Authentication problem with VPN (Vault 2.0)

If you are having a problem using Vault, post a message here.

Moderator: SourceGear

Post Reply
Thomas Linder Puls
Posts: 153
Joined: Tue Jan 20, 2004 2:28 am
Location: PDC, Copenhagen Denmark
Contact:

Authentication problem with VPN (Vault 2.0)

Post by Thomas Linder Puls » Wed Feb 25, 2004 4:10 am

When I run the Vault client on a machine which is connectet to the server via VPN, I cannot get authenticated correctly on the service itself.

I did not have the problem with Vault 1.2.x.

I think the problem is related to: Microsoft Knowledge Base Article - 303650

At least I also experience the following problem:
  • When accessing http://myserver/VaultService in the Internet Exloprer: no problem
  • When accessing http://myserver.mydom.xx/VaultService in the Internet Exloprer I am prompted for username and password
Changing the Internet Explorer settings (adding *.mydom.xx to "Local intranet") removes the problem for the Internet Explorer, but it continues to exist for Vault.

Currently we use the following workaround: The VaultService WEB accepts anonymous access.

Can you help us?
Thomas Linder Puls
Visual Prolog www.visual-prolog.com

JD

Post by JD » Fri Mar 05, 2004 6:12 pm

We've got the same issue here. A contractor for whom we have a Vault license isn't able to connect to the server via the Vault 2.0.1 client.

His machine is not joined to our domain, so when he goes to any network resource, he has to authenticate with the domain user/pass we gave him. When he goes to the service in IE, he gets that prompt and after logging in can see the VaultService page.

However, when trying to connect via the new Vault client, he just gets "server could not be found" or something similar. The end of the message is 401 : Not Authorized. Enabling Anonymous Access for the VaultService site in IIS fixes this, but we never had the problem with the 1.2.3 version we were using.

Did the 1.x have anon access enabled by default? It's an internal machine and there's still the Vault account security, so I'm not terribly worried about it... but we generally don't have anon access turned on for internal resources.

JD

jclausius
Posts: 3706
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear
Contact:

Post by jclausius » Sat Mar 06, 2004 11:13 am

did someone run iislockdown or possibly change the anonymous authentication on the virtual directory's security setting? by default, the virtual directory, vaultservice, is created w/ anonymous access.

just about every vault web service call has built in authentication / authorization mechanisms. so, unless you have a compelling reason to change, i would strongly recommend running with anonymous access on.

with that said, we have had some users insist on using windows authentication security. note, this is actually tied to the .net framework itself, and not the vault code - the vault client always sends the credentials of the currently logged in windows account.

most of these customers reported a degredation on overall vault performance. it seems the extra load placed on iis to do the authentication for every vault web service call can have quite an impact.

in any case, if you would still feel better setting up this security, i would recommend taking a look at the following links:
here is a sample i quickly whipped up for vaultservice's web.config that allows the domain users JEFFC and CHARLESD access to the vault service. please note, jeffc and charlesd must be logged onto the domain for this example.

Code: Select all

< authentication mode="Windows" />
< authorization >
   < deny users="*" />
   < allow users="MYDOMAIN\JEFFC, MYDOMAIN\CHARLESD" />
< /authorization >
Jeff Clausius
SourceGear

Post Reply