Unable to login with Active Directory Integration

This forum is now locked, since Gold Support is no longer offered.

Moderator: SourceGear

james.shannon
Posts: 3
Joined: Wed Mar 31, 2004 2:13 am

Unable to login with Active Directory Integration

Post by james.shannon » Wed Feb 02, 2005 7:04 am

We've just upgraded from Vault 2.0.1 to 3.0.2 and everything seems to have gone smoothly.

However, one feature we were keen on was the AD Integration. However, if I configure the server impersonation (using Identity Switcher), enter the domain name in Server Options and AD-enable my login, I get an Invalid Username or Password message when trying to login with Vault Client. The server log extract is copied below.

I tried changing the domain to a FQDN (internal.dbt.co.uk) instead of INTERNAL, with no change in the result.

If I use the same login (james.shannon) with my network password to a web site on the same web server as Vault configured with Integrated Authentication, I can login fine. This indicates that not only is my login correct, but also that the Vault server can contact the DC (which is also confirmed by the presence of the DC's name and ip address in the server log below).

Does Vault use the Windows apiLogonUser API or LDAP? We allow both through the firewall that separates our Vault server & the DC (and we also use both methods in our other web apps), but it might help narrow down the cause.

Any ideas?

Many thanks,

--James Shannon


----02/02/2005 12:43:40 sgvaultsystem--()--
System Started
Version 3.0.2.2812
Cache Level = 1
DataBase Buffer Size (KB) = 256
LogFile Path = C:\WINDOWS\Temp\sgvault
Log Level = Debug
Archive Log = Weekly
ReverseDNS Lookup = True
Maximum HTTP Request Length = 102400
Overwrite Log on Startup = False
Session Timeout = 4320
Active Directory Domain = INTERNAL
SGVault Working Directory = C:\WINDOWS\Temp
SGVault Server URL =
Identity = SSN1\Administrator
----02/02/2005 12:43:41 --DC-INTERNAL(192.168.1.130)--SSL Disabled Getting repository Structure.
Active Directory authorization for user james.shannon failed.
Logon failure: unknown user name or bad password
----02/02/2005 12:44:05 james.shannon--DC-INTERNAL(192.168.1.130)--SSL Disabled Login failed: FailInvalidPassword

jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Post by jeremy_sg » Wed Feb 02, 2005 9:01 am

james,

We use the DirectoryEntry object to attempt to connect to AD. Our code looks like:

using System;
using System.DirectoryServices;

// The posted snippet, wrapped in a method so it compiles on its own.
// LogError below is a one-line stand-in for the server's own logging helper.
static bool AuthenticateAgainstLocalDomain(string domain, string login, string password)
{
    string defaultNamingContext = null;
    string domainUser = domain + "\\" + login;
    using (DirectoryEntry deRoot = new DirectoryEntry())
    {
        // Serverless rootDSE path: binds to a DC of the domain the web server itself belongs to
        string pathRoot = "LDAP://" + "rootDSE";
        deRoot.Username = domainUser;
        deRoot.Password = password;
        deRoot.Path = pathRoot;

        try
        {
            // Reading a property forces the bind; it throws if the credentials are rejected
            defaultNamingContext = deRoot.Properties["defaultNamingContext"][0].ToString();
        }
        catch (Exception ex)
        {
            LogError("Active Directory authorization for user " + login + " failed.", ex);
            return false;
        }
    }
    return defaultNamingContext != null;
}

static void LogError(string message, Exception ex) { Console.Error.WriteLine(message + " " + ex.Message); }

Is it possible that the problem is that your Vault server is impersonating an account on the SSN1 domain, but authenticating a user against the INTERNAL domain?

james.shannon
Posts: 3
Joined: Wed Mar 31, 2004 2:13 am

Post by james.shannon » Wed Feb 02, 2005 10:36 am

Jeremy,

By binding to LDAP://rootDSE you're requiring the Vault server to be in the same domain as the authentication domain. In our case and because the very nature of Vault promotes remote development, we put our Vault server in the DMZ and therefore in its own domain.

Changing your code to that included below would allow authentication against both local and alternative authentication domains. It is based on the sample provided at http://support.microsoft.com/default.as ... US;Q316748.

I've tested your original code and the revised code below on our Vault server in a test app and it definitely fixes this issue.

Is there any chance you guys could integrate this version - we've been waiting so long for AD authentication and are desperate to use it! If this version tests fine for you, then it won't have any impact on existing users.

Thanks,

--James

Code:

using System;
using System.DirectoryServices;

// Bind directly to the authentication domain instead of the local rootDSE.
// LogError below is a one-line stand-in for the server's own logging helper.
static bool AuthenticateAgainstDomain(string domain, string login, string password)
{
    string pathRoot = "LDAP://" + domain;
    string domainUser = domain + "\\" + login;
    using (DirectoryEntry deRoot = new DirectoryEntry(pathRoot, domainUser, password))
    {
        try
        {
            // Touching NativeObject forces the bind; it throws if the credentials are rejected
            Object obj = deRoot.NativeObject;
        }
        catch (Exception ex)
        {
            LogError("Active Directory authorization for user " + login + " failed.", ex);
            return false;
        }
    }
    return true;
}

static void LogError(string message, Exception ex) { Console.Error.WriteLine(message + " " + ex.Message); }
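An added example, not SourceGear's code and not the snippet James posted, that builds on the domain-bind approach in his post: it validates a login against a named domain with a Negotiate (Secure) bind rather than a simple bind, so the password is not sent in clear even when SSL is disabled as in the log above; it refuses an empty password, which LDAP servers otherwise treat as an unauthenticated bind; and it maps the COM error codes to a coarse result so the server log can say whether the domain was unreachable or the credentials were rejected. The class name AdLogin, the Validate method and the Result enum are assumptions of this example; the two HRESULT constants are the standard Win32 logon-failure and server-down codes.

```csharp
// Added example: validate a domain login by binding to LDAP://<domain>, so the
// web server need not be a member of the authentication domain.
// Build: csc /r:System.DirectoryServices.dll AdLogin.cs
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class AdLogin
{
    // Coarse outcome for the server log; never log the password itself.
    public enum Result { Success, BadCredentials, DomainUnreachable, OtherError }

    // Win32 errors as they appear in COMException.ErrorCode (HRESULT 0x8007xxxx).
    const int ERROR_LOGON_FAILURE  = unchecked((int)0x8007052E); // 1326: unknown user name or bad password
    const int ERROR_DS_SERVER_DOWN = unchecked((int)0x8007203A); // 8250: the server is not operational

    // Hypothetical helper: bind to the named domain with the supplied credentials.
    // A successful bind proves the password; failures are classified by error code.
    public static Result Validate(string domain, string login, string password)
    {
        // An empty password must be rejected here: an LDAP bind with a name and no
        // password is an "unauthenticated" bind that many servers accept.
        if (string.IsNullOrEmpty(domain) || string.IsNullOrEmpty(login) || string.IsNullOrEmpty(password))
            return Result.BadCredentials;

        string path = "LDAP://" + domain;          // explicit domain, not the local rootDSE
        string domainUser = domain + "\\" + login;

        // AuthenticationTypes.Secure asks for Negotiate (Kerberos/NTLM) instead of a
        // simple bind, so the password does not cross the wire in clear text.
        using (DirectoryEntry de = new DirectoryEntry(path, domainUser, password, AuthenticationTypes.Secure))
        {
            try
            {
                object bound = de.NativeObject; // forces the bind to happen now
                return bound != null ? Result.Success : Result.OtherError;
            }
            catch (COMException ex)
            {
                switch (ex.ErrorCode)
                {
                    case ERROR_LOGON_FAILURE:  return Result.BadCredentials;
                    case ERROR_DS_SERVER_DOWN: return Result.DomainUnreachable;
                    default:                   return Result.OtherError;
                }
            }
        }
    }

    public static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: AdLogin <domain> <login>   (password is read from stdin)");
            return;
        }
        Console.Write("Password: ");
        string password = Console.ReadLine();

        Result r = Validate(args[0], args[1], password);
        // Same wording as the Vault server log, plus the classified cause.
        Console.WriteLine("Active Directory authorization for user " + args[1] + ": " + r);
    }
}
```

Run it on the web server itself with the same domain and login that Vault rejects: DomainUnreachable points at the firewall or DNS between the DMZ host and the DC, while BadCredentials with a password known to work elsewhere points at the bind path or the impersonation identity, which is the distinction the "unknown user name or bad password" line in the log above does not make on its own.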


jeremy_sg
Posts: 1821
Joined: Thu Dec 18, 2003 11:39 am
Location: Sourcegear

Post by jeremy_sg » Thu Feb 03, 2005 9:10 am

I've made the changes to the AD authentication. Email me using the button below this post, and I'll send you a temp build of 3.0.3.

james.shannon
Posts: 3
Joined: Wed Mar 31, 2004 2:13 am

Post by james.shannon » Thu Feb 03, 2005 12:23 pm

Jeremy,

Works like a champ.

Many thanks,

--James
