LabVIEW

Domain Account Manager error

I have an application in which I would like only certain users to have access to a particular button, let's call it "File Changer". These users are all on my same network. My idea is to use the NI Security stuff:
1. create a domain on my computer with the Domain Account Manager
2. Under the Access Control tab add the machine names of each user to the "Grant List", and set the "Select list to activate" to "Grant List"
3. In the program, check the NI Security property "User" to see if they are logged on to the right domain. If so, make the button Visible.
 
My problem is that when one of these remote machines tries to log on, I get "unable to login Error code: -1967345647 IAK_SHARED Machine is denied access". However, when I put the machine's IP address instead of the machine name, it works fine. This can't be a permanent solution, however, since these machines are on DHCP. What am I doing wrong?
Also, it occurred to me that someone could make a domain of the same name on their computer and I would have no way to tell the difference between them logged on to the domain on my computer and their created domain. Is there any way to verify that the domain is indeed the one on my computer?
 
In addition, I was experimenting with the NI Security method "Get Access Rights", but don't know what to put into the "ACL" input. I know it's the Access Control List, but I don't know the format, etc. Any help there?
 
I'm open to other suggestions also to accomplish the task of granting access to a button for a group of users, keeping in mind that the list of users can change.
 
Michael

Hello Michael,

By using the machine names instead of the IP addresses of the computers, you run the risk of having a non-resolvable IP address from those names. In which case, you can get this error. However, if the IP addresses and computer names are unique, this should not be an issue. Is there a reason why you can't just grant machine access from all computers on the network, then resolve the user when that person logs on?

I'm not sure what you mean by verifying if the domain is on your computer or not. When your program begins, I am assuming that you are using the NI Security Invoke Login Dialog Box in order to have the user log in, or you are doing it in your VI and programmatically logging that person on. In which case, you select the domain that you are logging on to. Of course, if you are using remote front panels, then you will be unable to see the pop-up dialog...

Of course, using the programmatic login, you can be sure that the user is logging into your local machine's domain and not his own, because you can specify the machine, domain, user, and password. If you leave the machine at its default of localhost, the user will not be able to log on to domains on other machines. Of course, if you want to allow this, you can create a ring control for the machines allowed to log in, so that they don't try to spoof your user name.

I did a little bit of testing on this, and it looks like if you try to log in with the same domain name from a different machine, then the login will return with an error, even if you aren't logging in to a name shared in the local domain. Of course, the other thing I noticed during this testing was that the boolean control that I had hidden when logged in as userB showed up no matter what user I was logged in as.

I'm not sure what the format for the ACL input is. Can you give some context as to why you are using the method?

Brian Coalson

Software Engineer
National Instruments
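The resolution problem raised in the two posts above is what a hostname-keyed grant list always runs into: the server only sees a source IP, so it has to reverse-resolve it, confirm the name resolves back to the same IP, and only then compare against the list. The following is an added example of that check in Python; it is not code from the thread or from NI, and the lookup tables, machine names and addresses in it are constructed for the example. The resolver functions are injected so it runs offline; `live_reverse`/`live_forward` show the equivalent `socket` calls for real use.

```python
"""Forward-confirmed reverse DNS check for a hostname-keyed grant list.

Added example, not NI's code. Mirrors what an ACL keyed by machine name must
do for a client that is only known by its source IP, and shows the three ways
the match can fail: no PTR record, a PTR that does not round-trip, and a name
that is simply not on the list.
"""
import socket
from typing import Callable, Optional, Set, Tuple

ReverseLookup = Callable[[str], Optional[str]]   # ip -> canonical hostname, or None
ForwardLookup = Callable[[str], Set[str]]        # hostname -> set of IPs (empty if none)


def normalise(name: str) -> str:
    """Hostnames are case-insensitive; strip a trailing dot as well."""
    return name.strip().rstrip(".").lower()


def check_machine_access(ip: str, grant_list: Set[str],
                         reverse: ReverseLookup, forward: ForwardLookup) -> Tuple[bool, str]:
    """Return (allowed, reason) for a client connecting from `ip`.

    1. reverse-resolve the IP to a name,
    2. forward-resolve that name and require the original IP among the results
       (a client whose PTR merely claims an allowed name fails here),
    3. look the confirmed name up in the grant list.
    """
    name = reverse(ip)
    if name is None:
        return False, f"{ip}: no reverse (PTR) record; a hostname-keyed ACL cannot match it"
    name = normalise(name)
    if ip not in forward(name):
        return False, f"{ip}: PTR says {name!r} but {name!r} does not resolve back to {ip}"
    if name not in {normalise(g) for g in grant_list}:
        return False, f"{ip}: confirmed as {name!r}, which is not on the grant list"
    return True, f"{ip}: confirmed as {name!r}"


def live_reverse(ip: str) -> Optional[str]:
    """Real reverse lookup (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name: str) -> Set[str]:
    """Real forward lookup (not used by the offline demo)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()


# Constructed lookup tables standing in for the site's DNS; none of these are real hosts.
_PTR = {
    "10.0.0.5": "lab-pc-01.example.test",
    "10.0.0.6": "lab-pc-02.example.test",   # stale PTR: the A record has moved to .7
    "10.0.0.9": "lab-pc-01.example.test",   # PTR claiming an allowed name from another address
}
_A = {
    "lab-pc-01.example.test": {"10.0.0.5"},
    "lab-pc-02.example.test": {"10.0.0.7"},
}

# The grant list as an administrator might type it (mixed case is fine).
GRANT = {"LAB-PC-01.example.test", "lab-pc-02.example.test"}


def demo(ip: str) -> Tuple[bool, str]:
    """Run the check against the constructed tables."""
    return check_machine_access(ip, GRANT, _PTR.get, lambda n: _A.get(n, set()))


if __name__ == "__main__":
    for addr in ("10.0.0.5", "10.0.0.6", "10.0.0.9", "10.0.0.77"):
        print(demo(addr))
```

The stale-PTR case (10.0.0.6) is the DHCP situation from the first post: the name still exists, but the address the list was matched against has changed, so the round-trip fails and the client is denied even though it is a legitimate machine.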

Thank you for the reply. Some responses:

>>However, if the IP addresses and computer names are unique, this should not be an issue. 
They are unique (all machines receive IPs from the same DHCP server), so I'm still not sure why I get that error. I can ping them with the -a option and it returns the correct IP every time (or vice versa, pinging the IP returns the correct machine name). I had to do as you suggested and grant all machines access.

>>I'm not sure what you mean by verifying if the domain is on your computer or not.
Before I was trying to use the Application Property Node NI Security.User to verify whether or not the user is logged into the correct domain. However, this property only returns the domain name and user name, so if I only compared text strings, someone could potentially setup a domain on their machine with the same domain name as the correct domain, and I wouldn't be able to tell the difference. This property would then become useless.

>>Of course, using the programatic login, you can be sure that the user is logging into your local machine's domain and not his own, because you can specify the machine, domain, user, and password.
I must be missing something, because I only see domain, user, and password as inputs to the programmatic login. I'm using the Application Invoke method NI Security.Login in LV 8.5. Do you specify the machine as part of the NI Domain input? If so, what is the syntax?

>>I'm not sure what the format for the ACL input is.  Can you give some context as to why you are using the method?
I didn't fully understand this method (the documentation isn't very clear); I thought I might be able to use it somehow. It seems that no one knows how to use it; I can't find any examples on the forums or elsewhere.

I think I've found a decent solution: for every person I want to add to the list, I create a user name equal to their machine name and a password that is the same for everyone (though unknown to them). Then I just programmatically log them in using their machine name and the default password when the program starts up. If there is an error, the machine name is not a user in the domain, so they won't have access to the button. Someone could still potentially create a local domain with the same name and a user name equal to their machine name, but they shouldn't have access to the password they would need (they have exes of the program). This wouldn't be possible if I could specify the machine name of the domain, as above.

If you have any insights to my replies or my new proposed solution, I appreciate it.

Michael

Message Edited by miguelc on 02-01-2008 11:13 AM
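The question running through the thread, how a client can tell the real domain from a same-named one on another machine, is one that a string comparison of the domain name cannot answer but a shared secret can. The following is an added example, written in Python and not NI's API or code from the thread (the DSC module's login is treated as a black box here): a mutual challenge-response login in which each side proves it holds the machine's secret without ever sending it, using a secret per machine rather than one password for everyone. The domain name, machine names and secrets are constructed for the example.

```python
"""Mutual challenge-response login bound to a per-machine secret.

Added example, not NI's code. A look-alike domain that does not hold the
secret fails the client's check (so the client never trusts it), and a client
without the right secret fails the server's check. Names and secrets are
constructed fixtures.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _proof(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class DomainServer:
    def __init__(self, domain: str, machine_secrets: Dict[str, bytes]):
        self.domain = domain.encode()
        self.secrets = machine_secrets                       # machine name -> secret
        self._pending: Dict[str, Tuple[bytes, bytes]] = {}   # machine -> (client nonce, server nonce)

    def step1(self, machine: str, client_nonce: bytes) -> Optional[Tuple[bytes, bytes]]:
        """Answer a login request with a fresh server nonce and a proof that this
        server holds the machine's secret. Unknown machines get no answer."""
        key = self.secrets.get(machine)
        if key is None:
            return None
        server_nonce = secrets.token_bytes(16)
        self._pending[machine] = (client_nonce, server_nonce)
        proof = _proof(key, b"server", self.domain, machine.encode(), client_nonce, server_nonce)
        return server_nonce, proof

    def step2(self, machine: str, client_proof: bytes) -> bool:
        """Verify the client's proof against the nonces of its pending exchange."""
        pending = self._pending.pop(machine, None)
        key = self.secrets.get(machine)
        if pending is None or key is None:
            return False
        client_nonce, server_nonce = pending
        expected = _proof(key, b"client", self.domain, machine.encode(), server_nonce, client_nonce)
        return hmac.compare_digest(expected, client_proof)


@dataclass
class Client:
    machine: str
    domain: str
    secret: bytes

    def login(self, server: DomainServer) -> bool:
        client_nonce = secrets.token_bytes(16)
        reply = server.step1(self.machine, client_nonce)
        if reply is None:
            return False
        server_nonce, server_proof = reply
        # Check the server first: a same-named domain elsewhere cannot produce
        # this value without the secret, so the name alone buys it nothing.
        expected = _proof(self.secret, b"server", self.domain.encode(), self.machine.encode(),
                          client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            return False
        client_proof = _proof(self.secret, b"client", self.domain.encode(), self.machine.encode(),
                              server_nonce, client_nonce)
        return server.step2(self.machine, client_proof)


# Constructed fixtures: one genuine domain and an impostor using the same name.
SECRET_PC01 = b"per-machine secret for lab-pc-01"
REAL = DomainServer("FileChanger", {"lab-pc-01": SECRET_PC01})
IMPOSTOR = DomainServer("FileChanger", {"lab-pc-01": b"guessed"})


def genuine_login() -> bool:
    return Client("lab-pc-01", "FileChanger", SECRET_PC01).login(REAL)


def impostor_domain_login() -> bool:
    """Same domain name, but the impostor does not hold the secret."""
    return Client("lab-pc-01", "FileChanger", SECRET_PC01).login(IMPOSTOR)


def wrong_client_secret() -> bool:
    return Client("lab-pc-01", "FileChanger", b"not the secret").login(REAL)


def unknown_machine() -> bool:
    return Client("lab-pc-99", "FileChanger", SECRET_PC01).login(REAL)


if __name__ == "__main__":
    print(genuine_login(), impostor_domain_login(), wrong_client_secret(), unknown_machine())
```

The secret has to live somewhere on the client, so this does not by itself protect against a user who can read it out of the client's files; what it does buy is that the client can no longer be fooled by a domain that only shares a name, and that a compromised secret affects one machine rather than every user at once.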
Michael,
 
I'm not clear about the solution you are using, but if the solution that you have posted works well with your system, I see no reason not to use it. I would think that the fear of a person using the same user name or machine name in order to log in can be put to rest if you only allow users to log on using the domain on the main computer that you administer. Even if someone creates the same domain name and logs on elsewhere, the control will not appear for that user, because it will recognize the difference between the local computer's domain and a remote domain with the same name. The login should fail entirely.
 
The programmatic login I was referring to is part of the LabVIEW Datalogging and Supervisory Control Module. I was assuming that you were using this module, as most users that need these types of features use LabVIEW DSC to implement them.
Brian Coalson

Software Engineer
National Instruments