Windows Authentication with LDAP on ProGet 3.8.0 not working
-
In older versions of ProGet, Windows Authentication just worked when LDAP was enabled. Now, Windows Authentication does not work. Forms works just fine, but not Windows Auth.
Product: ProGet
Version: 3.8.0
-
Could you be more specific about what doesn't work, e.g. messages and what version you upgraded from? Depending on which version you upgraded from, the change that most likely affected you was the separation of Integrated Authentication from the User Directory which is disabled by default when the directory is changed -- you can re-enable it from the Admin > Integrated Authentication page.
-
This is actually a fresh install attempt. We had 3.6.1 installed on a different system that we were testing, and decided to test 3.8.0. Our LDAP user we use for admin was added to both LDAP and Multiple AD. We turned on Forms authentication and confirmed we could log in fine with our LDAP user. We then turned off Forms authentication and turned on Windows Authentication. After that, we get endless prompts for our users. Type in the same user/password, continuously fails, until we hit cancel and get a "HTTP Error 401. The requested resource requires user authentication." error.
-
The database server is different as well. This is a completely fresh install of ProGet 3.8.0.
-
If I turn off Negotiate and leave NTLM, I'm brought to the Forms style authentication again. But leaving Negotiate on using the same credentials fails every time.
-
The upgrade is a coincidence, and the problem could have been triggered by something as simple as restarting the application pool; this is handled entirely by IIS (more specifically, Microsoft Negotiate).
Negotiate authentication uses Kerberos (see Kerberos Explained), and this is difficult to debug. You can search for things like “windows negotiate authentication fails” to find all sorts of tips, but this article has been a good resource.
In my experience, the most common reasons this doesn’t work:
- accessing by a different URL (buildmastersv vs buildmastersv.mydomain.local)
- having a time difference between server and domain controller
- not having certain patches/Windows updates
NTLM is a different type of authentication, which may not be desirable.
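
A triage aid for the failure discussed in this thread, added here as an example and not taken from any post or from ProGet: it classifies the `Authorization` header a browser sends in answer to the 401 challenge, showing whether the client presented a Kerberos ticket or fell back to NTLM inside Negotiate. The function names and the sample headers are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs as they appear inside SPNEGO/GSS-API tokens.
KERBEROS_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2 (Kerberos 5)
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy Microsoft value)
)
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
NTLM_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Return 'ntlm', 'kerberos', 'spnego-other' or 'unknown' for one header value.

    Meant for the client's first token after the 401 challenge; later SPNEGO
    response tokens carry no mechanism OID and come back as 'unknown'.
    """
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not blob.strip():
        return "unknown"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # Checked first: NTLM can arrive bare or wrapped in SPNEGO under "Negotiate".
    if NTLM_SIGNATURE in token:
        return "ntlm"
    if token[:1] == b"\x60" and any(oid in token for oid in KERBEROS_OIDS):
        return "kerberos"
    if SPNEGO_OID in token:
        return "spnego-other"
    return "unknown"


def constructed_samples():
    """Constructed header values: not captured traffic, and not complete ASN.1."""
    ntlm_bare = NTLM_SIGNATURE + b"\x01\x00\x00\x00" + bytes(4)
    krb = b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x82\x04\xf0" + KERBEROS_OIDS[0] + bytes(16)
    ntlm_wrapped = b"\x60\x40" + SPNEGO_OID + b"\xa2\x2a\x04\x28" + ntlm_bare
    enc = lambda raw: base64.b64encode(raw).decode("ascii")
    return {
        "negotiate_kerberos": "Negotiate " + enc(krb),
        "negotiate_ntlm_bare": "Negotiate " + enc(ntlm_bare),
        "negotiate_ntlm_wrapped": "Negotiate " + enc(ntlm_wrapped),
    }


if __name__ == "__main__":
    for name, value in constructed_samples().items():
        print(f"{name:24} -> {classify_authorization(value)}")
```

An `ntlm` result under the `Negotiate` scheme means the client did not present a Kerberos ticket for the host name in the URL.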