Hi all,
Currently, if domain users sign out, DataMiner allows them to reconnect without asking for new input.
Is there any way for DataMiner to ask domain users to re-enter their password when they log back in (or log in for the first time that day, for example)?
Thank you for the help. Cheers!
Hi Joao,
The above situation is only true when the domain account used to access DataMiner is the same as the domain account you used to log in to the client computer.
Because the user already authenticated the domain account on the client computer (to log in to the computer itself), there is no need to enter the password again when trying to gain access to DataMiner.
This simplifies user authentication without jeopardizing security (single sign-on).
When the domain account used to authenticate the user on the client machine is different than the one used to access DataMiner, the password needs to be entered every time. The same is true when authentication on either the client machine or DataMiner is not done through a domain account.
I don't believe there is a way to disable the single sign-on.
Hi Ive, Ben,
This question comes from a customer, and they basically ask if it is possible to have DataMiner prompt the user every time.
I also agree that this defeats the purpose of SSO. I thought about the scenario where maybe different people on an NOC could be using the same computer at different times. However, if this is the case, the security issue lies in how the Windows session is being used, not DataMiner.
I am trying to get more information and a real use case that could justify this. I also made the suggestion of using MFA, for example with a RADIUS server, as described in the DataMiner Help.
I will update this post when I manage to get more concrete information.
Thank you for your input.
Hi Joao,
A way around this would be to create a different user account for DataMiner (either on the domain or a standalone DataMiner user).
I just got the information from the customer that this question was to understand what options were available for the Administrator to control user access. They mentioned they were not able to find anything specific in the Help and wanted to be sure they were not missing anything.
Thank you for the help, Ive and Ben.
I agree with Ive here, isn’t this the whole purpose of SSO? Is there a specific use case or circumstances that triggered this question, João? I can imagine that this is because you do not want somebody else to log in using that account, while it is still sitting there like that. But then the question arises that the Windows session is then also still active and logged in with that account as well, and there’s probably a lot of other things that you can then do (such as going into the email of that user, etc.).