Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    LDAP Authorisation for one-way trusted domain

    Scheduled Pinned Locked Moved Support
    progetldap
    8 Posts 1 Posters 104 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ? This user is from outside of this forum
      Guest
      last edited by

      We use ProGet with LDAP integration.

      1. We have to provide access to ProGet feeds to our customers.
      2. We have a single domain which trusts the 6 domains from a single customer.
      3. Domain groups in our domain are assigned privileges in ProGet.
      4. Groups and users from the trusted domains are added to the domain groups from 3.

      Accessing the server with internally works fine.

      When we attempt access to a different website on the same server (only differs by port) with anonymous access, this works fine, so there are no other issues with configuration.

      We cannot access any of the feeds from the customer network. We are continually presented with a login screen for credentials.

      This sounds like we have a currently unsupported scenario - domains in different forests and one-way-trusts.

      Any help towards a solution would be useful.

      Product: ProGet
      Version: 3.1.0

      1 Reply Last reply Reply Quote 0
      • ? This user is from outside of this forum
        Guest
        last edited by

        This scenario should already be supported.

        Have you set the value of LDAPMultipleDomainEnabled to true in all settings? This will search the global catalog for users instead of the domain of the machine that ProGet is installed on. It may require that the privileges are reconfigured since it stores them in "username@domain" format instead of just "username".

        1 Reply Last reply Reply Quote 0
        • ? This user is from outside of this forum
          Guest
          last edited by

          If it works with the same users from one network but not another, then the issue is in your IIS configuration. These prompts are occurring before the request even hits ProGet.

          If your browser is being prompted for credentials, that means a 401/WindowsAuth challenge is being sent and either the browser doesn't accept the challenge (hence the prompt), or the server doesn't accept the NTLM response and returns another 401.

          This could be a lot of things. 80% of the time you can fix it by registering an SPN.

          1 Reply Last reply Reply Quote 0
          • ? This user is from outside of this forum
            Guest
            last edited by

            Any time I have set LDAPMultipleDomainEnabled = True, I cannot access the system afterwards and have to re-install.

            1 Reply Last reply Reply Quote 0
            • ? This user is from outside of this forum
              Guest
              last edited by

              @Alana - good spot.

              ProGet bombs with a 500 if it's an authorisation issue not the browser login window.

              I haven't tried to enter my local network credentials in the browser when accessing from the other network. Trying now... and of course that worked.

              Looking hard at our current implementation (not my team so it wasn't readily available to me) and how they allowed access from the other network. They've used the filing system to secure access but I can put similar setting on my IIS.

              This means I should at least be able to get past this part of the issue soon.

              I'll get back to you.

              1 Reply Last reply Reply Quote 0
              • ? This user is from outside of this forum
                Guest
                last edited by

                Finally got the authentication issue fixed. Now for the authorisation. Currently we get:

                [SecurityException: User xxx not found in directory LDAP.]
                Inedo.ProGet.WebApplication.ProGetHttpModule.AuthorizeRequest(HttpApplication app) +526
                System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
                System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

                I'm assuming it's attempting to authenticate against the local AD. How can I point it towards the other 6?

                1 Reply Last reply Reply Quote 0
                • ? This user is from outside of this forum
                  Guest
                  last edited by

                  That "User xxx not found in directory LDAP" error is a bit of an edge case; what it generally means is that the service user (i.e. credentials the website is running under) does not have permission to query the directory for user information. It can validate the Kerberos auth ticket, but just not query the directory.

                  1 Reply Last reply Reply Quote 0
                  • ? This user is from outside of this forum
                    Guest
                    last edited by

                    We can now support 99% of our clients using the Network Credential Manager. Only one edge case, as discussed with Alex, is still outstanding. We will address that by customising the code in the near future.

                    1 Reply Last reply Reply Quote 0

                    Hello! It looks like you're interested in this conversation, but you don't have an account yet.

                    Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

                    With your input, this post could be even better 💗

                    Register Login
                    • 1 / 1
                    • First post
                      Last post
                    Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation