Is there a way we can force the user to enter their username and password (their AD username and password) to log in?
We are looking to implement a manual login in Archer, but the username and password are the ones present in AD. The challenge is that we cannot bring the AD password into Archer, as it is encrypted, and the manual login validation is done against the local Archer password.
- Active Directory
- Community Thread
- Forum Thread
- RSA Archer
- RSA Archer Suite
Since the Archer LDAP sync process does not sync the user's AD password, the only way to force a user to enter their AD credentials is to not implement SSO and use the Archer manual login URL. This will force people to enter their AD user ID and the password they created in Archer, plus select their domain from the drop-down list (if you have more than one domain). There is no way to sync passwords between AD and Archer.
We have a subset of our user base that, for technical reasons with the devices they use, cannot use SSO. Supporting them, e.g., locked Archer accounts, forgotten passwords, etc., causes huge administrative overhead. We estimate 10% of our manual login user base has some kind of authentication issue every business day, which results in them contacting the Archer team. We use the Bulk Password Reset available here to unlock their Archer account and send them a new password (which must be changed at their next login) which helps. In your situation, I trust there will be an offsetting benefit.
Thank you for your response, Mike.
What we are trying to implement is: use the Archer manual login URL and have the user use their AD credentials instead of the local "Archer creds".
I'm assuming this will not be feasible out of the box. So we will need to build a page up front which will prompt the user for their AD creds. These will be validated against AD; once validated, we then use the API to generate a session token in Archer and then redirect to Archer.
Mike is correct. You cannot bring the salted password from AD to Archer.
In some customer environments we used other types of authentication; e.g., SiteMinder SSO allows you to do what you described: authenticate first and then send an HTTP header to Archer.
In other cases we used a 3rd-party servlet to do request authentication. But either may not work with some special cases, e.g. devices or mobiles.
I wonder if you could accomplish this through IIS configuration and directory security settings in the file system? If you configure the site for anonymous authentication and you add directory security to the Archer web root, IIS would not get a Kerberos ticket and would prompt the user for their AD credentials, wouldn't it?
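One way to set up the IIS-side gate described in the post above, as an added example that is not part of the thread and not RSA's own guidance: disable anonymous authentication on the Archer application, enable Windows Authentication, and then confirm from the outside that an unauthenticated request is answered with a 401 challenge rather than the login page. The site name (`Default Web Site`), application name (`RSAArcher`) and host name (`archer.example.com`) are assumptions; the script targets Windows PowerShell 5.1 with the WebAdministration module on the Archer web server.

```powershell
# Added example, not from the original thread. Run elevated on the IIS host.
# Assumed names: site 'Default Web Site', application 'RSAArcher', host archer.example.com.
Import-Module WebAdministration

$site     = 'Default Web Site'
$app      = 'RSAArcher'            # assumed Archer web application name
$location = "$site/$app"

# 1. Anonymous access off for the Archer application. Writing with -PSPath 'IIS:\'
#    and -Location puts the setting in applicationHost.config, so the
#    server-level lock on the authentication sections does not block it.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false

# 2. Windows Authentication on: IIS validates the supplied credentials against AD.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter '/system.webServer/security/authentication/windowsAuthentication' `
    -Name 'enabled' -Value $true

# 3. Read the effective settings back so the change is confirmed, not assumed.
$anon = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter '/system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
$win  = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter '/system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
"anonymousAuthentication={0} windowsAuthentication={1}" -f $anon.Value, $win.Value

# 4. Check from the client side: with no credentials, IIS must answer 401 and
#    offer a challenge (Negotiate/NTLM) instead of serving the Archer login page.
$uri = "https://archer.example.com/$app/Default.aspx"   # assumed URL
try {
    Invoke-WebRequest -Uri $uri -UseBasicParsing -ErrorAction Stop | Out-Null
    Write-Warning 'Expected a 401 challenge, but the page was served anonymously.'
}
catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($null -eq $resp) { throw }
    $challenge = $resp.Headers.GetValues('WWW-Authenticate') -join ', '
    "HTTP {0}; WWW-Authenticate: {1}" -f [int]$resp.StatusCode, $challenge
}
```

Two caveats before relying on this. First, a domain-joined browser that trusts the site (intranet zone) will complete the Negotiate/NTLM exchange silently, so the prompt only appears where integrated authentication is unavailable; if the requirement is that every user types a password every time, IIS Basic Authentication (HTTPS only) is the option that always prompts. Second, this only gates the web root at IIS: unless Archer's own SSO mode is configured to consume the IIS-authenticated identity, users will still land on the manual login page and be asked for their local Archer password afterwards.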
That does make sense. That way IIS will always prompt for authentication. I'll give that a shot and hopefully it will work. Thank you for your response.
We have been trying to do something similar since 2016 in version 5.5; we now have 6.3 but still haven't managed to get what we need. We would also like our users to always enter their user and password from AD. Could you please let me know if the method above worked for you?