0
Answered

Change Identity Broker Chris21 logon mechanism

Garry Gee (SRWSD) 6 years ago in UNIFYBroker/Frontier ichris/chris21 • updated by anonymous 3 years ago 9

Identlty Broker connects to Chris21 via the Chris21 Internet Option asp method.
It logs on to the Chris21 API with a Chris21 user account named IBROKER.
We would like to change the account Identity Broker uses to be an Active Directory Account as our instance of Chris21 has an account expiry for all Chris21 local accounts of 1 month. (this is a global setting in Chris21).
Our Chris21 administrator has suggested that if Identity Broker can use and AD account, the account expiry can be controlled by AD - so we can set it to not expire.
Please provide a quote on this work before proceeding if it is not covered by support hours..

Affected Versions:
Fixed by Version:

Adam - Could we achieve this configuration (GRTNAME = <AD Service account>)?

IDBCHRS40:Prerequisites and IDBCHRS40:Frontier chris21 connector do not suggest to me that that is possible, but it may just be the language chosen giving me that impression. The lead for Identity Broker for Frontier chris21 is Matthew Clark, who should be back tomorrow. He may have a better answer for you.

Matt - Could you confirm if we could use Service account for Chris21 connector?

Hey Dilip, chris21 supports LDAP authentication (unsure of how this is set up on the chris21 side). As long as the connector is configured to use the account credentials of the AD account with this passthrough option configured in chris, you should be able to achieve what you want.

I don't believe the connector has an SSPI-type option allowing it to just run under the context of the service account, but just set the username and password of the connector to the AD account you want to use.

Within Chris21, they configured the account to perform external authentication to AD. Once that was done, the Unify connector was able to successfully authenticate and pull records from chris21 using that account.

Waiting for confirmation from their side to close the issue.

Confirmation received that this configuration was successful.

Change implemented to production