Re: Permit only one network logon per user



On Aug 21, 10:04 am, "Christian Thies [Ar]" <ch.th...@xxxxxxxxx>
wrote:
Roger, making my app control access should be the last option. Because of a
matter of time, I need to find a solution already built, already
tested, and ready-to-use.

Regards

"Roger Abell [MVP]" <mvpnos...@xxxxxxx> wrote in message
news:ev3TzOO4HHA.4676@xxxxxxxxxxxxxxxxxxxxxxx



"Christian Thies [Ar]" <ch.th...@xxxxxxxxx> wrote in message
news:OsdLuDO4HHA.5316@xxxxxxxxxxxxxxxxxxxxxxx
Roger, you're right. I'm not preventing, I have a clue if I log tries of
multiple logins.
The content is used 7*24*365. So a logged user will stay logged in all the
time. Any attempt to log in with an already logged credential is a
violation (or error).

You're also right about cconnect, I'm rebuilding my DC after trying, but
I think I made a mistake and I'm going to try again.

Another point is this, I need to prevent access to a mms (or http)
connection, not a shared resource in a network.

All three methods indicated, cconnect, limitlogon, and the share-based
of the KB provided, intend to prevent a second local login.
It sounds to me that you really want a mod in the app so that it does not
allow a second connection to it using the same creds.

"Roger Abell [MVP]" <mvpNoS...@xxxxxxx> wrote in message
news:OcxFHZN4HHA.1168@xxxxxxxxxxxxxxxxxxxxxxx
Hi Christian,

I guess I do not understand how limiting to one session is in fact
preventing unauthorized access.
Assuming it somehow does help, then how does it make sure that
the correct person is the one allowed the one available session?

Anyway, cconnect and limitlogin are fairly heavy to implement.
Take a look at the following for the select few accounts needed:
http://support.microsoft.com/kb/260364

Roger

"Christian Thies [Ar]" <ch.th...@xxxxxxxxx> wrote in message
news:OJ2kARE4HHA.4436@xxxxxxxxxxxxxxxxxxxxxxx
I'm building a product that is accessed with a username and password,
and for preventing unauthorized access to it, I need to prevent
multiple simultaneous logons with the same username and password

Sorry about my English. Let me know if the answer is clear

Christian

"Steve Riley [MSFT]" <steve.ri...@xxxxxxxxxxxxx> wrote in message
news:26CE53B9-E00D-4BB5-B2E2-17E5A305B4DE@xxxxxxxxxxxxxxxx
Why do you need to do this? What security risk do you need to
mitigate?

Steve Riley
steve.ri...@xxxxxxxxxxxxx
http://blogs.technet.com/steriley

"Christian Thies [Ar]" <ch.th...@xxxxxxxxx> wrote in message
news:u71neA13HHA.5724@xxxxxxxxxxxxxxxxxxxxxxx
Hi, I have a Windows 2003 domain working. I need to allow only one
network logon per user.

The example is:

User: username

Status: Logged

If user username tries to log in from a different machine, and he is
logged in on another, the login attempt must be denied.

How can I accomplish this?

Thanks in advance

Christian,

One of the problems that you are going to run into is that the OS is
not very good at tracking logoffs - even in the best circumstances.
Most add-ons that limit logons use a reference count to indicate that
someone is logged on and if another logon event occurs and the ref
count is above a threshold value (1 in your case) then the logon is
denied. The problem is that there are a large number of cases where a
logoff event is not signalled and the ref count never decreases. This
effectively locks the user out of the domain.

Web-based connections are the worst because they are supposed to be
inherently stateless. Maybe this isn't true in your case and you have
a client that sends a CONNECTED message periodically. If so, then
you'll need to modify your server so that it decrements the ref count
when the CONNECTED message stops coming. And then you'll have to make
sure that the user can't cause this to happen artificially (disconnect
the network cable) but still resume the original session after a new
instance has been created. Gee, it sounds like I've been through this
before... :)

Additionally, using an Active Directory domain infrastructure for a
music sharing service sounds odd. You said you are looking for
something bundled, but a solution based on AD means that the customer
is going to have to set up external-facing AD or have one already. AD
is viewed as being hard to set up and not many people have outward
facing domains. You'd face less resistance using SQL in my experience.

Just my thoughts - hope they help!

Dave
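
The heartbeat-driven ref count described in the post above, sketched as an added example that is not part of the original thread or of any product mentioned in it. The class name, the 30-second timeout and the explicit `now` argument are assumptions; the count is held as an expiring lease with a per-session token, so a lost logoff cannot lock the user out and a superseded session cannot resume.

```python
import secrets

HEARTBEAT_TIMEOUT = 30.0  # assumed: seconds without CONNECTED before the lease lapses


class SingleSessionRegistry:
    """One live session per user, held as an expiring lease rather than a bare ref count."""

    def __init__(self, timeout=HEARTBEAT_TIMEOUT):
        self.timeout = timeout
        self._leases = {}  # username -> (session token, time of last heartbeat)

    def _live(self, user, now):
        lease = self._leases.get(user)
        if lease and now - lease[1] <= self.timeout:
            return lease
        self._leases.pop(user, None)  # missed heartbeats: the "decrement" a lost logoff never sent
        return None

    def logon(self, user, now):
        """Return a new session token, or None if the user already has a live session."""
        if self._live(user, now):
            return None
        token = secrets.token_urlsafe(16)
        self._leases[user] = (token, now)
        return token

    def heartbeat(self, user, token, now):
        """Handle a CONNECTED message; False means this session is no longer valid."""
        lease = self._live(user, now)
        if lease is None or not secrets.compare_digest(lease[0], token):
            return False  # expired or superseded: the old session must not resume
        self._leases[user] = (token, now)
        return True

    def logoff(self, user, token):
        lease = self._leases.get(user)
        if lease and secrets.compare_digest(lease[0], token):
            del self._leases[user]


def demo():
    reg = SingleSessionRegistry(timeout=30.0)
    first = reg.logon("username", now=0.0)
    second_denied = reg.logon("username", now=10.0) is None  # first session still live
    reg.heartbeat("username", first, now=20.0)
    # Cable pulled: no CONNECTED after t=20, so the lease lapses at t=50.
    second = reg.logon("username", now=60.0)
    old_resumes = reg.heartbeat("username", first, now=61.0)  # reconnecting client
    return second_denied, second is not None, old_resumes
```

The server must treat a `False` from `heartbeat` as an instruction to drop that connection, otherwise the original client keeps streaming alongside the new one.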
