Hi Guys,
So we struggled this week to set up LDAP for our 2FA environment. It is running perfectly now in QA, but we noticed that on the Prognosis Windows Client, if the user is not found or LDAP fails, the authentication falls back to AD authentication.
What setting can we change to prevent the fallback, because the auditors are going to audit the process?
Thanks
Leon
Solved! Go to Solution.
@Leon_pelser I have not received any answer internally on how to disable this LDAP fallback. Can you please raise a case and RFE if necessary to get this setting, as it makes sense we would have this setting.
Is this happening in just IRGUI or is it happening in the WebUI as well?
Can you also state here which two factor authentication (2FA) system you are using that you are seeing this behaviour with?
Are you prefixing them with the domain?
Can you confirm which of the following scenarios is what is happening?
A) "Say User user1 is utilized to login successfully (who is in LDAP but domain is not specified) as they exist in LDAP.. but if user user2 does not exist in LDAP (and domain is not specified) that it looks them up on AD as a fallback and they can successfully login?"
B) "Say User LDAP\user1 is utilized to login successfully (who is in LDAP) as they exist in LDAP.. but if user LDAP\user2 does not exist in LDAP that it looks them up on AD as a fallback and they can successfully login even though you specified the LDAP domain?"
C) "Say User LDAP\user1 is utilized to login successfully (who is in LDAP) as they exist in LDAP.. but if user AD\user2 does not exist in LDAP, it bypasses the LDAP configuration in the background and lets a user utilize the AD domain?"
Thanks
Christopher
Hi Christopher,
In the GUI help search for LDAP it states:
LDAP Authentication can be configured for use by both the Prognosis Web application and Windows Client, or the Windows Client only. It is not possible to configure it solely for the Web Application.
With the Prognosis Windows Client, once enabled, if a user is not found within LDAP or LDAP fails, the authentication will fall back to the native OS authentication. This does not apply to the Web Application.
I just need to know how to prevent the fallback on the GUI. Everything is working on GUI and WEB. It authenticates and works, but we need to know how to prevent the fallback?
Thanks
Leon
@Leon_pelser I will need to do some research on whether this is even possible, as I don't immediately see it jumping out in the documentation I have available to me. I will make some internal inquiries, but this may unfortunately require a case if I don't immediately find an answer or find there is no way to disable it.
@Leon_pelser wrote:if a user is not found within LDAP or LDAP fails, the authentication will fall back to the native OS authentication. This does not apply to the Web Application.
I just need to know how to prevent the fallback on the GUI. Everything is working on GUI and WEB. It authenticates and works, but we need to know how to prevent the fallback?
Thanks
Leon
Immediately, something you can try as a workaround to prevent fallback is utilizing the ALLOWEDGROUP parameter in PRGNINI.ini and only having it contain LDAP groups. Our documentation says it is "AD" groups, but I believe it should work for LDAP groups as well.
[Security]
AllowedGroup=<domain>\<group>,<domain>\<group>,...
Let me know if the "ALLOWEDGROUP" parameter helps and results in the expected behavior while I continue to look into preventing fallback in the first place.
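Not part of the thread: an added Python check, written here as an example, that parses the [Security] AllowedGroup line from a PRGNINI.ini in the <domain>\<group> form shown above and reports what an auditor would want to know: the setting missing (fallback unrestricted), a malformed entry, or an entry that still admits a non-LDAP domain. The sample INI text and the domain name "LDAP" are constructed for the example.

```python
import configparser
from typing import List, Tuple

# Constructed sample of a PRGNINI.ini [Security] section (not a real customer file).
# One entry names the LDAP domain, one names the AD domain that should not be allowed.
SAMPLE_INI = """
[Security]
AllowedGroup=LDAP\\prognosis-users,AD\\Domain Users
"""


def parse_allowed_groups(ini_text: str) -> List[Tuple[str, str]]:
    """Return (domain, group) pairs from [Security] AllowedGroup, or [] if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    raw = cp.get("Security", "AllowedGroup", fallback="").strip()
    if not raw:
        return []
    pairs: List[Tuple[str, str]] = []
    for entry in raw.split(","):
        entry = entry.strip()
        if not entry:
            continue
        domain, sep, group = entry.partition("\\")
        if not sep or not domain or not group:
            # No <domain>\<group> shape: keep it visible rather than silently dropping it
            pairs.append(("", entry))
        else:
            pairs.append((domain, group))
    return pairs


def audit_allowed_groups(ini_text: str, ldap_domain: str) -> List[str]:
    """Findings for an auditor: missing setting, malformed entries, or non-LDAP domains."""
    findings: List[str] = []
    pairs = parse_allowed_groups(ini_text)
    if not pairs:
        findings.append("AllowedGroup is missing or empty: fallback to OS/AD authentication is unrestricted")
        return findings
    for domain, group in pairs:
        if not domain:
            findings.append(f"malformed AllowedGroup entry: {group!r}")
        elif domain.lower() != ldap_domain.lower():
            findings.append(f"non-LDAP domain in AllowedGroup: {domain}\\{group}")
    return findings


if __name__ == "__main__":
    for finding in audit_allowed_groups(SAMPLE_INI, "LDAP"):
        print(finding)
```

The check only tells you what the file permits; whether AllowedGroup actually blocks the OS fallback is, as the reply above says, unconfirmed and should be verified by testing a user that exists only in AD.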