LOGON_OS_LOCATION

Copyright © Cloud Software Group, Inc. All Rights Reserved

Chapter 6 Administering Process Attributes : General iProcess Engine Configuration : LOGON_OS_LOCATION

LOGON_OS_LOCATION

General iProcess Engine Configuration

Summary

This attribute defines the default location where passwords should be validated when a user attempts to logon to this iProcess Engine node.

This attribute is only used on the Windows variant of iProcess Engine. It has no effect if it is set on a UNIX system.

Applies To

The attribute must be set for ALL processes.

Permissible Values

The attribute value must be a text string containing a single valid machine name or domain name.

Default Value

This attribute is not defined automatically when you install or upgrade iProcess Engine. To use this attribute, you must explicitly assign a value to it using the SET_ATTRIBUTE command.

The attribute only appears in the output of the SHOW_ALL_ATTRIBUTES command if you have explicitly assigned a value to it using the SET_ATTRIBUTE command.

Notes

If the iProcess Engine is running on a machine that is a domain member or domain controller, the user account could exist in multiple places. The iProcess Engine node therefore uses the following search path to find the location it should use to validate the user’s password:

1.

the value of the user’s SW_DOMAIN user attribute (if defined). This attribute specifies a single valid machine name or domain name that should be used to validate a particular user’s password. (See TIBCO iProcess Windows (Workspace) Manager’s Guide for more information about this attribute and how to set it.)

2.

the LOGON_OS_LOCATION value (if defined).

3.

the search path provided by the Windows LookupAccountName function (which iProcess Engine uses to find the user’s account name). This path is:

a.

well-known Windows security identifiers. (A security identifier (SID) is a unique value that identifies a security principal or security group in Windows operating systems. Well-known SIDs are a group of SIDs that identify generic users or generic groups.)

b.

built-in and administratively defined local accounts.

c.

the primary domain.

d.

trusted domains.

Note that:

•

If both attributes are set, the SW_DOMAIN value takes precedence over the LOGON_OS_LOCATION value.

•

If iProcess Engine is running on a standalone machine, passwords are always validated against local machine accounts. The SW_DOMAIN and LOGON_OS_LOCATION attributes are ignored even if they are set.

If the SW_DOMAIN or LOGON_OS_LOCATION attribute is defined, iProcess Engine checks to see if the user account exists in that location. If the account does not exist there, or if the password does not match the one defined, password validation fails. An error is also written to the sw_warn file indicating that a mismatch has occurred. For example:

2006/11/30 13:23:16(BENCHTST:1968:1968:0:aduser1:filosuvm.c:1.18:373): 1631-WARNING: <LogoniProcessUser (): LookupAccountName(ssfsf) failed: No mapping between account names and security IDs was done.> <> <> <>

2006/11/30 13:23:16(BENCHTST:1968:1968:0:aduser1:filosuvm.c:1.18:373): 1631-WARNING: <LogoniProcessUser (): LogonUser(auser1@UK-BONDIC) failed: Logon failure: unknown user name or bad password.> <> <> <>

You should define LOGON_OS_LOCATION (or the SW_DOMAIN user attribute) if user accounts with the same name exist in two or more trusted domains, because you cannot guarantee which domain the LookupAccountName function will check first, and so pick the account information from. Consequently, a logon attempt may fail because it is validated against the wrong domain.

If you use a UVAPI package to perform password validation, you should note that using the LOGON_OS_LOCATION and/or SW_DOMAIN attributes requires that you use extended (_ex) versions of some UVAPI interfaces. The extended interfaces support the passing in and out of user location information from the SW_DOMAIN user attribute and/or LOGON_OS_LOCATION process attribute. (The old interfaces are still supported, but if you use them the location of the user is not passed down from LOGON_OS_LOCATION or SW_DOMAIN attributes.)

See TIBCO iProcess User Validation API User’s Guide for more information.