Hi Everyone,
We're having a security issue with Report Caster & Library after following the setup instructions for external authentication in the WebFOCUS Security and Administration 7.6 PDF. I've opened a ticket up with the support but I thought I'd bounce the scenario off you guys and get your thoughts/suggestions.

The Report Caster and/or Library logon process is not authenticating users passwords.

Our Reporting Server is running on Windows 2003 Server with security set to OPSYS. Managed Reporting is configured for internal authorization and external authentication (set to WFRS). So as I understood things - with this configuration authentication is being done by the OS through the Reporting Server. What I don't understand is why the password isn't being authenticated during the Report Caster / Library logon. I've looked through the edatemp log and I see connection requests when I use the WF admin and web consoles or the MRE admin console/applet or the dashboard but nothing when I sign on to Report Caster and Library directly.

The only setting that makes any difference in the functionality we are seeing is if the Report Caster 'Authentication Plugin' property is set to 'None'. Then no one can login. When its set to 'Trusted MR Sign-on' our MRE users can login but passwords aren't authenticated. Give me a call if you have question or want to discuss.
Thanks, Devon

In this configuration MR trusts caster thus the password is not required. The behavior you are experiencing is a known issue and has been fixed. CSS should be able to supply you with a patch

Just for some closure on this.

CSS informs us this is a known security bug with version 7.6.0. They will not be supplying a hotfix. Their suggestion is to upgrade to version 7.6.4 as it is apparently no longer an issue in that release.

RC does appear to be challenging with 7.6.4. But I just discovered that the Administration Console isn't.

Hello security.