Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Authentication for users in other Domains
-
I seem unable to add users from domains other than the one on which ProGet is installed. I know that these domains are visible as I can add users to TFS installed on the same servers. I have an account in several domains - I can add myself from installation domain, but nothing resolves for "xxx\abaranov" or "yyy\abaranov". This is an issue as developers do not have accounts for the installation domain.
Product: ProGet
Version: 3.6.1
-
UPDATE: as of ProGet 3.7, the below is oudated. You can simply use the built-in multi-domain provider.
We will be re-working the privileges page (and AD settings) in ProGet at some point to better support cross-domain privilege assignment. For now, it's not fully supported in the UI but you can get it working with the steps below.
Note: These steps can only be completed successfully if you have access to run UPDATE and INSERT queries against the ProGet SQL Server database directly... do not perform these steps if you do not have access to do so. To see the server/instance where the database is installed, check
ProGet.Service.exe.config
in the \Service subdirectory where ProGet is installed for the connection string.-
Enable LDAP for multiple domains, execute:
UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'IntegratedAuthenticationEnabled'
UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'LDAPEnabled'
UPDATE [Configuration] SET [Value_Text] = 'True' WHERE [Key_Name] = 'LDAPMultipleDomainEnabled' -
Add your fully-qualified domain account as an Administrator (replacing [user] and [domain] with your account name and domain respectively):
INSERT INTO [Privileges] ([BuiltIn_Directory_Indicator],[Principal_Name],[PrincipalType_Code],[Role_Id],[Feed_Id],[PrivilegeType_Code])
VALUES ('N', '[user]@[domain]', 'U', 1, NULL, 'G') -
Restart the web application. If running the integrated web server, do
Start > Run > services.msc
and restart the ProGet Service (INEDOPROGETSVC). If hosting the website in IIS, simply restart the ProGet application pool.
When the website is fully restarted, you should now have access to the website and should be able to search for users in any domain. If you are still experiencing issues with user searching in the UI, you can add users with the query in step (2) above.
#####Rollback Steps
To return ProGet to the built-in security module, run the following UPDATE statements and restart the web application:
UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'IntegratedAuthenticationEnabled' UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'LDAPEnabled' UPDATE [Configuration] SET [Value_Text] = 'False' WHERE [Key_Name] = 'LDAPMultipleDomainEnabled'
-
-
Hello, Tod. Thank you for your instructions. It took me a little bit of time to get Sys Admin for the SQL instance.
I executed things as detailed, and am still unable to access from another domain. Please see below. Any advice is appreciated.
Server Error in '/' Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.
Exception Details: System.Security.SecurityException: User abaranov not found in directory LDAP - Multiple Domains.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SecurityException: User abaranov not found in directory LDAP - Multiple Domains.]
Inedo.ProGet.WebApplication.ProGetHttpModule.AuthorizeRequest(HttpApplication app) +526
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
-
Here is a link to a console program that will perform the same "FindUsersAndGroups" method that ProGet uses to search for users/groups, along with the source code. Hopefully it will help determine the root cause. You can just run the .exe and enter a search string to test and/or use the source to debug.
Program:
http://44.inedo.com/proget/ProGet.MultiDomain.Authentication.exe.zipSource code:
http://44.inedo.com/proget/ProGet.MultiDomain.Authentication.Source.zip
-
Tod,
From testing, it looks like the utility is able to perform searches against top-level and child domains within the forest, but not domains that are in a separate forest that is trusted via a forest-level trust.
I ran the utility from each of the domains in question, and was able to only get the users from the particular forest.
Is this a limitation that can be confirmed? Thank you very much.
-
As long as the Global Catalog can search the other forest it should work, if there is a restriction on that, then it will not find the user. By default however, it uses the
Forest.GetCurrentForest()
to determine which GC to query.We are now planning to make some improvements to the way authentication works as it is slowly becoming the #1 requested feature/improvement.