VSys One: Volunteer Management Software

Previous Topic

Next Topic

Book Contents

Book Index

Active Directory/LDAP

How does VSys integrate with your Active Directory infrastructure?

Technical notes

Whenever someone logs into VSys, VSys will take the login credentials it's handed at that moment and authenticate them against AD using LogonUser. It does no impersonation: the user who is currently logged into Windows does not necessarily have any relationship to the user who is logging into the application. (These are usually the same people but VSys does not make that assumption and the rights of the Windows user need not have any relationship to the user who's logging into VSys.)

The call made to LogonUser includes the domain name as a parameter, so even if the user were to manage to take the machine off of the domain then the call would fail, making it impossible for them to establish a local account with the same name as the AD account and bypass the domain account.
LogonUser(UserID, Domain, Password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token)

LogonUser authenticates to the local machine rather than explicitly calling a remote machine. Here, since the local machine is on the domain (and VSys verifies this before calling LogonUser), the local machine passes the credentials to the domain for it to validate. Using the LOGON32_LOGON_NETWORK option rather than LOGON32_LOGON_INTERACTIVE indicates that the call is being made solely to authenticate the user rather than to log into the local machine as an active user.

"plaintext" in this context (in the MSDN documentation) does not indicate that the user's password is passed in the clear across the network. Here it means that VSys hands LogonUser an unencrypted password rather than a password hash or authentication token because that's what VSys has at the time as provided by the user. If VSys used LOGON32_LOGON_NETWORK_CLEARTEXT then the unencrypted and un-hashed password could be passed across the wire. The way it's being done with LOGON32_LOGON_NETWORK, if you ran WireShark to watch the traffic out of this machine you would not see the password traversing the network as readable text. The MSDN documentation doesn't make it clear but when the Windows machine communicates with its domain controller all of that communication is encrypted.

Required rights

In order for a VSys One user to successfully authenticate using domain authentication, that user must have network login rights to the workstation or server on which VSys is running.

See Also

VSys Security

Security Notes

Security Options

Password Self-Changing

Security Manager

User Security Rights - Advanced Mode

Insecure/Disallowed Passwords

User Security Rights - Compatibility Mode

VSys Security and GMS 5/6

Security Settings Import/Export

Security Reports

Import Users from Active Directory

Security Emergency Bypass