Jiwa

[DannyC]

I log into Jiwa from a workstation and get an error "the password provided is incorrect"

I'm 100% certain the password is correct.
I am also confident I am connecting to the correct database as I get an entry in the SY_LoginAudit table.
I'm 100% confident the keyboard language is English.

What else can I be looking at on the workstation?
SQL driver version? And where would I go to validate it is correct?
Is the password sent to the SQL Server via some kind of encryption? And how would I go about seeing if there is some kind of mixup with the encryption key?
Is there a way to capture the password at the SQL side?

Jiwa 7.2.1 SR15
SQL Server 2014

[SBarnes]

See this link viewtopic.php?f=26&t=1666&p=7255&hilit=JiwaEncrypt#p7255 same thing applies but use the password fields

[DannyC]

For those playing along at home, based on the above response from Stuart, I knocked up the attached plugin which you can directly compare with the string in HR_Staff.Password.

Still not sure yet if the plugin will actually compile & fire if the password is deemed wrong (even though it isn't) but this works on my demo database. Yet to deploy to client!

[Mike.Sheen]

Still not sure yet if the plugin will actually compile & fire if the password is deemed wrong

It won't. Plugins are not read and loaded until after the user is authenticated successfully.

Is the password sent to the SQL Server via some kind of encryption?

We don't send the password to SQL Server. We read from HR_Staff the stored encrypted password (HR_Staff.Password), and the associated salt (HR_Staff.PasswordLastSavedDateTime) and then we encrypt what the user typed in with the stored salt and compare the encrypted password with the encrypted password we read from HR_Staff.

And how would I go about seeing if there is some kind of mixup with the encryption key?

You don't - it's not a key based encryption scheme.

I assume the following basic troubleshooting has been done?

1. Another Jiwa user can/can not login on the problem machine?
2. On the problem machine, when logged in as a different Windows user, the user can / can not login on the problem machine?
3. Resetting their password in Jiwa to "password" and they can now login? Changing it back to problem password and the problem returns?

[Mike.Sheen]

I've written a little test app to help diagnose this.

You simply enter the password, and the PasswordLastChangedDateTime and it will encrypt the password the same way we do when you login to Jiwa - and you can compare the encrypted data with the value in HR_Staff.

The executable can be simply put in the same folder as the Jiwa application, and then run.

JiwaPasswordTest.rar

(4.72 KiB) Downloaded 64 times

The source is also attached.

JiwaPasswordTest_Source.rar

(14.26 KiB) Downloaded 58 times

[DannyC]

Nice app.

When I try it on the client PC, I get this:

pw error.png (6.35 KiB) Viewed 6522 times

When I copy & paste from the client database the HR_Staff.PasswordLastChangedDateTime value and their password value into my plugin, I get a garbled string.

No one can log onto Jiwa on this PC. Doesn't matter who the jiwa user is, or who the Windows user is.
I have checked the .Net version on the PC too. It's at 4.8.0484
And I have also checked that SR15 has been installed, so it has the latest JiwaEncryption.DLL.

[Mike.Sheen]

It could be the cipher suites installed on the machine aren't what we expect.

We don't explicitly install any cipher suites - we rely on ones installed already as part of the Windows and / or .NET Framework.

What OS is this PC?

I'll get specifics on what cipher suites we want and how to find out if they are on the system in question and post back here.

[DannyC]

What OS is this PC?

Windows 10 from recollection - not that I checked. Maybe Win 11?

As an aside, I installed the JiwaPasswordTest app on the server (where they can successfully log on) and it displayed the correct encrypted password, so all good there.
Appreciate your help on this

[Mike.Sheen]

I've modified the app to report the error message if an error is encountered - it should give us more of a clue.

Attached is the modified executable.

JiwaPasswordTest.rar

(4.78 KiB) Downloaded 65 times

The only change was to add the following code to the bottom of the encryptUltraButton_Click method:

Code: Select all

if (encryptedPassword == "ERROR")
{
   LogMessage("Encryption Error: " + encryption.ErrorMessage);
}

[Mike.Sheen]

The crypto provider is "Microsoft Base Cryptographic Provider v1.0"

We're using MD5 as the hash algorithm (CALG_MD5), and RC2 block encryption algorithm (CALG_RC2) from the advapi32.dll.

https://learn.microsoft.com/en-us/windo ... algorithms

I'm still trying to work out how to tell if the encryption algorithm depends on another component. I think we can safely say MD5 isn't the issue, so RC2 being so old may be an issue on newer systems.

But the error detail the last change to the test app will help a lot in working out what bit we're having trouble with.