Solved Seat license security

Pat Hartman

I'm working on upgrading my application's security to prevent the client from abusing his purchased seat licenses. When the application license is renewed annually, all the seat licenses will also be renewed. If they have purchased 10 seat licenses, they get 10 tokens that are entered the first time during the new period that a user logs in. I can keep a table with active log in records to prevent multiple people from using any given Token but I'm not sure exactly how to prevent multiple employees from sharing the same Token as long as they don't log in at the same time. I was thinking about capturing the CPU Serial number and saving that with the token. However, I'm not sure how this would work if the client is using Citrix or RD. I don't have any way of telling if this will work or if all Citrix/RD users end up with the same CPU Serial number because the code captures the serial number of the server rather than the local CPU.

Does anyone know the answer or have the ability to run a test to determine which CPU you get when you run the code within Citrix or RD? Since Citrix is based on RD, I'm guessing that if one shows the server CPU, the other will also.

If you have an alternative suggestion, I'm open. I don't have the budget or the skill set to create a website with APIs that can be used to track users. It all has to be done using Access on the client system. The application can be installed with an ACE BE or a SQL Server BE so if there is some SQL Server feature that would be useful, I can't use it because of my ACE installs.

Thanks,
Pat
 
Does that service provide a free trial that does not involve credit cards? Can you provide a test app or the instructions to put one online? What do users use when working with that service? Access or their browser?
 
There is no free trial. The app is semi-custom. This is an Access forum so this is an Access question. Citrix of course runs in a browser but it emulates Windows on a desktop so Access runs exactly as it would on your C drive. If the users were always running the app on their LAN, I could grab their CPU ID, or their HDD ID but with Citrix, I'm pretty sure that everyone will "see" the same CPU ID and HDD ID.
 
@Pat Hartman

I just store the current users in a table with the number of rows matching the licence count.

If a client had 10 licenses, the table would include 10 rows. Each user gets his login stored in this table, so they can only have 10 active logins.

It doesn't matter who is logged in, but when all slots are full, nobody else can. If a login is there by accident you can clear that slot, but that user cannot then open any new forms.

If users want to play games they can get around it that way, by clearing real users, and logging in again, but it would be painfully slow.

Sage does something similar, I think.

I suggested this idea to @isladogs some time ago, so he may be able to give you some practical feedback.
 
The browser exposes some data, which, in combination, could possibly serve as a "fingerprint". If you open your browser's console and type navigator you get an object with many different key value pairs that you could use as a fingerprint. But not having anything to test your setup or that service, I don't know how to make use of any of those things.
 
@Edgar_ in a corporate environment, the user doesn't open a browser to start Citrix. The Citrix admin provides a shortcut that either starts a "desktop" running under the control of Citrix or a tunnel which opens a single application. My client prefers the single application option and so clicking on the shortcut, opens only my Access application but running on the Citrix server rather than on the local PC.

I don't have a Citrix environment where I can experiment to see what I could see which is why I posted here. If I had a Citrix environment I could play with, I could find the answer for myself. But thanks.
 
> It doesn't matter who is logged in, but when all slots are full, nobody else can. If a login is there by accident you can clear that slot, but that user cannot then open any new forms.

So, sounds like you're saying that each time a form opens, the user ID is looked up in the login table to see if it is associated with a valid license? I was trying to decide if I wanted to connect licenses to people so that every person who logs in needs a valid license or if I wanted to just control concurrent users which is what your license method is doing. I'll have to discuss the concept with my partner. If they are concurrent licenses, the client would need a lot fewer of them so we would have to charge more for them.

This may be easier to implement than licenses assigned to individuals. It will also probably be more convenient for the client since it eliminates the problem of turnover.
 
Pat, it is possible to do a CMD-level operation in multiple parts. If you can determine your process ID (PID), then

Code:
netstat -o -a >filename.txt

captures information about the network connections into the file filename.txt, which might be helpful. There are other options with netstat that tell you other things. I don't have a CITRIX environment either, but there might be a nugget or two that is helpful.
 
Thanks Doc but nothing about that makes any sense.

I'm going to see if I can work with Dave's suggestion. The annoyance will be having to update a hundred forms to check the license whenever a form opens.
 
@Pat Hartman
It's hard to establish a strategy without the tools at hand, but by your description, if the shortcut provided by Citrix is a regular Windows shortcut, you can modify it. Instead of directly opening the "single application", you can make it point to an accde file. This file would handle authentication and then open the "single application". The accde file could connect to a remote database with license information and set the necessary permissions for that session.

The Access application hosted on Citrix could then check with the same database to verify if the user is permitted based on their machine fingerprint. In simple terms, if there is no machine fingerprint, add the machine information to the remote database linked to the token. If another user attempts to use the token, the accde file would check if the token already has machine information. If it does, it would verify if it matches the current attempt. If not, access would be denied.

It's very effective, I use this method a lot.
 
> So, sounds like you're saying that each time a form opens, the user ID is looked up in the login table to see if it is associated with a valid license? I was trying to decide if I wanted to connect licenses to people so that every person who logs in needs a valid license or if I wanted to just control concurrent users which is what your license method is doing. I'll have to discuss the concept with my partner. If they are concurrent licenses, the client would need a lot fewer of them so we would have to charge more for them.
>
> This may be easier to implement than licenses assigned to individuals. It will also probably be more convenient for the client since it eliminates the problem of turnover.

I don't really do that. The user who installs the application requires a valid license key, but I issue the same licence key for all users at a given client. So 20 users might have the app installed, but only 10 of those, say, would be able to login concurrently.

Yes, every form that opens checks that the license is still valid, and that the user still has an active login slot, or the form won't open.
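
The slot-table scheme described in the two posts above, sketched as an added example that is not code from any poster in this thread. The table tblSeatSlots, its columns and the function names are assumptions; it uses only DAO, so it runs against an ACE or a linked SQL Server back end.

```vba
' Assumed table (hypothetical names): tblSeatSlots(SlotID Long PK, UserName Text,
' DeviceName Text, LoginAt Date), pre-filled with one empty row per purchased seat.
Option Compare Database
Option Explicit

Private Function Q(ByVal s As String) As String
    Q = "'" & Replace(s, "'", "''") & "'"   ' quote a text literal for Access SQL
End Function

Private Function SessionDevice() As String
    ' In an RD session Windows sets CLIENTNAME to the connecting device's name.
    ' The user controls that name, so store it for audit, not as proof of identity.
    Dim d As String
    d = Environ$("CLIENTNAME")
    If Len(d) = 0 Then d = Environ$("COMPUTERNAME")
    SessionDevice = d
End Function

Public Function HasSeat(ByVal userName As String) As Boolean
    ' Call from each form's Open event: If Not HasSeat(user) Then Cancel = True
    HasSeat = DCount("*", "tblSeatSlots", "UserName = " & Q(userName)) > 0
End Function

Public Function ClaimSeat(ByVal userName As String) As Boolean
    Dim db As DAO.Database, rs As DAO.Recordset, slot As Long, attempt As Long
    If HasSeat(userName) Then ClaimSeat = True: Exit Function
    Set db = CurrentDb
    For attempt = 1 To 5
        Set rs = db.OpenRecordset("SELECT TOP 1 SlotID FROM tblSeatSlots " & _
            "WHERE UserName IS NULL ORDER BY SlotID", dbOpenSnapshot)
        If rs.EOF Then rs.Close: Exit Function      ' every seat is taken
        slot = rs!SlotID
        rs.Close
        ' The IS NULL guard makes the claim safe under contention: if another
        ' session took the slot first, RecordsAffected is 0 and we retry.
        db.Execute "UPDATE tblSeatSlots SET UserName = " & Q(userName) & _
            ", DeviceName = " & Q(SessionDevice()) & ", LoginAt = Now() " & _
            "WHERE SlotID = " & slot & " AND UserName IS NULL", dbFailOnError
        If db.RecordsAffected = 1 Then ClaimSeat = True: Exit Function
    Next attempt
End Function

Public Sub ReleaseSeat(ByVal userName As String)
    ' Run at logout; an admin can run it to clear a stale slot left by a crash.
    CurrentDb.Execute "UPDATE tblSeatSlots SET UserName = NULL, DeviceName = NULL, " & _
        "LoginAt = NULL WHERE UserName = " & Q(userName), dbFailOnError
End Sub
```

Adding a seat mid-term is one more empty row in the table; the seat count is the row count, so the back-end table itself needs protecting from edits by the client.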
 
@gemma-the-husky It seemed to me that it would be more flexible to have a separate license key for each seat license. That way, if the client wants to add a new license mid year, I can just create a new key that they can add and have it expire when the app license expires. That way I can prorate the key for a partial year but renew them all at once when the app license expires. Or, just renew as many as the client wants. When they add a new app license, I'll delete all the old seat license records and then add the new keys for the upcoming year.

@Edgar_ As I mentioned several times, I don't have a Citrix server I can connect to to test with. I never had a reason to examine the desktop icons before so I really don't know what they execute and I have no way of determining that now without access to Citrix.

> if the shortcut provided by Citrix is a regular Windows shortcut, you can modify it. Instead of directly opening the "single application", you can make it point to an accde file.

That isn't the way Citrix works. Whatever the shortcut runs - assuming it is actually a Windows shortcut, it most certainly is not an .accde or any other type of Access file. The shortcut has to initiate the connection to Citrix and whatever credentials are passed dictate what type of connection opens, i.e. whether it is a remote desktop or just a single application such as an .accde. Without access to a Citrix environment, I have no way to determine what Citrix can "see" of the user's PC. Once the desktop or app is open, the user computer sends keystrokes/mouseclicks/movements to Citrix and Citrix sends back the image of what I would see were I running the app locally. No data gets transferred between the user computer and Citrix except that which is typed in using the application interface.

Citrix might allow the user to see properties of the window it is running in but I would be really surprised if there were any way to get out of the Citrix box once control is in it and poke around the user PC itself. That would seem to be a serious security flaw. Do you run a virtual server on your computer? Can you get from inside the Virtual server and see anything on the PC running that server? Citrix would be similar in concept except the virtual machine is running on some server across the internet rather than on the local PC.
 
As long as the Citrix app can communicate with an external server and you can distribute an accde file with it that also can communicate with the same server, the solution is complete.
 
Hi Pat

I think it's probably fiddly whichever way you do it. I decided the best way for me was to make a database sharable by a client, so the licence key works for any user for that client. It's then a different issue for the client to decide on the number of active users they want to pay for. All I need to do is provide a single new key when the old one expires.

I don't have hundreds of different clients using a database, unfortunately. If I did, maybe I would be looking for a different idea.
 
I want to give them the flexibility of adding seats mid term and not tie it to their annual subscription, except to prorate them so they all renew on the same date.
 
Tom, it looked to me like it could be used for that purpose. But MS has other license management software as well, though you have to have O365 to use it.
 
Thanks @The_Doc_Man but as I said, I do not have a budget to create the web pages and APIs needed to support a "phone home" solution. I do not have the skill set to create these tools myself. I have looked at some that are available online and none works as is. I would need to rebuild my license process to conform to the selected tool and then I would need to pay the annual subscription price. I don't have enough subscribers to spend the time/money. So, I'll just do a little tightening up of the seat count process when I distribute the next release in March.

If someone with the correct skill set is interested in a joint venture for a tool that works with Access, please reach out.

Happy New Year💫
 
Pat,
it is not clear from the OP or the subsequent discussion what type of "seat licensing" you have in mind. There are basically two types: 1) per named user, where an individual license is tied to a specific software installation, 2) per active user, where the license limits the number of users who can use it at any given time. If you are contemplating @2 you do not need any specific tokens & checking for their duplicates. The scheme shown by Dave would do nicely. You can always increase the number of active users in the license with little or no overhead. FYI, the @1 type of licensing has been used by large software manufacturers who have the means to check compliance by obtaining access to a licensee's networks. With corporations now switched to mobile computing, it has lost its effectiveness in the business setting and is now more and more limited to the off-the-shelf individual private users. At any rate, it does not look like your case.

Best,
Jiri
 
