#GPPT GP Power Tools Build 33 Sneak Peek Login MFA and SSO for Dynamics GP

This year GP Power Tools turns 20 years old, and we will celebrate by releasing Build 33 with many enhancements, new features and some fixes. The release of GP Power Tools Build 33 for Microsoft Dynamics GP v18.4 or later is planned for mid-year, once all the development and documentation is completed.

We are excited to tell you about one of the major new features … Login Control.

Login Control adds four features related to logging into Microsoft Dynamics GP. These features are:

  • Login Lockout
  • Login Multi Factor Authentication
  • Login Logging
  • Login Single Sign On

The Login Control window is part of the Database Tools module in GP Power Tools and joins the SQL Login Maintenance window for controlling and maintaining SQL logins. New for Build 33, both of these windows have been made accessible to a user with SQL Security Admin privileges.

Here is a summary of each of the features added by this window:

Login Lockout

The standard functionality of Microsoft Dynamics GP, when there are failed login attempts, is to kick the user out of the application after the 3rd attempt, but nothing stops the user (or hacker) re-opening the application and trying again, and again, and again... indefinitely.

This is where Login Lockout comes in. You can specify the number of consecutive failed logins before a Lockout Period is activated and how long the Lockout Period should run for. Once the Lockout Period is active, that user will not be able to login (even with the correct password) until the Lockout Period has expired.

If there are continued attempts to login with an incorrect password, the Lockout Period is restarted, and so will never expire while someone is attempting to hack the system.

If necessary, an Administrator user or SQL Security Admin user can clear the Lockout Period before it expires to allow a user to access the system.
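To make the lockout rules above concrete, here is an added example (not GP Power Tools code) of a per-user lockout tracker: a configurable number of consecutive failures starts a Lockout Period, a wrong password during the period restarts it, a correct password is still refused until it expires, and an administrator can clear it. The threshold of 3 failures, the 15-minute period and the log format are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LoginState:
    failed_count: int = 0                     # consecutive failures since last success
    lockout_until: Optional[datetime] = None  # None when no Lockout Period is active


class LoginLockout:
    """Per-user lockout tracker. Policy values are constructed for this example."""

    def __init__(self, max_failed: int = 3, lockout_minutes: int = 15, keep_days: int = 90):
        self.max_failed = max_failed
        self.lockout = timedelta(minutes=lockout_minutes)
        self.keep = timedelta(days=keep_days)
        self.users: dict = {}
        self.log: list = []  # (UTC timestamp, SQL user, event); convert to local time for display

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self.users.get(user)
        return bool(st and st.lockout_until and now < st.lockout_until)

    def attempt(self, user: str, password_ok: bool, now: datetime) -> bool:
        """Return True only when the login should be allowed through."""
        st = self.users.setdefault(user, LoginState())
        if self.is_locked(user, now):
            if not password_ok:
                st.lockout_until = now + self.lockout  # wrong password restarts the period
            self.log.append((now, user, "REJECTED (locked out)"))
            return False  # even a correct password is refused until the period expires
        if password_ok:
            st.failed_count, st.lockout_until = 0, None
            self.log.append((now, user, "SUCCESS"))
            return True
        st.failed_count += 1
        self.log.append((now, user, f"FAILED #{st.failed_count}"))
        if st.failed_count >= self.max_failed:
            st.lockout_until = now + self.lockout
            self.log.append((now, user, "LOCKOUT STARTED"))
        return False

    def clear_lockout(self, user: str) -> None:
        """Administrator / SQL Security Admin override: end the Lockout Period early."""
        if user in self.users:
            self.users[user] = LoginState()

    def purge(self, now: datetime) -> None:
        """Drop log rows older than the retention period (default 90 days)."""
        self.log = [row for row in self.log if now - row[0] < self.keep]
```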

Login Multi Factor Authentication

Microsoft Dynamics GP does not have any form of Multi Factor Authentication (MFA). Using the GP Power Tools Developer Tools module, it was possible to force a successful login to Microsoft Exchange before allowing access to the application. For details see the free sample project below:

However, this was not true Multi Factor Authentication as it was just a second set of login credentials for either an individual or shared mailbox, but it was better than no MFA at all.

The new Login Control window adds true Multi Factor Authentication using a One Time Password (OTP) from an Authenticator App on your phone (Microsoft or Google Authenticator). Once the feature is enabled, after a user logs in they will be presented with a dialog explaining that MFA has been activated and they can display their secret code as a QR Code or text so it can be added to the Authenticator application of their choice. Once added to the app and an initial One Time Password has been confirmed, Multi Factor Authentication will be active whenever that user logs in.

There is an option that specifies how many hours can pass before a One Time Password is required again. Leaving this as zero means that they will be challenged on every login. If you want it to only be once per day, a setting of 12 hours would stop it asking again within the same business day.

Login Multi Factor Authentication can be enabled or disabled on a per user or per user class basis, if desired.
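As an added illustration (not GP Power Tools code) of the two pieces described above, the block below implements RFC 6238 TOTP, the one-time-password scheme Microsoft and Google Authenticator use, together with a small policy object for the "hours before an OTP is required again" setting; the secret is the RFC 6238 test key and the clock-drift window of one step is an assumption.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by Microsoft/Google Authenticator."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30s step or one step either side to absorb phone clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), submitted):
            return True
    return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 text of the secret for manual entry into the Authenticator app."""
    return base64.b32encode(secret).decode().rstrip("=")


class MfaPolicy:
    """Decides whether this login needs an OTP; hours == 0 means every login."""

    def __init__(self, hours: int = 0):
        self.hours = hours
        self.last_ok: dict = {}   # user -> unix time of the last confirmed OTP

    def otp_required(self, user: str, now: int) -> bool:
        last = self.last_ok.get(user)
        if last is None or self.hours == 0:
            return True
        return now - last >= self.hours * 3600

    def record_success(self, user: str, now: int) -> None:
        self.last_ok[user] = now
```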

Login Logging

Microsoft Dynamics GP does record failed login attempts, but only in a login.txt file written to the Data folder of the workstation or server currently in use. It does provide the date and time and the SQL User ID, but does not record the Windows login or machine used, and cannot be seen without visiting that workstation.

Login Control provides logging of both failed and successful logins including dates and times, user (both SQL and Windows) and machine (name and GP instance). It will also record the count of failed logins and show when a Lockout Period was started.

The number of days that this data is kept for defaults to 90 days but can be controlled from the Login Control window. All dates and times are stored in UTC, but displayed using the local time of the current machine, so this works well when there are users in different time zones.

Login Single Sign On

The Microsoft Dynamics GP desktop client uses SQL Authentication for logins and is not linked to the current Windows user. Some companies have requested single sign on, so that once logged into Windows, launching Microsoft Dynamics GP will bypass the user login window.

Login Control provides a way to give users the Single Sign On (SSO) experience after an initial login with their current SQL login password. There must be a SQL Login created using the same name as their Windows login, and they need to know the initial password for that login. Password policy and password expiry for the SQL Login must not be enabled.

After the initial login, Login Control will set up Single Sign On for the current user profile using a randomized password. This means that the user’s initial password is no longer functional. Now when logging in, the User Login window will not be displayed, and the user will just need to select a company (unless there is only one company or remember company has been used).

Login Single Sign On can be disabled or reset by the administrator or will be automatically disabled if the password is reset by the administrator. Once disabled, the user will be asked for the initial password or the new “administrator set” password on the next login.

Login Control provides an option to display a dialog before enabling SSO, which allows the user to defer until the next login or opt out. If they opt out, that is visible to the administrator and can be reset. The use of the dialog can also be controlled on a per user or user class basis.

Note: Bypassing the user login, while convenient, removes a layer of security from the company’s ERP and its financial records. While we have made every effort to provide this functionality in a way that is as secure as possible, its use actually makes the application less secure.

More Information

If you are interested in beta testing the Login Control window and Build 33 of GP Power Tools, please contact us. As always, your feedback will help improve the product and its features.

To stay informed for more details and release notices, please subscribe to this blog and our Newsletter mailing list.

Thanks

David

PS: Stay tuned for the next new feature being added to Build 33... Custom Fields.

This article was originally posted on http://www.winthropdc.com/blog.
