
Expose user password

tgudobba
14-Alexandrite

Is there a way to expose the user password? Or at least log in as the user from the admin user?


There are times we need to log on as the user to see what they see. If we can change the password as the admin, seems we should be able to see what it is.


We're running 10.2

6 REPLIES 6

Take a look at this - may want to use.



bellj
1-Newbie
(To:tgudobba)


Not sure of your background or computer security experience but passwords should never be visible by anyone.
If an admin has to log in as a user, then he should change the password and log in. This can be audited and the user will know when he has to get his password reset that someone accessed his account.

This goes for troubleshooting as well. There are no shortcuts when it comes to passwords or security.

My two cents are free today and... my soapbox just broke.

joe bell
GSIMS Administrator
GPS Sustainment Information Management System
719-572-2890
bellj@gpssims.com

I wrote a customization that does what you want. Lets you use the other
account, without knowing the password.



It uses a temporary table in the database to supply Windchill, not Apache or
other HTTP server, a different user name and password, and audits via
recording into a transaction database table what user used the generic test
or validation account. It auto logs out after a defined idle time period if
no activity is detected. To activate the capability, you go into a login
page that is accessible to only a select set of users known as a whitelist.
The accounts you may pick from are on a blacklist. No matter how hard you
try, the front end doesn't know about these blacklisted accounts, but
Windchill via proper configuration does not see them as disconnected users.
Password changes at login and logout, as does the associated email address.
It's great for testing or production support as a restricted user when you,
yourself, are an administrator in the system and cannot logically relinquish
those rights.



I cannot just release this into the mainstream for free though. It took
quite a long time to develop. At the very least, I am sharing the idea with
others in case they didn't think it was possible.



It works great with active directory and single sign on. It does help that
at the place I currently work, I have architected the single sign on
solution to not work directly through Windchill, but through Apache, which
is the atypical method.
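The controls listed in the post above (a whitelist of operators, a fixed set of borrowable test accounts, an audit record per use, password rotation at login and logout, idle auto-logout) can be modelled as follows. This is an added example, not the poster's customization and not Windchill code; the class, method and field names and the in-memory audit list are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class ImpersonationBroker:
    operators: set            # admins allowed to reach the login page ("whitelist")
    shared_accounts: set      # test/validation accounts that may be borrowed
    idle_timeout: float = 900.0
    audit: list = field(default_factory=list)      # stands in for the audit table
    sessions: dict = field(default_factory=dict)   # account -> [operator, last_seen]
    secrets_: dict = field(default_factory=dict)   # account -> current random password

    def _log(self, event, operator, account, now):
        # The rotated password is deliberately never written to the audit trail.
        self.audit.append({"ts": now, "event": event, "operator": operator, "account": account})

    def _end(self, operator, account, now, event):
        del self.sessions[account]
        self.secrets_[account] = secrets.token_urlsafe(32)   # rotate at logout
        self._log(event, operator, account, now)

    def expire(self, now):
        for account, (operator, seen) in list(self.sessions.items()):
            if now - seen > self.idle_timeout:
                self._end(operator, account, now, "idle_logout")

    # `now` is a clock value supplied by the caller, e.g. time.time().
    def start(self, operator, account, now):
        self.expire(now)
        allowed = operator in self.operators and account in self.shared_accounts
        if not allowed or account in self.sessions:
            self._log("denied", operator, account, now)
            return False
        self.secrets_[account] = secrets.token_urlsafe(32)   # rotate at login
        self.sessions[account] = [operator, now]
        self._log("start", operator, account, now)
        return True

    def touch(self, operator, account, now):
        self.expire(now)
        if self.sessions.get(account, [None])[0] != operator:
            return False
        self.sessions[account][1] = now
        return True

    def stop(self, operator, account, now):
        if self.sessions.get(account, [None])[0] != operator:
            return False
        self._end(operator, account, now, "logout")
        return True
```

Denied attempts are recorded as well as successful ones, so the audit trail shows who tried to borrow an account they were not entitled to.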










BenLoosli
22-Sapphire III
(To:tgudobba)

I have kept all user information in a password-protected spreadsheet.
Username, password, real name, email, group, location, date account created, etc.

This allows me to log in as anyone when I need to for testing purposes and send someone their password when they forget it.
May not be Security approved, but our system is not on the internet as it is classified data.

LiuLiang
4-Participant
(To:tgudobba)

If your Windchill application uses single sign on, authenticated with Corporate AD instead of Windchill DS, you can take a look at my approach.


Occasionally I need to log in as a user to reproduce an issue on a PTC support WebEx session. Our 1st level authentication is through Corporate AD and 2nd level authentication is through Windchill DS; for the Windchill users who do not exist in Corporate AD, Windchill DS comes into play.


So I just need to ask the user if I can temporarily use his/her Windchill account for a certain period (say half an hour or so). S/he should not use Windchill in that period of time and does not need to change his/her password or tell me his/her password, because it is the same password for his/her Outlook, SharePoint and all other apps. I just rename his Windchill user to something else which does not exist in Corporate AD, say my_<username>, and change this Windchill account password to something I use. Then I log in as my_<username>, reproduce the issue for PTC support, then rename my_<username> back to <username>, and inform the user that I am done and s/he can log back in to Windchill again.


Because the <username> is using Corporate AD authentication, changing the Windchill password on the same user in Windchill DS won't affect anything, and all the user-object relationships in the Windchill database won't be affected either, as the original user and the renamed user are still the same ida2a2.

Hi Liu,



It's also possible (Apache, /conf/extra) to set up such that users can be
authenticated from both Active Directory and internally. Any number of test
users can be created in Windchill and used for log on by Windchill admins
for this purpose - in parallel with users defined on the network.



We used this extensively at Alcon. Would be great to see an article from
PTC on how to do this in general.

