OS-Based Login Security
System administrators can control user access to the character interface directly from the operating-system level using the Enforce OS User ID field in Security Control (36.3.24).
If you are not using an application password, using the Enforce OS User ID feature lets you essentially bypass application login security completely and rely on operating-system security for your character-based users.
The .NET UI supports Microsoft's Active Directory authentication for use with the Enforce OS User ID field. With Active Directory support, user passwords can be centrally managed. User accounts must be created in the QAD system, and the User ID must match the Active Directory User ID. Note that in the QAD system, the User ID is limited to eight characters.
Important: Regardless of this setting, users logging in through .NET UI must enter a valid user ID and password to access the system.
When the Enforce OS User ID check box is selected, the default user ID displayed in the login screen is the same ID used by the operating system, and the user cannot change it. This must still be a valid system user ID defined in User Maintenance (36.3.1).
In addition, when the Enforce OS User ID check box is selected, the Single Sign-On Enabled option cannot be selected, and vice versa. Enforce OS User ID uses Windows environment variables to verify user credentials. An unauthorized user may potentially be able to reset the %USERNAME% environment variable in order to gain access to the system, masquerading as a different user. You should consider this issue carefully when defining your security model—implementing single sign-on may be a better solution for your environment.
Subsequent processing depends on whether a password is required for the user:
If no password is specified in the system user record, login proceeds automatically, subject to proper licensing.
If the user record includes a password, the system displays a password prompt.
Important: If you enable this feature and reset user passwords for the application to blank, be careful if the Enforce OS User ID check box is ever cleared. If you do so without reentering passwords in user records, anyone can gain access to the system by entering just a user ID. When you clear this check box, the system displays a message to warn you of a potential security compromise. In addition, if using the .NET UI, it is not recommended that you reset user passwords for the application to blank. It is relatively easy to create a new user on an existing Windows machine with an ID that matches one in the application.
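The %USERNAME% weakness described above can be checked before the client starts. The following is an added example, not QAD code: it compares the caller-settable environment variable with the account name the operating system itself reports for the process, and also applies the eight-character user ID limit. The function names and the idea of running this from a client launch wrapper are assumptions.

```python
import os
import sys

QAD_USER_ID_MAX = 8  # the page states QAD user IDs are limited to eight characters


def os_account_name():
    """Account name reported by the OS for this process, not by its environment."""
    if sys.platform == "win32":
        import ctypes
        size = ctypes.c_ulong(257)  # UNLEN (256) plus terminating NUL
        buf = ctypes.create_unicode_buffer(size.value)
        if not ctypes.windll.advapi32.GetUserNameW(buf, ctypes.byref(size)):
            raise ctypes.WinError()
        return buf.value
    import pwd
    return pwd.getpwuid(os.getuid()).pw_name


def bare_name(name):
    """Strip a DOMAIN\\ prefix or @domain suffix; fold case as Windows does."""
    return name.rsplit("\\", 1)[-1].split("@", 1)[0].strip().lower()


def check_login_identity(env, account):
    """Return (ok, reason) for an environment mapping and the OS account name."""
    claimed = env.get("USERNAME") or env.get("USER") or ""
    if not claimed:
        return False, "no user name in environment"
    if bare_name(claimed) != bare_name(account):
        # The variable was changed after logon: refuse instead of trusting it.
        return False, f"environment says {claimed!r}, OS account is {account!r}"
    if len(bare_name(account)) > QAD_USER_ID_MAX:
        return False, f"{account!r} exceeds {QAD_USER_ID_MAX} characters"
    return True, "environment matches OS account"


if __name__ == "__main__":
    ok, reason = check_login_identity(os.environ, os_account_name())
    print(("OK: " if ok else "REFUSE: ") + reason)
    sys.exit(0 if ok else 1)
```

A non-zero exit lets a wrapper script stop before the client is launched and gives the administrator a line to log.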