Specifically, we have a single service account that is used by several thin client devices. The account logs in to the terminal server automatically and launches an application. (The application itself requires a login, so our security exposure is tolerable.) As the application is launched, the %clientname% environment variable is read and sent to the application so that workstation-specific workflows can be configured.
Now the interesting part. When 2 or more thin clients log in within 1 second of each other, they can "steal" each other's names. This was tied back to the %clientname% environment variable changing between the initial login and the moment %clientname% is sent to the application. It seems that when the second thin client logs in while the first is launching the application, the second overwrites the environment variables (all within the same user profile, because a shared service account is used), resulting in the second thin client's name being used for both. So... environment variables are user-specific, not session-specific.
Workarounds:
1) Configure different service accounts for each workstation/client.
2) Require end users to log in with their own credentials rather than using a service account.
3) Use non-volatile, session-specific variables in WMI instead of environment variables.
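
In the spirit of workaround 3, the launch script can ask Remote Desktop Services for the client name of its own session rather than reading %clientname%. The following is an added example, not code from the original post; it uses the documented `WTSQuerySessionInformation` API instead of WMI, and the `WtsSession` class and `GetClientName` method are names made up for this illustration.

```powershell
# Added example: read the client name bound to *this* session from the
# Remote Desktop Services API, then compare it with %CLIENTNAME%.
$source = @'
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class WtsSession   // hypothetical helper name
{
    const int WTS_CURRENT_SESSION = -1;  // the session this process runs in
    const int WTSClientName = 10;        // WTS_INFO_CLASS member

    [DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern bool WTSQuerySessionInformation(
        IntPtr hServer, int sessionId, int infoClass,
        out IntPtr buffer, out int bytesReturned);

    [DllImport("wtsapi32.dll")]
    static extern void WTSFreeMemory(IntPtr memory);

    public static string GetClientName()
    {
        IntPtr buffer;
        int bytes;
        // IntPtr.Zero is WTS_CURRENT_SERVER_HANDLE (the local terminal server).
        if (!WTSQuerySessionInformation(IntPtr.Zero, WTS_CURRENT_SESSION,
                                        WTSClientName, out buffer, out bytes))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try { return Marshal.PtrToStringUni(buffer); }
        finally { WTSFreeMemory(buffer); }
    }
}
'@
Add-Type -TypeDefinition $source

$sessionClient = [WtsSession]::GetClientName()   # empty string on the console session
$envClient     = $env:CLIENTNAME

if ($sessionClient -and $sessionClient -ne $envClient) {
    # The race described above: the environment holds another session's name.
    Write-Warning "CLIENTNAME mismatch: env='$envClient' session='$sessionClient'"
}

# Emit the session-scoped value; pass this to the application
# instead of %CLIENTNAME%.
$sessionClient
```

Logging the mismatch warning also gives a record of how often the shared service account hits the race.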