Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Authentication for users in other Domains

    Scheduled Pinned Locked Moved Support
    ldapprogetauthentication
    6 Posts 1 Posters 6 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      I seem unable to add users from domains other than the one on which ProGet is installed. I know that these domains are visible as I can add users to TFS installed on the same servers. I have an account in several domains - I can add myself from installation domain, but nothing resolves for "xxx\abaranov" or "yyy\abaranov". This is an issue as developers do not have accounts for the installation domain.

      Product: ProGet
      Version: 3.6.1

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        UPDATE: as of ProGet 3.7, the below is oudated. You can simply use the built-in multi-domain provider.


        We will be re-working the privileges page (and AD settings) in ProGet at some point to better support cross-domain privilege assignment. For now, it's not fully supported in the UI but you can get it working with the steps below.

        Note: These steps can only be completed successfully if you have access to run UPDATE and INSERT queries against the ProGet SQL Server database directly... do not perform these steps if you do not have access to do so. To see the server/instance where the database is installed, check ProGet.Service.exe.config in the \Service subdirectory where ProGet is installed for the connection string.

        1. Enable LDAP for multiple domains, execute:

          UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'IntegratedAuthenticationEnabled'
          UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'LDAPEnabled'
          UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'LDAPMultipleDomainEnabled'

        2. Add your fully-qualified domain account as an Administrator (replacing [user] and [domain] with your account name and domain respectively):

          INSERT INTO [Privileges] ([BuiltIn_Directory_Indicator],[Principal_Name],[PrincipalType_Code],[Role_Id],[Feed_Id],[PrivilegeType_Code])
          VALUES ('N', '[user]@[domain]', 'U', 1, NULL, 'G')

        3. Restart the web application. If running the integrated web server, do Start > Run > services.msc and restart the ProGet Service (INEDOPROGETSVC). If hosting the website in IIS, simply restart the ProGet application pool.

        When the website is fully restarted, you should now have access to the website and should be able to search for users in any domain. If you are still experiencing issues with user searching in the UI, you can add users with the query in step (2) above.

        #####Rollback Steps

        To return ProGet to the built-in security module, run the following UPDATE statements and restart the web application:

        UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'IntegratedAuthenticationEnabled'
        UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'LDAPEnabled'
        UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'LDAPMultipleDomainEnabled'
        
        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          Hello, Tod. Thank you for your instructions. It took me a little bit of time to get Sys Admin for the SQL instance.

          I executed things as detailed, and am still unable to access from another domain. Please see below. Any advice is appreciated.

          Server Error in '/' Application.

          Security Exception

          Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

          Exception Details: System.Security.SecurityException: User abaranov not found in directory LDAP - Multiple Domains.

          Source Error:

          An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

          Stack Trace:

          [SecurityException: User abaranov not found in directory LDAP - Multiple Domains.]
          Inedo.ProGet.WebApplication.ProGetHttpModule.AuthorizeRequest(HttpApplication app) +526
          System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
          System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Here is a link to a console program that will perform the same "FindUsersAndGroups" method that ProGet uses to search for users/groups, along with the source code. Hopefully it will help determine the root cause. You can just run the .exe and enter a search string to test and/or use the source to debug.

            Program:
            http://44.inedo.com/proget/ProGet.MultiDomain.Authentication.exe.zip

            Source code:
            http://44.inedo.com/proget/ProGet.MultiDomain.Authentication.Source.zip

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              Tod,

              From testing, it looks like the utility is able to perform searches against top-level and child domains within the forest, but not domains that are in a separate forest that is trusted via a forest-level trust.

              I ran the utility from each of the domains in question, and was able to only get the users from the particular forest.

              Is this a limitation that can be confirmed? Thank you very much.

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                As long as the Global Catalog can search the other forest it should work, if there is a restriction on that, then it will not find the user. By default however, it uses the Forest.GetCurrentForest() to determine which GC to query.

                We are now planning to make some improvements to the way authentication works as it is slowly becoming the #1 requested feature/improvement.

                1 Reply Last reply Reply Quote 0

                Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                With your input, this post could be even better 💗

                Register Login
                • 1 / 1
                • First post
                  Last post
                Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation