  1. #1

    FN-GM's Avatar

    SIMS AD integration - Put a password in a second time?

    Hi,

    I am looking at going down the route of SIMS AD integration. Something that concerns the staff is the ability just to open SIMS without putting in a password again. (I know machines should be locked etc., let's not go into that here.)

    Is it possible using AD auth to prompt for a password when you open SIMS and disable the ability to just press OK?

    Thanks

  2. #2

    FN-GM's Avatar
    anyone please?

  3. #3
    Cache's Avatar
    I'd be interested if you do find out if/how to do this - it's one of the reasons I haven't done it.

  4. #4

    I would avoid this at all costs.

    Once a student or another staff member gets their login password, they have the keys to the kingdom. Never a good idea to have the same password for your machine and student information systems. Especially since staff leave their passwords on sticky notes or papers under their keyboards lol.

  5. #5

    FN-GM's Avatar
    Quote Originally Posted by qcomer View Post
    I would avoid this at all costs.

    Once a student or another staff member gets their login password, they have the keys to the kingdom. Never a good idea to have the same password for your machine and student information systems. Especially since staff leave their passwords on sticky notes or papers under their keyboards lol.
    Thanks, but not what I am asking; all this is already considered.
    Last edited by FN-GM; 31st August 2012 at 04:19 PM.

  6. #6
    waldronm2000's Avatar
    I would guess it's probably not possible, as the point of AD integration is to stop you having to do this.

    I suppose you could achieve the same effect by not using AD integration, but have some sort of service or scheduled task watching for AD password changes and synching these to SIMS, but that'd require reversible encryption and access to a SIMS developer API, and I don't think it'd be easy.

  7. #7

    vikpaw's Avatar
    Seems like you're chasing your tail. Which password do you want them to enter? The point of the integration is that they don't need to enter a password, so it's single sign-on.
    The solution is to lock the machine when not in use, then it will prompt them to enter their AD password before gaining access again.
    Don't dismiss the 'machine should be locked and secure' argument; that's just sticking your head in the sand.

    Yes, you could write your own custom app that runs instead of SIMS, prompts for their AD password and checks it against the LDAP server, and if it's correct then runs the SIMS program. a) It's a major hassle and waste of time, and b) having the correct shortcut to SIMS would bypass it.

    I wrote an app once that just checked if SIMS needed updating, mainly for laptops to prevent it hanging on wireless, but if someone searched out and clicked on the SIMS icon they were screwed.

    I don't think it's easy to password protect programs.

    As mentioned, don't use integration, set the username to be the same as on AD, and tell them to use the same password. If they change their AD password, tell them to click the change password box on SIMS and make it match. How often do you force changes anyway? Once a term?

  8. #8

    FN-GM's Avatar
    Basically I want it so SIMS uses the AD password, but instead of pressing OK and getting right into SIMS they have to enter it manually.

    Password changes are more regular than once a month.

    Thanks

  9. #9

    vikpaw's Avatar
    If the changes to password are that frequent your users are most likely so annoyed with you, it won't matter if you force them to manually update their SIMS passwords!

  10. #10

    Steve21's Avatar
    The only other way I can think of doing this (but it's a bit of a bodge): as mentioned above, create a custom app that checks the LDAP password, but create a separate password for each user for SIMS that they never need to know. (For simpleness, let's just say it's stored in the AD description.)

    Once the LDAP app checks the password, if it's valid it launches SIMS with the password from AD. That way when they change their password it wouldn't affect SIMS, and you'd still need to manually log in.

    But seems a lot of hassle just to stop them remembering two passwords, or locking a machine

    Steve

  11. #11

    bossman's Avatar
    @FN-GM:

    I too am looking at enforcing a password change every 30 days and the length of password to be at least 10 characters (numbers and letters only), but as for Sims, I have consulted with the SLT team and we are of the same mind as to not use the AD integration tool for Sims, as we feel staff are comfortable setting their own password for this, which could be the same as their network password, but of course this will be up to them if they want to change it every 30 days.

    Keeping the Sims login separate from the network login is in our case a much better proposal for our school. I am sure that a program developer can write a Sims shortcut app which will function via the AD to check if the username and password match and then prompt for a password to be entered before access to Sims; this is probably the way I would work it.
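
The wrapper described in posts #7, #10 and #11, as an added example that is not part of the original thread and not SIMS's own tooling: a PowerShell launcher that asks the logged-on user for their AD password, checks it against the domain, and only then starts SIMS. The executable path is the one quoted in post #14; the function name and the attempt limit are assumptions.

```powershell
# Added example: re-authentication prompt in front of SIMS (not from the thread).
# Assumes a domain-joined PC and the install path quoted in post #14.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$SimsExe     = 'C:\Program Files\SIMS\SIMS .net\Pulsar.exe'  # path as quoted in the thread
$MaxAttempts = 3                                              # assumed limit

function Test-AdPassword {
    # Returns $true only if the domain accepts this user name and password.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][securestring]$Password
    )
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain)
    try {
        # ValidateCredentials needs the clear text; keep it in a local only.
        $plain = [System.Net.NetworkCredential]::new('', $Password).Password
        return $ctx.ValidateCredentials($UserName, $plain)
    }
    finally {
        $ctx.Dispose()
    }
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    # The user name is fixed to the logged-on account; only the password is asked for.
    $pw = Read-Host -AsSecureString "AD password for $env:USERDOMAIN\$env:USERNAME"

    # Empty input is rejected locally so it is never sent to the directory.
    if ($pw.Length -gt 0 -and (Test-AdPassword -UserName $env:USERNAME -Password $pw)) {
        Start-Process -FilePath $SimsExe
        exit 0
    }
    Write-Warning "Password not accepted (attempt $i of $MaxAttempts)."
}
exit 1
```

As post #7 points out, starting Pulsar.exe directly skips this prompt, so it is a reminder to the user rather than an access control. Each rejected password is a failed bind and counts towards the AD account lockout threshold.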

  12. #12

    GREED's Avatar
    This is harking back to a conversation I have been having many a time with customers and partners (professional!)... this concept that Single Sign On means 'I sign in once and I have access to everything without needing to log in again'...

    Which is a) incorrect and b) dangerous. SSO is actually about federating secure logins so that you have the same login across many apps, but for security you still need to log in to each. We do that with Aspen & AD (just one of the many integration features). Having pass through authentication into a MIS via Windows logons has never sat well with me. Is convenience really a preference over security?

  14. #13

    vikpaw's Avatar
    Then surely it should have been called SAME Sign On. I've always understood single sign on to be just that.
    From a security point of view, I do like the SaSo idea, much like you can use login with Facebook or Google to access stuff.

  16. #14

    matt40k's Avatar
    AD logins are waaaay more secure than SQL. If the teacher has left the machine unlocked and logged in, it doesn't matter if you have trusted logins for SIMS. It's just as dangerous. The login screen is a false layer of security the n00bs cling to. Most teachers log in to SIMS in the AM and they don't close it until they leave at the end of the day. If you can get into the SIMS directory, you've most likely got the census, workforce census, assessment and all other kinds of data in spreadsheets and XML files that contain sensitive information.

    SIMS passwords are case insensitive and carry no real security requirements - if they did, can you imagine how much hassle this would create for staff having to maintain two secure passwords - let's face it, they'll use the same password.

    The only valid argument for trusted logins getting prompted for a login was from an LA who pointed out that you would need it for them to support them correctly. I would hope that impersonate ability would allow this, but I'm not sure if it would actually work - i.e. if the school's creds would get the SQL connection across the LA network. I suppose you could test this idea with the runas command - i.e.
    runas /user:school\administrator "c:\program files\sims\sims .net\pulsar.exe"

  17. #15

    matt40k's Avatar
    Quote Originally Posted by GREED View Post
    Is convenience really a preference over security?
    Go tell Microsoft that they need to fix Microsoft Outlook.

    Going by your logic, when I open Notepad, I need to re-authenticate. After all, Notepad could open a txt file of that data export I just did which is living in my temp folder.
