Single sign-on by VxLogon
VxLogon is a script version of NxLogon. We developed this one to avoid of having problems with anti-virus softwares. It is simpler and easier to deploy and not causing any issue with anti-virus softwares.
Before you implement single sign-on against Active Directory, you need to import users and groups first. To import users and groups, read GUI overview > User.
How it worksTo run it, you need to activate it on 'User > VxLogon' on NxFilter GUI first and then register vxlogon.vbs from VxLogon package as a Windows logon script on GPO. For how to register it on GPO, read User authentication > SSO by NxLogon. The procedure is basically the same.
Unlike NxLogon, you don't need to specify server IP for VxLogon.
Security problemWith VxLogon, to make things easier and simpler, we use DNS protocol as the communication protocol between VxLogon and NxFilter. As a result, you may have some smart enough users to find a way of logging-in with another username to acquire an alleviated permission because the protocol exposed in a script file. To prevent this kind of problem, we added an additional security procedure to activate VxLogon. We defined two special domains for logon and logoff with VxLogon. On 'User > VxLogon',
- Logon Domain : vxlogon.example.com
- Logoff Domain : vxlogoff.example.com
Since we use Nslookup command internally, you have to keep the trailing dot when you change the domains.
TroubleshootingIf you run vxlogon.vbs on CMD you will not be able to see any output because it will run by Wscript which is the default VBSCript engine on Windows. If you want to verify your deployment with logging, run it with Cscript command,
And run NxFilter on CMD as well so that you can monitor what is going on NxFilter side.
Or look into /nxfilter/log/nxfilter.log file.