Active Directory Connection
Moderator: SourceGear
Active Directory Connection
Does Vault connect to Active Directory using SSL or is it plain-text? My security team was asking me and I can’t find anything.
Re: Active Directory Connection
Hello,
All communication between the Vault client and server is done over HTTP, utilizing IIS Web Services. You can configure IIS for SSL support to keep your data secure.
Please let me know if you have any additional questions.
Thanks,
Tonya
Re: Active Directory Connection
Tonya,
Not quite what we were looking for. We are migrating to AD user authentication. We need to know if the Vault server-to-AD server communication is done using SSL or non-SSL. We know about the 'Use SSL' checkbox in the user login, but don't see an option for the AD server connection.
Thanks,
Jeff
Re: Active Directory Connection
Hi Jeff,
Sorry about the confusion on my part.
Vault uses the System.DirectoryServices.DirectoryEntry to connect to the AD Server with the default option of connecting with the "Security" parameter. According to the Microsoft documentation, "security" is:
Requests secure authentication. When this flag is set, the WinNT provider uses NTLM to authenticate the client. Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client. When the user name and password are a null reference (Nothing in Visual Basic), ADSI binds to the object using the security context of the calling thread, which is either the security context of the user account under which the application is running or of the client user account that the calling thread is impersonating.
Please note that when the Vault Server makes the Active Directory Services request, the user/password are not null. Also, the communication is only between the Vault Server and the Active Directory Services. The Vault Client is not involved with this part of the login process.
If this doesn't properly answer your questions, please let me know.
Thanks,
Tonya
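Added example, not SourceGear's code and not from this thread: the reply above says Vault binds through System.DirectoryServices.DirectoryEntry with the "Secure" option. In that mode the bind is a Kerberos/NTLM (SASL) authentication, so the service account's password does not cross the wire in clear text even on port 389, but the LDAP traffic after the bind is encrypted only if Kerberos sealing or SSL is also requested. The script below exercises the three variants from a domain-joined machine so the difference is visible; the DC name, domain DN and bind account are assumptions.

```powershell
# Added example (not SourceGear's code): bind a DirectoryEntry three ways
# to show the difference between "Secure" authentication and an
# encrypted LDAP channel. DC name, domain and account are assumptions.
Add-Type -AssemblyName System.DirectoryServices

$dc       = 'dc01.corp.example'      # assumed domain controller
$baseDn   = 'DC=corp,DC=example'     # assumed domain
$user     = 'CORP\vault-svc'         # assumed bind account
$secret   = Read-Host -Prompt 'Bind password' -AsSecureString
$password = (New-Object System.Net.NetworkCredential('', $secret)).Password

function Test-LdapBind {
    param(
        [string]$Path,
        [System.DirectoryServices.AuthenticationTypes]$AuthType
    )
    $entry = New-Object System.DirectoryServices.DirectoryEntry($Path, $user, $password, $AuthType)
    try {
        # Reading NativeObject forces the actual bind to the DC.
        $null = $entry.NativeObject
        [pscustomobject]@{ Path = $Path; AuthType = $AuthType; Result = 'bound' }
    } catch {
        [pscustomobject]@{ Path = $Path; AuthType = $AuthType; Result = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

$A = [System.DirectoryServices.AuthenticationTypes]

# 1. The mode described in the reply: Secure on the default port (389).
#    Kerberos/NTLM bind, password not sent in the clear, but the LDAP
#    requests and results that follow are not encrypted.
Test-LdapBind "LDAP://$dc/$baseDn" $A::Secure

# 2. Secure + Sealing: still port 389, but Kerberos encrypts the session
#    (Signing would add integrity only; Sealing adds confidentiality).
Test-LdapBind "LDAP://$dc/$baseDn" ($A::Secure -bor $A::Sealing)

# 3. Secure + SecureSocketsLayer: LDAPS on 636. The DC must present a
#    certificate this machine trusts, otherwise the bind fails here.
Test-LdapBind "LDAP://${dc}:636/$baseDn" ($A::Secure -bor $A::SecureSocketsLayer)
```

If variant 3 fails while 1 and 2 succeed, the DC is not offering LDAPS (no server certificate installed) or the Vault server does not trust the issuing CA; that is the prerequisite to check before expecting any product to use port 636.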
Re: Active Directory Connection
Tonya,
Thanks for that info. Do you know which port the Vault server is using to connect to the AD server? Ports 389 and 636 are typical.
Jeff
Re: Active Directory Connection
Hello again,
It should be the default port. Like you said, typically port 389.
Tonya
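Added example, not SourceGear's code and not from this thread: rather than relying on "it should be the default port", you can observe what the Vault server actually does. The script below, run on the Vault server while a user logs in with AD authentication, lists the established TCP connections from the IIS worker process to the LDAP ports on the domain controllers. It assumes Vault is hosted by IIS in w3wp.exe and that Get-NetTCPConnection is available (Windows Server 2012 or later); adjust the process name if your deployment differs.

```powershell
# Added example (not SourceGear's code): show which LDAP port the Vault
# server's IIS worker process is using to reach the domain controllers.
# Assumes Vault runs in w3wp.exe and Get-NetTCPConnection is available.

function Get-VaultLdapConnections {
    param(
        # Name of the IIS worker process hosting Vault (assumption)
        [string]$ProcessName = 'w3wp',
        # 389/3268 = LDAP/Global Catalog; 636/3269 = the same over TLS
        [int[]]$LdapPorts = @(389, 636, 3268, 3269)
    )
    $pids = (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue).Id
    if (-not $pids) {
        Write-Warning "No $ProcessName process found; is IIS running?"
        return
    }

    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -in $pids -and $_.RemotePort -in $LdapPorts } |
        ForEach-Object {
            $conn = $_
            # Resolve the DC name for readability; fall back to the address.
            try   { $remoteHost = [System.Net.Dns]::GetHostEntry($conn.RemoteAddress).HostName }
            catch { $remoteHost = $conn.RemoteAddress }

            # Port alone tells you whether TLS is in play. On 389/3268 the
            # bind is still Kerberos/NTLM, but the rest of the session is
            # plain unless Kerberos sealing was negotiated.
            if ($conn.RemotePort -in @(636, 3269)) {
                $transport = 'TLS (LDAPS)'
            } else {
                $transport = 'plain LDAP (encrypted only if Kerberos sealing was negotiated)'
            }

            [pscustomobject]@{
                Pid        = $conn.OwningProcess
                RemoteHost = $remoteHost
                RemotePort = $conn.RemotePort
                Transport  = $transport
            }
        }
}

# The LDAP connection for a login is short-lived, so poll for a few
# seconds while a test user signs in to Vault with AD authentication.
1..10 | ForEach-Object { Get-VaultLdapConnections; Start-Sleep -Seconds 1 } |
    Sort-Object RemoteHost, RemotePort -Unique
```

Seeing only port 389 here is consistent with the replies above (Secure bind, default port). If the security team's requirement is an encrypted channel to the DC, the evidence they will want is either connections on 636/3269 or a packet capture showing the 389 session is SASL-sealed; this listing gives the first half of that answer.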