Directory Connection

The default method to grant and control access to applications and resources within AppsAnywhere is using Active Directory or OpenLDAP users and groups. Computers objects can also be specified when configuring app restrictions.

Service Account

A service user account is required to establish an LDAPS connection to your directory.

This service account should be configured as described in this table:

Username:

appsanywhere_ldaps

Usage:

A domain account for LDAPS queries from AppsAnywhere to your AD.

Permissions Required:

Read permissions for all domain users, computers and groups so they can be used within AppsAnywhere for access and authentication.

Password Policy:

Password should be set to never expire. MSA is not supported.
Must not contain any special characters (£$%^*@ etc.)

LDAPS Certificate

By default, all domain controllers are configured to accept LDAPS connections on port 636. If this is permitted without the need for an SSL certificate, no further action is needed.

If your domain controllers require a certificate for LDAPS connections, you will need to provide your Root CA Certificate so that we can install this to your AppsAnywhere appliance.

Please generate the certificate in the X.509 Base64 .CRT format with the filename ldaps-ca.crt and save this to a location that is accessible by AppsAnywhere Support.

SPN Records (for SSO)

In order for AppsAnywhere to support Kerberos Windows Pass-through SSO, the AppsAnywhere service user account above requires SPN (Service Principal Name) records to be added.

These SPN records must be created before SSO can be configured via the ACC (Appliance Configuration Console).

The SPN records required are as follows:

HTTP/<FQDN of Load Balanced AppsAnywhere service>
HTTP/<FQDN of Appliance(s)>

Replace <FQDN of Load Balanced AppsAnywhere service> with the Fully Qualified Domain Name of your AppsAnywhere load balanced service.
Replace <FQDN of Appliance(s)> with the Fully Qualified Domain Name of the AppsAnywhere appliance(s).

Please note that the SPN record syntax is case-sensitive.

The HTTP part of the SPN must be in uppercase and the FQDN in lowercase e.g. HTTP/appsanywhere.uni.edu

Example:

HTTP/appsanywhere.uni.edu
HTTP/appsanywhere01.uni.edu
HTTP/appsanywhere02.uni.edu

If you are deploying more than one AppsAnywhere Server, you must add an SPN record for each AppsAnywhere appliance FQDN. E.g. appsanywhere02.example.com

SPN records can be created using the Windows setspn.exe tool or via the Attribute Editor tab within the user's account properties (via the Active Directory Administrative Center or via Active Directory Users and Computers).

For further information regarding the Microsoft setspn.exe tool please see the Microsoft documentation.

Example Commands

These must be run as a domain admin on a domain joined machine.

Adding SPNs
setspn -a HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -a HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
CODE
Removing SPNS
setspn -d HTTP/appsanywhere.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere01.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
CODE

Verifying Records

You can check that the values are correctly set by running the following command in a CMD window using the account name you have your SPN records against.

Listing SPNs
setspn -l appsanywhere_ldaps
CODE

The correct response should look something like this.

Listing SPNs
Registered ServicePrincipalNames for CN=appsanywhere_ldaps,CN=Users,DC=uni,DC=edu:
HTTP/appsanywhere.uni.edu
HTTP/appsanywhere-srv01.uni.edu
HTTP/appsanywhere-srv02.uni.edu
CODE

Directory Attributes

If access control (ACL) is applied to the LDAP directory that AppsAnywhere connects to, the following list of attributes should be made available to the AppsAnywhere service account.

Active Directory

dn
cn
displayName
objectClass
memberOf
primaryGroupId
sAMAccountType
sAMAccountName
userPrincipalName
objectGUID
objectSid

Open LDAP   

dn
cn
givenName
objectClass
memberUid
member
uniqueMember
uid
entryUUID

AppsAnywhere can be configured with additional attributes to search on when creating the LDAP connection, any additional attributes configured for the search will also need ACL applied to allow the AppsAnywhere service account to read them.