
Thread: Lockout user while connected to Active Directory

  1. #1
    Member
    Real Name
    Shane
    Join Date
    Jan 2014
    Posts
    18

    Lockout user while connected to Active Directory

    I am successfully using the Active Directory authentication on my site but am concerned about one major issue. The site is mainly used internally but is available for employees that travel through our website. Since it's open to the web, I'm afraid that if there is a malicious attempt to access the site, it may lock down our Active Directory after too many failed attempts.

    When not using AD as the login source, it's possible to set a maximum attempt value so the user is locked out for a period of time. Is there any way to still enforce this rule while using AD so that Alpha locks the user but AD does not?

    Any help would be appreciated.

  2. #2
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Re: Lockout user while connected to Active Directory

    Normally you set this at the AD domain level.
    http://www.omnisecu.com/windows-2003...out-policy.php explains how to.

    If that is not working for some reason, create a table for websecurity users with a field lock yes/no. I have no clue how AA implements the AD user policy; not tested yet.

  3. #3
    Member
    Real Name
    Shane
    Join Date
    Jan 2014
    Posts
    18

    Re: Lockout user while connected to Active Directory

    Thanks for the reply bea. I know how to set up AD to handle users' login attempts and I really don't want to have to handle the users table inside Alpha because the data would not stay live with AD (in case someone changes their password or a new user is added).

    I see that currently Alpha is set up to allow AD to handle all aspects of the login, which is great normally, but I would like Alpha to block a session after too many failed login attempts while still connected to AD (not allowing AD to shut down a Windows user even though they are locked out of Alpha). How would I go about requesting this be added?

  4. #4
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Re: Lockout user while connected to Active Directory

    If you look at the security settings, there is a field for lockout after x attempts of login failure. You have to test this against AD; I think this setting is standalone and the resulting failures are logged in the log file, or you can write a simple UDF as a replacement.
    BTW, are we talking about internet or intranet users?

  5. #5
    Member
    Real Name
    Shane
    Join Date
    Jan 2014
    Posts
    18

    Re: Lockout user while connected to Active Directory

    The setting that allows you to choose lockout options is no longer available once you enable security via AD. Most users will be intranet but the reason I want this change is so those same users can access via internet. If I open to the internet with current AD settings, a simple brute force attack could lock out every user in the company.
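
Added example, not part of any post in this thread and not Alpha Anywhere code: the application-side lockout asked for above, written in Python as a gate in front of the AD bind that stops forwarding attempts once a username reaches a limit set below the domain lockout threshold. `PreAuthThrottle`, `FakeDirectory`, the thresholds and the sample address are assumptions made for illustration, and the throttle window is assumed to be at least as long as the domain's lockout counter reset interval.

```python
import time
from collections import defaultdict, deque

class PreAuthThrottle:
    """Refuses logins locally before AD's lockout threshold can be reached."""
    def __init__(self, ad_bind, ad_threshold, margin=2, window=1800,
                 ip_limit=20, clock=time.monotonic):
        if not 1 <= margin < ad_threshold:
            raise ValueError("margin must be in 1..ad_threshold-1")
        self.ad_bind, self.clock = ad_bind, clock
        self.user_limit = ad_threshold - margin  # stay below the AD policy
        self.window, self.ip_limit = window, ip_limit
        self.by_user, self.by_ip = defaultdict(deque), defaultdict(deque)

    def _recent(self, q, now):
        while q and now - q[0] >= self.window:  # drop expired failures
            q.popleft()
        return len(q)

    def login(self, username, password, source_ip):
        now, user = self.clock(), username.strip().lower()
        if self._recent(self.by_user[user], now) >= self.user_limit:
            return "blocked_user"  # AD is never contacted
        if self._recent(self.by_ip[source_ip], now) >= self.ip_limit:
            return "blocked_ip"    # slows guessing across many usernames
        if self.ad_bind(user, password):
            self.by_user.pop(user, None)  # AD also resets its count on success
            return "ok"
        self.by_user[user].append(now)
        self.by_ip[source_ip].append(now)
        return "denied"

class FakeDirectory:
    """Constructed stand-in for AD: locks after `threshold` bad binds."""
    def __init__(self, users, threshold):
        self.users, self.threshold = users, threshold
        self.bad, self.binds = defaultdict(int), 0
    def locked(self, user):
        return self.bad[user] >= self.threshold
    def bind(self, user, password):
        self.binds += 1
        ok = not self.locked(user) and self.users.get(user) == password
        self.bad[user] = 0 if ok else self.bad[user] + 1
        return ok

def demo():  # constructed input: ten wrong guesses for one account
    ad, now = FakeDirectory({"shane": "correct-horse"}, threshold=5), [0.0]
    gate = PreAuthThrottle(ad.bind, ad_threshold=5, clock=lambda: now[0])
    results = [gate.login("Shane", "guess%d" % i, "203.0.113.7") for i in range(10)]
    return results, ad.binds, ad.locked("shane")
```

The three non-ok results should produce the same message to the client; only the server-side log needs the distinction.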

  6. #6
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Re: Lockout user while connected to Active Directory

    Create two instances, one on an external IP, the other on the local network. You can filter the IP it is coming from in the WAS setting [bound to IP]; the rest depends on your hardware infrastructure.

  7. #7
    Member
    Real Name
    Shane
    Join Date
    Jan 2014
    Posts
    18

    Re: Lockout user while connected to Active Directory

    Quote, originally posted by bea2701:
    "Create two instances, one on an external IP, the other on the local network. You can filter the IP it is coming from in the WAS setting [bound to IP]; the rest depends on your hardware infrastructure."

    Create two instances? Do you mean 2 separate application servers? Also, if I am filtering dedicated IPs, wouldn't that mean my users would always have to access from a static IP address?

    Thanks for your help.

  8. #8
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Re: Lockout user while connected to Active Directory

    If you have one WAS license, up to 4 cores on one machine is what you can run. Configure one instance for internal use, for NAT with AD behind the firewall; for the second, bind the WAS instance to an external IP on the machine [outside world].
    You can trace and filter on IP, but that is not 100% successful and is impossible for mobile devices. Binding the instance to an IP/NIC means it will not listen to other traffic; it works perfectly to split your internal and external users. For external, use the normal WAS security settings. Create 2 instances = 2 application servers = yes.

  9. #9
    Member
    Real Name
    Josh Cole
    Join Date
    Jun 2012
    Posts
    678

    Re: Lockout user while connected to Active Directory

    Does Alpha with the AD integration provide the ability to use AD security groups in Alpha to control access to pages/components/elements?

  10. #10
    Member
    Real Name
    Shane
    Join Date
    Jan 2014
    Posts
    18

    Re: Lockout user while connected to Active Directory

    Quote, originally posted by coleresources:
    "Does Alpha with the AD integration provide the ability to use AD security groups in Alpha to control access to pages/components/elements?"

    Yes. You can import your current AD user groups once you've connected to the server. Then you have the option to allow access via the normal security groups options in components.
