NagarjunaAtukur
Level 4
Status: Not Planned
Blue Prism does not specify a port on the request to the Active Directory server, so it utilizes the default port for the LDAP protocol (389).

A recent security finding has identified that applications connecting to Windows Active Directory LDAP over a non-secure port 389 are vulnerable to attacks. To mitigate and completely resolve the security finding prior to the mandatory Microsoft Security Patch due in March 2020.

In E1/E2/E3 the requests to LDAP on port 389 will be nullified after the patch in March.

Application teams will need to modify their connections to secure LDAP using port 636.

This is a time-sensitive matter and we would like to expedite a resolution. Please support this idea.

Thanks,
Nagarjuna Atukuri
8 Comments
Anonymous
Not applicable
Yes, the resolution for this should be given asap.
ThomasZihlmann
Level 2
Also looking forward to getting this solved. We will move to LDAPS asap.
crjohns
Staff
Hello Nagarjuna,

Blue Prism performed some testing with regards to this patch on the following functional areas:
  • Login Interactive Client/Runtime Resource/AutomateC
  • Authentication Exposed Web Service request via SSO Auth
  • Authenticating TELNET via SSO Auth
  • Active Directory Group Searcher
  • Generate Role Report
  • View User's Group membership form
  • User Roles - assign a group to a user
In conclusion, the testing found that connectivity between Blue Prism and the Active Directory has not been impacted when comparing the behaviour pre-patch and post-patch. This behaviour can be characterised by no connectivity issue where Kerberos is enabled and connection timeouts occurring when NTLM fallback is invoked.

Please do reach out to support if there are issues you have experienced with this patch.

Additionally, there is the ability to configure the LDAP port in version 7.0 which will be available soon.

Best Regards,

Christopher "CJ" Johns

Senior Product Consultant - Professional Services, Americas

www.blueprism.com

BrentGeesaman
Level 3
Hello, are there any updates regarding LDAPS within Blue Prism? Is the Authentication Gateway the only secure authentication method?
esearleffsb
Level 2
Any update?  I'm on 7.1 and don't see any option for specifying the LDAP port. This will definitely be brought up by our auditing firm.
Hello,

I believe that the original post is referring to a security directive that was issued by Microsoft several years ago stating that they intended to turn off simple binds to the non-secure LDAP port, i.e. port 389. This announcement resulted in a lot of organizations planning to turn off this port and requesting that vendors instead support secure LDAP by allowing them to switch port to 636. This is, in our opinion, a misinterpretation of the security directive.

Although Blue Prism connects via the 389 port, we are not performing a simple bind. Instead, the underlying framework we use implements GSSAPI, which is where the agent encrypts its payload using a Kerberos session-key before sending over the wire to Active Directory.

Microsoft will not deprecate the "Insecure" port as the "secure" port has additional overhead and complexity and by using GSSAPI you are able to mitigate the threat.

Our internal teams performed extensive testing at the time this security directive came out to validate that the MS security patch that prevented simple binds to port 389 would not affect us. And through this testing, a decision was made that we would not need to include future enhancements to allow the configuration of LDAP port used by either the Blue Prism Enterprise or Authentication Server products.

As a result of this, I'm adjusting the idea status to "Not planned" - I apologize for any inconvenience or confusion caused.

Regards,
Rob
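The distinction Rob draws above, a simple bind versus a SASL bind carrying a GSSAPI token, is visible in the LDAP BindRequest itself, so a defender reviewing captured port-389 traffic can tell the two apart without decrypting anything. The following is an added example written for this thread, not Blue Prism's or Microsoft's code: it builds three placeholder BindRequest messages (the DN, password and token bytes are constructed and carry no real credentials) and decodes the AuthenticationChoice to report whether the bind would put a password on the wire. It also shows the caveat behind esearleffsb's later question: a SASL bind using the GSS-SPNEGO mechanism only tells you that Kerberos or NTLM was negotiated, not which one; that would require decoding the SPNEGO token, which this example deliberately does not do.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example (not Blue Prism or Microsoft code). Builds constructed LDAP
# BindRequest messages and classifies them: a "simple" bind carries the
# password itself in the message, while a SASL bind carries a mechanism name
# (GSSAPI, GSS-SPNEGO) plus an opaque security token instead of a password.

# ---- minimal BER helpers (enough for an LDAP BindRequest) ----
def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# ---- encoder side, used only to build the constructed samples ----
def build_bind_request(msg_id: int, name: str, auth: bytes) -> bytes:
    # LDAPMessage  ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest }
    # BindRequest  ::= [APPLICATION 0] SEQUENCE { version INTEGER, name LDAPDN, authentication }
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, name.encode()) + auth)
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def simple_auth(password: str) -> bytes:
    return tlv(0x80, password.encode())                                  # [0] simple OCTET STRING

def sasl_auth(mechanism: str, token: bytes) -> bytes:
    return tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, token))   # [3] SaslCredentials

# Constructed samples: DN, password and token bytes are placeholders, not real data.
SIMPLE_BIND = build_bind_request(1, "CN=svc-bp,OU=Service,DC=corp,DC=example",
                                 simple_auth("placeholder-password"))
GSSAPI_BIND = build_bind_request(2, "", sasl_auth("GSSAPI", b"\x60" + b"\x00" * 199))
SPNEGO_BIND = build_bind_request(3, "", sasl_auth("GSS-SPNEGO", b"\x60" + b"\x00" * 40))

# ---- decoder side ----
@dataclass
class BindInfo:
    message_id: int
    name: str
    method: str               # "simple" or "sasl"
    mechanism: Optional[str]  # SASL mechanism name; None for simple binds

def parse_bind_request(msg: bytes) -> BindInfo:
    tag, ldap_msg, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(ldap_msg, 0)
    tag, bind, _ = read_tlv(ldap_msg, pos)
    if tag != 0x60:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    if version != b"\x03":
        raise ValueError("unexpected LDAP version")
    _, name, pos = read_tlv(bind, pos)
    auth_tag, auth, _ = read_tlv(bind, pos)
    message_id = int.from_bytes(mid, "big")
    if auth_tag == 0x80:
        return BindInfo(message_id, name.decode(), "simple", None)
    if auth_tag == 0xA3:
        _, mech, _ = read_tlv(auth, 0)   # SaslCredentials starts with the mechanism LDAPString
        return BindInfo(message_id, name.decode(), "sasl", mech.decode())
    raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")

def exposes_password_on_wire(msg: bytes) -> bool:
    """True for a simple bind: on plain port 389 without TLS the password travels in clear."""
    return parse_bind_request(msg).method == "simple"

if __name__ == "__main__":
    for sample in (SIMPLE_BIND, GSSAPI_BIND, SPNEGO_BIND):
        info = parse_bind_request(sample)
        print(f"msg {info.message_id}: {info.method:6} mechanism={info.mechanism} "
              f"cleartext_password={exposes_password_on_wire(sample)}")
```

The classifier looks only at the bind, not at the transport: a simple bind sent over LDAPS on 636 (or after StartTLS) is not cleartext on the wire, so when checking a real capture the port and TLS state need to be considered alongside the result. Conversely, a SASL/GSSAPI bind on 389 is what Rob describes, with the credential material inside the token rather than in the message.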
esearleffsb
Level 2

@robert.nicklin 

In testing we are finding that when authenticating LDAP using GSSAPI it is falling back to NTLM authentication and not using Kerberos.

We are working to remove NTLM completely. We are using SSO and have Kerberos working and have the correct SPN for the service account the Blue Prism Server service is running as.

We have NTLM outbound blocked and we see

[attached screenshot: esearleffsb_1-1727973451757.png]
Can you confirm this behavior?

Hi @esearleffsb,

I'm afraid your question goes beyond my level of technical expertise and I believe continued conversation in the thread of this idea would be impractical anyway!

I think the best thing to do would be to raise a support ticket with the appropriate context included and this question, as support engineers will have the ability to help with troubleshooting and, if an issue exists, raise this to the right experts internally to respond to/confirm if there is a problem or unexpected behaviour at play here.

Regards,

Rob