Discussion (5)0
Log in or sign up to continue
Ben Spead · Mar 31, 2017

Sven,

I know that customers have set this up before.  Here are some old notes that I found which may point you in the right direction.  NOTE - I have never done this myself so I con't be of much help beyond pointing out this starting point:

Implementation Outline:
1. Configure CSP to accept IIS's authentication headers and pass them to Caché

2. Set up delegated authentication to use existing security model to assign $username and $roles 
based on the user's domain accountname and/or domain groups. (Implement ZAUTHENTICATE.MAC)

3. Enable delegated authentication for any desired services and CSP applications -- in this case 
the system management portal.
·  Configuration (e.g. CSP application definition)
·  Login Page Logic decides based on Gateway Service User, whether to trust REMOTE_USER HTTP 
header, or to prompt for username/password (other fields such as PIN are also an option).

HTH,

Ben

0 0
Oren Wolf · Apr 3, 2017

Sven,

which direction are you talking about?

incoming - clients coming into Caché providing credentials that need to be authenticated against Active Directory

outgoing - Caché/Ensemble needs to authenticate against a third party service and needs to provide credentials that can be authenticated against Active Directory

Oren

0 0
Oren Wolf · Apr 13, 2017

@Sven,

Caché does not support outgoing NTLM authentication, EWS will have to be configured to allow basic authentication which in turn allows Caché to provide a username/password from that domain.

The connection can be made more secure by requiring TLS prior to transmission or requiring client certificate authorization.

Oren

0 0