20th June 2014, 12:00 PM #1
SIMS Trusted Logins - how does SIMS store passwords for these
We're currently trialling using SIMS with trusted logins, but we have a third-party tool that staff also use, which requires them to enter their SIMS username/password to log in. Once we move to Trusted logins, there is no password for them to enter, so this third-party tool fails to log in. Is there any way to get this to work (i.e. how does SIMS handle passwords for trusted logins)?
20th June 2014, 12:06 PM #2
SIMS Trusted logins utilise the username and password from the logged in Windows account. So, if you are logged in to a computer, you've already passed authentication and therefore SIMS uses the login for that account logged in. Therefore, SIMS doesn't actually handle passwords at all for trusted logins. At least, that's my understanding!
20th June 2014, 12:20 PM #3
That's how we've taken it to be - it doesn't check the password, just that the username from the logged on account exists within SIMS (in the format domain\username). It assumes that as you're logged on to Windows, you're authenticated already. That security weakness is why we created our own SIMS launcher, which asks for the logged on user's password again before loading Pulsar.
20th June 2014, 12:51 PM #4
@theeggmaster what's the third-party tool?
That's why you created a security weakness - You've basically created a man-in-the-middle vulnerability!!
Originally Posted by 3s-gtech
20th June 2014, 12:59 PM #5
The SIMS Launcher platform:
1. Joe Bloggs comes along and logs into the computer using their AD Credentials
2. Joe Bloggs is a teacher, so he has SIMS installed. (Little Johnny is also in Joe Bloggs's class and is a pain)
3. Little Johnny loads up SIMS on Joe Bloggs's PC and has access to everything while Mr Bloggs is outside talking to a student.
3. Joe Bloggs must type in their AD Password to launch SIMS.net
How on earth can it be a man in the middle attack, if you are adding security layers... The launcher program:
- Authenticates password using built-in .NET libraries where the password is not exposed to anyone
If correct - launch the Pulsar process; if incorrect, display error.
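An added sketch of the kind of launcher described in posts #3 and #5, not part of the thread and not 3s-gtech's actual code: it re-validates the logged-on user's AD password with the .NET `System.DirectoryServices.AccountManagement` library and only then starts the application. The Pulsar path, the function name and the attempt limit are assumptions.

```powershell
# Added example: re-authenticate the logged-on Windows user before launching an app.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Assumption: placeholder path; the thread does not say where Pulsar is installed.
$AppPath     = 'C:\Path\To\Pulsar.exe'
$MaxAttempts = 3   # assumption: keep this below the domain lockout threshold

function Test-LoggedOnUserPassword {
    # Hypothetical helper: returns $true if the password is valid for the
    # account that owns the current Windows session.
    param([Parameter(Mandatory)][securestring]$Password)

    $ns   = 'System.DirectoryServices.AccountManagement'
    $ctx  = New-Object "$ns.PrincipalContext" ([Enum]::Parse("$ns.ContextType", 'Domain'), $env:USERDOMAIN)
    # NetworkCredential is used only to unwrap the SecureString for the API call.
    $cred = New-Object System.Net.NetworkCredential($env:USERNAME, $Password)
    try {
        # Negotiate = Kerberos/NTLM bind; the password is not sent in clear text.
        return $ctx.ValidateCredentials($env:USERNAME, $cred.Password,
            [Enum]::Parse("$ns.ContextOptions", 'Negotiate'))
    }
    finally {
        $ctx.Dispose()
    }
}

for ($i = 1; $i -le $MaxAttempts; $i++) {
    $pw = Read-Host -AsSecureString -Prompt "Password for ${env:USERDOMAIN}\${env:USERNAME}"
    if (Test-LoggedOnUserPassword -Password $pw) {
        Start-Process -FilePath $AppPath
        exit 0
    }
    # A failed check is a real AD logon failure and counts toward account lockout.
    Write-Warning "Password not accepted (attempt $i of $MaxAttempts)."
}

Write-Error 'Too many failed attempts; not launching.'
exit 1
```

The check gates only this launcher: the trusted login itself still accepts the Windows session, so the launcher has to live somewhere staff cannot modify or replace it.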
20th June 2014, 01:03 PM #6
Back to OP - you need to check with the supplier of your third party product if AD Auth is available, if not then I'm afraid you have to choose between:
- continuing to use a SIMS password (recommended from a security POV) and your third-party software
- moving to SIMS 'Trusted' login (i.e. AD Auth) and finding an alternative to the third-party software
To be totally honest, if the system wants your SIMS credentials, it's probably extracting data using CommandReporter, which has a command line argument "/TRUSTED" when you're using AD Auth with SIMS, so they should be able to get their system to continue working, assuming they're connected to the network. If it's an online system, I'm sure it'd be possible still but more work from their POV if they haven't already got a system to handle this in place.
Last edited by LosOjos; 20th June 2014 at 01:06 PM.
20th June 2014, 01:16 PM #7
If a pupil is on the machine, logged on as the teacher, they already have access to enough information that would be a breach of data protection which would make you fail an OfSTED inspection. Quite frankly that's the end of it.
Teaching Windows + L should be the key lesson, not writing an application that re-prompts the user for their Windows Network logon. If you put the launcher in the SIMS folder where you have given the teacher full rights to do upgrades then what's stopping them from replacing it with a less secure version? When talking about such things it's often a case of should-er, would-er, could-er, didn't bother making it fully secure as it was too difficult.
As for SQL authentication, I'm not a fan of having passwords, "encrypted" or not, in a SQL table.
Anyway, that's just my 2p, back to OP, like @LosOjos get the third party to add support.
20th June 2014, 01:37 PM #8
My understanding is that it doesn't actually have a password at all, and won't accept one. It just uses the username from SIMS that you've matched against an AD account. If that matches, then you get in. I don't believe any passwords are exchanged from PC to SIMS.
20th June 2014, 01:40 PM #9
The supplier is working on this right now, as they haven't come across this before. Their solution extracts data from SIMS into their own tables, then writes back into SIMS when changes are made. The authentication is with SIMS, so without a password, I can't see how it is going to authenticate as I don't see SIMS getting a password from anywhere before Trusted or TrustedAuto logs in.
20th June 2014, 02:09 PM #10
We don't use SIMS, but the system we do use has much the same issue - strange authentication methods seem to be common with MIS systems. I plan to run our MIS how I've run SIMS in the past - on a Remote Desktop server, so you have to open up a Remote Desktop session (and authenticate) before you can run SIMS. You can then set the screensaver timeout on the remote session to 3 minutes or something, so if a teacher leaves SIMS running unattended then at least it locks pupils out.
Originally Posted by theeggmaster
20th June 2014, 02:11 PM #11
Windows Trusted uses your Windows security token, which expires and auto-renews. It's safer than passing passwords as if someone gets the token, it's only valid for a few mins (15-45mins) before it expires and they have to start again. Passwords last for days.
If they are a Capita partner, which I hope they are if they write back to SIMS, it shouldn't be too hard for them to do. You normally create a service account, give it access in SIMS then run the extract job as that user (via either Windows service or scheduled task).
22nd June 2014, 09:32 AM #12
@Schoolcomms, a trusted third-party partner (and sponsor of this forum), use SIMS authentication to access SIMS. It works fine with trusted as well. In fact I think it just uses the same sort of login prompt; as I have trusted set up, I just hit OK.
Your third party should know what they do with your SIMS credentials and be able to adapt in a way to use trusted, which is a viable way to access SIMS. I worry what exactly their system is doing with your username and password when it asks for it.