NTLM Login Problem on S10

Viewing 9 posts - 1 through 9 (of 9 total)
  • #821
    bcdavis1979
    Member
    • Total Post: 2
    • Newbie

    Our company recently purchased a couple Wyse terminals for testing and possibly implementing. Thanks to the resources on this site I have managed to accomplish most of our goals, but I am having trouble implementing NTLM login to our domain on one of the test units.

    I have two Wyse units here on my desk; one is a VX0 running 6.0.0_14, and NTLM works perfectly as expected on it. The S10 unit I have is running 5.3.0_9, and no matter what I try it tells me invalid username/password when I try to log in with NT domain credentials.

    Any help or suggestions you could provide would be greatly appreciated!

    My wnos.ini file is as follows:


    ;*************************************************************
    ;* *
    ;* This wnos.ini file was generated with the *
    ;* Configuration File Generator *
    ;* Copyright by Thomas Moellerbernd *
    ;* *
    ;*************************************************************


    ;*************************************************************
    ;* General 1 *
    ;*************************************************************

    autoload=0
    Privilege=High

    ;*************************************************************
    ;* General 3 *
    ;*************************************************************

    NoticeFile=notice.txt Resizable=yes Timeout=100

    ;*************************************************************
    ;* Input Devices *
    ;*************************************************************

    Language=Us

    ;*************************************************************
    ;* Display *
    ;*************************************************************

    Resolution=1280x1024 Refresh=60
    DeskColor="0 0 0"
    Desktop=kdmcballa.bmp Layout=Center
    Screensaver="5" LockTerminal=yes Type=2 Image=kdmc.bmp
    ShutDownInfo=yes

    ;*************************************************************
    ;* Time *
    ;*************************************************************

    Timeserver=dc1.kdmc.local Timeformat="24-hour format" Dateformat=mm/dd/yyyy
    TimeZone='GMT - 05:00' ManualOverride=yes Daylight=yes Start=030507 End=100507 TimeZoneName="Eastern Standard Time" DayLightName="Eastern Daylight Time"

    ;*************************************************************
    ;* Network *
    ;*************************************************************

    SignOn=NTLM ConnectionManager=Hide EnableOK=Yes DisableGuest=yes
    PasswordServer=pna.kdmc.local
    MaxVNCD=1
    VncPassword="MABBMGBGMABB" Encrypt=yes
    VncPrompt=Yes Accept=10

    ;*************************************************************
    ;* ICA *
    ;*************************************************************

    IcaBrowsing=UDP
    Seamless=yes HideTaskBar=Yes FullscreenReserved=yes
    PnliteServer=172.31.6.11
    DomainList=kdmc

    #11168
    ConfGen
    Keymaster
    • Total Post: 11009
    • Jedi Master
    • ★★★★★★★

    Hi,

    I guess you are using a Windows 2003 domain.
    I know there is an issue with Windows 2003, as by default NTLM compatibility is switched off there.
    Search the MS website to find a tip on how to enable it again. I don’t have my notes in front of me, otherwise I would have posted it here.

    Cheers
    CG

    #11169
    thinkthin
    Member
    • Total Post: 1707
    • Jacked into The Matrix
    • ★★★★★★

    Hi,

    I did some work on this recently for an article on this site. You will need to set two reg settings on your domain controller. Check out the white paper in this download; the keys are at the end of the article:

    http://www.freewysemonkeys.com/site/modules.php?name=Downloads&d_op=viewdownloaddetails&lid=109&ttitle=VDI-NoBroker.zip

    Of course NTLM is an old authentication method and not as strong as Kerberos; Microsoft decided to turn off accepting this in pure AD 2003 domains. You will have to be OK with accepting the security implication before making this change.

    Cheers,
    -TT

    #11170
    thinkthin
    Member
    • Total Post: 1707
    • Jacked into The Matrix
    • ★★★★★★

    I just read your wnos.ini.

    You are using ICA, so do you need NTLM? Why not just use signon=1? This will allow authentication via the PNliteserver=

    Signon=NTLM can be useful in RDP-only environments.

    Cheers,
    -TT
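
A small check for the situation described in the reply above, added here as an example and not part of the original posts: it parses wnos.ini lines (several Key=Value pairs per line, quoted values, `;` and `#` comments) and flags SignOn=NTLM when a PnliteServer is also configured. The function names and the case-insensitive, last-value-wins handling are assumptions.

```python
import re

# One Key=Value pair; values may be bare, "double quoted" or 'single quoted'.
PAIR = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")

def parse_wnos(text):
    """Parse wnos.ini text into a list of lines, each a list of (key, value).

    Keys are lower-cased (assumption: parameter names are case-insensitive,
    as the thread writes both SignOn= and signon=)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # blank line or comment
            continue
        pairs = [(k.lower(), v.strip("\"'")) for k, v in PAIR.findall(line)]
        if pairs:
            lines.append(pairs)
    return lines

def review_signon(text):
    """Summarise sign-on settings and flag the combination from the thread."""
    settings = {}
    for pairs in parse_wnos(text):
        for key, value in pairs:
            settings[key] = value            # last occurrence wins (assumption)
    signon = settings.get("signon", "").lower()
    broker = settings.get("pnliteserver", "")
    findings = []
    if signon == "ntlm":
        findings.append("SignOn=NTLM: the domain controllers must accept NTLM")
        if broker:
            findings.append("PnliteServer=%s is set: SignOn=1 would "
                            "authenticate through it instead" % broker)
    return {"signon": signon, "pnliteserver": broker,
            "domainlist": settings.get("domainlist", ""), "findings": findings}

# Excerpt of the wnos.ini posted in the thread.
SAMPLE = """
;* Network *
SignOn=NTLM ConnectionManager=Hide EnableOK=Yes DisableGuest=yes
PasswordServer=pna.kdmc.local
TimeZone='GMT - 05:00' ManualOverride=yes Daylight=yes
PnliteServer=172.31.6.11
DomainList=kdmc
"""

if __name__ == "__main__":
    for finding in review_signon(SAMPLE)["findings"]:
        print(finding)
```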

    #11174
    bcdavis1979
    Member
    • Total Post: 2
    • Newbie

    Changing the config to signon=1 accomplished what I was looking for.

    Thanks for all of your help!!!

    #12292
    Ivor
    Participant
    • Total Post: 3
    • Newbie

    I read thoroughly all of the material in “Using VDI with NTLM Authentication and No Connection Broker” and I absolutely love the option; it gives me everything I want for a smooth end user ride, except:

    I’m running a mixed environment of RDP connections, phasing out Server 2003 Terminal servers in favor of Parallels Virtuozzo VDI environments with a mix of V10s and ThinStation PCs as they die out.

    I have a problem logging onto a V10 using NTLM: as an example, if the user password has expired or I have reset the password in AD (Server 2003) and forced an immediate password expiration, AD seems to treat the password as invalid, as the V10 is unable to launch a window to force the password change right then. My only choice seems to be to not force the password change after resetting the password, then I have to turn off auto-launching the RDP session to connect to the user’s VDI so I can force the password change before they go into their VDI, where they can change their password, then set the user’s ini to autolaunch again after that, otherwise I go into a loop.

    If users didn’t wait until they see the whites of the eyes of a password change, this would be rare, but I know my people well enough to know I need out of this issue!

    Anyone else see it or have a solution?

    #12295
    thinkthin
    Member
    • Total Post: 1707
    • Jacked into The Matrix
    • ★★★★★★

    Hi Ivor,

    Yes, it is almost a great solution except for the password change. Unfortunately I do not know of a solution to this currently, but maybe ConfGen has an idea – ConfGen?

    Glad you liked the no broker article, it took some time to put together 🙂

    Cheers,
    -TT

    #12301
    Ivor
    Participant
    • Total Post: 3
    • Newbie

    I really appreciate what you have put together and all of your hard work. The WYSE documentation is so poorly organized and incomplete I was ready to give up on the V10s, until I found your site.

    I have a second dilemma, mostly related to the way the Parallels Virtuozzo suite runs. We are a small State of California agency, but are under mandate to encrypt all mobile data. On our PCs, we run a software suite called Credant Mobile encryption that will encrypt all data to a burned CD, DVD, USB flash drive, etc. as well as on the hard drive per policies you set on the global manager. The devices check in with the global manager to pull the policies. On Parallels, what is different than VMware that makes it great is that you install available software on the hardware and then each VD has zero kb links to the software, so each VD instance is only 100Mb, but the actual VD is actually Server 2003 with an XP graphic skin applied to it.

    My encryption software does not run on server 2003, so I cannot force a push of an encryption client to an external flash drive or burner via the VDI-V10 mapping. I can either rename usbstor.sys on the VD to disable file transfers or disable all drive mappings via RDP for most staff, but I am at a loss for how to handle the clients that have legitimate needs to go mobile with agency data besides yelling about policy and making them go to an actual PC to initially encrypt their drive. The only other option would be to look for an additional software vendor.

    Anyone have any thoughts?

    #12306
    thinkthin
    Member
    • Total Post: 1707
    • Jacked into The Matrix
    • ★★★★★★

    Have you tried the Wyse USB virtualizer? It “should” allow your encryption software to see the USB stick natively and allow it to work.

    Now that you have a V10L, get the USB software from the downloads – TCX section of wyse.com. Next get the matching V10L firmware and an evaluation key from Wyse sales. You put the eval key into the wnos.ini; you will need three lines in the wnos.ini to set this up:

    #TCX Eval keys, separate with a comma if you have more than one
    TCXlicense=xxxx-xxxx-xxxxx-xxxx-xxxx

    #Set up a time server or key will not work:
    TimeServer=

    #Enable USB but turn off RDP USB mapping
    SessionConfig=All MapDisks=No

    I would love to hear if your software works with USB re-direction.

    Cheers,
    -TT
