Dynamics Nav 2013 web service without authorization - web-services

We are going to integrate Dynamics NAV 2013 with PHP eCommerce and are planning to do this by Dynamics NAV web services. I know that to integrate with PHP I have to enable NTLM authentication, but I'm wondering if it is possible to publish a web service which doesn't require login/password authorization?
Second thing, if I want to allow only specified IPs to access my web service, is it possible to do this in Navision or is it the server administrators' problem?

The client consuming a Nav web service has to be authenticated and mapped to a system user account, but it is possible to authenticate via the user name and the corresponding web service access key instead of the domain password.
A common approach is to create a user account that is used for web service access only, generate the web service access key, and pass this dedicated user's credentials from the consuming application. The client application will be required to provide the security certificate.
Besides, it is a good idea to create a separate service instance specifically for external access (usually users connecting via WAN).
1. Create a new Nav server instance and set ClientServicesCredentialType = "NavUserPassword": How to configure authentication via NavUserPassword
2. Create a user account with a Web Service Access Key: Use an Access Key for SOAP and OData Web Service Authentication
3. Set up a security certificate for the web service: Implementing Security Certificates
4. Develop your application that will consume the Nav web service, and pass the Nav user name and the web service access key instead of the password from this application.
This way, all users connecting from your web application will be authenticated, but they won't have to enter a user name / password and you don't risk exposing your domain account credentials.
As for your second question - there is no way to set up this restriction from inside Nav that I'm aware of. I think this is a task for sysadmins - firewall applications allow you to set up very elaborate access rules.
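As an added example (not code from the original post, from the PHP shop, or from Microsoft), here is what the consuming-application side of the steps above looks like, written in Python rather than PHP because the HTTP mechanics are the same: with ClientServicesCredentialType set to NavUserPassword, the NAV 2013 SOAP endpoint takes the NAV user name and the web service access key as HTTP Basic credentials, which is why the certificate step is what keeps the key confidential. The host name, instance, company, service name, user name, environment variable and the sample SOAP response are constructed placeholders; the URL layout and page namespace follow NAV 2013's published-web-service conventions.

```python
# Added example, not code from the original post or from Microsoft. It calls a
# published NAV page web service as a dedicated web-service-only user, sending
# the web service access key in place of the domain password. Under
# NavUserPassword the credentials travel as HTTP Basic, so they are only as
# secret as the TLS connection: certificate verification stays on.
# Host, instance, company, service, user and the sample response are constructed.
import base64
import os
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def service_url(host, instance, company, service_type, service_name, port=7047):
    """SOAP URL of a published NAV web service (service_type: Page or Codeunit)."""
    # Company names usually contain spaces and punctuation; percent-encode them.
    company_part = urllib.parse.quote(company, safe="")
    return f"https://{host}:{port}/{instance}/WS/{company_part}/{service_type}/{service_name}"


def page_namespace(service_name):
    """NAV derives a page service's XML namespace from the lower-cased service name."""
    return f"urn:microsoft-dynamics-schemas/page/{service_name.lower()}"


def basic_auth_header(user, access_key):
    """HTTP Basic credentials: NAV user name plus the web service access key."""
    token = base64.b64encode(f"{user}:{access_key}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_envelope(namespace, operation, arguments):
    """SOAP 1.1 request; arguments maps element name -> text, in order."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("nav", namespace)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{namespace}}}{operation}")
    for name, value in arguments.items():
        ET.SubElement(op, f"{{{namespace}}}{name}").text = value
    return ET.tostring(envelope, encoding="unicode")


def parse_result(xml_text, namespace, operation):
    """Return the first record inside <operation>_Result as {field: text}."""
    root = ET.fromstring(xml_text)
    result = root.find(f".//{{{namespace}}}{operation}_Result")
    if result is None:
        raise ValueError("no result element; inspect the SOAP Fault instead")
    record = next(iter(result), None)
    if record is None:
        return {}
    return {child.tag.rsplit("}", 1)[-1]: child.text for child in record}


def call(url, user, access_key, namespace, operation, arguments, cafile=None):
    """POST the request over verified TLS and return the parsed first record.

    ssl.create_default_context() checks the certificate chain and host name;
    pass cafile when the NAV certificate was issued by an internal CA.
    """
    context = ssl.create_default_context(cafile=cafile)
    request = urllib.request.Request(
        url, data=build_envelope(namespace, operation, arguments).encode("utf-8"),
        method="POST")
    request.add_header("Content-Type", "text/xml; charset=utf-8")
    request.add_header("SOAPAction", f"{namespace}:{operation}")
    request.add_header("Authorization", basic_auth_header(user, access_key))
    with urllib.request.urlopen(request, timeout=30, context=context) as response:
        return parse_result(response.read().decode("utf-8"), namespace, operation)


# Constructed SOAP response, shaped like a NAV page service "Read" result.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="utf-8"?>
<Soap:Envelope xmlns:Soap="http://schemas.xmlsoap.org/soap/envelope/">
  <Soap:Body>
    <Read_Result xmlns="urn:microsoft-dynamics-schemas/page/customer">
      <Customer>
        <Key>constructed-record-key</Key>
        <No>10000</No>
        <Name>Sample Customer Ltd.</Name>
      </Customer>
    </Read_Result>
  </Soap:Body>
</Soap:Envelope>"""


if __name__ == "__main__":
    url = service_url("nav.example.internal", "DynamicsNAV70",
                      "CRONUS International Ltd.", "Page", "Customer")
    ns = page_namespace("Customer")
    print(url)
    print(build_envelope(ns, "Read", {"No": "10000"}))
    print(parse_result(SAMPLE_RESPONSE, ns, "Read"))
    # The access key belongs in server-side configuration, never in front-end
    # code or the repository; the variable name is a placeholder.
    key = os.environ.get("NAV_WS_ACCESS_KEY")
    if key:
        print(call(url, "ecommerce_ws", key, ns, "Read", {"No": "10000"}))
```

Only the shop's server-side code ever holds the access key; the browser never sees it. If the certificate comes from an internal CA, point cafile at that CA instead of turning verification off, and keep the dedicated user's permission sets limited to the pages and codeunits the shop actually calls, so a leaked key cannot reach the rest of the financial data.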

No, you can't disable auth (you are able to select an auth type other than NTLM though). And I believe there is no case in which you should do this with Nav. Nav stores financial information, so no-no-no, you should not do this under any circumstances.
No, you can't restrict access by IP via Nav.

Related

Using a load balancer that requires oAuth to protect my backend application

I have a backend service, which I don't want to be exposed, and also, only the employees that use G Suite OAuth should access it.
Instead of exposing the backend and adding the OAuth logic to it, I looked at the vouch-proxy project, which fits me very well (a proxy that redirects unauthenticated traffic to the OAuth login page and then, when a valid token is passed, redirects to the backend).
Before using this vouch proxy, does GCP have something built-in for it? Or another kind of setup so that my backend service is not exposed?
Google Cloud provides the Identity-Aware Proxy (IAP) that would precisely fit your needs since it's integrating well with G Suite domain and can sit in front of your Load-Balancer.

Cookie or header to send own API to prevent Google Cloud Identity Aware Proxy (IAP) 302?

I have setup Cloud IAP on a development environment (spun up with Kubernetes and using Let's Encrypt) and everything is working fine.
The setup is pretty basic for this app:
1) An API that has a number of REST endpoints and a persistent data store, in project A
2) A SPA front end app that utilizes said API, in a different project B
In my browser (tried Chrome and Firefox), I can authenticate my Google user in both apps via the IAP screen (by going to each domain in a browser tab), but once I try to use the SPA and it attempts requests to the API, I see the network requests 302 redirect to the Google IAP sign-in page.
Question:
Is there a header or cookie that needs to be sent over via the API requests on behalf of the user so that IAP allows pass-thru?
Note
I see these two cookies btw GCP_IAAP_AUTH_TOKEN and GCP_IAAP_XSRF_NONCE.
What's protected with IAP, "API" or "SPA"? If it's SPA, IAP should work as normal. If it's API, your best option today is to use https://cloud.google.com/iap/docs/authentication-howto to have SPA authenticate to API, and maybe also have it pass down https://cloud.google.com/iap/docs/signed-headers-howto so that API can separately verify the end-user's credentials.
Passing down GCP_IAAP_AUTH_TOKEN from SPA to API won't work, we strip that before passing the request to the end-user application for security reasons (in case the transport between the load balancer and the application is HTTP, just to make life a little harder for an attacker.)
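As an added example (not code from the original answer or from Google), this is the API-side half of what the answer points at through the signed-headers link: the API verifies the x-goog-iap-jwt-assertion header that IAP attaches, rather than relying on the GCP_IAAP_AUTH_TOKEN cookie, which IAP strips before the request reaches the application. It assumes the `cryptography` package is installed and that header names arrive lower-cased; the key pair, audience string and tokens are constructed stand-ins, where in production the public keys are Google's published IAP verification keys looked up by the token's kid, and the audience is the backend service's /projects/PROJECT_NUMBER/global/backendServices/SERVICE_ID string.

```python
# Added example, not code from the original post or from Google: verify the
# IAP signed header before trusting the end-user identity. Needs `cryptography`
# (assumption). Keys, audience and tokens below are constructed for the demo.
import base64
import json
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)

IAP_ISSUER = "https://cloud.google.com/iap"
ASSERTION_HEADER = "x-goog-iap-jwt-assertion"
CLOCK_SKEW = 30  # seconds of tolerance on iat/exp


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_iap_assertion(token, expected_audience, public_keys, now=None):
    """Return the claims of a valid IAP assertion, or raise ValueError.
    The signature is checked before any claim is read, so a forged payload
    never drives a decision. public_keys maps kid -> EllipticCurvePublicKey."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(_b64url_decode(enc_header))
    key = public_keys.get(header.get("kid"))
    if header.get("alg") != "ES256" or key is None:  # IAP signs with ES256
        raise ValueError("not an ES256 token under a known IAP key id")
    sig = _b64url_decode(enc_sig)
    if len(sig) != 64:  # JWS ES256 signatures are raw r || s, 32 bytes each
        raise ValueError("bad signature length")
    der_sig = encode_dss_signature(int.from_bytes(sig[:32], "big"),
                                   int.from_bytes(sig[32:], "big"))
    try:
        key.verify(der_sig, f"{enc_header}.{enc_payload}".encode("ascii"),
                   ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        raise ValueError("signature does not verify against the IAP key")
    claims = json.loads(_b64url_decode(enc_payload))
    if claims.get("iss") != IAP_ISSUER or claims.get("aud") != expected_audience:
        raise ValueError("token from another issuer or for another backend")
    if not (claims.get("iat", 0) - CLOCK_SKEW <= now < claims.get("exp", 0) + CLOCK_SKEW):
        raise ValueError("token not yet valid or expired")
    if not claims.get("email") or not claims.get("sub"):
        raise ValueError("identity claims missing")
    return claims


def end_user_from_headers(headers, expected_audience, public_keys):
    """What the API handler calls: the verified e-mail, or None to reject.
    Assumes header names arrive lower-cased, as most frameworks deliver them."""
    token = headers.get(ASSERTION_HEADER)
    if not token:  # also the case for a request carrying only the IAP cookies
        return None
    try:
        return verify_iap_assertion(token, expected_audience, public_keys)["email"]
    except ValueError:
        return None


def sign_es256(private_key, kid, claims):
    """Mint a token the way IAP does; used here only to build the sample."""
    header = {"alg": "ES256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    r, s = decode_dss_signature(
        private_key.sign(signing_input.encode("ascii"), ec.ECDSA(hashes.SHA256())))
    return signing_input + "." + _b64url_encode(r.to_bytes(32, "big") + s.to_bytes(32, "big"))


def make_demo():
    """Constructed stand-ins: Google's key, the backend audience, and three
    incoming requests (genuine, forged with an untrusted key, cookies only)."""
    google_key = ec.generate_private_key(ec.SECP256R1())
    attacker_key = ec.generate_private_key(ec.SECP256R1())  # not in public_keys
    public_keys = {"demo-kid": google_key.public_key()}
    audience = "/projects/000000000000/global/backendServices/000000000000"  # placeholder
    now = int(time.time())
    claims = {"iss": IAP_ISSUER, "aud": audience, "iat": now, "exp": now + 600,
              "sub": "accounts.google.com:constructed-subject", "email": "alice@example.com"}
    return {
        "audience": audience, "public_keys": public_keys,
        "good": {ASSERTION_HEADER: sign_es256(google_key, "demo-kid", claims)},
        "forged": {ASSERTION_HEADER: sign_es256(attacker_key, "demo-kid", claims)},
        "cookie_only": {"cookie": "GCP_IAAP_AUTH_TOKEN=<redacted>; GCP_IAAP_XSRF_NONCE=<redacted>"},
    }
```

The SPA side is the other half from the answer's first link: it sends an OIDC ID token in an Authorization: Bearer header, which IAP accepts in place of the browser cookie and so answers the API call instead of 302-ing it to the sign-in page; IAP then adds the assertion header above for the API to check. Checking the audience is what stops an assertion minted for a different backend service from being replayed here.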

OAuth2 in web application connecting to multiple REST services?

How do I set up a web application with OAuth2 authentication, where the web application connects to two underlying REST services (through client-side JavaScript from the user's browser)?
I am controlling all servers, and I need to make sure that nobody accesses the web application and the REST services without authentication.
How should this be done?
Should I configure all three servers (the web application and the two REST services) using a single application id?
BTW: I plan to use IdentityServer4 as the authentication server.
Best regards,
Morten :-)

SSO to Apps on AWS

Can someone help me with my understanding?
So I understand how one can use ADFS and SAML to provide SSO access to the Console via IAM. However, I'm not as clear how this can be done at the application level.
So take MS Dynamics as an example. It will be on an EC2 instance which is on a domain controller hosted in the VPC (for mgt etc.). However, the users themselves will be in an on-prem AD server and we'd want to authenticate users accessing the Dynamics web front end with that on-prem AD server. Is this as simple as setting up ADFS between the two sites and configuring the app itself to use ADFS / SAML for claims-based authentication?
For application-level support, it depends on the ability of the app to support claims-based/SAML authentication. CRM supports ADFS configuration. You have one of two choices:
1. You can hook it up directly to your on-premises ADFS if it is really just about providing access to your corporate employees. If it requires partner access, that ADFS can still federate to other ADFS/IdP organizations.
2. You can set one up in AWS next to or on the DC that it has and treat it as a Federation Provider and then set up trust to the corporate ADFS where the users live.
I'd recommend #1 as it is simpler. Go with #2 only if you are operating this as a different company or you are building multiple server apps in this AWS site that require local ADFS for things like server-to-server communication.
Thanks
//Sam

Office 365 web services

I want to connect to the Office 365 web service for my organisation, however when I browse to the web service address and log in, the page just returns blank.
Any clever people here who know what I am missing?
I'm using this format: "https://" + "Server name" + "/EWS/Exchange.amsx"
To get the right endpoint to talk to, you use the Discovery Service API. This will return the URL for your organization's endpoint. The O365 endpoint can change (don't use hardcoded URLs in your code); by using the Discovery Service API you always have the right URL you need.
Common endpoint discovery tasks using the Discovery Service API
https://msdn.microsoft.com/en-us/office/office365/howto/discover-service-endpoints