Additional security

Using a logon ticket ("authentication token") to log on to CIS mobile makes sense for several reasons. From a security standpoint it prevents an account from being locked by repeated failed attempts or guesses (brute force): the ticket is checked first, and only if it is valid is the password checked too. Someone without a valid ticket therefore never reaches the password check.

The simplest form of a logon ticket is a single universal passphrase shared by all users; it raises the bar only slightly, because one leaked passphrase exposes every account. A more sophisticated, per-user ticket system is now also implemented in CIS mobile. In addition, you can implement your own ticket check or ticket administration in the add-on project (VB.NET) and, for example, only allow logon from certain IP addresses.

If a mobile device is lost, its access to CIS mobile can easily be deactivated on the server.



Checking a logon ticket to provide more security

Ticket administration: Overview

With CIS mobile it is easy to manage logon tickets for every user:
Existing tickets are displayed in a sortable table. Furthermore, you can lock/unlock or delete selected tickets or send them via e-mail.

You can also consult a detailed protocol (log) of events, e.g. the creation of a ticket, and a list of the mappings between user names and e-mail addresses.



 
Link the ticket administration




Details of a ticket for user "demouser"


Creating a new ticket

A new ticket can be generated automatically and sent via e-mail. Alternatively, it can be created manually by a CIS mobile administrator.

Enter a key for the new ticket or press "generate" to let CIS mobile create one that follows the configured guidelines.

NB: Even manually created tickets are only valid if there is a corresponding mapping from the user to his or her e-mail address in the system.



A 30-day trial ticket is created
 


User to e-mail mapping

Logon tickets only become valid, and can only be used to log on to CIS mobile, if a mapping from the user to an e-mail address exists. This ensures that only a well-defined group of users can access the application; users are locked out simply by removing them from the list.



Tickets will be sent to the e-mail address in this list


 
Parameters for the tickets

You can adjust several parameters in the CIS mobile settings for tickets:

Valid in days after requesting (Default: 180 days):
When a user requests a new ticket, which is sent to his or her e-mail address, it is only valid for this timespan and expires automatically afterwards.

Only the most recent ticket is valid (Default: deactivated):
Once a new ticket has been activated for a user, only that ticket (and no previous one) is accepted for logon to CIS mobile. Activate this if requesting a replacement ticket should invalidate the old one, e.g. after a device has been lost.

Minimum length (Default: 5 characters):
An automatically generated ticket has at least this many characters.

Maximum length (Default: 10 characters):
An automatically generated ticket has at most this many characters.

NB: The generation algorithm chooses a random length between the configured minimum and maximum. You can inspect it in the VB.NET add-on project bundled with CIS mobile, modify it, or implement your own algorithm. Bear in mind that the shortest allowed length bounds how hard a ticket is to guess: with the defaults (5 lowercase letters) there are only 26^5, i.e. about 12 million, possible shortest tickets, so raising the minimum length and requiring digits and mixed case is advisable when the ticket is the first line of defence.

Must contain digits (Default: no):
If activated, automatically generated tickets contain at least one digit.

Must contain uppercase and lowercase letters (Default: no):
If activated, automatically generated tickets contain at least one uppercase and one lowercase letter. With the default settings a new ticket consists of lowercase letters only.
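The following Python model is an added example, not the product's own code (the product's generator lives in the VB.NET add-on and is not shown on this page). It reproduces the parameters described above: a random length between the configured minimum and maximum, optional digits and mixed case, and a helper that reports how many bits of guessing resistance the shortest permitted ticket gives. The function names are assumptions.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits


def policy_ok(key, require_digits=False, require_mixed_case=False):
    """True if key meets the configured character requirements."""
    if require_digits and not any(c in DIGITS for c in key):
        return False
    if require_mixed_case and not (
        any(c in LOWER for c in key) and any(c in UPPER for c in key)
    ):
        return False
    return True


def generate_ticket_key(min_len=5, max_len=10, require_digits=False,
                        require_mixed_case=False):
    """Model of the generator (assumed name): random length in
    [min_len, max_len] from a CSPRNG, characters drawn from the alphabet the
    settings allow, redrawn until every required character class is present.
    Defaults match the documented ones (5..10 lowercase letters)."""
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= min_len <= max_len")
    needed = 1 + require_digits + require_mixed_case  # classes that must appear
    if min_len < needed:
        raise ValueError("minimum length too short for the required classes")
    alphabet = (LOWER
                + (DIGITS if require_digits else "")
                + (UPPER if require_mixed_case else ""))
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    while True:
        key = "".join(secrets.choice(alphabet) for _ in range(length))
        if policy_ok(key, require_digits, require_mixed_case):
            return key


def min_keyspace_bits(min_len=5, require_digits=False, require_mixed_case=False):
    """log2 of the number of tickets of the shortest allowed length: the
    figure an online guessing attacker effectively faces."""
    size = 26 + (10 if require_digits else 0) + (26 if require_mixed_case else 0)
    return min_len * math.log2(size)


if __name__ == "__main__":
    print(generate_ticket_key(), round(min_keyspace_bits(), 1))
    print(generate_ticket_key(8, 8, True, True), round(min_keyspace_bits(8, True, True), 1))
```

With the defaults the shortest ticket carries about 23.5 bits; eight characters with digits and mixed case give about 47.6 bits, which is the kind of margin to aim for when the ticket is checked before the password.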

Text in e-mail when sending a ticket:
Language-dependent versions of short text files are located in the directory config\tickets\views. These texts are used for the e-mail a user receives after requesting a new ticket. You can edit them, but keep the following placeholders:

@ticket@: Will be replaced by the new ticket that has been generated (e.g. "trialticket2013")
@validuntil@: Will be replaced by the date until which the new ticket will be valid

NB: By default CIS mobile tries to send the e-mail via localhost; for this to work, IIS with its SMTP service has to be configured properly. Alternatively, you can use any other SMTP server: enter its configuration details in the CIS mobile settings. See "SMTP Server" in the documentation for further details.


Request a new ticket via e-mail

If a valid mapping from user name to e-mail address exists in CIS mobile, the user can request a new logon ticket and use it to log on. The ticket is bound to this combination of user name and e-mail address and cannot be used by any other user.

NB: To send tickets via e-mail, an SMTP server has to be configured in the CIS mobile settings.



A new ticket has been sent


 
Check the protocol

Every event of the ticket system, e.g. the creation of a new ticket, is logged in the file ticketlogs.txt in the directory config\tickets. Click/touch "protocol" in the administration menu to consult it, or open the file on the server with a text editor.


 
Logged events in the protocol


 
Customizing via add-ons

Open the project "s10cisaddon.sln" with Visual Studio; it is located in the directory config\s10cisaddon.
In the class "addon" you can modify or extend the following methods:

CheckTicket: Checking the validity of a ticket
RequestTicket: A user is requesting a new ticket
GenerateTicketKey: The algorithm that creates a new passphrase for a ticket
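As an added Python model of the checks a customised CheckTicket could perform (not the add-on's own VB.NET code; the page does not show the method's signature, so the function name, parameters and sample data here are assumptions), the example below evaluates, in order, the user-to-e-mail mapping, an IP allowlist of the kind the add-on is suggested for, a lock flag, the validity period and the "only the most recent ticket is valid" rule. The sample tickets are constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Ticket:
    user: str
    key: str
    created: datetime
    locked: bool = False


@dataclass
class TicketSettings:
    valid_days: int = 180            # "Valid in days after requesting"
    most_recent_only: bool = False   # "Only the most recent ticket is valid"
    allowed_networks: tuple = ()     # hypothetical add-on extension: CIDR allowlist


def check_ticket(user, key, client_ip, now, tickets, user_email, settings):
    """Return 'ok' or the reason the ticket is rejected (assumed model of
    CheckTicket). Only after 'ok' would the password be checked."""
    # A ticket only becomes valid once a user-to-e-mail mapping exists.
    if user not in user_email:
        return "no-mapping"
    # Optional add-on rule: only accept logons from listed networks.
    if settings.allowed_networks:
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in ipaddress.ip_network(n) for n in settings.allowed_networks):
            return "ip-denied"
    mine = [t for t in tickets if t.user == user]
    # Constant-time comparison so timing does not reveal how much of a key matched.
    match = next((t for t in mine if hmac.compare_digest(t.key, key)), None)
    if match is None:
        return "unknown"
    if match.locked:
        return "locked"
    if now > match.created + timedelta(days=settings.valid_days):
        return "expired"
    if settings.most_recent_only and match is not max(mine, key=lambda t: t.created):
        return "superseded"
    return "ok"


# Constructed sample data for the example (not from the product).
NOW = datetime(2024, 6, 1)
USER_EMAIL = {"demouser": "demouser@example.com"}
SAMPLE_TICKETS = [
    Ticket("demouser", "oldkeyjan", NOW - timedelta(days=140)),
    Ticket("demouser", "newkeymay", NOW - timedelta(days=10)),
    Ticket("demouser", "ancientkey", NOW - timedelta(days=200)),
    Ticket("demouser", "lockedkey", NOW - timedelta(days=20), locked=True),
    Ticket("nomap", "orphankey", NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    strict = TicketSettings(most_recent_only=True, allowed_networks=("10.0.0.0/8",))
    for user, key, ip in [("demouser", "newkeymay", "10.0.0.5"),
                          ("demouser", "oldkeyjan", "10.0.0.5"),
                          ("demouser", "newkeymay", "203.0.113.9"),
                          ("nomap", "orphankey", "10.0.0.5")]:
        print(user, key, ip, "->",
              check_ticket(user, key, ip, NOW, SAMPLE_TICKETS, USER_EMAIL, strict))
```

The order matters: cheap rejections (no mapping, wrong network) come before the key comparison, and a lock takes precedence over expiry or supersession so that the protocol shows the administrator's decision rather than a coincidental timeout.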

 

The VB.net project bundled with CIS mobile



Modifications take effect the next time a user logs on to CIS mobile after you have recompiled the project.
Compiling is not possible while a user is active, because the DLL is in use. Use the S10 repository to end all sessions or wait until all users have logged out; inactive users are logged out automatically after a certain time.

Automatic backups

The file tickets.cis, which contains all logon tickets as encrypted lines of text, is saved once a day to a backup file in the directory config\tickets\backup_tickets.
This makes it possible to restore a former state of all tickets: simply overwrite tickets.cis in config\tickets with one of the backup files. Because of the encryption the files cannot be edited manually. Note that a restore also brings back tickets that were locked or deleted after the backup was taken, so check the ticket administration and the protocol afterwards, and protect the backup directory as carefully as the live file, since it holds the same tickets.