Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Blue Prism to Active Directory Connectivity on Secure port (636)

NagarjunaAtukur
Level 4
‎24-01-20 05:30 AM
Status: Not Planned
Blue Prism does not specify a port on the request to the Active Directory server, so it utilizes the default port for the LDAP protocol (389).

A recent security finding has identified that applications connecting to Windows Active Directory LDAP over a non-secure port 389 are vulnerable to attacks. To mitigate and completely resolve the security finding  prior to the  mandatory Microsoft Security  Patch  due  in March 2020.

In E1/E2/E3 the requests to lDAP on port 389 will be nullified after Patch in March.

Application teams will need to modify their connections to a secure LDAP using port 636

This is time-sensitive matter and would like to expedite a resolution, Please support this idea.

Thanks,
Nagarjuna Atukuri
6 Comments
Anonymous
Not applicable
‎24-01-20 08:36 AM
‎24-01-20 08:36 AM
Yes, the resolution for this this should be given asap.
0 Likes
ThomasZihlmann
Level 2
‎15-04-20 12:35 PM
‎15-04-20 12:35 PM
Also looking forward to get this solved. We will move to LDAPS asap
0 Likes
crjohns
Staff
Staff
‎27-04-21 04:02 PM
‎27-04-21 04:02 PM
Hello Nagarjuna,  

Blue Prism performed some testing with regards to this patch on the following functional areas:
  • Login Interactive Client/Runtime Resource/AutomateC
  • Authentication Exposed Web Service request via SSO Auth
  • Authenticating TELNET via SSO Auth
  • Active Directory Group Searcher
  • Generate Role Report
  • View User's Group membership form
  • User Roles - assign a group to a user
In Conclusion, the testing found that connectivity between Blue Prism and the active directory has not been impacted when comparing the behaviour pre-patch and post-patch. This behaviour can be characterised by no connectivity issue where Kerberos is enabled and connection timeouts occurring when NTLM fallback is evoked.

Please do reach out to support if there are issues you have experienced with this patch.

Additionally, there is the ability to configure the LDAP port in version 7.0 which will be available soon.

Best Regards,

Christopher "CJ" Johns

Senior Product Consultant - Professional Services, Americas

 www.blueprism.com

0 Likes
BrentGeesaman
Level 3
‎26-10-21 08:05 PM
‎26-10-21 08:05 PM
Hello, are there any updates regarding ldaps within Blue Prism?  Is the Authentication Gateway the only secure authentication method ​?
0 Likes
EliSearle
Level 1
‎14-09-22 08:01 PM
‎14-09-22 08:01 PM
Any update?  I'm on 7.1 and don't see any option for specifying the LDAP port. This will definitely be brought up by our auditing firm.
0 Likes
robert.nicklin
Staff
Staff
‎28-11-22 10:43 AM
‎28-11-22 10:43 AM
Hello,

I believe that the original post is referring to a security directive that was issued by Microsoft several years ago stating that they intended to turn off simple binds to the non-secure LDAP port, i.e. port 389. This announcement resulted in a lot of organizations planning to turn off this port and requesting that vendors instead support secure LDAP by allowing them to switch port to 636. This is, in our opinion, a misinterpretation of the security directive.

Although Blue Prism connects via the 389 port, we are not performing a simple bind. Instead, the underlying framework we use implements GSSAPI, which is where the agent encrypts its payload using a Kerberos session-key before sending over the wire to Active Directory.

Microsoft will not deprecate the "Insecure" port as the "secure" port has additional overhead and complexity and by using GSSAPI you are able to mitigate the threat.

Our internal teams performed extensive testing at the time this security directive came out to validate that the MS security patch that prevented simple binds to port 389 would not affect us. And through this testing, a decision was made that we would not need to include future enhancements to allow the configuration of LDAP port used by either the Blue Prism Enterprise or Authentication Server products.

As a result of this, I'm adjusting the idea status to "Not planned" - I apologize for any inconvenience or confusion caused.​

Regards,
Rob
0 Likes