Authorization Plugin - on failure, user still logged in


Thomas Tenaglia

Feb 6, 2013, 6:56:03 PM
to pgina...@googlegroups.com
Hi,

I wrote a plugin to perform authorization after a user is authenticated.  This is on XP developed with Visual Studio 2010.  The problem I have is the user is always logged in, even if the authorization fails.  When simulating, I get authentication success, authorization failure, gateway failure, and the user is still logged in.  I am using the local users for the auth and gateway, and my plugin for authorization.  Since this is in a VM, I'm testing using the XP Administrator user.

What am I missing here?

Thanks,

Tom

David Wolff

Feb 6, 2013, 8:14:14 PM
to pgina...@googlegroups.com
Hi Tom,

That's strange.  It might help to see the logs.  What version of pGina are you using?  

D




Thomas Tenaglia

Feb 6, 2013, 11:14:12 PM
to pgina...@googlegroups.com
Hi David,

Version 3.0.13.1.  Which logs would you like to see?

Thanks,

Tom

Thomas Tenaglia

Feb 6, 2013, 11:21:42 PM
to pgina...@googlegroups.com
So I tried it with a user not in the administrators group and it worked (denied on failed auth).  Any user (system "Administrator" or other user) in the admin group is permitted access regardless of the authorization failure.  What do I need to do to not allow this? (I mean, admin accounts should be protected more...)

Thanks,

Tom

Nate Yocom

Feb 7, 2013, 9:47:47 AM
to pgina...@googlegroups.com
Yah, I suspect you've hit the LocalAdminFallback behavior. Basically,
pGina has always had a catch to allow members of the local
administrators group to login irrespective of what the plugin stack
says - otherwise if you mess up your stack ... you're hosed (though
safe mode *might* help in some circumstances).

Here's the comment in the code
(https://github.com/pgina/pgina/blob/master/pGina/src/Lib/pGinaTransactions.cpp)
:)

// If we failed, and the 'LocalAdminFallback' option is on, try this with LogonUser iff the username is an
// admin locally. In fact, it is so rare that this should be turned off, that we don't expose it in the UI
// even.. woah!

So - try setting LocalAdminFallback (DWORD) to 0x00 in the registry -
I suspect then you'll get the behavior you expect - but be warned -
lockout may be imminent!

Nate
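
The fallback described in the message above, modelled as an added example (not part of the original thread and not pGina source). All type and function names are hypothetical; the model assumes the plugin stack counts as successful only when all three stages succeed, and `logonUserOk` stands in for the result of the LogonUser call the quoted comment mentions.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the behaviour described in the thread; names are hypothetical.
struct StackResult {
    bool authentication;
    bool authorization;
    bool gateway;
};

struct Account {
    std::string name;
    bool localAdmin;   // member of the local Administrators group
    bool logonUserOk;  // assumption: a direct LogonUser call accepts the password
};

enum class Outcome { AllowedByStack, AllowedByAdminFallback, Denied };

Outcome decide(const StackResult& r, const Account& a, bool localAdminFallback) {
    if (r.authentication && r.authorization && r.gateway)
        return Outcome::AllowedByStack;
    // The stack failed. Per the quoted comment, the fallback applies only when
    // the option is on and the username is a local administrator.
    if (localAdminFallback && a.localAdmin && a.logonUserOk)
        return Outcome::AllowedByAdminFallback;
    return Outcome::Denied;
}

// Accounts that would be logged in although the plugin stack rejected them.
std::vector<std::string> bypassingAccounts(const std::vector<Account>& accts,
                                           const StackResult& r, bool fallback) {
    std::vector<std::string> out;
    for (const auto& a : accts)
        if (decide(r, a, fallback) == Outcome::AllowedByAdminFallback)
            out.push_back(a.name);
    return out;
}

int main() {
    // Constructed sample: authentication success, authorization and gateway failure.
    StackResult run{true, false, false};
    std::vector<Account> accts{{"Administrator", true, true},
                               {"student", false, true}};
    for (bool fallback : {true, false})
        std::cout << "LocalAdminFallback=" << fallback << ": "
                  << bypassingAccounts(accts, run, fallback).size()
                  << " account(s) bypass the stack\n";
}
```

With the fallback off, the same failed stack result denies the administrator too, which is the lockout risk the message warns about.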

Tom Tenaglia

Feb 7, 2013, 9:49:59 PM
to pgina...@googlegroups.com
That sounds like it might be it. Thanks Nate. I checked the code of
the Login Users auth plugin, though I didn't think to check core
pGina. I will explore that DWORD value.

I have another question... How do I get something to display on the
screen while the auth is being performed (as it can take some time by
design)? Can I simply show a form on the screen with my message and
then close it when the auth succeeds? (I'm more so asking a best
practices question here for pGina).

Thanks,

Tom

Nate Yocom

Feb 11, 2013, 10:55:21 AM
to pgina...@googlegroups.com
Generally displaying your own UI/forms is not recommended - I think
David has added some support for the status message bits in the latest
3.x CP? or maybe I'm thinking of something else...

Tom Tenaglia

Feb 11, 2013, 7:44:47 PM
to pgina...@googlegroups.com
Well, here's my dilemma... After entering credentials into the login
UI, the form disappears, leaving a blank screen while the
authorization is performed. I would like to show the user something
to the effect of "Please wait..." and then automatically close that
message when the authorization is complete. What's the best way to
tackle that?

Thanks,

Tom

David Wolff

Feb 11, 2013, 11:10:13 PM
to pgina...@googlegroups.com

You can configure a "Please wait..." message via the "Logon progress message" in the pGina configuration interface.

Cheers,
David


Tom Tenaglia

Feb 12, 2013, 12:11:40 AM
to pgina...@googlegroups.com
David,

That sounds perfect. Is that available for XP? Forgive me, I can't
seem to find the option in the config UI. Can you walk me through
where it is?

I'm running 3.0.13.1.

Thanks,

Tom

Tom Tenaglia

Feb 12, 2013, 12:18:56 AM
to pgina...@googlegroups.com
There I go again being a developer on a stable release. :-X I
downloaded the Beta, and there it is. Will say this, while installing
the beta, it couldn't delete the pginagina.dll, so I renamed it (can't
delete it myself) and it progressed, dropping the new version.

Will test my functionality with the beta. Sorry for the extra email.

Thanks,

Tom

David Wolff

Feb 12, 2013, 12:28:41 AM
to pgina...@googlegroups.com
Tom,

The progress message only works on Credential Provider based systems (Vista and above).  Sorry, for XP, you may need to create a dialog of your own.

Cheers,
David

Tom Tenaglia

Feb 12, 2013, 12:32:06 AM
to pgina...@googlegroups.com
David,

I can do that. Using .Show() or .ShowDialog() doesn't seem to bring up
the form though. Perhaps I need to go about it a different way?

Right now I'm trying to show a Windows form at the beginning of the
authorization section of the plugin and then close the form at the
end. It's not showing up. So, it brings me back to the original
question of how to get it to show up.

Any ideas? Research on the Internet didn't yield me any answers.

Thanks,

Tom

Nate Yocom

Feb 12, 2013, 10:14:37 AM
to pgina...@googlegroups.com
You'll need to modify the GINA code directly if you want to add custom
UI to the login on XP - all plugins are run as part of the pGina
service, which is not connected to any UI session.
Nate