AD Authentication hybrid


    AD Authentication hybrid

    Is there a way to use AD for Authentication of Login ID and password ONLY, and then use the Security Framework for Groups and Members? Our AD infrastructure cannot support Groups and Members for over 25K users and 500+ applications across the Enterprise. So I would like to set up the Framework in my app as if it is using SQL, but then add code to the Login form to check AD for UID + Password only.
    Last edited by mcbyte2; 04-13-2017, 01:09 PM. Reason: More info on what I want to do.

    #2
    Re: AD Authentication hybrid

    I did this for a college many years ago. Their IT department wrote a small utility that used their AD to login. That utility kicked out a hash (using MD5(), see below) of the userID (no password) and that hash value was included as a parameter in a URL that opened a special login.a5w page. My SQL-based Users table also had that hash value for each user.

    Hash example:
    ?md5("[email protected]")
    = "b126137bb8fbbff5793e176e8e4b98b6"

    My login.a5w page did NOT have a login dialog. It just had xbasic that grabbed the hash and did a lookup in my Users table to find a matching hash value. If found, I used a5w_login_user() to login the user without using the login dialog. You can find help on that function in Alpha's help document.

    If I were doing this again today, I would add a required expiration parameter to the URL so that it would fail after a few minutes if reused.

    On the Security Framework side the passwords were all the same. So the AD did not have to deliver a password. If you needed unique passwords, you would have to coordinate sync'ing them between AD and Alpha.
    Steve Wood
    See my profile on IADN

    Comment


      #3
      Re: AD Authentication hybrid

      Bruce, is the security framework for your AA applications going to have very many "Web Security Groups?"

      If you have only a handful of security groups then I suppose it is not much of a hassle to pick which groups a user belongs to when adding a new user record and updating the Web Security Members tables. (I'm assuming you will be putting the Alpha Web Security Tables into SQL and not leaving them as .DBF. Otherwise, you may end up needing multiple copies of the DBF files - a copy for each instance of the AA Web Server - and managing those would be tough.)

      But, if you have a lot of Web Security Groups, how are you going to manage assigning groups to each user?

      Comment


        #4
        Re: AD Authentication hybrid

        If you're going to use a5w_login_user, then have a look at the current security stuff in the Context Object... e.g. the method Context.Security.Login()

        http://downloads.alphasoftware.com/a...t/context.html

        Comment


          #5
          Re: AD Authentication hybrid

          Thanks David, for the reminder. I only recently came across the Context... functions, need to update in various places.
          Steve Wood
          See my profile on IADN

          Comment


            #6
            Re: AD Authentication hybrid

            To all responders: THANK YOU! We are now looking at setting up a generic "Authentication Provider" that will work something like this:

            1) Default page of the AA app does a redirect to a common //Login.a5w?AppKey=XXXX page that is used by all our AA apps.
            2) Common //Login.a5w page uses contents of App Key parm to look up two things in SQL table:
            a) If AD check is successful: The URL to start the calling app with, and that URL ends with a standard ?LoginID= parameter
            b) If AD is not successful: URL to tell the user about the login issue. This can be generic for ALL apps ("Please call the Help Desk"), or specific per App Key
            3) //Login.a5w page redirects the user to URL from 2a or 2b
            4) On successful AD check, the AA app now has the Login ID to use as session variable that just needs to match same person's entry in the AA Framework's User table.

            We can then use the Framework to manage Users and Groups on a per-app basis, while ALL apps have a common way to use AD for Authentication ONLY.

            Of course, this approach will ONLY be used for apps that are housed and used INSIDE our network (or accessed via VPN). Not something we would use for apps published on the web.

            And we are also considering Steve's ideas to use an encrypted hash (instead of the ?LoginID=parameter with UserID in plain text), as well as a time limit.

            Thoughts?

            Comment


              #7
              Re: AD Authentication hybrid

              To all Responders - THANKS! You have given me some ideas. We are probably going to build some sort of "AD Authentication" service that can be used by any of our AA applications. This would include a config table that identifies the URLs to use for each AA app: Starting page (for successful AD check) and error page (for unsuccessful AD check). The Auth Service would also put up a standard Login Page (showing the App name from the config database) and append the login ID to the redirect URLs for each app. The Login ID could be a time-limited MD5 hash, rather than clear text (as suggested by Steve). After successful login, the AA apps can use the Security Framework to manage Groups and Members for Authorization as normal. Thoughts?

              Comment
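
The time-limited login parameter discussed in posts #2, #6 and #7, as an added example that is not code from the thread or from Alpha Software, written in Python rather than Xbasic. It swaps the plain MD5 of the user ID for a keyed HMAC-SHA256, because an unkeyed hash of a known login ID can be recomputed by anyone who knows that ID; the function names, claim fields and shared key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(key, login_id, app_key, now=None, ttl=120):
    """Auth service side: call only after the AD check has succeeded."""
    now = time.time() if now is None else now
    claims = {"uid": login_id, "app": app_key,
              "exp": int(now) + ttl,          # expiry, as suggested in post #2
              "jti": secrets.token_hex(8)}    # random ID so a token works once
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def verify_token(key, token, app_key, used, now=None):
    """App side: return the login ID, or None if the token must be rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return None                       # forged or altered
        claims = json.loads(b64d(body))
    except (ValueError, TypeError):
        return None                           # malformed token
    if claims["app"] != app_key or now > claims["exp"]:
        return None                           # wrong app or expired
    if claims["jti"] in used:
        return None                           # replayed
    used.add(claims["jti"])                   # remember until expiry
    return claims["uid"]
```

The receiving app would pass the returned login ID to its normal Security Framework lookup; `used` stands in for whatever shared store the apps use to remember token IDs until they expire.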


                #8
                Re: AD Authentication hybrid

                Good question, Rich! We are just getting started with Alpha, and I have never done anything with the Security Framework because of the "All or nothing" approach to integrating with AD. Is it possible to use the same SQL tables for Security across multiple apps?

                Comment
