Solved

Acumatica Performs LDAP Lookup for Local Accounts

  • 11 June 2024
  • 2 replies
  • 32 views

Recently, I noticed lots of failed authentication attempts from our Acumatica server to our Active Directory. The usernames on the login attempts are for local Acumatica accounts, not domain accounts.

Most users log in to Acumatica with domain\username. Then Acumatica performs an LDAP query to Active Directory for login verification. This is normal and expected. The local account usernames are not.

I would assume Acumatica would only query LDAP IF and ONLY IF the username contains the format domain\username and not query for every single login attempt (including local Acumatica accounts).


Thoughts? Do we have a configuration problem?

2 replies


Hello @terpstra!

I wanted to do some research on this topic since I thought it was a pretty interesting problem you were having.

I found this section from our Help page (https://help.acumatica.com/(W(7))/Wiki/ShowWiki.aspx?pageid=8475a118-8bcd-40fb-99ef-cf9fda54f744):

“Generally, to sign in to Acumatica ERP, AD users type their domain credentials without specifying the domain name. But some employees may have both a local user account and a domain user account with the same user name. In this case, Acumatica ERP will authenticate the users based on the password they specify (assuming that the local and domain passwords differ).

If both the user names and the passwords are the same for a local user account and a domain user account, on the Sign-In page, the user can select the account to sign in with as follows:

  • To sign in with a local account, the user enters the user name of the local account (as usual).
  • To sign in with a domain account, the user enters the login in the <Domain_Name>\<User_Name> format, where <Domain_Name> is the NetBIOS domain name of the integrated domain and <User_Name> is the user account name in the integrated domain.”

And:


If there is a local account with the name which includes a domain name and a user name from this domain, for example, Terra\User1, a domain user with the name User1 from domain Terra will be mapped to this local account and will inherit all permissions of this account. In this case passwords of a local user and a domain user may differ but they both will access the same user account. To prevent confusion, we recommend that you disable or delete the local accounts of employees who do not perform any administration or configuration tasks in Acumatica ERP.


From the Help page, it looks like the default behavior doesn’t require the domain\ in front of the username. Your situation will depend on whether there’s both a local and an AD account that share a username. Let me know if this information helps out, thanks!
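As an added illustration (not Acumatica's code, and not part of this answer), the following Python model walks through the sign-in resolution the Help excerpt describes: a bare user name is checked against both the local user table and the integrated domain, a `<Domain_Name>\<User_Name>` login goes to the domain, and a local account that is itself named `Domain\User` captures the domain user of that name. The account stores, password hashing, the `ldap_bind` stand-in and the order in which local and domain credentials are tried (local first, then domain) are all assumptions for the example; the Help text only says the password decides. The point for a defender is visible in `LDAP_BINDS`: with this ordering, a wrong password for a local-only user name still ends in a failed bind at the domain controller, which is the pattern described in the original post, and `mapped_local_accounts` lists the `Domain\User`-style local accounts the Help text recommends disabling.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Login of the form <Domain_Name>\<User_Name> (NetBIOS domain, backslash, user).
DOMAIN_LOGIN = re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^\\]+)$")
INTEGRATED_DOMAIN = "TERRA"  # assumed NetBIOS name of the integrated domain


def _digest(password: str, salt: str) -> str:
    # Toy salted hash for the model; stands in for whatever the real stores use.
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


@dataclass
class Store:
    """name -> (salt, digest). Stands in for the local user table or for AD."""
    accounts: dict

    @classmethod
    def build(cls, plain: dict) -> "Store":
        out = {}
        for name, pw in plain.items():
            salt = secrets.token_hex(8)
            out[name] = (salt, _digest(pw, salt))
        return cls(out)

    def has(self, name: str) -> bool:
        return name in self.accounts

    def check(self, name: str, password: str) -> bool:
        rec = self.accounts.get(name)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _digest(password, salt))


# Constructed sample accounts (not real credentials).
LOCAL = Store.build({
    "admin": "local-admin-pw",      # local-only account
    "jsmith": "local-js-pw",        # same user name exists in the domain
    "TERRA\\User1": "mapped-pw",    # local account named like a domain login
})
DOMAIN = Store.build({
    "jsmith": "domain-js-pw",
    "User1": "domain-u1-pw",
})

LDAP_BINDS = []  # (user, success) for every simulated bind sent to the DC


def ldap_bind(domain: str, user: str, password: str) -> bool:
    """Simulated LDAP bind; every call, failed or not, is visible to the DC."""
    ok = domain.upper() == INTEGRATED_DOMAIN and DOMAIN.check(user, password)
    LDAP_BINDS.append((user, ok))
    return ok


def sign_in(login: str, password: str):
    """Return (account_name, source) on success, or None.

    Assumed order for a bare user name: local password first, then the domain.
    """
    m = DOMAIN_LOGIN.match(login)
    if m:
        domain, user = m.group("domain"), m.group("user")
        # Quirk from the Help text: a local account literally named
        # "Domain\User" captures the domain user of that name, and either
        # password opens the same (local) account.
        if LOCAL.has(login):
            if LOCAL.check(login, password) or ldap_bind(domain, user, password):
                return (login, "local(mapped)")
            return None
        if ldap_bind(domain, user, password):
            return (user, "domain")
        return None
    if LOCAL.check(login, password):
        return (login, "local")
    # Wrong local password, or no local account at all: fall through to AD.
    # This is the path that produces failed binds for local-only user names.
    if ldap_bind(INTEGRATED_DOMAIN, login, password):
        return (login, "domain")
    return None


def mapped_local_accounts(local: Store, domain: str = INTEGRATED_DOMAIN) -> list:
    """Local accounts named <domain>\\<user>; the Help text recommends
    disabling or deleting these so domain users are not silently mapped."""
    found = []
    for name in local.accounts:
        m = DOMAIN_LOGIN.match(name)
        if m and m.group("domain").upper() == domain.upper():
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    print(sign_in("admin", "wrong-pw"), LDAP_BINDS[-1])
    print(mapped_local_accounts(LOCAL))
```

Run stand-alone, the script shows a failed local login for `admin` followed by a `("admin", False)` entry in `LDAP_BINDS`, i.e. a bind failure the domain controller would log even though no such domain user exists.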

@VladS it sure does. So if I understand that correctly, it will always query AD and the failed login attempts are to be expected.


As for logging in without the domain\, I was unable to do so. Probably a configuration issue on our end but I’ll look into it further.
