FN-GM (13th February 2008), greenfieldsupport (5th March 2008), joe90bass (22nd February 2008), leco (13th February 2008), robknowles (13th February 2008), soapyfish (26th May 2011), zag (14th February 2008)
Hello,
Has anybody been able to integrate Active Directory and SIMS.Net together? We've just moved to SIMS.Net and if possible would like the ability for SIMS.Net not to bring up the prompt but instead log them straight in based on their AD Credentials.
Thanks,
Rob
Surely this is a security risk?
What if a member of staff logs on to a machine and goes walkabouts as they always do without locking it, when a kid walks up and opens SIMS and they can get access to all the info! ;-)
We've done this only for specific members of staff.
You need to edit your local connect.ini from C:\Program Files\SIMS\SIMS .net and add the line below.
ConnectionType=Trusted
When you start SIMS you can choose login with current Windows user, or SIMS username.
Then, in SIMS go to System Manager, select the user and change their username format to DOMAIN\USERNAME. That's it!
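An added example, not part of the original posts and not Capita's code: a PowerShell check that reports which workstations carry the ConnectionType=Trusted line in connect.ini and flags any that are not on an approved list. Only the install path and the setting come from the post above; the host names, the approved list and the sample file contents are constructed, and the lenient matching of case and spacing is an assumption made so that variants are flagged rather than missed.

```powershell
# Added example: audit where Windows-trusted SIMS logon has been switched on.
# From the thread: the folder path and the ConnectionType=Trusted line.
# Constructed for illustration: host names, approved list, sample file contents.

$SimsIniPath = 'C:\Program Files\SIMS\SIMS .net\connect.ini'

function Test-SimsTrustedLogon {
    param([string[]]$IniLines)
    # True when any line sets ConnectionType to Trusted. -match is
    # case-insensitive, and the anchored pattern skips lines that start
    # with a comment marker such as ';' or '#'.
    foreach ($line in $IniLines) {
        if ($line -match '^\s*ConnectionType\s*=\s*Trusted\s*$') { return $true }
    }
    return $false
}

function Get-SimsTrustedAudit {
    param([hashtable]$IniByComputer, [string[]]$ApprovedComputers)
    # One result row per machine; trusted logon on an unapproved machine is flagged.
    foreach ($name in ($IniByComputer.Keys | Sort-Object)) {
        $trusted  = Test-SimsTrustedLogon -IniLines $IniByComputer[$name]
        $approved = $ApprovedComputers -contains $name
        [pscustomobject]@{
            Computer = $name
            Trusted  = $trusted
            Approved = $approved
            Finding  = if ($trusted -and -not $approved) { 'UNEXPECTED' } else { 'ok' }
        }
    }
}

# Constructed sample: each value stands for the lines Get-Content would return
# for that machine's connect.ini (on a live machine:
#   Get-Content -LiteralPath $SimsIniPath ).
$sample = @{
    'OFFICE-01' = @('; other settings omitted', 'ConnectionType=Trusted')
    'STAFF-07'  = @('; other settings omitted', 'connectiontype = trusted')
    'LAB-12'    = @('; other settings omitted', ';ConnectionType=Trusted')
}

# OFFICE-01 is approved; STAFF-07 has the setting without approval; LAB-12 has
# the line commented out, so it is reported as not trusted.
Get-SimsTrustedAudit -IniByComputer $sample -ApprovedComputers @('OFFICE-01') |
    Format-Table -AutoSize
```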
Hello,
Thanks PRicho that worked. I just wanted to see how it works - not sure whether we will use it yet as there are concerns about security (same reasons as specified in above posts). It's a shame you aren't required to type your Windows username and password into the SIMS.Net logon box as an extra bit of security.
Thanks,
Rob
How would this work in terms of an AD user changing their password? Would you have to manually go into SIMS System Manager to change it there too or would it happen automatically?
Dave.
You could put in a feature request with Capita...
If you change your password in AD it automatically changes in sims.net, I've just tried it myself

I understood (from the consultant who came to move our SIMS installation to our new server) that SIMS doesn't check passwords, it simply trusts the username it is passed. When they said "integration with Active Directory" I thought it was going to be something a tad fancier too - I thought I'd be getting SIMS checking against our LDAP directory and so on. I figure this is still a useful feature, though - it would seem to be perfect for SIMS over Terminal Services, so a user just needs to type their normal domain username and password to start a terminal session, then SIMS trusts the TS server and logs the user in automatically. I'm planning (in my copious spare time) to turn our SIMS server into a terminal services server, I'll see if this actually works.
--
David Hicks
Firstly, to DSapseid. I've heard this argument used a number of times now. I've heard people say that having the extra password box 'adds an extra layer of security'.
You are right, a member of staff can walk away from their laptop without locking it. But what difference does having the extra login box make?
Staff are just as likely to leave their laptop unlocked with SIMS running as they are without it running!
They may KNOW not to leave SIMS open, but actually they should KNOW not to leave ANYTHING open!
Alternatively, even if SIMS isn't left open, they may leave their email open - which in a school environment where staff email parents, could be equally damaging in terms of data security!
The key is to teach staff to ALWAYS lock Windows. And get them to sign an agreement saying they will do so.
In fact, using Windows authentication (i.e. the removal of the SIMS username and password) will increase total security as long as staff lock laptops.
The reason for this is that you can prevent people from logging on to SIMS from another person's Windows logon. Everything can then technically be tracked back to someone's Windows logon. SIMS logon is ALWAYS tied to Windows logon.
Furthermore, you can't set password policies for SIMS, but you can for a Windows domain.
Also, passwords aren't sent unencrypted :P
Other security principles are in force with Single Sign-on:
1) The more times your user enters a password, the more likely it is to be overseen by someone else
2) The more passwords your users have, the more likely they are to write them down
etc.
In conclusion, to a layman it would seem more secure to have an extra prompt to enter a password - it would seem like an extra 'level' of protection.
In actual fact, the less thoughtful your users are, the more important it is to use Single Sign-on, flowed authentication, and the reduction of number of passwords (note: the increase in password complexity).
We use Windows Authentication for SIMS, and... it works. I don't trust anyone who says it's a risk... it's a risk not to!
bigal06 (16th December 2009), chriscubed (14th May 2009), jonwitts (11th February 2010), jumpinjamez (16th December 2009), zag (5th March 2008)
Very good points MSI
Is this true? From what I can think of it must be, as adding a line to a client's ini file isn't going to make SIMS "integrate" into anything.
If this is the case Capita have dropped even lower in my expectations, and that *really* is saying something!! Feck me, what a terrible company! Good job they are "friends" with Labour eh?!
It's not like SIMS even has case sensitive passwords yet!

The problem is users who use crap passwords, write down their crap passwords, tell their crap passwords to other people and consider their convenience more important than keeping data secure, buffered by management who doesn't see password (and thus data) security as a big part of the teacher's job and so doesn't bollock them sufficiently when said lax password security is raised as an issue.
Single sign-on doesn't help with that, multiple passwords don't either because I bet anyone on here £5 that at least 50% of your staff have an identical AD and SIMS password, regardless of whether you've told them not to. That password will also give you access to their online banking 30% of the time, and they'll tell you that "I use that for everything" after telling it to you accidentally.