Wrong 'User Access Control' struct values when the password is wrong


Interroga


Hello,
Which UniLogic version are you using? This issue was already fixed. Please download the latest version of UniLogic, update the firmware and test again.


BTW,
just a heads up, I remember that you have Windows 7 64 Bit. There is a Windows update that was released about a week ago, and it causes UniLogic to stop working (as a matter of fact, it is causing a lot of WPF .NET programs to stop working). The problem is described here:

                https://github.com/dotnet/announcements/issues/53

Microsoft is working on a fix, but I'm not sure when they will release it, so in case your UniLogic stops working (splash screen closes without UniLogic starting), then use one of the workarounds suggested in that link (The easiest is #1, while #3 doesn't require installing or uninstalling anything, just overwriting a file).


OK. I'm getting the information about when and on which version it was fixed. Maybe it was fixed after 1.22 was released.

Anyhow, the video shows how to reproduce the problem. I was not able to reproduce the problem where the buttons get enabled, but I do see the problem where the User Access Control Tag shows the name of the last logged in user, even though no one is currently logged in (this along with some other invalid member values in the struct, like event type, and user group), so I'm passing this to the Panel R&D team and the Q.A team as well.

 


Thanks for the reply. I apologize for my English. I'm not always clear with words, so I created the video. I have many suggestions about the software and if it's possible to show these suggestions I will be happy to collaborate.
I will send my suggestions by e-mail for your analysis.


Regards,  Mauro Rovetta.

 


Suggestions are always a good idea. Some of them get accepted and improve the usability of the software.


In the matter of your issue:
I just tried to reproduce the problem with UniLogic and UniStream 1.21, and got the same result as with 1.23 (pre-released), and the Panel R&D team leader says that this bug was fixed a long time ago, even before 1.21.

I know that you are using the latest version, so if you can, please try reproducing the issue with an empty / new project. Just add 2 users (one admin and 1 operator), and add one button to a screen and link it to L3. Also add a textbox that shows the logged in user, and choose either to hide the button or to have the touch disabled (with disable color).

Tell me if you were able to reproduce the problem where the button gets visible / enabled (I don't care about the user name that you see in the textbox, since I already saw that it happens).


If the problem does not reproduce with a new project, then maybe something with the big project that you have on the PLC is causing the bug, and in this case we might need that project for debug.

Thanks. 


Hi,

The wrong Username and Group in the UAC struct are now fixed, and the fixed version will be released in the next version.

In the video, I noticed that 2 buttons get enabled when you enter the wrong password. Is it also a bug with the UAC? (We were not able to reproduce it, and I asked you about it last week.)

Since I don't have your project, then I can't debug it, or try to reproduce the problem with it. The title of this thread is wrong UAC struct values (the title does not indicate a problem with the UAC state, or buttons state).

 

Please update me about the problem.

 

Thanks.


Hello Saragani.

I forgot to reinforce the need for renewal of passwords in periods as described in the good practices of Microsoft in this link. Market systems have expiration dates and character complexity in passwords. Please request the R&D team to include this resource that the market demands along with the 21 CFR Part 11 standard.

https://technet.microsoft.com/en-us/library/ff741764.aspx

Regards,

 

Mauro Rovetta.

 


OK, I got your project.

In the video, I saw that button "Menu" and "Finaliza Produção" get enabled when a wrong password is being entered. I see now, from the project, that it is not being enabled by the UAC, but from a bit that is being set from Ladder (which gets the group number from the wrong data in the UAC struct), so the bug is not as dangerous as I first thought.

The bug with the wrong data in the struct has been fixed, and it will be included in UniLogic 1.23.

 

We are currently checking the 16 users issue.


Thanks for your reply.

Is your team thinking about creating a time to expire passwords, as I suggested in the email sent? I need this resource very much. The rules for Pharmaceuticals are very demanding on this subject. The rules below are the same used for Microsoft.

  • Validity of passwords for a given time
  • Request to change password at first login after user creation is mandatory
  • Required password change after expiry date
  • Memorization of the last three passwords used by the user to block their reuse.
  • Complexity criteria for creating passwords through configuration

Thanks very much for support in this situation.
Regards, 

 

Mauro Rovetta.


Quote

Is your team thinking about creating a time to expire passwords, as I suggested in the email sent? I need this resource very much. The rules for Pharmaceuticals are very demanding on this subject. The rules below are the same used for Microsoft.

  • Validity of passwords for a given time
  • Request to change password at first login after user creation is mandatory
  • Required password change after expiry date
  • Memorization of the last three passwords used by the user to block their reuse.
  • Complexity criteria for creating passwords through configuration

Our Support manager, Ofir, already passed your requests. I can see the next feature requests:
      - Configure "time to expire" for UAC passwords
      - Complexity criteria for creating passwords through configuration
      - User will be blocked after several unsuccessful attempts.
      - User cannot use last 5 passwords
      - An option to ask the user to change his password on his first login to the system
I can't guarantee anything, but I can ensure that the features will be considered.


 

Quote

complexity criteria for creating passwords through configuration

What's required that does not already exist today? In "UAC" -> "Properties Window" -> "Password" in UniLogic the user can set:
      Password minimum length
      Must include numbers
      Must include special characters


 

Quote

The rules for Pharmaceuticals are very demanding on this subject

I will add this information to your requests. If you can contact the support and elaborate on the matter, it will be great.

  • Upvote 1

  • 3 months later...

Unfortunately the last version of the software did not correct the problem of the return of the last logged in user, when a user was wrong or without permission. I ask for your help on the issue, as the customer continues to question this error.

The last logged in user is logged out. The next user, upon logging in and entering an incorrect password, causes the system to place the last user again, enabling the last user's group functions.


Hi Interroga,
I see in our bug tracking system that the issue "UAC struct updated with wrong data after 'Login' -> 'Logout' -> 'Invalid Login'" was fixed & verified by our QA on 22-01-2018, PLC version 1.23.4.
Moreover, I just checked the bug scenario on PLC version 1.23.19:

          1. Login to UAC using correct credentials: User name and group appear in UAC struct
          2. Logout: User name and group data is reset
          3. Login again, now using incorrect credentials
             While the status is correct (5=invalid login), the user name and group name of the last successful login appear in the struct

and it is working as expected.

What version do you use?
Is my scenario exactly what you are complaining about?


Thanks NoamM for your reply.

The problem is in the last step ("While the status is correct (5=invalid login), the user name and group name of last successful login appear in the struct").

It is because the active group number receives the value of the last logged user. This makes available the resources in the program that use the actual group level as criteria. How can I read the actual group number if, after a wrong login, the group number returns to the last login's group number?

From my point of view, the group number can't receive values that indicate a valid group.

I use the actual user name on the screen, and it causes confusion in operation about knowing and trusting the information on the screen.

This is my problem.....

 

 


Hello Interroga,

Thank you for your reply!

As I see it, you are using the UAC struct for current status reference, but that's not the right way of using it.

This struct is used to control the login of the last attempt, which means that every time a user (Admin, Operator, etc.) tries to log in (successfully or not), it will be written in the struct.

Since you are displaying the user, group ID, etc., you'll need to use your own logic to make it work.

For example:

  • Good login will be written.
  • Bad login will not be written and will show the last status (User connected or No user connected).
  • When powering up the PLC or logging out, it will show "No user currently connected"

I attached to this post an example project with UAC written logic  - you can find it also in UniLogic example files.

For any additional support - do not hesitate to contact us!

 

UniStream_070_UAC Example.ulpr

  • Upvote 1
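
The latching logic described in the post above, modelled in Python as an added example (it is not Unitronics code and is not taken from the attached .ulpr project). Only status value 5 for an invalid login comes from the thread; the other status values, the field names, the group numbers and the `SessionLatch` / `replay` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass

STATUS_INVALID_LOGIN = 5   # value quoted in the thread
STATUS_LOGIN_OK = 1        # assumed placeholder, not a documented UniLogic value
STATUS_LOGOUT = 2          # assumed placeholder, not a documented UniLogic value
NO_USER = ("No user currently connected", 0)   # group 0 = no rights (assumed)


@dataclass(frozen=True)
class UacAttempt:
    """Constructed stand-in for the UAC struct: data of the last login attempt."""
    status: int
    user_name: str
    group: int


class SessionLatch:
    """Derives the current session from a stream of last-attempt snapshots."""

    def __init__(self):
        self.user, self.group = NO_USER          # power-up: nobody connected

    def update(self, attempt):
        if attempt.status == STATUS_LOGIN_OK:    # good login is written
            self.user, self.group = attempt.user_name, attempt.group
        elif attempt.status == STATUS_LOGOUT:    # logout clears the session
            self.user, self.group = NO_USER
        # Invalid login or any other status: name/group in the struct are
        # ignored, so the previous state (user or no user) is kept.
        return self.user, self.group


def replay(attempts, allowed_groups):
    """Per attempt: (button enabled reading struct directly, enabled via latch)."""
    latch, results = SessionLatch(), []
    for attempt in attempts:
        _, group = latch.update(attempt)
        results.append((attempt.group in allowed_groups, group in allowed_groups))
    return results


# Constructed sequence: login -> logout -> wrong password with stale struct data.
SAMPLE = [
    UacAttempt(STATUS_LOGIN_OK, "admin", 3),
    UacAttempt(STATUS_LOGOUT, "", 0),
    UacAttempt(STATUS_INVALID_LOGIN, "admin", 3),
]

if __name__ == "__main__":
    for naive, latched in replay(SAMPLE, allowed_groups={3}):
        print(f"direct read: {naive!s:5}  latched: {latched}")
```

On the third sample entry the direct read of the group enables the button while the latched session keeps it disabled, which is the difference between the ladder bit described earlier in the thread and the logic recommended here.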

 

I'm sorry for my opinion. I think it is "jerry-rigged", because the name of the variable is "User Access Control Struct.User Name" and it is not spelled "last user name logged", and the expected idea is the current user name, not dependent on this login status. This is not clear from the available manuals. I know we can state our opinions so the software can be improved. That's why I participate in the forum.

Thanks for the example!!!

Best regards.

 

 


Hello Interroga,

I hope you are doing well, and I would like to thank you for your participation in our forum.

About the struct member names, I will pass it over.

If you have any further questions, do not hesitate to contact us.

Best regards.

 
