pcAnywhere authentication can pass from the logged in user to pcA authentication

Created: 12 Jul 2010 • Updated: 25 Jun 2012 | 47 comments
Pascal KOTTE's picture
66 Agree
0 Disagree

FEATURE REQUEST: pcAnywhere should support SSO, so that authentication can pass from the logged-in Windows user to pcA authentication. This would avoid requesting the login/password again and exposing them by storing them in PCA, instead of following the best practice of pass-through authentication.

I can understand that in workgroup mode, or with local authentication, or NT authentication level, or on a non-Windows computer, it is mandatory to ask for credentials before initiating a remote session.
But when using CMS7 with integrated AD authentication....
Can you explain to me why this angry PCA QuickConnect asks again for credentials, even though I am already logged in? Does SSO mean anything to Symantec?

(Link not valid any more, and I cannot find this KB again...)
Here the KB confirms this problem: https://kb.altiris.com/article.asp?article=52280&p=1

Thanks all for supporting this KB & voting up this Idea !!
(Using pcAnywhere version 12.5.539, integrated with CMS 7.0 SP2 MR1)

Is there any workaround for this ??? Except forcing a fixed generic login/password that can be used by anybody...
1st, we need to use the PCA full package to configure, and it is not provided with CMS7; 2nd, it is really not secure enough.
 

47 Comments

Martijn Groothuis's picture

That would be great, and to be honest you would think the application would work that way already.
The most stupid thing is that you have the checkbox to remember the user and password which doesn't even work.

Martijn Groothuis
Technical Consultant
If your question has been resolved, please be sure to click Mark as Solution! Thank you.

+5
ICHCB's picture

The remember user and password in the first screen of Quick Connect is to remember the credentials that pcA will use for authentication only for that one host.
If you don't check the start host if not running and you don't check the deploy thin host then you will have better luck.  If QC tries to reach out to the host to check and start the host service then you have to provide administrative credentials for the target host.   (agreed this is lame: if you already have the level of credentials it should use your current Windows credentials to do this).

If you have 10 hosts that you connect to then you will have to enter your credentials 10 times and check the save credentials 10 times.  Once you have connected to all of your hosts it will quit asking for authentication credentials.

Hope this helps with understanding what is happening on these screens.

Cheers.

If you find this post helpful please give it a thumbs up!
If you find that this solves your problem please mark it as the solution! 

0
robertser's picture

This is a highly needed feature.  If you are already checking for the logged in user for access to the console why do you need to have them enter their credentials again? Nice to have it there as an option but the default should just be a pass through.  I vote a STRONG YES.

+3
pro.gti's picture

The support agent talked with development and it was indicated this wasn't considered a pressing issue, I wasn't given any assurance that would be included in a future version, though they said the more people that subscribed to the KB article (the link is broken currently) the more likely it would be addressed.

+2
Ludovic Ferre's picture

So the link now works, for everyone to enjoy ;).

I am currently off-net, on a retreat of some kind. I'll be back real soon, and you sure will hear from me then ;-).

Ludovic FERRÉ
Principal Remote Product Specialist
Symantec

0
LShackleton's picture

I'm amazed this isn't there, and it makes me incredibly glad I haven't been able to upgrade yet due to the exporters failing. Even just a checkbox for "use current credentials" would be just fine.

+1
yabru's picture

I've noticed that if you have 'Wait 30 secs for User to accept' and then, let's say, the user doesn't acknowledge or there is no response, the remote session then continues successfully. There should be an option to either 'abort' or 'continue' as there is in DS 6.9.

But agreed the most frustrating issue, is to have to reconfirm your user account credentials...

+1
ACassar's picture

This is fixed in the latest build of pcAnywhere solution.  You're probably running with "SuperUser" credentials which can't be denied access to connect to machines.  If you are a "Standard" user, then you should only be granted automatic access after the timeout if the computer is Logged out or Locked.
Check out this KB article for more info: https://kb.altiris.com/article.asp?article=48119&p=1

0
ACassar's picture

....primarily because it doesn't use passthrough authentication.

The Remember User and Password is a MAJOR MAJOR security flaw in the design of the pcA quick connect application.
Whenever you select this option, the credentials are saved within a CHF file under the path "C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\pcAQuickConnect".
Yes, that's right..  they are saved in the All Users profile..  So if I log out of my machine and then someone else logs in, they can run pcAnywhere quick connect and then connect to one of those machines I saved the credentials for, using my PERSONAL credentials...

I have also raised a ticket about this and was told that this wasn't seen as a very serious issue..  Unfortunately it is serious enough for our firm to reconsider using pcAnywhere solution as a remote control tool.
 

Pass through authentication would fix this issue perfectly..  Saving credentials in stand alone files is an archaic practice and opens the software up to countless security vulnerabilities.

It's a shame because we have had to move away from DS remote control as well, due to security concerns.

+2
ICHCB's picture

I would say not to use quick connect.   The full product allows you to save your credentials in a location of your choice (the default is all users)  and you don't have the annoying ask several times to get credentials issue.    It doesn't do pass through but at least it isn't Quick connect. 

Cheers.

If you find this post helpful please give it a thumbs up!
If you find that this solves your problem please mark it as the solution! 

+1
ACassar's picture

Unfortunately that's not really an option for us either.  The full product is too powerful and is not something we would want to give to people like first line support or trainers for example. QuickConnect would be the perfect solution if only it offered passthrough.

+1
ICHCB's picture

Someone even went so far as to make an article on how to set up pca as an Excel macro to launch it.   I hear you that the QC could be perfect for the first line support; maybe the next version will be better laid out.    Check out the article section and look at pca and then the Excel macro doc, it is kind of trick.  I imagine other uses could be set up like this that may make the full product work for you.  You can use packager to build a custom install to remove features you don't want the front line to have.

Cheers.

If you find this post helpful please give it a thumbs up!
If you find that this solves your problem please mark it as the solution! 

0
ACassar's picture

While you can lock down most of the features with a combination of the packager, group policies and renaming some files, it still doesn't seem possible to completely remove the ability to create BHF files.  Take the "Connection Wizard" for example from the pcAnywhere Tools menu.  This ends up creating a local BHF file which could be used to replace the BHF file on the host.  Restarting the host service would then result in the host starting up with the new configuration.

You wouldn't know of a way to disable this, would you?

I have seen the Excel thing before and I'm starting to think that developing my own console is going to be the only way to ensure we don't give users the ability to create BHF files and circumvent our security policy (of course nothing is stopping them from buying a retail version of pcA and using that to create the BHF files).
Might not be a bad idea actually, if I develop my own console I'll be able to do some lookups on the DS database and maintain my ability to search for PCs based on the logged on user name.

0
mRizz's picture

This is for me the #1 Feature Missing in Altiris!
It's very annoying to enter the password again and again on each call.
How can I support this Feature Request? The link above isn't working.

+2
michael cole's picture

/signed

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+1
Jesse A. Gonzales's picture

This is not just an issue for Windows computers and SSO. Symantec needs to understand that if they decide to support a platform that it should function equally on whatever platform. I am not saying that this is Symantec's position, but it certainly seems that pcAnywhere is an inconvenience to Symantec, which is disappointing when trying to support the product. I get the feel that Symantec would like to EOL it (that is only my opinion).

This issue hurts the customer and is compounded if the user supports the Mac. You only have  a choice of pcAnywhere or OpenDirectory. This doesn't help the case that the Macs can be integrated into the enterprise. We have about 3000 Macs and had to use the pcAnywhere method of authenticating, which required us to have a common user on every computer, because you are only allowed to add a single entry in the Active Users or groups window of the Authentication tab of the plug-in settings page. 

I strongly agree that if I am authenticating against the Symantec Management Platform and fall within the group that is assigned pcAnywhere privileges that the credentials that I used to sign into the SMP should carry forward - on any platform that is purported to be supported by pcAnywhere.

I would love to see this product continue, but this product needs a makeover and is pretty long in the tooth. Any product development roadmap communication would be appreciated. 

+2
michael cole's picture

Erm, SSO is a minor inconvenience compared to showing my colleague today how I could steal his AD login credentials using PCA QC...

Process:
1) Allow your friend to launch Quick Connect and save some credentials on his PC.
2) Log into his machine as yourself
3) Launch "Asterisk Logger"
4) Launch Quick Connect and pick a connection
5) Copy your friend's Active Directory credentials and watch his face.

I don't think they want to EoL PCA, they just don't seem to be able to fix it or understand its issues.

Symantec, please fix it properly; changing the encryption style on the CHFs will only continue to encourage tools like http://www.nirsoft.net/utils/pcanypass.html
SSO is a means to fixing the security hole, NOT a product enhancement.

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+2
yabru's picture

Given the popularity / severity of this 'Idea', is there any chance we can get a comment from the PcAnywhere Product Manager on this? Or at least whether any of these issues will / are being addressed in future releases?

Or is this not the place for that...?

+3
pro.gti's picture

Quick Connect shouldn't be part of the default client install IMHO; with the security issues mentioned it's not suitable for enterprise use.  For those that want to use it however, it should be an option if they have come to rely on it. I have to set up a task now to remove it, which is an annoyance.

+4
Pascal KOTTE's picture

or should I ?

~Pascal @ Kotte.net~ Do you speak French? And use Altiris? Come and join us at the GUASF

+2
chris.vanderlinden's picture

If it is going to continue to be a part of CMS7 (and integrated with NS7)... the NS console should also natively run the remote session itself.

I mean you can install UVNC onto the PC, set it up to use AD / LDAP, and then remote into the PC via a browser.  Why hasn't this been implemented in PCA?

The only nice thing with PCA + NS7 right now is the auditing ability.  Other than that UVNC seems to do a lot better in every other category.

+2
BigRedAV's picture

Secure SSO would be key.

I am trying to replace LanDesk with Altiris, and one piece is remote control. My HelpDesk likes PCA, but they do not like that they have to log in every time.

It would be nice to have a PCA webpage from Altiris, or PC server, that allows Admins to search and control clients without having to log in every time. I'm looking at different options.

+3
BigRedAV's picture

Another thing with Authentication is........ if the PC is locked, or on but no one is logged in, it would be nice if it did not ask for user interaction on the other end. If an account is logged in, and does not have the PC locked, then yes, ask. But if I turn a PC on, and try to access it, I cannot with PC Anywhere. Any thoughts on this? Am I missing a setting somewhere?

0
michael cole's picture

Carbon Copy (PCA's predecessor) would go in straight away if the remote computer was logged out. PCA counts out 30 seconds then goes in. Worse still, if it's user-locked, it counts out 30 seconds then disconnects the session.

Net result is my Helpdesk have to wait 30 seconds and it might either go in or disconnect, leaving them confused and asking me why it's different from Carbon Copy.

There are only two configurable settings also: superusers or standard user which are not configurable which isn't enterprise friendly.

There are other things but keeping this post in track we are asking for SSO for PCA and for quickconnect to be removed from the enterprise product to bring the application more in line with expectations.

I'll drop a "please Symantec" at the end for old times sake ;)

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+1
pro.gti's picture

You should be able to take control of a PC which is locked or when no one is logged in, check how the "Require user to approve connection" setting is configured in your policy perhaps and this article may be of some help as well: 

http://www.symantec.com/docs/TECH138171

0
michael cole's picture

This January's build does indeed allow you to take control at a locked screen. The patch you linked stops that. I don't know if that will become the default policy going forward though.

Try this for some fun: Log into a user's session, lock their keyboard and mouse and then kill the PCA session. The user will stay locked and unable to do anything until you connect to them again. I don't think that should be by design. However we only managed this by crashing the PCA session by trying to use the drawing tools which often hang it.

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+1
aymansh's picture

I also need saving of IT workers' username and password, or passing of Windows authentication. Our customer is very upset about entering the username and password each time and may replace PcA with DameWare.

Eng. Ayman S. Shehada
Altiris System Engineer

0
Pascal KOTTE's picture

You must use a predefined key (login/password), which you integrate into the Quick Connect operators' installation. So they no longer need to give any login/password.

Of course, getting access is just a matter of copying a file (integrating the login/pwd) to a new machine... So easy to bypass. But we can also check in inventory that this "critical" file is not on undesired machines. We can limit this file to a "user profile", I think.

This seems to be less secure than using AD authentication, but it is not, in the PCA context: in fact, using AD authentication with PCA 12.5 exposes the AD login/password because it is not encrypted strongly enough. It is a shame to expose a very good KERBEROS, don't do that please !!!

~Pascal @ Kotte.net~ Do you speak French? And use Altiris? Come and join us at the GUASF

+2
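
The inventory check suggested in the comment above, applied to the saved-credential files ACassar describes earlier in the thread, as an added PowerShell example that is not part of the original posts or of any Symantec tool. The folder and the `.chf` extension come from the thread; the function name and the list of well-known SIDs are assumptions of this example, and it needs PowerShell 3.0 or later.

```powershell
# Added example: not Symantec code and not from the thread's authors.
# Read-only: it lists files and their ACLs, nothing is opened or changed.
function Get-PcaSavedCredentialFile {
    [CmdletBinding()]
    param(
        # Default is the folder quoted in the thread. On Windows versions that keep
        # All Users application data elsewhere, pass that folder explicitly.
        [string[]]$Path = @(
            'C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\pcAQuickConnect'
        )
    )

    # Well-known SIDs that cover any locally logged-on user (language independent).
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        $files = Get-ChildItem -LiteralPath $dir -Filter '*.chf' -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }

        foreach ($file in $files) {
            $acl = Get-Acl -LiteralPath $file.FullName

            # Explicit and inherited ACEs, with identities returned as SIDs.
            # ACEs that grant access only through generic rights are not matched.
            $broad = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broadSids.ContainsKey($_.IdentityReference.Value) -and
                (($_.FileSystemRights -band $readData) -ne 0)
            })

            # One record per saved connection file, ready for an inventory import.
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                File           = $file.FullName
                Owner          = $acl.Owner
                LastWriteTime  = $file.LastWriteTime
                ReadableBy     = ($broad | ForEach-Object { $broadSids[$_.IdentityReference.Value] } |
                                      Sort-Object -Unique) -join '; '
                SharedExposure = ($broad.Count -gt 0)
            }
        }
    }
}

Get-PcaSavedCredentialFile | Sort-Object File | Format-Table -AutoSize
```

A row with `SharedExposure` set to True marks a saved connection file that any user logging on to that machine can read, which is the condition described in the thread.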
Pascal KOTTE's picture

Here is some news from Symantec:

Altiris pcAnywhere™ Solution 12.6 (What's new)
• Support for Symantec Management Agent 7.1
Altiris pcAnywhere™ Solution 12.6 (Key feature)
• Central rollout and administration of remote control agents:
  - pcAnywhere plug-in rollout policy simplifies rollout
  - Remote control policies are centrally managed and controlled by role-based security
  - Usage details presented in standard reports for security and audit purposes
• Powerful remote control features:
  - Multi-monitor support displays monitors connected to the client computer
  - File copy between remote and host computers
  - Screen scaling to quickly optimize view of computer
• Internet capable remote control:
  - Access Server technology included with pcAnywhere Solution provides gateway to manage remote control connections over the Internet
• Active Directory authentication for secure connections:
  - AD users and groups can be assigned remote control permissions by assigning them to pcAnywhere Solution users. Remote control access can then be easily controlled based on AD group membership Employee exit: identifying employee assets, license harvesting, etc.

The problem is I don't know if the AD authentication is still the same or correctly does SSO using the Windows API...

~Pascal @ Kotte.net~ Do you speak French? And use Altiris? Come and join us at the GUASF

+2
Screenbert's picture

While it is not pass-through authentication, the link below has a tool I created that allows for saving credentials and has a few other features. That might help in the interim.

https://www-secure.symantec.com/connect/downloads/pcanywhere-diagnostic-and-connect-tool-v10012

Screenbert

+2
mRizz's picture

Unfortunately Altiris 7.1 with Pca 12.6 did not introduce the SSO feature.

+1
robertser's picture

It is such a shame that they have not fixed all of these glaring features with PCA in 7.1.  Most of these things are features that PCA is already capable of but the integration of it into NS 7 is the hold-up.

+1
Joe Bagnulo's picture

PCA is one of the last remote control tools out there that doesn't support passthrough single-signon authentication.

It's great that SYMC is offering such a wide range of tools, keep pushing to integrate and streamline usage!

0
michael cole's picture

...But http://www.symantec.com/docs/TECH137703 has caused massive problems for us. PCA can't work when you use another remote session like RDP on the PC since it binds to KVM. We are going more thin client, which I imagine is a common global trend again for money savers, and using Sunray from Oracle. This uses an RDP session so PCA tries to bind to multiple sessions and falls over, which makes it completely unusable. In this case we are using Carbon Copy!!

I realise this is an AD SSO post but it has turned into a little campaign for a better PCA product.

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+1
cosp's picture

Anything new about pcAnywhere "Single sign in" support on authentication in 7.1?

It's a major problem for us to log in each time when you are going to remote control.

+3
MacBrinky's picture

Looking forward to get that implemented in a future version of pcA but so far no hint about it.

-1
CraigV's picture

...not sure how I got included in this, unless Backup Exec was also tagged to get more exposure!

Alternative ways to access Backup Exec Technical Support:

https://www-secure.symantec.com/connect/blogs/alte...

-1
Pascal KOTTE's picture

Only ask for about 2 years...

We can hope Symantec will accelerate a correct "SSO" Windows security integration, after the exposure of the sources:

http://www.symantec.com/connect/sites/default/files/pcAnywhere%20Security%20Recommendations%20WP_01_23_Final.pdf

~Pascal @ Kotte.net~ Do you speak French? And use Altiris? Come and join us at the GUASF

+2
michael cole's picture

And the thing that really gets me (aside from leaving this product as it already is) is that instead of hearing this from Symantec themselves, several people saw articles like the one on the BBC Technology site and started flooding our company with panic emails as if this was the first problem that PCA has ever had.

Why should we be finding out from Secunia, or BBC or umpteen other websites about PCA instead of Symantec actually informing their customers directly about it first? How many emails have product specialists and sales support and security and account managers already received about this? I know a few since I've ended up getting copied and it's just ridiculous.

Fix it. Better still EoL it and replace it with something else since the product name is muddied beyond belief now.

Michael Cole

Principal Business Critical Engineer

Business Critical Services

+1
mike_plichta's picture

I'd like to hear from Symantec what is a higher priority than SSO.  From the 12.6 release note, PC Anywhere now has "powerful remote control features".  If I could post the rage comic "You don't say" picture here, I would do so.  They also say you can mass deploy it but Altiris already has the ability to mass deploy msi files with command line switches.  Apparently making it its own agent took all of last year so you can mass deploy it in the new way. 

Multi Monitor support, well fine I guess that's a nice feature but not a higher priority in my book. 

File copy... hasn't that been a feature for several versions now?  Besides, Altiris can do this.

Standards reports - great more reporting.  Perhaps this would be useful to a call center. 

Fix the pass through authentication, this is costing me way too much time out of my day. 

+2
mike_plichta's picture

I came back to revisit my article since I updated to the newest release of PCAnywhere 12.6.8096.  It seems they added an encryption feature that pops up a hex code and asks if you are sure this machine is legit.  This is going in the wrong direction for what I was hoping to see in the product.  While it sounds nice to have added extra security, I don't see how an expert, let alone your standard user, could make a decision based on a hex code.  As such, this whole dialog box is unnecessary.

You can stop this behavior if you remote control the computer from the Altiris console using the advanced settings.  However, it doesn't remember this preference and you must uncheck it every time (before putting in your credentials).  According to http://www.symantec.com/business/support/index?page=content&id=HOWTO77100 this setting doesn't exist at all in the PCAQuickConnect utility.

I spoke with two levels of tech support and will be speaking with a manager as well soon.  However they could not put me in touch with a project manager who could tell me what features will be added in the new versions.  They recommended that I talk to a sales rep, who are usually in the know about new features. However, reading between the lines, I doubt that a project manager even exists for this product and there will be no added features in the foreseeable future.

I will update again if I find out more information.

0
mike_plichta's picture

I spoke with a manager today who confirmed that the next version will just be bug fixes for compatibility with Windows 8.  No new functionality is forthcoming.  She reminded me of the code compromise that happened last year and most of the work has been patching that vulnerability.  The new pop-up box with the encryption hex code is part of making PCAnywhere safer.  My cynical side says that it's making Symantec safer from lawsuits when PCAnywhere is compromised again because you, the user, approved the connection.  I've given up on this product being fixed and am moving on.

0
LynchJJ's picture

We too are leaving Symantec PCAnywhere behind.  Hopefully, Symantec understands that they are losing customers due to this issue.

0
Jesse A. Gonzales's picture

Everybody talks about leaving, but do you have suggestions for a replacement?

0
ACassar's picture

We dumped pcAnywhere a while ago and haven't looked back.

Using a product called Goverlan Remote Control, which has been integrated with NS7 using a right click action on computer objects.  It's not totally seamless (i.e. you need to pre-install and license a console component on each admin's machine), but overall it was pretty cheap to implement, secure enough for our needs, performs really well with a great feature set (supports multiple user sessions in an RDP environment for example) and has one of the most responsive support teams I have ever worked with.

This was done at both of the last two companies I have worked for..  once to replace DS6.8 remote control due to security limitations and in prep for NS7\pcAnywhere, and at the latest place to replace pcAnywhere in an existing implementation.

+1
LShackleton's picture

Because of the really appalling limitations in PCAnywhere we never got beyond a small pilot in the first place after moving the NS side of things to 7.1. Our support teams still use DameWare NT Utilities for almost all their remote control needs. Very decent product indeed but I wouldn't even want to integrate it into NS - our support teams were always reluctant to use it so NS is a strictly back-office tool for the Infrastructure team only these days - our support teams get value out of performant and intuitive tools only (such as DS 6.9).

+1