Infralution Support

Bob Dukes · Joined: 16 Aug 2010 Posts: 52

Using License Tracker 5.8.1 and Authentication License Server with stand-alone database. Had authenticated key that belonged to crashed computer. Tried deactivating in Tracker, but authentication count didn't change. Ditto for set limits. Is there way to change the authentication count to 0 or delete the key altogether from both the tracker and server database?

Infralution · Joined: 28 Feb 2005 Posts: 5027

The authentication count is just the total number of times the key has been authenticated on a new (different) computer. You can't change this - but it doesn't affect whether the key can be authenticated. Whether a key can be authenticated depends on the number of currently active authentications and the Max Authentications limit. To allow a computer to be installed on another computer you can either Deactivate the existing Authentication for a specific computer (using the Authentication->Deactivate menu) or increase the Max Authentications limit (using the Authentication->Set Limits menu).
_________________
Infralution Support

Bob Dukes · Joined: 16 Aug 2010 Posts: 52

Thanks for clearing up the meaning of the authentication count. What happens when I select a key in Tracker and then delete it (either from the file drop-down menu or by right clicking the selected key and selecting delete)? Is the key and all it's authentication information deleted from both the tracker and the stand-alone database? If not, is it possible to do this another way?

Infralution · Joined: 28 Feb 2005 Posts: 5027

If you delete a License Key then it is deleted from both the License Tracker and Authentication databases. This does not mean that the key could not be used by someone however if you have given it to them. This is because the Authentication Server was designed so that it can authenticate keys without the actual keys having to be uploaded to it. In general you should only delete keys if you have not issued them to someone (eg if you generated keys for testing). To deactivate keys you have issued you should select the License Key and use the new Authentication > Deactivate menu. This deactivates all existing authentications for the license key and sets the Max Authentications for the key to zero. In version prior to 5.8 you had to remove the authentications and use the Authentication > Set Limits menu to do this.
_________________
Infralution Support

Bob Dukes · Joined: 16 Aug 2010 Posts: 52

Thanks for the info about deleting keys. Understanding that the authentication server will still authenticate deleted keys makes it very clear about when to use delete or deactivate. I'll only delete keys that haven't been released to customers. - Bob

CynoxDev · Joined: 15 Feb 2013 Posts: 8

Infralution · Joined: 28 Feb 2005 Posts: 5027

The authentication server was designed so that it did not have to be connected to the main License Tracker database to support hosting it on shared hosting platforms. In this usage we did not want to have to upload every key generated to the separate authentication database. To facilitate this the server was designed so that it will authenticate a key as long as that key was generated using the required Product passwords.

If there is no record in the Authentication database for a license key being authenticated then it will be created and when you import data from the Authentication Server the data is matched to records in the License Tracker database. If the license key had been deleted from the License Tracker database then, after importing, the License Key will show up as a License Key without a Distributor or a Customer. So by sorting on the Distributor it is possible to find any license keys which have been "resurrected" in this way. But if you Deactivate license keys rather than deleting them then this problem will never arise.

Currently when the Authentication Server is connected directly to the License Tracker database it uses the same logic however we could potentially change its behaviour so that it this case if requires the license key to be present in the database.
_________________
Infralution Support

CynoxDev · Joined: 15 Feb 2013 Posts: 8

Thank you for the explanation. I thought unknown keys would be declined to prevent the possible use of key generators.

Infralution · Joined: 28 Feb 2005 Posts: 5027

If you use a 10 character Product Password and a different 10 character authentication password then you should be very secure. To crack the authentication password using brute force algorithms would require repeated calls to the Authentication Service to try the result. The Authentication server includes protection against this sort of attack by limiting the number of calls from a given IP address within a period of time. Regardless, given typically web service response times, with a 10 character password the cracker would be trying for a few million years to be able to generate a valid key. That is without even considering the Product Password which also has to be cracked.
_________________
Infralution Support

CynoxDev · Joined: 15 Feb 2013 Posts: 8

Thank you again for the quick response. So far i am very satisfied with the support and the overall implementation, capabilities and easy of use of ILS. On top of that for a fair price. I also use the Encryptor that is pretty easy to use as well and seems like an ideal solution for me, because i did not want to fiddle around with obfuscation.

Keep up the good work!

Marcus