understanding Sage and SQL security

SUGGESTED

I am looking to confirm my understanding of the new integration Sage 300 Security that comes with Sage 300 2024. My specific situation

- I have a user that is used to login to an system that integrates to Sage 300, for sake of example lets say user was ServiceUser

- at time of upgrade it has a simple password for sake of example lets say it was Balloons, Sage 300 integration only no windows integration

- after upgrade I can no longer login with ServiceUser and Balloons, ideally I want to keep the password the same (not complex) so I don't have to make changes to the other system

- in sql I change the corresponding ##S3_Login_ServiceUser##VAULT user to "not enforce password policy", set the password to Balloons - it is allowed

- return to sage but still can't login to Sage with ServiceUser Balloons

- login to sage as admin change the ServiceUser to something that matches complex password enabled B@lloons2

-now I can login to sage as ServiceUser B@lloons2

When I was doing the upgrade I had a similar situation

- launched DB setup after upgrade

- tried to login as Admin with the non complex password that always worked prior to upgrade - didn't work

- went to the corresponding SQL Admin user, turned of Enforce password policy

- returned to DB setup, it allowed me to put in the old none complex Admin password, and immediately took me to the screen to change it, where i changed it to a complex password

- upgrade was successful

This seemed to point me to the fact that there was some integration between Sage name and password and SQL user which is what is confusing me 

The overall question is:

- is there any integration between turning of "use complex password" in SQL and allowing me to keep a Sage user password not complex.  Or now that we are at Sage 300 2024 - and because there is a local security policy that requires complex passwords - I will be forced to have even my service user have a complex password.

Parents
  • Hi  the Password rules for Sage 300 2024 are controlled by the Local Security Policy -> Account Policies -> Password Policy on the Microsoft SQL Server.  That said, even if you make the rules as simple and relaxed as possible (as per the screenshot below) there is a minimum level of password security hard-set into Sage 300 2024 you simply can't go under.

    For example, on my lab Sage 300 server below, I have set all password rules as relaxed as possible i.e. no complexity, passwords never expire, no minimum length etc and this does work, especially for expiry (so the ADMIN password on my lab server with sample data never expires as security is no worry).  However as you will see by the error below, even with all password complexity removed, Sage 300 2024 still requires:

    • Minimum length 8 characters
    • One uppercase
    • One number
    • One symbol

    So no matter how basic you make the rules, Sage 300 2024 as a minimum will enforce basic password complexity.  In today's world, it does make sense and really Sage are just protecting us against ourselves, even though I understand it has broken your integration.  I hope its not too difficult for you to re-develop to resolve the problem.  Good luck!

  • 0 in reply to Accsys Consulting AU

    thanks for your detailed reply.  A few points for clarification. Can you confirm if I have anything wrong below in my logic 

    The environment has a separate SQL server and a APP server users access sage with a WS installation

    1.  User is set to Sage 300 authentication:  the local security policy of the SQL server applies (not the app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    2.  User is set to windows authentication:  The security policy that applies to the user (either direct or likely a group policy) is applied if none in place then the local security policy of the SQL server (not app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    3.  If user has Both sage 300 authentication and Windows configured in Sage  #1 and #2 are applied  the same way as outlined above depending on which one you use to login

    Does the "password never expire" feature in Sage 300 2024 Sp3 and higher take priority over any local security policy for users set to Sage 300 authentication or both?

    This is to say that if I create my service user with Sage300 authentication only

    - set the password in Sage to never expire 

    - the Local security policy on the SQL server does require password to change every 90 days and you can't re-use a password and you are locked out after 5 tries 

    What will happen to my service user in 90 days - will i need to change the password for it to be able to continue to login to Sage?

    Is it pretty safe to say there would never be a practical need to adjust the  "Enforce password policy"  with Sage 300 2024 SP3 or higher on either the SQL  user ##S3_Login_ (created for Sage 300 authentication) or the user ##S3_Domain_ (created for windows authentication) 

     

Reply
  • 0 in reply to Accsys Consulting AU

    thanks for your detailed reply.  A few points for clarification. Can you confirm if I have anything wrong below in my logic 

    The environment has a separate SQL server and a APP server users access sage with a WS installation

    1.  User is set to Sage 300 authentication:  the local security policy of the SQL server applies (not the app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    2.  User is set to windows authentication:  The security policy that applies to the user (either direct or likely a group policy) is applied if none in place then the local security policy of the SQL server (not app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    3.  If user has Both sage 300 authentication and Windows configured in Sage  #1 and #2 are applied  the same way as outlined above depending on which one you use to login

    Does the "password never expire" feature in Sage 300 2024 Sp3 and higher take priority over any local security policy for users set to Sage 300 authentication or both?

    This is to say that if I create my service user with Sage300 authentication only

    - set the password in Sage to never expire 

    - the Local security policy on the SQL server does require password to change every 90 days and you can't re-use a password and you are locked out after 5 tries 

    What will happen to my service user in 90 days - will i need to change the password for it to be able to continue to login to Sage?

    Is it pretty safe to say there would never be a practical need to adjust the  "Enforce password policy"  with Sage 300 2024 SP3 or higher on either the SQL  user ##S3_Login_ (created for Sage 300 authentication) or the user ##S3_Domain_ (created for windows authentication) 

     

Children
  • 0 in reply to ValerieH
    SUGGESTED
    in sql I change the corresponding ##S3_Login_ServiceUser##VAULT user to "not enforce password policy", set the password to Balloons - it is allowed

    Before I answer your latest questions, I meant to say I know you had success manually changing the policy and password for the vault service user however I would strongly recommend not doing this in the future as these users are meant to be managed by the Sage system and I don't know what the potential impact could be modifying them bypassing any controls Sage enforces.  Glad you had success though.

    Sage 300 Enhanced Security Guide

    This excellent PDF guide will answer a lot of your questions too, and I refer back to it a lot.

    User is set to Sage 300 authentication:  the local security policy of the SQL server applies (not the app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    Correct, Sage 300 does override some of the Local Security Policy rules including minimum complexity and password expiry (when set under Admin Services -> Users).

    2.  User is set to windows authentication:  The security policy that applies to the user (either direct or likely a group policy) is applied if none in place then the local security policy of the SQL server (not app server), and if that policy is set to bare min the  Sage 300 2024 minimum is applied

    When a user logs into Windows or RDS session then opens Sage 300, selects a company and clicks "OK" to login using Windows Authentication, Sage 300 authentication and any security policies are skipped altogether, sending the user straight into Sage 300 where Sage 300 User Authorizations and other possible permissions and restrictions apply, specific to Sage 300 System Manager and the modules themselves.  As you know the credential rules for the user to login to Windows, RDS or even AVD are controlled by Active Directory, Entra AD or a Microsoft account.  Just remember the SQL Local Password Policy rule settings will still impact the ADMIN account, which is always a Sage 300 account, so keep that in mind - especially if no one logs in as ADMIN regularly.  One problem we've had at sites is where the SQL Local Security policy is strictly set by GP and set to something conservative like 28 days.  At these sites someone might log in as ADMIN to perform an admin task a few months after the last ADMIN login occured, only to find the ADMIN password is expired and unable to be changed, requiring use of the new Password Reset tool for Sage 300 with enhanced security.  For some reason, maybe due to other strict settings in the local password policy at these sites, the expired ADMIN account doesn't prompt to be changed upon the first login after expiry - it simply rejects the login with no options to update or change.

    If user has Both sage 300 authentication and Windows configured in Sage  #1 and #2 are applied  the same way as outlined above depending on which one you use to login

    Correct.  If user has both and logs in with Sage 300 Authentication, the SQL server's Local Password Policy rules apply.  If the user logs in with Windows Authentication, all authentication is bypassed allowing the user straight in based on the Windows Session User = Domain User set in Administrative Services for the User.  I.e. if I log into Windows as mydomain\tim and my Sage 300 account has been set to Windows Authentication, User = Tim, Domain = mydomain, then Sage 300 just allows the user straight in with no other checks.

    Does the "password never expire" feature in Sage 300 2024 Sp3 and higher take priority over any local security policy for users set to Sage 300 authentication or both?

    Correct.  I actually didn't look at this option added in 2024 closely and note its available under the ADMIN user, so it now looks like you can prevent the ADMIN password constantly expiring which was a big problem in version 2023 PU2 and later.

    What will happen to my service user in 90 days - will i need to change the password for it to be able to continue to login to Sage?

    According to the PDF, the Sage 300 "Password Never Expires" setting will override SQL Local Security Policy therefore your Service user shouldn't ever expire.  Thinking about it I haven't had our 2024 sites calling up complaining of expiring passwords so it looks like this does work as documented by Sage.

    Is it pretty safe to say there would never be a practical need to adjust the  "Enforce password policy"  with Sage 300 2024 SP3 or higher on either the SQL  user ##S3_Login_ (created for Sage 300 authentication) or the user ##S3_Domain_ (created for windows authentication) 

    I agree 100% and feel you should never make direct changes to Sage 300 SQL users.

    Good luck!

  • 0 in reply to Accsys Consulting AU

    thank you so much for your detailed answers - incredibly helpful and all seems to test out right in my pre-upgrade lab.   

  • 0 in reply to Accsys Consulting AU

    Hi  ,

    I just wanted to extend a sincere thank you for your continuous support and expertise shared within our community, especially around Sage 300 and SQL security matters. Your willingness to guide others and share your deep knowledge makes a great impact and is deeply valued by both our team and fellow community members.

    Thank you for making a difference!

    Warm regards,
    Erzsi

  • 0 in reply to Erzsi_I

    Hi  that's very kind of you to say, thank you, I'm very lucky to work for Accsys Consulting, a 30+ year Sage Business Partner who is happy for me to contribute to the community forums.  I'm not on Jay's level but happy to help where I can!  Cheers...Tim