Automated Login Using an HTA File

One of our clients had the concept of kiosks in particular locations/office/factories. These kiosks were used to give users access to a number of applications for information. One of the things they wanted the kiosk to have access to was their ServiceNow knowledge base.

We didn’t want to make the knowledge base public because it contained sensitive information, and at the same time didn’t want the users to have to enter a username and password to log in.

I experimented with a login using an HTA file (the same technology as the Help the Help Desk functionality). The idea was that this could sit on the desktop and, when clicked, would log in automatically to ServiceNow.

We never used this solution, but I thought the idea was interesting and one I haven’t played with before so posting it here just as a concept.

So the approach was this (actual code at the end):

I created a new user record specific to each kiosk. The username was the Windows username that the kiosk was logged in with. On the user table, we created 2 new fields:

1) u_ip, which restricted by IP address who could access using this account

2) u_automated_login, a True/False field that determined whether this user record could use automated login or not

Then I created an HTA file which would read the username of the logged-in user. It would then do an HTTP POST, the same as the login.do page sends, except that it would also pass an additional parameter, ‘AutomatedLogin’.

In the Login installation exit, I would then check whether the additional parameter was passed through. If so, I would check whether this user had the Automated Login checkbox ticked and, finally, whether their IP address matched the one on record. If all of these passed, I would log the user in automatically.
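The three checks described above, modelled as a stand-alone decision function. This is an added example in plain JavaScript, not the post's code or the ServiceNow installation exit API; the `user_name` field name, the request shape, the case-insensitive username match and the sample kiosk records are assumptions made for illustration.

```javascript
// Added example: plain JavaScript model of the check, not ServiceNow code.
// Constructed sample records; u_ip and u_automated_login are the two fields from the post.
const users = new Map([
  ["kiosk-factory-01", { u_automated_login: true, u_ip: "10.20.30.41" }],
  ["kiosk-office-02", { u_automated_login: false, u_ip: "10.20.30.42" }],
  ["kiosk-lobby-03", { u_automated_login: true, u_ip: "" }], // no IP on record
]);

// request: { params: posted form fields, remoteIp: address the server sees for the connection }
// Returns { action, reason } where action is "login", "deny" or "normal".
function decideAutomatedLogin(request, userTable) {
  const params = request.params || {};
  // 1) No AutomatedLogin parameter: leave the request to the normal login flow.
  if (!Object.prototype.hasOwnProperty.call(params, "AutomatedLogin")) {
    return { action: "normal", reason: "parameter absent" };
  }
  // The username and the parameter are both supplied by the client,
  // so checks 2 and 3 are the ones that actually gate access.
  const name = String(params.user_name || "").trim().toLowerCase();
  const user = userTable.get(name);
  if (!user) return { action: "deny", reason: "unknown user" };
  // 2) The account must be explicitly enabled for automated login.
  if (user.u_automated_login !== true) {
    return { action: "deny", reason: "automated login not enabled" };
  }
  // 3) The source address must equal the one on record; an empty u_ip never matches.
  const allowed = String(user.u_ip || "").trim();
  const remote = String(request.remoteIp || "").trim();
  if (allowed === "" || remote !== allowed) {
    return { action: "deny", reason: "ip mismatch" };
  }
  return { action: "login", reason: "all checks passed" };
}

// Constructed requests: the right kiosk, then the same username from another address.
for (const ip of ["10.20.30.41", "10.20.30.99"]) {
  const req = { params: { AutomatedLogin: "true", user_name: "kiosk-factory-01" }, remoteIp: ip };
  console.log(ip, decideAutomatedLogin(req, users));
}
```

`remoteIp` has to be the connection address as the server sees it, never a value taken from the posted form.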

 