Critical Issue - Platform 9.1.601.0 - AD authentication


Hi everyone,

I thought this issue had been solved with 9.1.601.0 - this issue was first introduced in version 9.1.600.0, which was then removed from availability because of some critical issues.

Going straight to the point: the issue is in a new entity, 'UsersAuthenticatedExternally', that exists in 'ADAuthProvider' from the system components. That entity has an identifier which is not AutoNumber:


That new entity is being used in the OSPlatformAuthentication WS, within the method 'User_AuthenticateWithCredentials':

Only the UserName is being set, and as such any new record will always try to insert a '0' identifier. The error message is:

I have submitted feedback from the error logs, so you have all the details associated with the above description.


The consequence was that only one user was able to log in to Service Center, Service Studio, etc. - whoever got their UserName first into that entity :)

For now I have installed platform 9.1.601.0, with the only difference being that I published a previous version of 'ADAuthProvider'.


Thanks,

Tiago
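To make the failure mode above concrete, here is a small simulation I am adding to the thread (it is not OutSystems code and not taken from the ADAuthProvider module). It models the two ways an entity identifier can be handled against an in-memory SQLite table: a non-AutoNumber identifier, where the INSERT generated for a record that only had its UserName set carries the integer default 0 every time, and an AutoNumber identifier, where the Id column is left out of the INSERT and the database assigns it. Table name, column names, the usernames and the assumption that the unset identifier defaults to 0 are all mine; SQLite stands in for the platform database.

```python
import sqlite3
from typing import List, Tuple


def make_db(autonumber: bool) -> sqlite3.Connection:
    """Create the 'UsersAuthenticatedExternally' table (constructed here, not the
    platform's real schema) with either an AutoNumber-style identifier or a plain
    integer primary key that the caller must supply."""
    conn = sqlite3.connect(":memory:")
    if autonumber:
        # AutoNumber: the database generates Id, so the INSERT never mentions it.
        conn.execute(
            "CREATE TABLE UsersAuthenticatedExternally ("
            "Id INTEGER PRIMARY KEY AUTOINCREMENT, UserName TEXT NOT NULL UNIQUE)"
        )
    else:
        # Non-AutoNumber: Id is just a column the application has to fill in.
        conn.execute(
            "CREATE TABLE UsersAuthenticatedExternally ("
            "Id INTEGER NOT NULL PRIMARY KEY, UserName TEXT NOT NULL UNIQUE)"
        )
    return conn


def record_external_login(conn: sqlite3.Connection, username: str, autonumber: bool) -> None:
    """Simulate the provider storing a freshly authenticated user.

    Only UserName is set on the record, mirroring the thread's description. With a
    non-AutoNumber identifier the record's Id keeps its integer default (assumed to
    be 0 here) and that 0 goes into every INSERT."""
    if autonumber:
        conn.execute(
            "INSERT INTO UsersAuthenticatedExternally (UserName) VALUES (?)", (username,)
        )
    else:
        unset_identifier = 0  # assumption: default value of an unset integer attribute
        conn.execute(
            "INSERT INTO UsersAuthenticatedExternally (Id, UserName) VALUES (?, ?)",
            (unset_identifier, username),
        )
    conn.commit()


def simulate_logins(usernames: List[str], autonumber: bool) -> List[Tuple[str, bool]]:
    """Log each user in once and report who got a row. The first failure in the
    non-AutoNumber case is the duplicate-key error on Id, not on UserName."""
    conn = make_db(autonumber)
    outcome = []
    for name in usernames:
        try:
            record_external_login(conn, name, autonumber)
            outcome.append((name, True))
        except sqlite3.IntegrityError as exc:
            # Surface which constraint tripped so the check is unambiguous.
            assert "Id" in str(exc), f"unexpected constraint failure: {exc}"
            outcome.append((name, False))
    conn.close()
    return outcome


def stored_ids(usernames: List[str], autonumber: bool) -> List[int]:
    """Return the identifiers actually stored, for checking that a fix gives every
    user a distinct row rather than only the first one."""
    conn = make_db(autonumber)
    for name in usernames:
        try:
            record_external_login(conn, name, autonumber)
        except sqlite3.IntegrityError:
            pass
    rows = conn.execute(
        "SELECT Id FROM UsersAuthenticatedExternally ORDER BY Id"
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]  # constructed sample usernames
    print("non-AutoNumber:", simulate_logins(users, autonumber=False))
    print("AutoNumber:    ", simulate_logins(users, autonumber=True))
```

Running it shows the symptom from the post: with the non-AutoNumber identifier only the first user gets a row and every later login fails on the duplicate Id of 0, while with an AutoNumber identifier all three users are stored with distinct identifiers. The same two queries are a reasonable smoke test after applying a fixed ADAuthProvider: have two different AD users log in and confirm both appear in the entity.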

Hello Tiago,

Thank you for your feedback and great work rooting out the cause for this issue.

We are currently looking into how soon we can fix this in the product.

By the way, this only happens if you're using hybrid authentication (AD users mixed with platform users), which has some security implications on its own. The issue was introduced following a security fix on the functionality.*

This mode of authentication is inherently unsafe and preferably should not be used.

I will update this thread regarding how to proceed if you are facing this issue.

Best regards,

Ricardo Silva


* This is not true. Check my reply further below

Hi Ricardo,

We have had hybrid authentication in the past, when still going through platform configuration and other stuff. But we haven't used it for a while now. I believe hybrid authentication is set with 'Fallback to built-in authentication' on ADAuthProvider, right? Currently that is set to False in all environments.

Any legacy wrong setting elsewhere?

Let me know if any further detail is needed.

Thanks,

Tiago

Oh, by the way, we're alright now. No further issues after I published ADAuthProvider for Platform Version 9.1.501.0.

Sorry, you are right.

Upon further analysis it seems that the protection mechanism is not implemented as I thought it was.

This happens on normal authentication, which makes it more severe.

We are currently looking into a potential fix, which we hope will be available in the platform revision that is scheduled to be released later this week as a Release Candidate.

Best regards,

Ricardo Silva

Hi Ricardo,

I see 9.1.603 as a release candidate. Has the above issue been addressed in the new version?

There are several security-related fixes, some of which I might have reported. I will send an email to support for further details.

Thanks

Tiago