The default method to grant and control access to applications and resources within AppsAnywhere is using Active Directory or OpenLDAP users and groups. Computers objects can also be specified when configuring app restrictions.
A service user account is required to establish an LDAPS connection to your directory.
This service account should be configured as described in this table:
A domain account for LDAPS queries from AppsAnywhere to your AD.
Read permissions for all domain users, computers and groups so they can be used within AppsAnywhere for access and authentication.
Password should be set to never expire. MSA is not supported.
By default, all domain controllers are configured to accept LDAPS connections on port 636. If this is permitted without the need for an SSL certificate, no further action is needed.
If your domain controllers require a certificate for LDAPS connections, you will need to provide your Root CA Certificate so that we can install this to your AppsAnywhere appliance.
Please generate the certificate in the X.509 Base64 .CRT format with the filename ldaps-ca.crt and save this to a location that is accessible by AppsAnywhere Support.
SPN Records (for SSO)
In order for AppsAnywhere to support Kerberos Windows Pass-through SSO, the AppsAnywhere service user account above requires SPN (Service Principal Name) records to be added.
These SPN records must be created before SSO can be configured via the ACC (Appliance Configuration Console).
The SPN records required are as follows:
HTTP/<FQDN of Load Balanced AppsAnywhere service>
HTTP/<FQDN of Appliance(s)>
Replace <FQDN of Load Balanced AppsAnywhere service> with the Fully Qualified Domain Name of your AppsAnywhere load balanced service.
Replace <FQDN of Appliance(s)> with the Fully Qualified Domain Name of the AppsAnywhere appliance(s).
Please note that the SPN record syntax is case-sensitive.
The HTTP part of the SPN must be in uppercase and the FQDN in lowercase e.g. HTTP/appsanywhere.uni.edu
If you are deploying more than one AppsAnywhere Server, you must add an SPN record for each AppsAnywhere appliance FQDN. E.g. appsanywhere02.example.com
SPN records can be created using the Windows setspn.exe tool or via the Attribute Editor tab within the user's account properties (via the Active Directory Administrative Center or via Active Directory Users and Computers).
For further information regarding the Microsoft setspn.exe tool please see the Microsoft documentation.
These must be run as a domain admin on a domain joined machine.
setspn -a HTTP/appsanywhere.uni.edu appsanywhere_ldaps setspn -a HTTP/appsanywhere01.uni.edu appsanywhere_ldaps setspn -a HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
setspn -d HTTP/appsanywhere.uni.edu appsanywhere_ldaps setspn -d HTTP/appsanywhere01.uni.edu appsanywhere_ldaps setspn -d HTTP/appsanywhere02.uni.edu appsanywhere_ldaps
You can check that the values are correctly set by running the following command in a CMD window using the account name you have your SPN records against.
setspn -l appsanywhere_ldaps
The correct response should look something like this.
Registered ServicePrincipalNames for CN=appsanywhere_ldaps,CN=Users,DC=uni,DC=edu: HTTP/appsanywhere.uni.edu HTTP/appsanywhere-srv01.uni.edu HTTP/appsanywhere-srv02.uni.edu
If access control (ACL) is applied to the LDAP directory that AppsAnywhere connects to, the following list of attributes should be made available to the AppsAnywhere service account.
AppsAnywhere can be configured with additional attributes to search on when creating the LDAP connection, any additional attributes configured for the search will also need ACL applied to allow the AppsAnywhere service account to read them.