
OnBase Authentication Security Issue

Eric_Morris
Champ in-the-making

We have recently determined that allowing OnBase authentication is too much of a security risk for even our system administrator to have, and we need feedback on best practices to address this issue. Our sys admin can use OnBase authentication to log in as a user, and it appears the audit trail does not distinguish between NT authentication and OnBase authentication. Therefore, it allows the sys admin to perform tasks as the individual. So, I need help answering the following questions:

(1) Can we turn off OnBase authentication? If so, what admin functionality will be lost if we do?

(2) If we cannot turn off OnBase authentication or choose not to, does the audit trail differentiate between NT and OnBase activity?

Thanks in advance.


AdamShaneHyland
Employee

Hi Eric,

Thanks for your post.

I'll start off with your second question. Regardless of the authentication method the users used to log in to OnBase, the same audit trail will exist for the user. Both authentication methods (along with any other authentication method) will tie to a user in OnBase (i.e. Config | User). It is this user (i.e. usernum in the database) off of which the audit is based and tracked.

For your first question, there is no method to disable standard OnBase authentication. By default, standard authentication is enabled for the MANAGER and ADMINISTRATOR accounts and for any user account which you manually created and set a password. Once the system is configured for Network Authentication (in your case Active Directory), users are created based on User Group membership. These users are NOT created with standard OnBase passwords and therefore are not allowed to log in to the system with standard authentication. The administrator would need to manually configure a password for the user account (i.e. Config | User | <account> | Settings) in order for the user to be able to log in using their Network account.

Hope this helps.

John_Anderson4
Star Collaborator

It would be nice to be able to disable OnBase authentication (with the possible exception of MANAGER/ADMINISTRATOR), and have it logged when it's enabled. And I think it should log what type of authentication was used to connect. Are there any SCRs for this?

With WorkView Config moving into OnBase Studio in v14, are there any components left that REQUIRE OnBase authentication? Does Hyland Timer Services still need it?

AdamShaneHyland
Employee

Hi John,

To my knowledge there are no SCRs requesting the ability to force Network Security authentication for all users (except MANAGER and ADMINISTRATOR), nor did I see a specific SCR to log the authentication method used by the user. I would recommend reaching out to your first line of support to request the functionality.

That being said, there is a method already available which could be used to update all user accounts by removing the manually configured OnBase passwords, which would allow you to force users to use Network Security. This process would require a database update and engaging the support of Hyland Technical Support. The challenge being that unless it is directly tied to the OnBase user it would not work, as the configuration of Standard vs. Network Security authentication is configured on the Client side (i.e. using the -AL switch vs. not using the -AL switch, or configuring the UseNTAuthentication setting in the obUnity.exe.config).

As for WorkView in OnBase 14, since it used the OnBase Studio which is built off of the Unity Framework, there are no direct requirements of standard OnBase authentication accounts. You have the option to use Network Security or Standard OnBase authentication depending on the user account and permissions.

As for the Workflow Timer Service, to my knowledge you would need to have a Standard OnBase account for this purpose. This does not mean that the Service account can't also be a domain user, but the OnBase account mapped to the AD account would have to have a standard OnBase password.

Take care.

AdamShaneHyland
Employee

As an update, SCR: #143190 adds the ability to force the use of Network Security over Standard Authentication at the user level.  This feature is scheduled to be available in the next release of OnBase.

Take care.