g00tag  
#1 Posted : Thursday, September 6, 2012 1:52:32 AM(UTC)
g00tag


Rank: Newbie

Joined: 9/6/2012(UTC)
Posts: 1

Greetings all,

Long-time ScreenConnect user looking to extend support beyond our LAN, i.e. allow technicians to connect from anywhere; however, I need to implement two-factor. For my purpose a one-time password sent via email to a phone would work.

ex: 1234441212@txt.att.net

Any ideas, thoughts or suggestions welcomed.

b00ndock  
#2 Posted : Tuesday, September 18, 2012 11:43:32 PM(UTC)
b00ndock


Rank: Newbie

Joined: 9/18/2012(UTC)
Posts: 3

We need this also; how to set up?
vexation  
#3 Posted : Wednesday, September 19, 2012 4:00:24 AM(UTC)
vexation


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 8/28/2012(UTC)
Posts: 34

Thanks: 7 times
Was thanked: 3 time(s) in 2 post(s)
Thought I'd also echo my need for this. We're currently trialing ScreenConnect and restricting access to the admin panel to specific IP addresses via web.config, but if we could have Two Factor Authentication (SMS or e-mail) I'd be a lot happier with the security side of things.

I believe it's fairly easy to integrate Google's 2-step Auth into most products these days (a pal of mine said that; I'm mostly clueless when it comes to programming). If anyone has implemented it or similar, I'd love to hear about it!
b00ndock  
#4 Posted : Thursday, September 20, 2012 1:14:49 AM(UTC)
b00ndock


Rank: Newbie

Joined: 9/18/2012(UTC)
Posts: 3

We use DualShield from Deepnet to secure some other applications. I was reading up on their site and they have a module to integrate with IIS and another 'flexible web authentication gateway'.

I've set up DualShield for other applications to authenticate via RADIUS, but this sounds like programming to me, if anyone is interested:

http://www.deepnetsecurity.com/solutions/web/

IMO ScreenConnect is the best / fastest remote support tool out there. Two-factor would make it the ultimate tool for us because we could allow access from the internets.
Jake  
#5 Posted : Friday, September 21, 2012 5:08:25 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
We may throw together an example of this ... once we get some breathing room
ScreenConnect Team
b00ndock  
#6 Posted : Saturday, September 22, 2012 11:10:03 PM(UTC)
b00ndock


Rank: Newbie

Joined: 9/18/2012(UTC)
Posts: 3

We need a starting point; that would be great.

Best
BeanAnimal  
#7 Posted : Monday, September 24, 2012 7:50:19 PM(UTC)
BeanAnimal


Rank: Member

Joined: 9/24/2012(UTC)
Posts: 14
Location: Pittsburgh

After a LOT of reading and looking at products (SecureID, Google, SecureCard, etc.) it appears that there is no easy way to do this. Most of the products and services cost about $2500 to implement and then another $500 or so every 3 years to renew tokens. I played with SecureCard's (now SafeNet's) cloud-based Two Factor Authentication product today and was able to get somewhere near what we need, but it was still too much of a PITA for end users. In fact, it may not be really possible at all, due to the way ScreenConnect is built. I was able to set up authentication for an IIS website, but SC runs its own web server.

The bottom line, while this application is kind of cool, it really is a toy when viewed in the perspective of professional tools. It is a simple ASP.NET application that hosts itself and does not appear to be well suited to run native in IIS with a SAML or RADIUS TFA front end. The app authors really need to build a configurable RADIUS authentication option and/or SAML. Otherwise, there really is no way to secure this. I have beat up on it, but the simplicity of the authentication is kind of bothersome.

I almost pulled the trigger on purchase today, but when the big picture is/was considered, the Bomgar appliance may be cheaper/safer and it appears to work with RADIUS if needed. Don't get me wrong, this software looks to have great potential if some serious consideration is given to security. The authors need to work with CryptoCARD or SecureID to come up with a simple "check the box to enable two factor authentication" feature.

In fact, if they (ScreenConnect) resold the tokens and service they could make money and save us money, as most of us don't need 10 tokens (the minimum for most TFA/OTP token providers like SecureID or CryptoCard).

The end goal:

Administrator should have to provide UserName and OneTimePassword generated from an industry standard token (soft or hard).
Guest should have to provide session ID AND OneTimePassword to initiate session. The administrator would provide the one time password at the same time the session ID was provided. I could care less about email requests, SMS, etc. 99.99% of my live support sessions are initiated over the telephone, where I can provide the session ID and OTP.

Edited by user Monday, September 24, 2012 8:12:30 PM(UTC)  | Reason: Not specified

Jake  
#8 Posted : Tuesday, September 25, 2012 1:16:24 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
You're trying to authenticate your _guests_ using two factor? If you're over the phone it seems generating a random code session for one time use is quite sufficient for authenticating guests.

I was going to show an example of using maybe google authenticator to add another factor to host authentication.
ScreenConnect Team
BeanAnimal  
#9 Posted : Tuesday, September 25, 2012 9:28:31 AM(UTC)
BeanAnimal


Rank: Member

Joined: 9/24/2012(UTC)
Posts: 14
Location: Pittsburgh

Jake Morgan wrote:
You're trying to authenticate your _guests_ using two factor? If you're over the phone it seems generating a random code session for one time use is quite sufficient for authenticating guests.

I was going to show an example of using maybe google authenticator to add another factor to host authentication.


From the ADMIN console standpoint:
It is a MUST HAVE if the product is to be used public facing. Strong-arming or hacking the console means every current session and ALL unattended sessions are vulnerable to the hacker. A public facing product like this will be under attack 24/7, without question. The rub is that we are not only dealing with any flaws in SC code, we are also dealing with the security flaws in the IIS box, firewall, etc. That includes other IIS sites and/or public facing interfaces on the box or IP.

IIS6 and especially IIS7 have some pretty decent built-in pluggable interfaces for using 3rd-party authentication interfaces.

A VPN or other secure session cannot be used to isolate the admin interface because it is the same application as the public interface. We certainly do not want guests having to install and navigate a VPN session to get to the guest interface. What are we to do? Protect the entire application with TFA of some sort; One Time Passwords (OTP) make just about the most sense. If the TFA sits between the application and the public, then strong-arm break-ins, man-in-the-middle, web app hacks, etc., are going to be much harder to pull off.


From the GUEST facing standpoint:
Because the "public" guest side and the "private" admin side are the same program/interface/application, any security flaws here directly translate to security risks for the ADMIN side. That is, the only thing separating the guest from the admin is a username and password. How secure IS this application? What happens when one of us (or a guest) initiates a session from a key-logged or otherwise infected 3rd-party machine? Yes, it makes perfect sense for the GUEST to have to pass through an OTP in addition to the session ID. Why allow random passersby (not so random hackers) the ability to try to compromise the application by guessing at session codes? With the entire application protected with a ONE TIME password, this simply can't happen.

Again, because this is not hosted IN IIS, it does not appear that products like SecureID, CryptoCard's BlackShield, or other two factor authentication can be put IN FRONT of the web application.

I am not a security expert, but I do own an IT consulting business and see security breaches daily. If it faces the public, it is under severe attack, period! As of late, most security breaches into private systems are a direct result of hacked remote support tools. Please consider enabling out-of-band two factor authentication. Honestly, it is not really an option and is instead a must have.

I would also ask (insist) that you offer a fully native IIS6/IIS7 package without the built-in hosting. Don't get me wrong, I only need 1 or 2 seats, but simply cannot fathom using this product public facing unless it can be fully secured. Because it is not an IIS native app, I can't even use challenge response or other means to secure the admin side. It is out there flapping in the breeze waiting to be hacked.

Jake  
#10 Posted : Tuesday, September 25, 2012 1:34:36 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
The authentication and authorization is completely customizable. We've had plenty of customers rip our stuff out and replace with their SSO plugged directly into ASP.NET.

You can easily put an IP filter on the admin and host pages. Plenty of people do this:
http://forum.screenconne...rict-the-IP-address.aspx

IIS7 is pretty much just HTTP.SYS connected to ASP.NET, for an ASP.NET app at least. There just isn't much that IIS offers in the middle. It did previously with IIS 4/5/6, but that ISAPI stuff was a nightmare to deal with, and all the native C code in those extensions with their buffer overruns is where hackers had a field day on Windows machines.

Our web server is also just HTTP.SYS connected to ASP.NET, and is very slim. Now I haven't researched any of the stuff you mentioned, but I can't imagine how any decent plugin would rely specifically only on IIS without really just being a part of the ASP.NET HTTP pipeline. Even the IIS MMC plugin primarily just manipulates the ASP.NET configuration. However, as far as configuration goes, it may be a bit tricky to set it up with our system.

You may be able to figure out how to add some authentication to the guest side, but we're not really focused on that. By design it's really easy to connect as a guest, and we want to keep it that way. You can do all kinds of crazy stuff there, but if there is a true vulnerability in the software, chances are you won't be stopping it by doing further authentication with your guests. You can generate your session codes as many characters as you like. You can even not have session codes and just email out 128-bit GUID session IDs. Both of these are unguessable.

It'll be pretty easy to add two factor authentication for the host. We have some other requests for being able to change passwords and stuff like that, so we'll probably wrap it into a single example.
ScreenConnect Team
BeanAnimal  
#11 Posted : Tuesday, September 25, 2012 6:58:20 PM(UTC)
BeanAnimal


Rank: Member

Joined: 9/24/2012(UTC)
Posts: 14
Location: Pittsburgh

Quote:
You can easily put an IP filter on the admin and host pages. Plenty of people do this:
http://forum.screenconne...rict-the-IP-address.aspx
IP filtering is fine, but not what I am looking for, as it does not allow for mobile techs and makes management far too complex.

Quote:
IIS7 is pretty much just HTTP.SYS connected to ASP.NET, for an ASP.NET app at least. There just isn't much that IIS offers in the middle. It did previously with IIS 4/5/6, but that ISAPI stuff was a nightmare to deal with, and all the native C code in those extensions with their buffer overruns is where hackers had a field day on windows machines.
Agreed, but that reality does not help secure this application :)

Quote:
You may be able to figure out how to add some authentication to the guest side, but we're not really focused on that. By design it's really easy to connect as a guest, and we want to keep it that way.
I agree, but a static session ID is a security risk, no matter how long it is. Instead of a SINGLE textbox, the guest would enter a sessionID and OTP, both provided by the tech. This secures the entire application. As it stands a single hacker can bounce as many session ID requests (or for that matter login requests) off of the server as he pleases. Is there a security flaw in the form of a hacker opening a remote session intended for somebody else? I dunno, but do we really want to let them try?

Quote:
You can do all kinds of crazy stuff there, but if there is a true vulnerability in the software, chances are you won't be stopping it by doing further authentication with your guests.
I think you may be missing my point. The "one time password" can be in addition to (or for that matter take the place of) the session code. The key is that it is created out of band with a secure key and it expires without user intervention. Again, hacking remote support applications is the preferred path into secured networks. In my opinion any feature enhancement should take a back seat to security. I am not asking that the guest be forced to generate the OTP, perform additional authentication steps or have their experience changed in any way. I am asking that the security of the process be improved to prevent it from being used as a prybar into the system.

Quote:
It'll be pretty easy to add two factor authentication for the host. We have some other requests for being able to change passwords and stuff like that, so we'll probably wrap it into a single example.
I look forward to seeing an example, as without it I am not willing to purchase the product.

Thank you for taking the time to reply.
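The mechanism argued over in the exchange above (an unguessable session identifier plus a short code the technician reads out, which expires on its own and works exactly once) can be written down concretely. The following is an added Python illustration, not ScreenConnect's code or the Login.aspx attachment from this thread: the session ID is 128 bits as Jake describes, the code is stored only as a keyed hash, guesses per code are capped, and the TTL, code length and demo values are constructed assumptions.

```python
"""One-time session code store: 128-bit session ID + short spoken code, with
expiry, single use, hashed-at-rest storage and a guess cap.  Added illustration,
not ScreenConnect's code; TTL/lengths/demo values are constructed."""
import hashlib
import hmac
import math
import secrets
import time

# Unambiguous when read aloud over the phone: no 0/O or 1/I/L confusion.
CODE_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


class OneTimeCodeStore:
    def __init__(self, ttl=300, max_attempts=5, now=time.time):
        self.ttl = ttl                      # seconds a code stays valid (assumed)
        self.max_attempts = max_attempts    # wrong guesses before the code is burned
        self.now = now                      # injectable clock for testing
        self._pepper = secrets.token_bytes(32)   # server-side key: a DB dump reveals no codes
        self._entries = {}                       # session_id -> record

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    @staticmethod
    def normalize(code: str) -> str:
        """Tolerate how people type a code they heard on the phone."""
        return code.strip().upper().replace(" ", "")

    def issue(self, subject: str, length: int = 8):
        """Return (session_id, code).  The technician gives both to the guest."""
        session_id = secrets.token_hex(16)        # 128 bits, unguessable
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        self._entries[session_id] = {
            "digest": self._digest(code),
            "expires": self.now() + self.ttl,
            "attempts": 0,
            "subject": subject,
        }
        return session_id, code

    def redeem(self, session_id: str, code: str):
        """Return (accepted, reason).  A code is consumed on first success,
        dies on its own at expiry, and is burned after max_attempts guesses."""
        entry = self._entries.get(session_id)
        if entry is None:
            return False, "unknown"
        if self.now() >= entry["expires"]:
            del self._entries[session_id]
            return False, "expired"
        if hmac.compare_digest(self._digest(self.normalize(code)), entry["digest"]):
            del self._entries[session_id]         # single use
            return True, "ok"
        entry["attempts"] += 1
        if entry["attempts"] >= self.max_attempts:
            del self._entries[session_id]         # burn it; the tech issues a new one
            return False, "locked"
        return False, "invalid"


def code_entropy_bits(length: int = 8) -> float:
    """How much a guess cap is protecting: 8 chars of this alphabet is ~39.6 bits."""
    return length * math.log2(len(CODE_ALPHABET))


if __name__ == "__main__":
    store = OneTimeCodeStore()
    sid, code = store.issue("phone call with guest")   # constructed subject
    print("session id:", sid, "code:", code)
    print(store.redeem(sid, code.lower()), store.redeem(sid, code))
```

The guess cap is what makes a short, speakable code safe: without it, 39.6 bits is well within reach of an automated guesser, and with five attempts per code the odds per issued code are negligible. Keying the digest with a server-side pepper rather than a plain hash means a copied database does not hand over live codes.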
tompace  
#12 Posted : Friday, September 28, 2012 2:39:32 PM(UTC)
tompace


Rank: Newbie

Joined: 9/28/2012(UTC)
Posts: 1

+1 for Google Two-Factor Authentication option.
BeanAnimal  
#13 Posted : Saturday, October 6, 2012 2:21:34 AM(UTC)
BeanAnimal


Rank: Member

Joined: 9/24/2012(UTC)
Posts: 14
Location: Pittsburgh

I am going to be frank here, sorry in advance if I offend anybody... (users or SC staff, Jake, etc)

I have played with the trial and like the function of the base product. However, I get the feeling that most of the target audience is not security conscious or even vaguely aware of the huge risk that a product like this poses if it is not fully protected. Folks, if you have unattended agents out there and your SC is internet facing, you have lost your mind, PERIOD. The application does not appear to have any built-in protection against simple brute force attacks.

Jake, you promised a two factor example. While I have no intention of fiddling with Google or giving them my mobile number, I am somewhat baffled that the example has not yet been posted. I have CC in hand and would love to purchase, but am looking for a serious support tool that is built with security in mind. Can you post a timeframe regarding the addition of security features that will help prevent brute force attacks, etc.?
Jake  
#14 Posted : Saturday, October 6, 2012 8:32:59 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
The example I promised won't be delivered until at least a few days after we get our first official 3.0 prerelease out.
ScreenConnect Team
srf21c  
#15 Posted : Friday, October 12, 2012 8:34:02 AM(UTC)
srf21c


Rank: Advanced Member

Joined: 10/2/2012(UTC)
Posts: 44

Two factor authentication is an important product security feature to me as well.

Please consider integrating Yubikeys as very affordable two factor authentication technology. http://www.yubico.com/yubikey
Jake  
#16 Posted : Friday, October 12, 2012 9:53:06 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
We ordered one of those yubikeys a few days ago
ScreenConnect Team
Jake  
#17 Posted : Wednesday, October 17, 2012 10:36:11 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Attached is a replacement for Login.aspx that'll enable this. You'll need SC 3.0 build 3550 or greater. And coming is a video showing how to do it.
File Attachment(s):
Login.aspx (11kb) downloaded 109 time(s).
ScreenConnect Team
Tom Casper  
#18 Posted : Wednesday, October 17, 2012 3:05:25 PM(UTC)
Tom Casper


Rank: Newbie

Joined: 10/17/2012(UTC)
Posts: 1
Location: Florida

I use active directory authentication and have created uniquely named usernames and passwords. I have also set it to lock-out the account for 2 incorrect passwords for a period of 72 hours.
Jake  
#19 Posted : Wednesday, October 17, 2012 3:20:19 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Here is the video:


Shows TFA with Google Authenticator, Yubikey, and Email/SMS
ScreenConnect Team
thanks 1 user thanked Jake for this useful post.
vexation on 10/18/2012(UTC)
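Of the three factors the video covers, Google Authenticator is the one with a fully open algorithm: the app implements TOTP (RFC 6238), and the enrolment QR code is just an otpauth:// URI rendered as an image. The block below is an added Python illustration of that algorithm and URI, not the Login.aspx attachment from this thread (which is not reproduced on this page). RFC_TEST_SECRET is the published RFC 4226/6238 test-vector secret; the account and issuer strings are constructed.

```python
"""TOTP (RFC 6238) as used by Google Authenticator, plus the otpauth:// URI an
enrolment QR code encodes.  Added illustration, not ScreenConnect's Login.aspx.
RFC_TEST_SECRET is the RFC test-vector secret; account/issuer are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30      # seconds per time step (Google Authenticator default)
DIGITS = 6     # code length the app displays
WINDOW = 1     # accept one step of clock skew on either side

# Secret from the RFC 4226/6238 test vectors, base32 encoded as authenticator apps expect.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def new_secret(nbytes: int = 20) -> str:
    """Fresh per-user shared secret (20 bytes = the HMAC-SHA1 key size)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """Key URI format: this string, rendered as a QR code, is what the app scans."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time() if at is None else at)
    return hotp(secret_b32, t // STEP)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                last_used_step: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Accept a submitted code if it matches a step in [now-WINDOW, now+WINDOW]
    that is newer than the last step already used for this user.  Returns
    (accepted, step): persist that step and pass it back next time, so a code
    captured by a keylogger cannot be replayed inside the same window."""
    t = int(time.time() if at is None else at)
    current = t // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if last_used_step is not None and step <= last_used_step:
            continue                                   # already consumed
        if hmac.compare_digest(hotp(secret_b32, step), code.strip()):
            return True, step
    return False, None


if __name__ == "__main__":
    s = new_secret()
    print(otpauth_uri(s, "tech@example.com", "ScreenConnect"))   # constructed account
    print("current code:", totp(s))
```

Two things the verification does that a bare "compare the six digits" check would miss: it tolerates one step of clock drift in each direction (the usual cause of "my code never works" reports), and it remembers the last accepted step per user so a code seen on the wire or on a compromised client is dead once used.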
senner  
#20 Posted : Thursday, October 18, 2012 12:40:23 AM(UTC)
senner


Rank: Newbie

Joined: 10/18/2012(UTC)
Posts: 1

If you are looking to secure almost any web interface with a two factor type system, try Factored!: https://github.com/vangheem/factored

It sits in front of the whole web interface so no changes are required to the existing application, and it can integrate easily with many different backends, Google Authenticator etc. The benefit being that nobody knows what services sit behind this service. It is essentially a much easier to use, modify and implement version of SecureID/WebAgent/Apache module without the downfalls of that system and Apache, since we show you how to use nginx for integration.

If there is a specific two factor authentication method let us know we would be happy to help.

Edited by user Thursday, October 18, 2012 12:49:38 AM(UTC)  | Reason: Not specified

cobash  
#21 Posted : Thursday, October 18, 2012 12:21:34 PM(UTC)
cobash


Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 12/10/2011(UTC)
Posts: 132

Thanks: 4 times
Was thanked: 6 time(s) in 6 post(s)
I used the login.aspx that was a few posts up and put it in my 3.0 install but when I try to get to the main page I get the following. Any thoughts?

Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
Jake  
#22 Posted : Thursday, October 18, 2012 12:22:56 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
You need a new build ... due out today or tomorrow.
ScreenConnect Team
cobash  
#23 Posted : Thursday, October 18, 2012 12:29:40 PM(UTC)
cobash


Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 12/10/2011(UTC)
Posts: 132

Thanks: 4 times
Was thanked: 6 time(s) in 6 post(s)
Ok thanks! Looking forward to it.
davidgregg  
#24 Posted : Thursday, October 18, 2012 3:28:39 PM(UTC)
davidgregg


Rank: Newbie

Joined: 10/18/2012(UTC)
Posts: 1

Jake Morgan wrote:
Here is the video:


Shows TFA with Google Authenticator, Yubikey, and Email/SMS


What is the URL for the QR code generator used in this demo for using Google Authenticator?
Jake  
#25 Posted : Thursday, October 18, 2012 4:50:38 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
ScreenConnect Team
keiffers  
#26 Posted : Friday, October 19, 2012 9:44:38 PM(UTC)
keiffers


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 10/15/2012(UTC)
Posts: 21
Location: Columbus, Ohio

Was thanked: 2 time(s) in 1 post(s)
I just downloaded 3.0.3573.4675, applied the modified login.aspx and made the modifications mentioned in the video and email format two factor authentication is working great so far.
srf21c  
#27 Posted : Friday, November 2, 2012 12:59:59 PM(UTC)
srf21c


Rank: Advanced Member

Joined: 10/2/2012(UTC)
Posts: 44

I was also able to get the email two factor method working in short order. The Yubikey method is failing however with the message "Invalid one-time password". Current build is 3.0.3665.4688 linux version.
Jake  
#28 Posted : Friday, November 2, 2012 1:02:49 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Can you test your key here:

https://upgrade.yubico.com/getapikey/

Let me know if that works .... I'll take a look and see if I can figure out why in the meantime.
ScreenConnect Team
srf21c  
#29 Posted : Friday, November 2, 2012 1:26:36 PM(UTC)
srf21c


Rank: Advanced Member

Joined: 10/2/2012(UTC)
Posts: 44

Test worked fine; it returned a client ID and secret key. Should I edit my Login.aspx file and update it with these values? The howto video didn't mention anything about it.
Jake  
#30 Posted : Friday, November 2, 2012 1:28:14 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
You don't need to do that ... I don't think. Forget the secret key, but maybe try to swap in the ClientID and let me know if it works. Doubtful though. I'll test myself on Linux here in a little while.
ScreenConnect Team
ESchuler  
#31 Posted : Friday, November 2, 2012 1:34:35 PM(UTC)
ESchuler


Rank: Newbie

Joined: 11/2/2012(UTC)
Posts: 7
Location: MA

Thanks: 1 times
Two factor was working fine until I downloaded the latest Pre-Release 3.0.3665.4688. Now, when I copy the Login.aspx file into the ScreenConnect folder I get a Runtime Error on my Login page. Previous release was 3.0.3648.4686 (when it was working).
Jake  
#32 Posted : Friday, November 2, 2012 1:36:43 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
The latest pre-release "prefers" to run under .net 4.0 instead of 2.0, and there is a collision because .net 4.0 added the "Tuple" class that we previously defined ourselves. I'll have to rework some stuff to get it working.
ScreenConnect Team
srf21c  
#33 Posted : Friday, November 2, 2012 1:57:26 PM(UTC)
srf21c


Rank: Advanced Member

Joined: 10/2/2012(UTC)
Posts: 44

Jake Morgan wrote:
You don't need to do that ... I don't think. forget the secret key, but maybe try to swap in the ClientID and let me know if it works. Doubtful though. I'll test myself on linux here in a little while.


Edited Login.aspx and updated the clientID, restarted ScreenConnect service, then tried two factor yubikey login; failed with the same error. Is there any logfile or debug output I can peruse to see what's going on?
Jake  
#34 Posted : Friday, November 2, 2012 5:00:28 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
srf21c wrote:
Edited Login.aspx and updated the clientID, restarted ScreenConnect service, then tried two factor yubikey login; failed with the same error. Is there any logfile or debug output I can peruse to see what's going on?


OK, so under mono, the full error is this:

System.Net.WebException: Error getting response stream (Write: The authentication or decryption has failed.): SendFailure ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server. Error code: 0xffffffff800b0109 at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.validateCertificates (Mono.Security.X509.X509CertificateCollection certificates) [0x00000] in :0 at Mono.Security.Protocol.Tls.Handshake.Client.TlsServerCertificate.ProcessAsTls1 () [0x00000] in :0 at Mono.Security.Protocol.Tls.Handshake.HandshakeMessage.Process () [0x00000] in :0 at (wrapper remoting-invoke-with-check) Mono.Security.Protocol.Tls.Handshake.HandshakeMessage:Process () at Mono.Security.Protocol.Tls.ClientRecordProtocol.ProcessHandshakeMessage (Mono.Security.Protocol.Tls.TlsStream handMsg) [0x00000] in :0 at Mono.Security.Protocol.Tls.RecordProtocol.InternalReceiveRecordCallback (IAsyncResult asyncResult) [0x00000] in :0 --- End of inner exception stack trace --- at Mono.Security.Protocol.Tls.SslStreamBase.AsyncHandshakeCallback (IAsyncResult asyncResult) [0x00000] in :0 --- End of inner exception stack trace --- at System.Net.HttpWebRequest.EndGetResponse (IAsyncResult asyncResult) [0x00000] in :0 at System.Net.HttpWebRequest.GetResponse () [0x00000] in :0 at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in :0 at System.Net.WebClient.OpenRead (System.Uri address) [0x00000] in :0


It apparently doesn't like the certificate from the yubi people. Looking into how mono validates certs....
ScreenConnect Team
Jake  
#35 Posted : Friday, November 2, 2012 5:07:20 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
OK, so my default mono has no certs installed. You should run mozroots to import all the mozilla root certs:

Code:
sudo mozroots --import --machine --ask-remove


Now everything works for me. I'll probably make the error somewhat more discoverable in the future.

And for the people running .NET 4.0, just do a text replace changing "Tuple" to "Elsinore.ScreenConnect.Tuple" ... we'll be compiling that stuff into our assemblies soon enough anyway, and we'll have a better "Tip or Trick" for this whole process.
ScreenConnect Team
srf21c  
#36 Posted : Friday, November 2, 2012 6:21:55 PM(UTC)
srf21c


Rank: Advanced Member

Joined: 10/2/2012(UTC)
Posts: 44

That did the trick, thx. You guys rock.
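The Yubikey failure above was a TLS trust problem between the server and Yubico's validation service, and the client ID / secret key question earlier in the thread maps onto the same exchange. As an added Python illustration (not the Login.aspx code, and not Yubico's client library), the block below checks a validation-server reply the way the YubiCloud Validation Protocol v2.0 describes it: the reply's h field is base64(HMAC-SHA1(api_key, the other fields as sorted "k=v" pairs joined by "&")), with the API key being the base64 secret from the getapikey page. The API key, OTP and reply are constructed for the demo; a real client also sends the request over properly validated TLS, which is what the mozroots import fixes.

```python
"""Verifying a YubiCloud validation reply (Validation Protocol v2.0 as this
example understands it).  Added illustration; API key, OTP and reply are
constructed, not real."""
import base64
import hashlib
import hmac

MODHEX = set("cbdefghijklnrtuv")   # YubiKey OTPs use this 16-letter alphabet


def public_id(otp: str) -> str:
    """The last 32 modhex chars are ciphertext; whatever precedes them is the
    key's public identity.  Bind that prefix to the user at enrolment, or any
    valid YubiKey in the world can log in as any user."""
    if len(otp) < 32 or any(c not in MODHEX for c in otp):
        raise ValueError("not a modhex YubiKey OTP")
    return otp[:-32]


def response_signature(fields: dict, api_key_b64: str) -> str:
    """h = base64(HMAC-SHA1(api_key, sorted 'k=v' pairs joined by '&')), over
    every field except h itself."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def parse_response(body: str) -> dict:
    """The server answers with one key=value per line."""
    fields = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            k, v = line.split("=", 1)      # base64 padding in h contains '=' too
            fields[k] = v
    return fields


def validate(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str,
             enrolled_public_id: str):
    """Return (accepted, reason).  The signature check protects the answer from
    tampering even if the TLS layer is misconfigured; the otp/nonce checks stop
    a recorded 'status=OK' reply being reused for a different login."""
    f = parse_response(body)
    if "h" not in f:
        return False, "unsigned response"
    if not hmac.compare_digest(response_signature(f, api_key_b64), f["h"]):
        return False, "bad signature"
    if f.get("otp") != sent_otp:
        return False, "otp mismatch"
    if f.get("nonce") != sent_nonce:
        return False, "nonce mismatch"
    if f.get("status") != "OK":
        return False, "status " + f.get("status", "?")
    if public_id(sent_otp) != enrolled_public_id:
        return False, "key not enrolled for this user"
    return True, "OK"


# --- constructed demo data (not a real key, OTP or nonce) -------------------
DEMO_API_KEY = base64.b64encode(b"constructed-demo-key-not-real").decode()
DEMO_OTP = "cccccccccccc" + "nvgkcfhhbutlrdtnkifdlfuuigctufvl"   # 12 + 32 modhex chars
DEMO_NONCE = "0123456789abcdef0123456789abcdef"


def demo_reply(status="OK", otp=DEMO_OTP, nonce=DEMO_NONCE) -> str:
    """Build a reply signed with DEMO_API_KEY, as a well-behaved server would."""
    f = {"t": "2012-11-02T17:00:28Z0123", "otp": otp, "nonce": nonce,
         "sl": "100", "status": status}
    f["h"] = response_signature(f, DEMO_API_KEY)
    return "".join(f"{k}={v}\r\n" for k, v in f.items())


if __name__ == "__main__":
    print(validate(demo_reply(), DEMO_API_KEY, DEMO_OTP, DEMO_NONCE, "cccccccccccc"))
```

The reason not to "fix" the certificate error by turning validation off is visible in `validate`: the signature covers the status, so a forged reply needs the API key, but a client that skips TLS validation and does not check h would accept any status=OK a middlebox hands it. Importing the roots (as the thread did) and checking h together cover both cases.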
itspecops  
#37 Posted : Tuesday, November 6, 2012 8:22:17 PM(UTC)
itspecops


Rank: Newbie

Joined: 11/6/2012(UTC)
Posts: 2
Location: Portland, Oregon

Great news and good to hear we are going to get two factor authentication implemented.

Also, if I could add my 2 cents, we should make sure that we get alerts to failed login attempts, even if the user doesn't exist, that way we know the doors are being rattled.

Here is a suggestion: if ScreenConnect detects that an IP address has made X amount of failed attempts to an existing or non-existent user, ban that IP address and take away the login page from that specific IP, so no user input fields exist, reducing the attack surface. Once they figure out they can't brute force it, they may try to inject code into the input fields; of course that won't prevent them from trying directory traversal or other types of URL manipulation attacks, but of course that's where IPS / IDS comes in.

- Robert
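The two controls asked for above (alert on every failed attempt, including attempts against usernames that do not exist, and cut off a source after X failures) fit in a small piece of server-side state. The following is an added Python illustration, not ScreenConnect's code; the thresholds, window, lockout duration and sample addresses are constructed, and the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login throttling and alerting for a public-facing login page.
Added illustration (not ScreenConnect code); thresholds and addresses are
constructed.  Existing and non-existent usernames are treated identically so
the page does not leak which accounts exist."""
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_per_ip=10, max_per_user=5, window=600, lockout=3600,
                 now=time.time):
        self.max_per_ip = max_per_ip        # failures from one address in `window`
        self.max_per_user = max_per_user    # failures against one name in `window`
        self.window = window                # seconds over which failures are counted
        self.lockout = lockout              # seconds a ban / lock lasts
        self.now = now                      # injectable clock for testing
        self._ip_fail = defaultdict(deque)
        self._user_fail = defaultdict(deque)
        self._ip_banned_until = {}
        self._user_locked_until = {}
        self.alerts = []                    # what an operator would be notified with

    def _recent(self, dq, t):
        """Drop timestamps older than the window; return how many remain."""
        while dq and dq[0] <= t - self.window:
            dq.popleft()
        return len(dq)

    def check(self, ip: str, username: str) -> str:
        """'allow' or 'deny'.  On 'deny' serve a page with no input fields at all;
        the answer is the same whether the name exists or not."""
        t = self.now()
        if self._ip_banned_until.get(ip, 0) > t:
            return "deny"
        if self._user_locked_until.get(username.lower(), 0) > t:
            return "deny"
        return "allow"

    def record_failure(self, ip: str, username: str, user_exists: bool) -> None:
        t = self.now()
        user = username.lower()
        # Every failure is reported, existing user or not: "the doors are being rattled".
        self.alerts.append(f"{ip} failed login for {user!r} (exists={user_exists})")
        self._ip_fail[ip].append(t)
        if self._recent(self._ip_fail[ip], t) >= self.max_per_ip:
            self._ip_banned_until[ip] = t + self.lockout
            self.alerts.append(f"BAN {ip} for {self.lockout}s")
        # Per-name lock: count unknown names too.  Note that a per-name lock can be
        # used to keep a real admin out, so keep it short and pair it with the
        # per-address ban rather than relying on it alone.
        self._user_fail[user].append(t)
        if self._recent(self._user_fail[user], t) >= self.max_per_user:
            self._user_locked_until[user] = t + self.lockout
            self.alerts.append(f"LOCK {user!r} for {self.lockout}s")

    def record_success(self, ip: str, username: str) -> None:
        """A successful login clears that name's failure history."""
        self._user_fail.pop(username.lower(), None)


if __name__ == "__main__":
    g = LoginGuard(max_per_ip=3, max_per_user=2)
    for name, exists in (("admin", True), ("ghost", False), ("admin", True)):
        g.record_failure("198.51.100.7", name, exists)      # constructed address
    print(g.check("198.51.100.7", "admin"), g.alerts)
```

The alert list is the part most shops skip: a lock that fires silently tells you nothing about how often the login page is being probed, while a feed of failed-attempt events (with the non-existent names included) is exactly the signal an IDS or a log-watcher can act on.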



ESchuler  
#38 Posted : Wednesday, November 7, 2012 12:00:25 PM(UTC)
ESchuler


Rank: Newbie

Joined: 11/2/2012(UTC)
Posts: 7
Location: MA

Thanks: 1 times
Modified the Login.aspx and now works once again. Excellent, Thank You!
cobash  
#39 Posted : Wednesday, November 14, 2012 8:16:34 AM(UTC)
cobash


Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 12/10/2011(UTC)
Posts: 132

Thanks: 4 times
Was thanked: 6 time(s) in 6 post(s)
I updated to the stable version of 3.0 and when I try to use the Two Factor Authentication I am getting the following.

Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.


<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>

Any suggestions?
Jake  
#40 Posted : Wednesday, November 14, 2012 2:45:19 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
This is now a "Trick" in our Tips and Tricks forum:
http://forum.screenconne...ctor-Authentication.aspx
ScreenConnect Team
hongdida  
#41 Posted : Friday, July 11, 2014 3:36:01 AM(UTC)
hongdida


Rank: Newbie

Joined: 7/11/2014(UTC)
Posts: 1
Japan

Originally Posted by: davidgregg
Jake Morgan wrote:
Here is the video:


Shows TFA with Google Authenticator, Yubikey, and Email/SMS


What is the URL for the QRCode generator used in this demo for using Google Authenticator??


Check the comments on the article:

http://www.techrepublic....gin-to-non-google-sites/
norrislees  
#42 Posted : Thursday, July 24, 2014 9:35:16 AM(UTC)
norrislees


Rank: Newbie

Joined: 7/24/2014(UTC)
Posts: 1
United States
Location: San Joes

Originally Posted by: hongdida
Originally Posted by: davidgregg
Jake Morgan wrote:
Here is the video:


Shows TFA with Google Authenticator, Yubikey, and Email/SMS


What is the URL for the QRCode generator used in this demo for using Google Authenticator??


Check the comments on the article:

http://www.techrepublic....gin-to-non-google-sites/


Thanks for suggestion.
