I am in the process of configuring Vault to use Windows Authentication for when our users log in. I understand I have to enter the domain name in the Server Option tab and then for each user select the Authenticate using Active Directory box. I also understand I need to run the IdentitySwitcher tool. Our Vault server is in a different domain than the one our users are authenticating in. My question is which domain am I setting the user that needs to be impersonated? The domain the Vault server is in? Or the authenticating server?
I am using the latest version (3.0.7)
Thank you,
Kim
Windows Authentication
Moderator: SourceGear
I guess that's where I'm stuck. I'm not clear what you mean by the Vault server should be impersonating a user who is on the authenticating domain. Are you referring to the account I'm logged on to the server with? Are you referring to the account I'm logging into the Vault Admin tool with?
I have the domain entered on the Server Options tab and I have checked the box Authenticate using AD on my Vault account which is in the same format as my domain account (firstname.lastname) yet when I connect to Vault client it's prompting me to authenticate.
The misunderstanding is how Active Directory authentication works in Vault. Vault (because it is a web service) will always prompt for a username and password. We haven't implemented the auto-login aspect of active directory.
Vault uses AD only as a password verification mechanism. Whatever password is entered in the Vault login dialog is forwarded to AD to reject or accept. This was implemented as a way for admins to utilise AD to enforce password expiration and password toughness.
I understand the benefits of single sign-on, but Vault (for the near future, at least) will always prompt for a username and password. If one of your users can type in his AD username and password in Vault and log in to Vault, you have AD authentication working correctly.
By impersonation, I mean that web services can be set to run as a domain user (usually one with restricted rights). This is necessary, because the web service needs to contact the domain controller to verify that the username and password are valid. Impersonation is configured in the VaultService\web.config file.
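As an added illustration of the impersonation setting the moderator describes (this fragment is not from the thread, from SourceGear's IdentitySwitcher tool, or from Vault's documentation), the standard ASP.NET way to make a web application run as a specific domain user is the `identity` element in web.config. The domain name `AUTHDOMAIN`, the account `svc_vault` and the application path `/VaultService` are placeholders; whether IdentitySwitcher writes exactly this element is not stated on the page.

```xml
<!-- VaultService\web.config (excerpt): run the service as a restricted
     account from the domain that holds the users, since that is the domain
     controller the service must reach to verify the entered password. -->
<configuration>
  <system.web>
    <!-- Plaintext password in the config file: anyone who can read
         web.config learns the service credential. -->
    <identity impersonate="true"
              userName="AUTHDOMAIN\svc_vault"
              password="placeholder-change-me" />
  </system.web>
</configuration>

<!-- The same section after protecting it with the ASP.NET configuration
     encryption tool (run from the .NET Framework directory on the server):
       aspnet_regiis.exe -pe "system.web/identity" -app "/VaultService"
     The credential is still used at runtime, but it is no longer readable
     in the file. -->
<configuration>
  <system.web>
    <identity configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>
        <!-- ciphertext written by aspnet_regiis, omitted here -->
      </EncryptedData>
    </identity>
  </system.web>
</configuration>
```

The account named in `userName` should be an ordinary, low-privilege user of the authenticating domain (no local administrator or domain administrator membership), because its only job is to let the web service submit logon checks to that domain's controller. Encrypting the section ties the ciphertext to the machine key container, so the file must be re-encrypted if the service is moved to another server.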