_MACHINESOFTWARENovellLogin key.

3. Create a subkey named Computer Only Logon If Not Connected, such that a key path of HKEY_LOCAL_MACHINESoftwareNovellLoginComputer Only Logon IfNot Connected now exists.

4. Under the Computer Only Logon If Not Connected key, create the following entries:

A DWORD (32-bit) value named Enable. If the value of this entry is set to 1, the Computer Only Logon If Not Connected feature is enabled. If this value does not exist or is set to 0 (zero), the feature is disabled.
Optionally, create a Multi-String (not String) value named Network Category List. This Multi-String can be set to one or more of the following values, which correspond to the names Windows uses to describe network categories: Home, Work and Public.
Optionally, create a Multi-String named Network Name List. This Multi-String can contain a list of one or more names that have been assigned to networks identified by Windows. For example, Network 1, Network 2, My-Residence, My-Office and so on.
Optionally, create a DWORD(32 bit) value named Use Lists for Novell Logon. If the value of this entry is set to 1, the Network Catrgory List and Network Name List values will be interpreted as criteria for networks which CAN access Novell eDirectory servers, and when networks matching these criteria are present the Novell Client should attempt a normal Novell Logon. If the Use Lists for Novell Logon value does not exist or is set to 0 (zero), the Network Category List and Network Name List values will be interpreted as criteria for networks which CAN NOT access Novell eDirectory servers, and if all connected networks match this criteria the Novell Client should skip the eDirectory login attempt and proceed immediately with a Computer Only Logon instead. Continue reading the description below of the Network Category List and Network Name List values for additional explanation.

Windows Multi-String values intend to have each item entered on its own separate line. Meaning you will not comma-separate or use other delimiters when entering multiple values. To enter multiple network category names or multiple network names, when using Windows REGEDIT on a Multi-String value simply press the ENTER key after each value to input each value on its own separate line of the REGEDIT Multi-String editor.

The Computer Only Logon If Not Connected feature takes effect when the Enable value is set to 1, even without the Network Category List or Network Name List values being defined. When the Computer Only Logon If Not Connected feature is enabled, at minimum the Novell Client will automatically perform a Computer Only Logon instead of a Novell Logon if Windows reports there are not any active network interfaces when the logon attempt is initiated.

If the Network Category List is defined, the Novell Client will query Windows to determine what category each identified network belongs to. (Work, Home, or Public.) The Network Category List names which Windows network categories the Computer Only Logon If Not Connected feature should assume CAN NOT access Novell eDirectory servers.

Note this means if any one of the currently active networks detected by Windows is assigned to a category which does NOT appear in the configured Network Category List, the Computer Only Logon If Not Connected functionality will

not engage. For example, assume the Network Category List has been configured with Home and Public. During the next logon attempt, Windows reports there are two Public networks detected and one Work network detected. In this case the Novell Client will perform a normal Novell logon, because there one network present (the Work network) which isn’t in the Network Category List.

If the Network Name List is defined, the Novell Client first performs the Network Category List processing described above if the Network Category List is defined. After matching the active network categories against the Network Category List, if there is still one or more active Windows networks which hasn’t been excluded based on category, the Novell Client will match those network names against the Network Name List. The Network Name List names individual Windows network names the Computer Only Logon If Not Connected feature should assume CAN NOT access Novell eDirectory servers, regardless of what Windows network category the named networks belong to.

For example, assume the Network Category List has been configured with Home and Public, and the Network Name List has been configured with RemoteOffice. During the next logon attempt, Windows reports a Public

network and also a Work network named RemoteOffice. Even though based on the Network Category List alone a Novell Logon would have been attempted due to presence of the Work category network, because the Work network is named RemoteOffice and this network name appears in the Network Name List, the Novell Client will actually consider that none of the active networks detected by Windows qualify for attempting a Novell Logon. A Computer Only Logon will be initiated instead.

To use the Computer Only Logon If Not Connected feature:

1. Logout of Windows, or reboot the machine.

2. Select the Novell Logon link on the Windows logon page, if the Novell Client login is not already in Novell Logon mode. If Computer Only Logon mode is explicitly selected, the Computer Only Logon If Not Connected feature

does not need to engage.

Note by default, the Novell Client remembers whether Novell Logon or Computer Only Logon was last used, and will default to that mode during the next logon. If you want the Novell Client to always come up in Novell Logon mode and then just let the Computer Only Logon If Not Connected automatically decide whether a Novell Logon attempt is actually appropriate, change the Computer Only Logon Default setting from Automatic to Never in the Advanced Login tab of the Novell Client Properties.

3. Now attempt to logon in Novell Logon mode. Once you enter your password and press the submit button, the Novell Client will begin the Computer Only Logon If Not Connected process of querying Windows for connected network names and categories, and matching those names and categories against any configured Network Category List and Network Name List values.

4. If the Novell Client determines there are one or more active Windows networks present over which a Novell Logon attempt will be appropriate, the Novell Client will simply proceed with normal Novell Logon processing of attempting to login to both eDirectory and the Windows account.

5. If the Novell Client determines that all of the active Windows networks match either the configured Network Category List or Network Name List, or if Windows reports there simply are not any active Windows networks, even though the Novell Client was in Novell Logon mode when the logon attempt was initiated, the eDirectory login will be transparently skipped, and only the Windows account logon attempt will be made.

6. Note in cases where the Windows account password is not the same as the eDirectory account password – for example, because the Windows account password was normally supplied from a Novell ZENworks Dynamic Local User (DLU) policy, or the password was expected to be retrieved by NMAS-based Single Sign-On – the Windows-only account logon attempted by Computer Only Logon If Not Connected will not be able to succeed using the eDirectory password.

The Novell Client will still skip the eDirectory logon attempt and will perform just a Computer Only Logon, but the user will have to manually enter their Windows account password. This is only an issue in cases which otherwise would have retrieved their Windows account passed from Novell eDirectory-based sources.

No Related Posts

Authentication bypass cheat sheet

September 9, 2018September 9, 2018 PCIS Support Team Leave a comment

SQL Injection Login. on StudyBlue. 2 Ensure that MongoDB does not bypass authentication via the localhost //www. . For more information see the …

No Related Posts

How to send domainSamAccountname to Radius Client with domain drop down

September 6, 2018September 6, 2018 Citrix Leave a comment

Unbind the rewrite policy created for domaindrop down on Gateway Vserver.

Unbind the radius authentication policy from Gateway Vserver

Create a AAA Vserver.

Create Login schema Policy with expression TRUE and with domaindrop.xml schema file.

User-added image

In the profile , select domaindrop.xml .

In the default file we only have options to add 2 domains.

In case you want to add dropdown for more domains

Download the domaindropdown.xml file.

Edit the file and added the line </DisplayValue><DisplayValue><Display>divya.com</Display><Value>divya.com</Value>

<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse xmlns="http://citrix.com/authentication/response/1"><Status>success</Status><Result>more-info</Result><StateContext/><AuthenticationRequirements><PostBack>/nf/auth/doAuthentication.do</PostBack><CancelPostBack>/nf/auth/doLogoff.do</CancelPostBack><CancelButtonText>Cancel</CancelButtonText><Requirements><Requirement><Credential><ID>login</ID><SaveID>ExplicitForms-Username</SaveID><Type>username</Type></Credential><Label><Text>domaindropdown_new_user_name</Text><Type>nsg-login-label</Type></Label><Input><AssistiveText>domaindropdown_new_please_supply_either_domainusername_or_user@fully.qualified.domain</AssistiveText><Text><Secret>false</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><ID>passwd</ID><SaveID>ExplicitForms-Password</SaveID><Type>password</Type></Credential><Label><Text>domaindropdown_new_password</Text><Type>nsg-login-label</Type></Label><Input><Text><Secret>true</Secret><ReadOnly>false</ReadOnly><InitialValue/><Constraint>.+</Constraint></Text></Input></Requirement><Requirement><Credential><ID>domain</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><ComboBox><InitialSelection>unspecified</InitialSelection><DisplayValues><DisplayValue><Display>select a domain</Display><Value>unspecified</Value></DisplayValue><DisplayValue><Display>divya.com</Display><Value>divya.com</Value></DisplayValue><DisplayValue><Display>abc.com</Display><Value>abc.com</Value></DisplayValue><DisplayValue><Display>TEST.com</Display><Value>TEST.COM</Value></DisplayValue></DisplayValues></ComboBox></Input></Requirement><Requirement><Credential><Type>none</Type></Credential><Label><Text>domaindropdown_new_please_select_domain_to_continue_login_...</Text><Type>nsg_confirmation</Type></Label><Input/></Requirement><Requirement><Credential><ID>loginBtn</ID><Type>none</Type></Credential><Label><Type>none</Type></Label><Input><Button>domaindropdown_new_log_on</Button></Input></Requirement></Requirements></AuthenticationRequirements></AuthenticateResponse>

Save the File with different name.

Now go login schema profile we created

User-added image
Select the upload option and upload the xmlfile we created.

Bind this login schema to AAAVserver.

Create one more login schema with the name no schema

User-added image
Click on ADD

Give the name for the profile

Leave the default option as no Schema

Under the user Expression , Add AAA.LOGIN.DOMAIN+”\”+AAA.LOGIN.USERNAME

Click on create

User-added image
We will create 2 Authentication policies under AAA Vserver -> Authentication- > Advanced Authentication->

Create No Auth policy with the Expression http.req.url.contains(“/nf/auth/doAuthentication.do”) and the action as No_AUTHN

User-added image

Create one more policy for Radius Authentication

User-added image

Now go to AAA Vserver -> Edit-> Advanced Authenication Policy ->

Bind the Authentication Policy

First Select No Auth Policy

In the Next Factor select the Radius Policy with the login schema as “Noschema” created earlier.

User-added image

Create Authentication profile and select target AAAServer.

Bind it to Gateway VPN Vserver

Save the Config.

No Related Posts

AAA TM Error: “SAML Assertion seems to have been resent. Please contact your administrator”

August 20, 2018August 20, 2018 Citrix Leave a comment

Issue: When Load balancers are on different hosts/domain but on same NetScaler use the same SAML IDP from the same browser, then the second Load Balancer gets SAML assertion automatically.

At that point, when it tries to check for replay detection, it throws an error that session ID exists. But from IDP, these are two different assertions.

Flow:

1. User accesses LB1.citrix.com, and uses AUTH.citrix.com as SAMLIDP

2. Login completes as expected

3. On the same browser, open a new tab and access LB2.citrix.com. Due to FQDN cookies, it sends the SAML request again to authentication virtual server.

4. Authentication virtual server automatically sends an assertion.

5. Load Balancer 2 gets assertion, but throws a replay detection issue.

Error in ns.log:

<local0.debug> <IP> GMT 0-PPE-0 : default AAATM Message 1809153 0 : “SAMLSP: Trying to detect Assertion replay for sessionID _48390b50-722b-0136-8a39-02b6d105a4b6 assertionID pfx2da16921-ad8f-208e-437d-141481443830”

<local0.debug> <IP> GMT 0-PPE-0 : default AAATM Message 1809154 0 : “SAMLSP DHT entry for _48390b50-722b-0136-8a39-02b6d105a4b6 found in local cache”

<local0.warn> <IP> GMT 0-PPE-0 : default AAATM Message 1809155 0 : “SAMLSP: Assertion replay detected, sessionID _48390b50-722b-0136-8a39-02b6d105a4b6″

<local0.debug> <IP> GMT 0-PPE-0 : default AAATM Message 1809156 0 : “Verification of SAML assertion resulted in failure 917517 “

<local0.info> <IP> GMT 0-PPE-0 : default AAATM Message 1809157 0 : “AAATM Error Handler: Found extended error code 917517, ReqType 16388 request /cgi/samlauth, cookie hdr ”

Note: Session Index and Session ID are the same terms in SAML assertion.

Session Index and Assertion-ID have to be same for such replay issues.

Usually session Index will be same but assertion-ID should be different for each SAML response to NetScaler.

No Related Posts

OpenEMR flaws left millions of health records exposed

August 7, 2018August 7, 2018 PCIS Support Team Leave a comment

… authentication bypass, instances of SQL injection, as well as remote code execution – left the records of more than 90 million patients vulnerable.

No Related Posts

Can’t change Admin Passphrase after moving drive to new machine

July 20, 2018July 20, 2018 Symantec Community Leave a comment

I need a solution

I’ve got a 4 TB SSD that is encrypted with 10.4.2 (under Windows 10 as a secondary drive) with an Admin Passphrase of Password1 (which is also the passphrase of drive 0 too). I’ve pulled the SSD from the original machine and put it in a 2nd machine (also under Windows 10 as a secondary drive). The 2nd machine’s drive 0 Admin Passphrase is Password2. The first machine no longer exists. When Windows 10 boots on the 2nd machine, PGPTray prompts the password for drive 1, which I have to enter (Password1). If it go into PGP Desktop, I can update the User password to Password2, but the Admin Passphrase remains at Password1. If I add a new windows SSO user to both drive 0 and drive 1, I still get prompted for the Admin Passphrase on drive 1 (even though there is a SSO user present).

So how to I change the Admin Passphrase for drive 1 from Password1 to Password2, and get SSO to function with drive 1? I know if I decrypt drive 1 (using Password1 as the Admin Passphrase), I can re-encrypt the drive with the new Admin Passphrase (Password2) and add the SSO user, but I don’t want to spend hours decrypting, then re-encrypting.

I’ve played around various switches on pgpwde.exe –change-passphrase, but I just don’t seem to be able to get the Admin Passphrase to change from Password1 to Password2.

Anyone have any ideas?

No Related Posts

Unable to join second StoreFront server after upgrade, with error “Error getting replication keys”

July 18, 2018July 18, 2018 Citrix Leave a comment

Follow are the symptoms:

1) StoreFront join operation fails with following error:

User-added image

2) If we enable Audit for logon failure and success, you will observer following event on the Joiner:

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: XXXXXXXXXXXXXXXXXXX

Event ID: 4625

Task Category: Logon

Level: Information

Keywords: Audit Failure

User: XXXXXXXXXXXXXXXXXXX

Computer: XXXXXXXXXXXXXXXXXXX

Description:

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: –

Account Domain: –

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: XXXXXXXXXXXXXXXXXXX

Account Domain: XXXXXXXXXXXXXXXXXXX

Failure Information:

Failure Reason: The user has not been granted the requested logon type at this machine.

Status: 0xc000015b

Sub Status: 0x0

Process Information:

Caller Process ID: 0x0

Caller Process Name: –

Network Information:

Workstation Name: –

Source Network Address: –

Source Port: –

Detailed Authentication Information:

Logon Process: Kerberos

Authentication Package: Kerberos

Transited Services: –

Package Name (NTLM only): –

Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

– Transited services indicate which intermediate services have participated in this logon request.

– Package name indicates which sub-protocol was used among the NTLM protocols.

– Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Configuring Audit Policy: https://technet.microsoft.com/en-us/library/dd277403.aspx

4625(F): An account failed to log on: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

3) Store creation may also fail with the above error.

4) If we enable StoreFront verbose logs and check the Debug view logs, we will find error “Error getting replication keys” on the Authorizer.

How to Enable StoreFront Verbose Logging: https://support.citrix.com/article/CTX139592

No Related Posts

CVE-2018-10997

June 17, 2018June 17, 2018 PCIS Support Team Leave a comment

CVE-2018-10997 : Etere EtereWeb before 28.1.20 has a pre-authentication blind SQL injection in the POST parameters txUserName and txPassword.

No Related Posts

Attempt to login to NMC 9.0.x fails with error: “An error occurred while validating user credentials. Verify that NetWoker Authentication Service is running”

June 14, 2018June 14, 2018 Dell Community Leave a comment

Article Number: 476759

Article Version: 3

Article Type: Break Fix

NetWorker 9.0

Attempt to login to Networker 9.0.x Management Console fails with error:

An error occurred while validating user credentials. Verify that NetWoker Authentication Service is running.

[Failed to connect to NW_SERVER; No error Server Message: Make sure that server is running.]

Java was updated to a newer version, and the new java path has not been updated in the Java Firewall rule in Windows Firewall.

Java has been updated to a newer version.

1. Edit the inbound Windows Firewall rule that allows the connection for java executables and update the path to reflect the new java path.

or

2. Add a new rule to allow java.exe in Windows Firewall using the following command:

netsh advfirewall firewall add rule name=”Java – Allow with Networker 9″ dir=in action=allow program=”%PATHjava.exe” enable=yes

Where %PATHjava.exe is the path where java.exe is located, for example: C:Program FilesJavajre1.8.0_73binjava.exe

No Related Posts

Discover What Happened After a Security Incident — Without Losing Your Cool

May 31, 2018May 31, 2018 PCIS Support Team Leave a comment

It might be a known weakness, such as a password or SQL injection, or it could be something obscure that requires in-depth analysis. You need to …

No Related Posts

Tag: Computer access control

Authentication bypass cheat sheet

Related:

OpenEMR flaws left millions of health records exposed

Related:

Can’t change Admin Passphrase after moving drive to new machine

Related:

CVE-2018-10997

Related:

Attempt to login to NMC 9.0.x fails with error: “An error occurred while validating user credentials. Verify that NetWoker Authentication Service is running”

Related:

Discover What Happened After a Security Incident — Without Losing Your Cool

Related:

Links