We've just upgraded from Vault 2.0.1 to 3.0.2 and everything seems to have gone smoothly.
However, one feature we were keen on was the AD Integration. However, if I configure the server impersonation (using Identity Switcher), enter the domain name in Server Options and AD-enable my login, I get an Invalid Username or Password message when trying to login with Vault Client. The server log extract is copied below.
I tried changing the domain to a FQDN (internal.dbt.co.uk) instead of INTERNAL, with no change in the result.
If I use the same login (james.shannon) with my network password to a web site on the same web server as Vault configured with Integrated Authentication, I can login fine. This indicates that not only is my login correct, but also that the Vault server can contact the DC (which is also confirmed by the presence of the DC's name and ip address in the server log below).
Does Vault use the Windows apiLogonUser API or LDAP? We allow both through the firewall that separates our Vault server & the DC (and we also use both methods in our other web apps), but it might help narrow down the cause.
Any ideas?
Many thanks,
--James Shannon
----02/02/2005 12:43:40 sgvaultsystem--()--
System Started
Version 3.0.2.2812
Cache Level = 1
DataBase Buffer Size (KB) = 256
LogFile Path = C:\WINDOWS\Temp\sgvault
Log Level = Debug
Archive Log = Weekly
ReverseDNS Lookup = True
Maximum HTTP Request Length = 102400
Overwrite Log on Startup = False
Session Timeout = 4320
Active Directory Domain = INTERNAL
SGVault Working Directory = C:\WINDOWS\Temp
SGVault Server URL =
Identity = SSN1\Administrator
----02/02/2005 12:43:41 --DC-INTERNAL(192.168.1.130)--SSL Disabled Getting repository Structure.
Active Directory authorization for user james.shannon failed.
Logon failure: unknown user name or bad password
----02/02/2005 12:44:05 james.shannon--DC-INTERNAL(192.168.1.130)--SSL Disabled Login failed: FailInvalidPassword
Unable to login with Active Directory Integration
Moderator: SourceGear
-
james.shannon
- Posts: 3
- Joined: Wed Mar 31, 2004 2:13 am
james,
We use the DirectoryEntry object to attempt to connect to AD. Our code looks like:
Is it possible that the problem is that your Vault server is impersonationing an account on the SSN1 domain, but authenticate a user against the INTERNAL domain?
We use the DirectoryEntry object to attempt to connect to AD. Our code looks like:
Code: Select all
string defaultNamingContext = null;
string domainUser = domain + "\\" + login;
using (DirectoryEntry deRoot = new DirectoryEntry())
{
string pathRoot = "LDAP://" + "rootDSE";
deRoot.Username = domainUser;
deRoot.Password = password;
deRoot.Path = pathRoot;
try
{
defaultNamingContext = deRoot.Properties["defaultNamingContext"][0].ToString();
}
catch(Exception ex)
{
LogError("Active Directory authorization for user " + login + " failed.", ex);
return false;
}
}-
james.shannon
- Posts: 3
- Joined: Wed Mar 31, 2004 2:13 am
Jeremy,
By binding to LDAP://rootDSE you're requiring the Vault server to be in the same domain as the authentication domain. In our case and because the very nature of Vault promotes remote development, we put our Vault server in the DMZ and therefore in its own domain.
Changing your code to that included below would allow authentication against both local and alternative authentication domains. It is based on the sample provided at http://support.microsoft.com/default.as ... US;Q316748.
I've tested your original code and the revised code below on our Vault server in a test app and it definitely fixes this issue.
Is there any chance you guys could integrate this version - we've been waiting so long for AD authentication and are desparate to use it! If this version tests fine for you, then it won't have any impact on existing users.
Thanks,
--James
By binding to LDAP://rootDSE you're requiring the Vault server to be in the same domain as the authentication domain. In our case and because the very nature of Vault promotes remote development, we put our Vault server in the DMZ and therefore in its own domain.
Changing your code to that included below would allow authentication against both local and alternative authentication domains. It is based on the sample provided at http://support.microsoft.com/default.as ... US;Q316748.
I've tested your original code and the revised code below on our Vault server in a test app and it definitely fixes this issue.
Is there any chance you guys could integrate this version - we've been waiting so long for AD authentication and are desparate to use it! If this version tests fine for you, then it won't have any impact on existing users.
Thanks,
--James
Code: Select all
string pathRoot = "LDAP://" + domain;
string domainUser = domain + "\\" + login;
using (DirectoryEntry deRoot = new DirectoryEntry(pathRoot,domainUser,password))
{
try
{
Object obj = deRoot.NativeObject;
}
catch(Exception ex)
{
LogError("Active Directory authorization for user " + login + " failed.", ex);
return false;
}
}
-
james.shannon
- Posts: 3
- Joined: Wed Mar 31, 2004 2:13 am