How to link users in Vertec with users in an LDAP server (e.g. Active Directory)
Product line: Standard | Expert
Operating mode: Cloud Suite | On-premises
Modules: Services & CRM, Budget & Phases, Purchases, Resource Planning, Business Intelligence
For all authentication options, see Authentication overview.
Users in Vertec can be linked to users in an LDAP server (e.g. Active Directory), provided the LDAP server is correctly configured; this is the customer's responsibility. Users can then log in to Vertec with their LDAP login name and password. The following properties are available for this in the authentication system settings:
LDAP administrator
A Vertec user must be defined here as LDAP administrator. Any Vertec administrator can be selected. This user is always authenticated directly via their Vertec login, so the administrator can still access Vertec even when no LDAP server is available.

LDAP authentication against domain
The domain name that users can use to authenticate themselves.

LDAP server address
The server address of the LDAP server, without port.

LDAP server port
The port on which the LDAP server can be reached. If empty, the default port 636 is used.

LDAP certificate thumbprint
The thumbprint of the LDAP server certificate. If the LDAP server has a trusted certificate, the thumbprint check is waived as of Vertec 6.5.0.16, provided the operating system accepts the certificate as valid. In this case, as of Vertec 6.5.0.16 you need to enter any character in this field (it must not be left blank); if you are using Vertec 6.7.0.1 or later, the field can be left blank. If the LDAP server does not have a trusted certificate and the thumbprint entered here does not match the thumbprint of the certificate presented by the LDAP server when connecting, the connection is refused.
Please note: if the certificate is renewed automatically by the LDAP server, the thumbprint changes and must be entered again. Otherwise, logging in to Vertec fails.
To obtain the thumbprint, double-click the certificate (.cer file), open the Details tab and select the Thumbprint field; the value to copy is displayed in the lower area. Note: if you select the entire string in the lower area, invisible Unicode characters are included – see https://support.microsoft.com/en-us/help/2023835. If this string is pasted into Vertec, a question mark appears at the beginning of the string. It must be deleted, otherwise the thumbprint comparison fails. The value is a pure sequence of hexadecimal digits: no special characters or colons are permitted between the digits, and only spaces are allowed as separators. For more information on certificates, see Cloud Server.
Changes to the system settings become active in the Vertec Cloud App and the Vertec Web App only after restarting the Cloud Server. The Vertec Desktop App must also be restarted (logging out is not enough). Cloud subscription customers can trigger the Restart via the Customer Portal.
The following guidelines apply:
If one of these settings is not set, authentication takes place directly in Vertec, via login name and password.
The exception is the user registered as LDAP administrator, who is always authenticated via the Vertec login. This works as follows: the Desktop App or Cloud Server looks up the login name of the registered LDAP administrator. If a user wants to log in with this login name, the username and password are matched directly against the Vertec database.
If the host or LDAP server goes down while the Cloud Server is running, users will be shown that the authentication server is not reachable when they attempt to authenticate. If the LDAP server is reachable again, the Cloud Server reconnects transparently. In this case, there is no need to restart the Cloud Server.
There are cases where the connection to the LDAP server is lost after a prolonged period of inactivity. For example, when using Azure Active Directory, this happens after four minutes (see https://azure.microsoft.com/de-de/blog/new-configurable-idle-timeout-for-azure-load-balancer/). In such cases, it is advisable to prevent this at the network level, for example by configuring a TCP keep-alive interval shorter than four minutes.
With Vertec version 6.1.0.11, the static connection of the Cloud Server to the LDAP server has been removed. The Cloud Server now establishes a new connection to the LDAP server (as the Desktop App does) for each authentication attempt.
The Keep me logged in feature also works via LDAP. If login data are stored locally, they take priority over logging in via the LDAP server (since no login takes place at all).
Vertec supports a 2nd factor for logging into cloud clients (Cloud App, Web App, Phone app) via authenticator app, e.g. Google Authenticator. This can also be activated in conjunction with a login via LDAP.
Especially if the Vertec instance is available over the internet, we strongly recommend requiring a complex password in combination with 2FA.
For detailed information, see the article 2 Factor Authentication.
If you already use LDAP and want to use the two-factor authentication of an external tool for Vertec logins, this is possible if the tool supports it with LDAP.
One known application is Duo, for example: its authentication proxy displays a push notification in the Duo app when a user attempts to log in to Vertec via LDAP, and the user can confirm the login attempt there.
This is handled entirely by the external, LDAP-compatible tool and has nothing to do with Vertec itself. Therefore, only push notifications for logging in to Vertec work; direct entry of codes etc. is not possible.
The log entries concerning LDAP are located in Vertec.CloudServer.log when using a cloud client, or in Vertec.Desktop.log when using the Desktop App.
The connection to the LDAP server when the Cloud Server or the Desktop App is started is shown by info messages (Connecting to the LDAP authentication server, Connected to the LDAP authentication server). These always appear in the log when LDAP is configured.
Log entries for LDAP configuration and bind call errors appear as debug messages in the log file if the appropriate DebugCategory named VertecLib.LdapPasswordAuthenticationProvider is specified. Contact your Vertec advisor.