Solved

LDAP channel binding

  • 20 November 2019
  • 5 replies
  • 1127 views


Hello,

Customer is running on IFS Apps9 with SSO and Active directory synchronization.

Could you please advise how we can ensure that Apps9 will work properly with LDAP channel binding and LDAP signing on Active Directory Domain Controllers?

The link to the announced update from Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Best regards,

/Jozef

Best answer by Isuru Gunathunga 27 November 2019, 03:16

5 replies

Hi Jozef,

I have listed below information about LDAP and its setup with IFS Applications, along with some backend insight as well; hope this helps.


Since IFS Applications are based on standard technologies, they can be used with standard network-level security solutions such as firewalls, proxies, TLS/SSL encryption and VPN networks.

All client requests to IFS Applications will require authentication. User credential validation can be performed by IFS Middleware Server using either Active Directory, Windows Integrated Authentication (to achieve Single Sign-On) or the Oracle database.

The IFS Applications architecture enforces a uniform role-based security model across the entire application. The role-based authorization model of IFS Applications ensures that only authorized employees have access. 

IFS Applications relies on standard network, operating system, and database security, and does not add or require a proprietary layer. Only established technologies with known security properties are used, including Oracle Database, Active Directory®, LDAP, HTTP and SSL/TLS.


Clients transmit credentials over HTTP/S to a security interceptor, which then validates the credentials either with Active Directory or with the Oracle database.

The user authentication process is managed by IFS Middleware Server before the call even reaches the IFS Applications backend. All calls from clients pass a security interceptor in the application server before the call reaches the IFS client gateway; thus, all such calls are intercepted and all users are authenticated before the call can continue.

Two authentication schemes are supported: either HTTP Basic authentication, where the user credentials are validated using either Active Directory or the Oracle database, or Negotiate, where Windows Integrated Authentication is used to achieve Single Sign-On.

During the authentication process, the supplied user name and password are verified and the granted application roles are added to the authenticated user.

If the user has been granted the IFSUser role, access to middle-tier Services and Activities is allowed; if not, an exception is returned from the application server (HTTP 401 - Unauthorized).

Hope the information will be helpful.


Hi Fazil,

Thank you very much for the information.

The customer is using Active Directory Synchronization for users and user groups with IFS Applications 9. Will this synchronization also run through LDAPS? It seems that there is no special option in IFS/Solution Manager for how to set up LDAPS.

Best regards,

Jozef

Hi Jozef,


Are those groups in Active Directory as well? If so, once the user is created in AD we can add the user as a member of the group. This way we have to create the user in AD, add the user to the group, and then run the Active Directory Synchronization via the IFS application.

Many thanks,

Fazil


Hi Jozef,

Which UPD version are you on?

The Product Development team has introduced a solution (266373) in APP9 UPD14 to enable LDAPS in AD Synchronization. The default LDAPS port is 636.

Hope this helps.

Best Regards,

Isuru
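Before a DC is switched to enforce LDAP signing and channel binding (the ADV190023 change Jozef asks about), an administrator will want to confirm the DC's current setting, see whether the IFS Middleware Server still binds without signing, and verify that LDAPS on port 636 is reachable with a trusted certificate for the UPD14 AD Synchronization. The script below is an added example, not IFS code or part of this thread; the DC name and the IFS server address are placeholders, and it is meant to be run on a Domain Controller with administrative rights.

```powershell
# Added example; not from the thread or from IFS. Run on a DC as an administrator.
$Dc        = 'DC01.example.local'   # placeholder: a Domain Controller FQDN
$IfsServer = '10.0.0.50'            # placeholder: IP address of the IFS Middleware Server

# 1. Current hardening state, as described in ADV190023.
#    LDAPServerIntegrity: 1 = signing not required, 2 = signing required
#    LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntds -ErrorAction SilentlyContinue
[pscustomobject]@{
    LDAPServerIntegrity       = $p.LDAPServerIntegrity
    LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding
} | Format-List

# 2. Which clients still bind without signing? Event 2887 is a 24-hour summary;
#    event 2889 names each client, but is only logged once LDAP Interface Events
#    diagnostic logging is raised to level 2.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2

# Property layout of event 2889 (client address, account, bind type) is an
# assumption based on the event text; adjust if your DC formats it differently.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ n = 'Client';   e = { $_.Properties[0].Value } },
                  @{ n = 'Account';  e = { $_.Properties[1].Value } },
                  @{ n = 'BindType'; e = { $_.Properties[2].Value } } |
    Where-Object { $_.Client -like "$IfsServer*" } |
    Format-Table -AutoSize

# 3. Is LDAPS (636) reachable and does the DC present a certificate that chains
#    to a root the client trusts? AuthenticateAsClient throws if it does not.
$tcp = New-Object System.Net.Sockets.TcpClient($Dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Dc)
    'LDAPS OK: {0}, issued to {1}, expires {2}' -f $ssl.SslProtocol,
        $ssl.RemoteCertificate.Subject, $ssl.RemoteCertificate.GetExpirationDateString()
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

If step 2 lists the IFS server with unsigned simple binds, switch AD Synchronization to LDAPS (UPD14, port 636) and re-check before setting LDAPServerIntegrity to 2; step 3 should be run from the IFS Middleware Server as well, since that is the host whose trust store must accept the DC certificate.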


Hi Isuru,

Thank you very much!

/Jozef
