
LDAP and 2FA

Hi Guys, 

So we struggled this week to set up LDAP for our 2FA environment. It is running perfectly now in QA, but we noticed that on the Prognosis Windows Client, if the user is not found or LDAP fails, the authentication falls back to AD authentication.

 

What setting can we change to prevent the fallback, because the auditors are going to audit the process?

 

Thanks

 

Leon


Re: LDAP and 2FA

@Leon_pelser 

Is this happening in just IRGUI or is it happening in the WebUI as well? 

Can you also state here which two factor authentication (2FA) system you are using that you are seeing this behaviour with?

Are you prefixing them with the domain?

 

Can you confirm which of the following scenarios is what is happening?

A) "Say user user1 logs in successfully (who is in LDAP but the domain is not specified) as they exist in LDAP, but if user user2 does not exist in LDAP (and the domain is not specified), it looks them up in AD as a fallback and they can successfully log in?"

B) "Say user LDAP\user1 logs in successfully (who is in LDAP) as they exist in LDAP, but if user LDAP\user2 does not exist in LDAP, it looks them up in AD as a fallback and they can successfully log in even though you specified the LDAP domain?"

C) "Say user LDAP\user1 logs in successfully (who is in LDAP) as they exist in LDAP, but user AD\user2 does not exist in LDAP and bypasses the LDAP configuration in the background, letting the user utilize the AD domain?"

 

Thanks

Christopher


If my answer helped you today, please be sure to mark the resolved button to assist others.

Christopher R Souser - Payments and Infrastructure Consultant – MSci. PA, CISSP, ITIL.

Re: LDAP and 2FA

Hi Christopher,

 

In the GUI help, searching for LDAP, it states:

 

LDAP Authentication can be configured for use by both the Prognosis Web application and Windows Client, or the Windows Client only. It is not possible to configure it solely for the Web Application.

With the Prognosis Windows Client, once enabled, if a user is not found within LDAP or LDAP fails, the authentication will fall back to the native OS authentication. This does not apply to the Web Application.

 

I just need to know how to prevent the fallback in the GUI. Everything is working in the GUI and the Web. It authenticates and works, but we need to know how to prevent the fallback.

 

Thanks

Leon

Re: LDAP and 2FA

@Leon_pelser I will need to do some research on whether this is even possible, as I don't immediately see it jumping out in the documentation I have available to me. I will make some internal inquiries, but this may unfortunately require a case if I don't immediately find an answer or find there is no way to disable it.


Re: LDAP and 2FA

@Leon_pelser 

Something you can try immediately as a workaround to prevent fallback is utilizing the ALLOWEDGROUP parameter in PRGNINI.ini and only having it contain LDAP groups. Our documentation says it is "AD" groups, but I believe it should work for LDAP groups as well.

[Security]

AllowedGroup=<domain>\<group>,<domain>\<group>,...

 

Let me know if the "ALLOWEDGROUP" parameter helps and results in the expected behavior while I continue to look into preventing fallback in the first place.


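Added example, not code from the original thread or from the Prognosis product: a small Python check that parses the [Security] section of a PRGNINI.ini-style file and flags any AllowedGroup entry whose domain prefix is not one of the domains you expect to be LDAP-backed. It is the sort of repeatable evidence the auditors mentioned above would want when the workaround is the only thing keeping AD-fallback users out of the client. The INI syntax follows the documented form AllowedGroup=<domain>\<group>,<domain>\<group>,...; the domain names LDAP and CORP, the group names, and the sample file contents are constructed for the example.

```python
"""Audit check for the AllowedGroup workaround: every allowed group must
belong to an LDAP-backed domain, otherwise a native-AD user could still get
in through the client's fallback authentication.

This is example code, not part of Prognosis. Domain and group names below
are assumptions chosen for illustration.
"""
import configparser

# Constructed sample, not a real customer file. "LDAP" is assumed to be the
# domain prefix users type for the LDAP/2FA-backed domain; "CORP" stands in
# for the native AD domain that fallback would silently accept.
SAMPLE_INI = """
[Security]
AllowedGroup=LDAP\\PrognosisOperators,LDAP\\PrognosisAdmins,CORP\\Domain Users
"""


def parse_allowed_groups(ini_text: str) -> list[tuple[str, str]]:
    """Return (domain, group) pairs from the AllowedGroup setting.

    Entries without a backslash come back with an empty domain so the
    caller can flag them as unqualified.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get("Security", "AllowedGroup", fallback="")
    pairs = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "\\" not in entry:
            pairs.append(("", entry))
            continue
        domain, group = entry.split("\\", 1)
        pairs.append((domain.strip(), group.strip()))
    return pairs


def audit_allowed_groups(ini_text: str, ldap_domains: set[str]) -> list[str]:
    """Return a list of findings; an empty list means every allowed group
    is qualified with one of the LDAP-backed domains."""
    findings = []
    pairs = parse_allowed_groups(ini_text)
    if not pairs:
        findings.append(
            "AllowedGroup is empty or missing: no group restriction is applied"
        )
    expected = {d.upper() for d in ldap_domains}
    for domain, group in pairs:
        if not domain:
            findings.append(f"unqualified group '{group}': domain prefix is missing")
        elif domain.upper() not in expected:
            findings.append(
                f"group '{domain}\\{group}' is outside the LDAP domains "
                f"{sorted(ldap_domains)}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_allowed_groups(SAMPLE_INI, {"LDAP"}):
        print("FINDING:", finding)
```

Run it against the real PRGNINI.ini on each client and keep the output with the change record; a non-empty finding list means a group from the native AD domain is still allowed, and an empty or missing AllowedGroup means the workaround is not in effect at all.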

Re: LDAP and 2FA

@Leon_pelser I have not received any answer internally on how to disable this LDAP fallback. Can you please raise a case, and an RFE if necessary, to get this setting, as it makes sense that we would have this setting.
