Symptom
In certain circumstances, users may be able to log into browser-based Area Access Manager or VideoViewer by entering their user name without a password.
A user may be able to do this if all of the following criteria are met:
1) A record for the user account has been created on the Users form in System Administration.
2) The user has a user name specified in the User name field on the Internal Account tab on the Users form.
3) The user's internal account has been disabled. This is done by clearing the User has internal account check box on the Internal Account tab on the Users form.
RESOLUTION PATH 1:
If you have OnGuard 2008 (6.0.148) installed, apply Hot Fix 1.10.
If you have OnGuard 2008 Plus (6.1.222) installed, apply Hot Fix 3.6.
If you have OnGuard 2009 (6.3.249) installed, apply Hot Fix 2.2.
If you have OnGuard 2010 (6.4.500) installed, apply Hot Fix 0.2.
RESOLUTION PATH 2:
Execute the following query against the AccessControl database. The query invalidates the password for all users without internal accounts, so they will not be allowed to log into OnGuard.
UPDATE USERS
SET LOGONPWD=NULL
WHERE HAS_INTERNAL_ACCOUNT=0
If users are later modified to meet the criteria listed in the Symptom section of this article, the issue will arise again, and this query will need to be run again to resolve it.
A user may be able to do this if all of the following criteria are met:
1) A record for the user account has been created on the Users form in System Administration.
2) The user has a user name specified in the User name field on the Internal Account tab on the Users form.
3) The user's internal account has been disabled. This is done by clearing the User has internal account check box on the Internal Account tab on the Users form.
Resolution
To resolve the issue, follow one of the two resolution paths below.RESOLUTION PATH 1:
If you have OnGuard 2008 (6.0.148) installed, apply Hot Fix 1.10.
If you have OnGuard 2008 Plus (6.1.222) installed, apply Hot Fix 3.6.
If you have OnGuard 2009 (6.3.249) installed, apply Hot Fix 2.2.
If you have OnGuard 2010 (6.4.500) installed, apply Hot Fix 0.2.
RESOLUTION PATH 2:
Execute the following query against the AccessControl database. The query invalidates the password for all users without internal accounts, so they will not be allowed to log into OnGuard.
UPDATE USERS
SET LOGONPWD=NULL
WHERE HAS_INTERNAL_ACCOUNT=0
If users are later modified to meet the criteria listed in the Symptom section of this article, the issue will arise again, and this query will need to be run again to resolve it.
Note that browser-based Visitor Management applications are not affected by this issue.
Applies To
OnGuard 2008 (6.0.148) or later
Browser-based Area Access Manager
Browser-based VideoViewer
Additional Information
None