Ref: 16530007
Title: What is Logon Security?
Date: 12/6/89

Copyright 3Com Corporation, 1991.  All rights reserved.

Logon security validates a user's name and password, verifying the user's
right to be on the network at the time they log on.  Without logon security
any user can attach to the network, but that does not by itself grant access
to files; such a user is normally limited to the resources that the
GUEST account can access.

The GUEST account name can be changed in the server's LANMAN.INI file.  If
GUEST does not exist, or has been granted access to no resources, the same
holds for any user who has no account on that server.

If either a server or an OS/2 workstation has the "logonserver=" parameter
left blank in its LANMAN.INI file, that machine will not participate in
logon security, because logon security requires cooperative processing
between the workstation and the server.  (Note:  Logon security does not
apply to basic DOS netstations.)

For example, when performing a net logon, the workstation sees that it has
the logonserver=servername or logonserver=\\* parameter in its
LANMAN.INI file.  The workstation then attempts to validate itself
with the server running the net logon service.

The logonserver=servername parameter points to the server that should be
running the net logon service.  The logonserver=\\* parameter allows any
server to validate the user if the server is running the net logon service.

Because logon security can be bypassed simply by leaving the logonserver
parameter blank in the workstation's LANMAN.INI file, it should be viewed as
an account validation service rather than a security system.  Protection of
the resources themselves still depends on the access permissions set on each
server's shares, which apply whether or not the workstation was validated.


Centralized and Distributed Logon Security

There are two types of logon security:  centralized and distributed.
Centralized security is where one server is responsible for validating
all users.  Distributed security is where more than one server is
responsible for validating accounts.

If logon security is centralized, the servers' LANMAN.INI files have
the parameter centralized=yes.  The parameter logonserver=servername may
be omitted on the servers, because there is no reason for the servers to
participate in logon security.  OS/2 netstations and DOS enhanced netstations
must have the parameter logonserver=servername or logonserver=\\*.

If logon security is distributed, the LANMAN.INI file parameter for the
workstation must be either logonserver=\\* or logonserver=\\servername.
The \\* parameter essentially says "The first server with netlogon service
that validates you is okay with me."  The \\servername value points to the
specific server that is to provide the logon validation for this workstation.


Primary and Secondary Protocols

On servers with dual protocols, logon security will not work under the
secondary protocol.  This is because the srvnet parameter in the server's
LANMAN.INI file tells the server to service only net1, while the
workstation can reach the server over either net1 or net2.

Thus, a server with primary protocol NBP and secondary protocol XNS will not
be able to validate a user who is using XNS protocol.  This will remain true
until more than one network is supported on the srvnet parameter.


Logon Scripts

Logon scripts must be enabled in order for logon security to work
for an individual user.  You may use a default script for all users
or you may use customized scripts for individual users.

To enable the logon script you must either activate the "Use logon
script" button in the admin network interface or issue "net admin
\\servername /c net user username /enablescript=yes" at the command
line.  You must have admin access to the server to issue this command
or to use the admin network interface.

In 3+Open Lan Manager 1.1 a change was made to allow a user to
execute the same script name, but with a different extension
regardless of the type of workstation they logged on from.

Thus, if the user is set up to use NETGO.CMD and logs on from a DOS
netstation, the system tries to execute NETGO.BAT instead; conversely, a
user set up for NETGO.BAT who logs on from an OS/2 netstation gets
NETGO.CMD.  If the substituted file does not exist, the user sees a "bad
command or filename" error, so both versions of the script should be
present when users log on from both kinds of workstation.


Custom Scripts

If you decide to create a custom script, the following replaceable
parameters are passed to it when the user logs on:

   %1 = Username to be validated
   %2 = Logon server's computername
   %3 = Sharename of the 3OPEN\USERS directory
   %4 = The path of the user's home directory, relative to userdirs
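The following NETGO.BAT is an added illustration of how these four
parameters are typically used in a custom script; it is not part of the
original 3Com note.  It assumes that the user's home directory (%4) is a
subdirectory beneath the share named by %3, that drive letters H: and T:
are free on the workstation, and that a share called "tools" exists on the
logon server; all three are assumptions, not facts from the note.

```batch
@echo off
rem NETGO.BAT - added example of a custom LAN Manager logon script.
rem Parameters as documented for 3+Open LAN Manager logon scripts:
rem   %1 = user name being validated
rem   %2 = logon server's computername
rem   %3 = sharename of the 3OPEN\USERS directory
rem   %4 = user's home directory, relative to userdirs
rem Assumptions: %4 lies beneath the %3 share, H: and T: are free,
rem and a share named "tools" exists on the logon server.

if "%1"=="" goto noargs

rem Connect to the shared users directory and move into the user's
rem own home directory.  The home path is taken from %4, so the same
rem script serves every user without per-user editing.
net use h: \\%2\%3
if errorlevel 1 goto failed
h:
cd \%4

rem Connect a common tools share from the same logon server (assumed name).
net use t: \\%2\tools

echo Logged on as %1 via %2; home directory is h:\%4
goto end

:noargs
echo Logon script was called without parameters.
echo Check that the script is enabled for this user (/enablescript=yes).
goto end

:failed
echo Could not connect to \\%2\%3 on the logon server.

:end
```

Save a copy as NETGO.CMD as well, so that users who log on from an OS/2
netstation get the same script instead of a "bad command or filename"
error.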


Common errors

On the workstation, you may see these error messages:

Log0086 = incorrect password
Log2215 = script not enabled

On the server, you may discover that the workstation service cannot start.
This can be caused by placing the logonserver=\\servername parameter in the
server's own LANMAN.INI file.  To solve the problem, either remove the
\\servername portion, or make sure that the server is trying to log on with
the correct password and that a logon script has been enabled for the
server's account.

If you move the location of your user directories, make sure you
delete the "users" sharename if there is one and the "userdirs"
sharename, then add the "userdirs" sharename again.  Save the
configuration to a profile, most likely SRVSHARE.PRO, then edit the
LANMAN.INI file on the server userpath= parameter to point to the
new location (for example, userpath=e:\userstuf).  Finally, reboot the
server.

