Sven,

I know that customers have set this up before. Here are some old notes that I found which may point you in the right direction. NOTE - I have never done this myself so I can't be of much help beyond pointing out this starting point:
Implementation Outline:
1. Configure CSP to accept IIS's authentication headers and pass them to Caché.
2. Set up delegated authentication to use the existing security model to assign $username and $roles based on the user's domain account name and/or domain groups. (Implement ZAUTHENTICATE.MAC.)
3. Enable delegated authentication for any desired services and CSP applications -- in this case the System Management Portal.
· Configuration (e.g. CSP application definition)
· Login page logic decides, based on the Gateway Service User, whether to trust the REMOTE_USER HTTP header or to prompt for username/password (other fields such as PIN are also an option).
HTH,
Ben
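Steps 2 and 3 of the outline above hinge on one routine. The following is an added example of a ZAUTHENTICATE.MAC, not code from the thread or from InterSystems: it uses the documented delegated-authentication entry point, trusts REMOTE_USER only when the request arrived from a listed gateway host and names the account the login presented, and maps the account to roles with a deny-by-default table. The gateway addresses, the account-to-role map, and the assumption that %request (and its CgiEnvs) is populated when a CSP login runs are placeholders to check against your own version and site.

```objectscript
#include %occStatus
#include %occErrors
 ; Added example ZAUTHENTICATE routine (not the thread's own code).
 ; Assumptions: %request is available during a CSP login, IIS authenticates the
 ; browser and forwards REMOTE_USER, and the lists below are site placeholders.
ZAUTHENTICATE(ServiceName,Namespace,Username,Password,Credentials,Properties) PUBLIC {
    ; Only the IIS/CSP Gateway hosts may vouch for a REMOTE_USER (assumed addresses).
    Set trustedGateways = ",10.0.0.5,10.0.0.6,"
    ; Domain account (upper-cased) -> Caché roles (assumed mapping). No entry means deny.
    Set roleMap("CORP\ALICE") = "%Developer"
    Set roleMap("CORP\OPS-ADMIN") = "%Manager,%Operator"

    Set remoteUser = "", remoteAddr = ""
    If $IsObject($Get(%request)) {
        Set remoteUser = $Get(%request.CgiEnvs("REMOTE_USER"))
        Set remoteAddr = $Get(%request.CgiEnvs("REMOTE_ADDR"))
    }

    ; Header path: REMOTE_USER is trusted only when the request came through a
    ; trusted gateway and names the same account the login presented. A client
    ; that sets the header itself, or reaches Caché by another path, gets nothing.
    If (remoteUser '= "") && (trustedGateways [ (","_remoteAddr_",")) && ($ZConvert(remoteUser,"U") = $ZConvert(Username,"U")) {
        Set roles = $Get(roleMap($ZConvert(remoteUser,"U")))
        If roles = "" Quit $SYSTEM.Status.Error($$$AccessDenied)
        Set Properties("Roles") = roles
        Set Properties("FullName") = remoteUser
        Set Properties("Comment") = "Delegated via IIS REMOTE_USER from "_remoteAddr
        Quit $$$OK
    }

    ; Prompt path: no trusted header, so a password check against the site's own
    ; directory (for example an LDAP bind) belongs here. The example denies rather
    ; than silently accept whatever the form sent.
    Quit $SYSTEM.Status.Error($$$AccessDenied)
}
```

The two checks on the header path are the security-relevant part: without the source-address test, any client that can reach the CSP port directly could send its own REMOTE_USER; without the username comparison, a forwarded header could be bound to a different account than the one the login page collected. The role table is intentionally deny-by-default so an unmapped domain account authenticates to nothing.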
Sven,
which direction are you talking about?
incoming - clients coming into Caché providing credentials that need to be authenticated against Active Directory
outgoing - Caché/Ensemble needs to authenticate against a third party service and needs to provide credentials that can be authenticated against Active Directory
Oren
Thank you all for your answers.
@Oren:
I want to call Exchange Web Services (EWS) from Caché. The authentication there is NTLM. So this is outgoing.
Sven
You can click the "Add new comment" label under the post you want to reply to.
@Sven,
Caché does not support outgoing NTLM authentication; EWS will have to be configured to allow Basic authentication, which in turn allows Caché to provide a username/password from that domain.
The connection can be made more secure by requiring TLS prior to transmission or requiring client certificate authorization.
Oren
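What the outgoing call looks like in practice, as an added example that is not part of the thread and not InterSystems' own code: a %Net.HttpRequest that sends Basic credentials to the EWS endpoint only over TLS, with server-identity checking on, and that turns a 401 into a hint that Basic auth may still be disabled on the virtual directory. The SSL/TLS configuration name "EWS-TLS", the class and method names, and the server, account and password values are assumptions; the SSLCheckServerIdentity property is available in recent versions and should be confirmed for yours.

```objectscript
/// Added example (not from the thread): call EWS from Caché with HTTP Basic
/// authentication over TLS. Assumes an SSL/TLS configuration named "EWS-TLS"
/// exists in the Management Portal and that Basic auth is enabled on the
/// /EWS virtual directory. Server, user and password are placeholders.
Class Demo.EWSClient Extends %RegisteredObject
{

/// Fetch the Inbox folder with an EWS GetFolder request. Returns an error status
/// instead of sending credentials when no TLS configuration is supplied.
ClassMethod GetInbox(server As %String, domainUser As %String, password As %String, Output response As %Net.HttpResponse, sslConfig As %String = "EWS-TLS") As %Status
{
    Set response = ""
    // Basic auth only base64-encodes the password, so refuse to run in the clear.
    If sslConfig = "" Quit $$$ERROR($$$GeneralError, "Refusing to send Basic credentials without a TLS configuration")

    Set req = ##class(%Net.HttpRequest).%New()
    Set req.Server = server                    // e.g. "mail.corp.example" (placeholder)
    Set req.Port = 443
    Set req.Https = 1
    Set req.SSLConfiguration = sslConfig       // TLS settings defined in the portal (assumed name)
    Set req.SSLCheckServerIdentity = 1         // reject a certificate that does not match the host name
    Set req.Username = domainUser              // e.g. "CORP\svc_cache"; Caché builds the Authorization: Basic header
    Set req.Password = password
    Set req.ContentType = "text/xml; charset=utf-8"

    // Minimal EWS GetFolder request for the distinguished "inbox" folder.
    Do req.EntityBody.Write("<?xml version=""1.0"" encoding=""utf-8""?>")
    Do req.EntityBody.Write("<soap:Envelope xmlns:soap=""http://schemas.xmlsoap.org/soap/envelope/""")
    Do req.EntityBody.Write(" xmlns:t=""http://schemas.microsoft.com/exchange/services/2006/types""")
    Do req.EntityBody.Write(" xmlns:m=""http://schemas.microsoft.com/exchange/services/2006/messages"">")
    Do req.EntityBody.Write("<soap:Header><t:RequestServerVersion Version=""Exchange2010_SP2""/></soap:Header>")
    Do req.EntityBody.Write("<soap:Body><m:GetFolder>")
    Do req.EntityBody.Write("<m:FolderShape><t:BaseShape>Default</t:BaseShape></m:FolderShape>")
    Do req.EntityBody.Write("<m:FolderIds><t:DistinguishedFolderId Id=""inbox""/></m:FolderIds>")
    Do req.EntityBody.Write("</m:GetFolder></soap:Body></soap:Envelope>")

    Set sc = req.Post("/EWS/Exchange.asmx")
    If $$$ISERR(sc) Quit sc
    Set response = req.HttpResponse
    // 401 here usually means the virtual directory still only offers NTLM/Negotiate.
    If response.StatusCode = 401 Quit $$$ERROR($$$GeneralError, "EWS rejected the credentials: is Basic authentication enabled on /EWS?")
    If response.StatusCode '= 200 Quit $$$ERROR($$$GeneralError, "EWS returned HTTP "_response.StatusCode)
    Quit $$$OK
}

}
```

Usage: `Set sc = ##class(Demo.EWSClient).GetInbox("mail.corp.example", "CORP\svc_cache", pw, .resp)` and then read `resp.Data` on success. The guard on sslConfig exists because %Net.HttpRequest will happily send the Basic header over plain HTTP; with a dedicated service account in the domain, keeping that account least-privileged (mailbox access only) limits what a leaked password is worth.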