This is a reposting of an article I originally wrote on my Developing for Dynamics GP blog.
Over the years, I have seen many requests for Windows Authentication support for Microsoft Dynamics GP, and I have to say I have mixed feelings about it. In theory, it sounds good, but in practice it may be a threat to your customer’s financial information security.
Regardless of authentication method, users will still have to select a company to access which defeats the purpose of having a single sign-on.
If we have true Windows Authentication, then a workstation left unattended without being locked, could be used to access the financial system without the additional level of security of requiring a login. Also, if Windows Authentication is used, the password will not be encrypted (see article below).
The encryption of the passwords is what prevents access to the financial data using external tools to access the SQL Server. Having an encrypted password means that you must use the Microsoft Dynamics GP application to access the data and so are then subject to the application’s security system. You cannot bypass the application level security as the password will not work from an external tool.
When a customer asks for Windows Authentication, I think we should not apologize and say that it is not supported. Instead we should sell the benefits of having an extra level of security provided by SQL Server Authentication with encrypted passwords. This extra level will protect the customer’s valuable financial data.
Note: There are some third party ISV solutions which can synchronize the SQL user names and passwords with the Windows user names and passwords. While this simplifies the system by not having to remember more than once password, it is not true Windows Authentication. [Edit] Microsoft Dynamics GP 2010 now has the option to remember the user name and password as well as the company selection.
For more information related to this topic, have a look at the following article:
Post a comment and let me know what you think?
11-Dec-2009: Added follow up comment:
Please don’t get me wrong, I am not saying I don’t want Windows Authentication, just that the extra layer of security with a second login and encrypted password can be a good thing.
I think we should sell the benefits of the way it works now rather than getting defensive when asked by a customer about Windows Authentication.
I would like to see both methods supported in future so that the customer can choose what they want.
The idea of this post WAS to start an open discussion on the topic…. so please keep posting your thoughts as comments.
15-Jun-2010: Added info about new Microsoft Dynamics GP 2010 feature to remember user name and password.
This article was originally posted on the Developing for Dynamics GP Blog and has been reposted on http://www.winthropdc.com/blog.