  1. #1


    SIMS Trusted Logins - how does SIMS store passwords for these

    Hi all,

    We're currently trialling using SIMS with trusted logins, but we have a third-party tool that staff also use, which requires them to enter their SIMS username/password to log in. Once we move to Trusted logins, there is no password for them to enter, so this third-party tool fails to log in. Is there any way to get this to work (i.e. how does SIMS handle passwords for trusted logins)?

  2. #2

    localzuk's Avatar
    SIMS Trusted logins utilise the username and password from the logged in Windows account. So, if you are logged in to a computer, you've already passed authentication and therefore SIMS uses the login for that account logged in. Therefore, SIMS doesn't actually handle passwords at all for trusted logins. At least, that's my understanding!

  3. #3

    3s-gtech's Avatar
    That's how we've taken it to be - it doesn't check the password, just that the username from the logged on account exists within SIMS (in the format domain\username). It assumes that as you're logged on to Windows, you're authenticated already. That security weakness is why we created our own SIMS launcher, which asks for the logged on user's password again before loading Pulsar.

  4. #4

    matt40k's Avatar
    @theeggmaster what's the third-party tool?

    Quote Originally Posted by 3s-gtech View Post
    That security weakness is why we created our own SIMS launcher
    That's why you created a security weakness - You've basically created a man-in-the-middle vulnerability!!

  5. #5
    SovietRussia's Avatar
    The SIMS Launcher platform:

    1. Joe Bloggs comes along and logs into the computer using their AD Credentials
    2. Joe Bloggs is a teacher, so he has SIMS installed. (Little Johnny is also in Joe Bloggs's class and is a pain)

    Just trustedauto
    3. Little Johnny loads up SIMS on Joe Bloggs's PC and has access to everything while Mr Bloggs is outside talking to a student.

    SIMS Launcher
    3. Joe Bloggs must type in their AD Password to launch SIMS.net

    Security
    How on earth can it be a man in the middle attack, if you are adding security layers... The launcher program:

    - Authenticates password using built in .NET libraries where the password is not exposed to anyone
    If correct - launch the Pulsar process ; if incorrect, display error.

  6. #6

    LosOjos's Avatar
    Back to OP - you need to check with the supplier of your third party product if AD Auth is available, if not then I'm afraid you have to choose between:
    - continuing to use a SIMS password (recommended from a security POV) and your third-party software
    - moving to SIMS 'Trusted' login (i.e. AD Auth) and finding an alternative to the third-party software

    To be totally honest, if the system wants your SIMS credentials, it's probably extracting data using CommandReporter, which has a command line argument "/TRUSTED" when you're using AD Auth with SIMS, so they should be able to get their system to continue working, assuming they're connected to the network. If it's an online system, I'm sure it'd be possible still but more work from their POV if they haven't already got a system to handle this in place.
    Last edited by LosOjos; 20th June 2014 at 01:06 PM.

  7. #7

    matt40k's Avatar
    If a pupil is on the machine, logged on as the teacher, they already have access to enough information that would be a breach of data protection which would make you fail an OfSTED inspection. Quite frankly that's the end of it.

    Teaching Windows + L should be the key lesson, not writing an application that re-prompts the user for their Windows Network logon. If you put the launcher in the sims folder where you have given the teacher full rights to do upgrades then what's stopping them from replacing it with a less secure version? When talking about such things it's often a case of should-er, would-er, could-er, didn't bother making it fully secure as it was too difficult.

    As for SQL authentication, I'm not a fan of having passwords, "encrypted" or not, in a SQL table.

    Anyway, that's just my 2p, back to OP, like @LosOjos said, get the third party to add support.
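
The concern raised in post #7 (a launcher sitting in a folder where ordinary users have write rights can simply be replaced) can be checked directly. The PowerShell below is an added example, not code from any poster or from SIMS: it lists ACL entries that let non-administrative principals change files in a folder. The folder path is a placeholder, and the set of "trusted" principals (SYSTEM, Administrators, Domain Admins, TrustedInstaller) is an assumption to adjust for your site.

```powershell
param(
    # Placeholder: set this to the folder that holds the launcher executable.
    [string]$Path = 'C:\Path\To\LauncherFolder'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$wk      = [System.Security.Principal.WellKnownSidType]

# Bits that let a principal replace or alter a file (Modify and FullControl include them).
$mask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = $mask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

# Assumption: only these principals are expected to hold write access.
function Test-TrustedSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    $Sid.IsWellKnown($wk::LocalSystemSid) -or
    $Sid.IsWellKnown($wk::BuiltinAdministratorsSid) -or
    $Sid.IsWellKnown($wk::AccountDomainAdminsSid) -or
    $Sid.Value -like 'S-1-5-80-956008885-*'       # NT SERVICE\TrustedInstaller
}

# Check the folder itself and every file beneath it.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -File)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
        if (Test-TrustedSid $rule.IdentityReference) { continue }

        # Resolve the SID to a readable name; keep the SID if it cannot be resolved.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $rule.IdentityReference.Value }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $name
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { "No write access for non-administrative principals under $Path" }
```

Any row naming a staff group or user means that account can swap the launcher binary, which is the replacement risk described in the post above.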

  8. #8

    My understanding is that it doesn't actually have a password at all, and won't accept one. It just uses the username from SIMS that you've matched against an AD account. If that matches, then you get in. I don't believe any passwords are exchanged from PC to SIMS.

  9. #9

    The supplier is working on this right now, as they haven't come across this before. Their solution extracts data from SIMS into their own tables, then writes back into SIMS when changes are made. The authentication is with SIMS, so without a password, I can't see how it is going to authenticate as I don't see SIMS getting a password from anywhere before Trusted or TrustedAuto logs in.

  10. #10

    dhicks's Avatar
    Quote Originally Posted by theeggmaster View Post
    We're currently trialling using SIMS with trusted logins, but we have a third-party tool that staff also use, which requires them to enter their SIMS username/password to log in.
    We don't use SIMS, but the system we do use has much the same issue - strange authentication methods seem to be common with MIS systems. I plan to run our MIS how I've run SIMS in the past - on a Remote Desktop server, so you have to open up a Remote Desktop session (and authenticate) before you can run SIMS. You can then set the screensaver timeout on the remote session to 3 minutes or something, so if a teacher leaves SIMS running unattended then at least it locks pupils out.

  11. #11

    matt40k's Avatar
    Windows Trusted uses your Windows security token, which expires and auto-renews. It's safer than passing passwords as if someone gets the token, it's only valid for a few mins (15-45mins) before it expires and they have to start again. Passwords last for days.

    If they are a Capita partner, which I hope they are if they write back to SIMS, it shouldn't be too hard for them to do. You normally create a service account, give it access in SIMS then run the extract job as that user (via either windows service or scheduled task)

  12. #12

    vikpaw's Avatar
    @Schoolcomms, a trusted third party partner (and sponsor of this forum), use SIMS authentication to access SIMS. It works fine with trusted as well. In fact I think it just uses the same sort of login prompt; as I have trusted set up, I just hit OK.
    Your third party should know what they do with your SIMS credentials and be able to adapt in a way to use trusted which is a viable way to access SIMS. I worry what exactly their system is doing with your username and password when it asks for it.
