Important Changes in Alpha Anywhere 4.5.3
Description
Changes have been made in this release to how Active Directory authentication works. This may affect your applications. Also, Cookieless Sessions are no longer supported.
Potential Breaking Change to Active Directory Configuration
As a result of changes in the way Active Directory authentication is now implemented, certain applications may need to be reconfigured. If an application uses Forms Based Active Directory for authentication and authorization (i.e. for users and groups), the Active Directory Configuration in the publish profile may need to be updated if the users are defined in one organizational unit and the roles are defined in a different organizational unit.
The Active Directory Configuration dialog now has an additional prompt for the organizational unit that specifies the groups used by the application. The input value is the distinguished name of the organizational unit. This prompt can be set to "All Organization Units" if groups are in the same hierarchy as specified in the LDAP connection string.
Given this Active Directory structure:
Company Domain (Domain)
    Users (Users)
        User1
        User2
        User3
    Car Division (OU)
        CarUser1 (User)
        CarUser2 (User)
        CarUser3 (User)
    House Division (OU)
    Application Division (OU)
        Group1 (Group)
            User1
            CarUser1
        Group2 (Group)
            CarUser2
        Group3 (Group)
            User1
And this LDAP connection string:
LDAP://ad.company.com/CN=Users,DC=ad,DC=company,DC=com
And a setting in the Organizational Unit for groups prompt of:
OU=Application Division,DC=ad,DC=company,DC=com
Then, anyone in Active Directory can log in, but only users in an "Application Division" group (i.e. Group1, Group2, Group3) will have access to protected pages.
Next, assume the following LDAP connection string:
LDAP://ad.company.com/OU=Car Division,DC=ad,DC=company,DC=com
And assume that the setting for the Organizational Unit for groups prompt is:
OU=Application Division,DC=ad,DC=company,DC=com
In this case, only users in the Car Division OU will be able to log in, and only those users who are also assigned to an "Application Division" group will have access to protected pages.
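A small model of the rule just described, added here as an example (it is not Alpha Anywhere code). It assumes that the base DN in the LDAP connection string scopes which users may log in (subtree search) and that the groups organizational unit scopes which groups grant access to protected pages; the directory entries are constructed to mirror the sample structure above.

```python
# Added example, not Alpha Anywhere's implementation. Models the two scopes
# from the Active Directory Configuration: the LDAP URL's base DN (who may log
# in) and the "Organizational Unit for groups" setting (which groups grant
# access to protected pages).

ALL_OUS = "All Organization Units"   # the dialog's "same hierarchy" setting


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, normalised for comparison."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True when dn lies strictly beneath base in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def base_dn_of(ldap_url):
    """'LDAP://host/base' -> 'base' (the search base for users)."""
    return ldap_url.split("/", 3)[3]


# Constructed sample directory mirroring the structure shown on this page.
DOMAIN = "DC=ad,DC=company,DC=com"
USERS = {n: f"CN={n},CN=Users,{DOMAIN}" for n in ("User1", "User2", "User3")}
USERS.update({n: f"CN={n},OU=Car Division,{DOMAIN}"
              for n in ("CarUser1", "CarUser2", "CarUser3")})
GROUPS = {  # group DN -> member DNs
    f"CN=Group1,OU=Application Division,{DOMAIN}": {USERS["User1"], USERS["CarUser1"]},
    f"CN=Group2,OU=Application Division,{DOMAIN}": {USERS["CarUser2"]},
    f"CN=Group3,OU=Application Division,{DOMAIN}": {USERS["User1"]},
}


def can_log_in(username, ldap_url):
    """Login succeeds only for accounts beneath the URL's base DN."""
    dn = USERS.get(username)
    return dn is not None and is_under(dn, base_dn_of(ldap_url))


def can_access_protected(username, ldap_url, groups_ou=ALL_OUS):
    """Protected pages need a login plus membership in a group under groups_ou."""
    if not can_log_in(username, ldap_url):
        return False
    scope = base_dn_of(ldap_url) if groups_ou == ALL_OUS else groups_ou
    user_dn = USERS[username]
    return any(user_dn in members
               for gdn, members in GROUPS.items() if is_under(gdn, scope))
```

Leaving the groups prompt at "All Organization Units" with the first connection string denies User1 access, because the groups live under "Application Division", not under "CN=Users"; that is the case the new prompt exists to handle.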
This change affects both the Classic Application Server and the Application Server for IIS.
Cookieless Session Support Removed
Support for cookieless session tracking has been removed from the Classic Application Server. This eliminates the small possibility of "session hijacking" that previously existed. Your application users' browsers must now accept cookies in order to use sessions with the Classic Application Server.