Feature Request - Integrated Windows Authentication

If you are having a problem using Fortress, post a message here.

Moderator: SourceGear

Post Reply
mtidd
Posts: 5
Joined: Thu Jul 05, 2007 9:03 am

Feature Request - Integrated Windows Authentication

Post by mtidd » Wed Feb 25, 2009 11:15 am

I was curious about the status of integrated windows authentication in Fortress/Vault/Dragnet.

I have seen a reference to "feature request 11228" in the following post
http://support.sourcegear.com/viewtopic ... uest+11228

Basically what I am looking for is full single sign on for active directory. All clients, plugins and websites should optionally use the user's windows domain credentials.

Has there been any progress on this feature? Is it in the works at all?

Thanks,
Marc

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Wed Feb 25, 2009 11:26 am

Currently, you can have Active Directory authentication, it's just that our products don't go out to the domain controller and grab the users. You have to input the users, then enter in the AD information in the admin web page. Then the users can use their same login and password as for Windows, and when they change passwords, they only need to change their Windows password, and the change is picked up for their source control login.

The particular request that you mentioned was for the users to be picked up from Active Directory so an admin doesn't need to enter anything at all for user information. Currently, that request doesn't have a set schedule, and it's not going to make the next release. I can add your 'vote' to it though.
Beth Kieler
SourceGear Technical Support

mtidd
Posts: 5
Joined: Thu Jul 05, 2007 9:03 am

Re: Feature Request - Integrated Windows Authentication

Post by mtidd » Thu Feb 26, 2009 11:07 am

Hi Beth.

Thanks for the response. It sounds like the request I mentioned is not what I am looking for. I am fine with the current active directory integration and do not mind adding the users.

The functionality I am asking about is from the user perspective. The active directory integration saves us from creating seperate accounts in Fortress; that is great. It would be nice if Fortress went one step further and actually used the users current windows credentials to automatically sign them in to Fortress. This is commonly refered to as "Single Sign On".

I don't want to have to save user names and passwords in Profiles or website cookies. Once the user signs on to the domain all Fortress clients, plugins and websites should use the windows credentials and not prompt for user and password. Are there any open requests for this feature?

Thanks,
Marc

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Fri Feb 27, 2009 5:04 pm

I'm looking around to see if I can find a feature request for that. If I don't find one, I will make one.
Beth Kieler
SourceGear Technical Support

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Tue Mar 03, 2009 9:56 am

I found a feature request for this and have added your vote. It's the one you mentioned. I must have read the wrong one.

F: 11228
Beth Kieler
SourceGear Technical Support

jstarbird
Posts: 146
Joined: Wed Jul 22, 2009 11:49 am

Re: Feature Request - Integrated Windows Authentication

Post by jstarbird » Mon Mar 08, 2010 12:21 pm

Please add my vote on this one as well. My users are constantly complaining about the lack of this feature.


Thanks,
J

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Mon Mar 08, 2010 5:40 pm

I've added your vote. Thanks for the feedback.
Beth Kieler
SourceGear Technical Support

bwelch
Posts: 1
Joined: Tue Dec 28, 2010 1:24 pm

Re: Feature Request - Integrated Windows Authentication

Post by bwelch » Tue Dec 28, 2010 1:42 pm

Please add my vote to the requests for this feature: login with users domain credentials. My shop is looking at purchasing Vault and this one feature, or lack of, has me on the fence as to whether to reccomend Vault or another SCM.
If we go with Vault I realize we can somewhat mitigate this issue by setting Vault to use AD Authentication and use Vault profiles to store login information, but with domain passwords regularly expiring staff will also have to go and regularly update all of their vault profiles to. I know keeping this all in sync will become a point a frustration for our staff.

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Wed Dec 29, 2010 4:43 pm

but with domain passwords regularly expiring staff will also have to go and regularly update all of their vault profiles to.
That's not true. When you use our integrated AD authentication, after you set it up the first time, users Vault passwords are checked against AD, so nothing in Vault has to change with their passwords.

I did add your vote to the feature request though. Thank you for your input.
Beth Kieler
SourceGear Technical Support

jstarbird
Posts: 146
Joined: Wed Jul 22, 2009 11:49 am

Re: Feature Request - Integrated Windows Authentication

Post by jstarbird » Tue Jan 04, 2011 1:27 pm

Beth wrote:That's not true. When you use our integrated AD authentication, after you set it up the first time, users Vault passwords are checked against AD, so nothing in Vault has to change with their passwords.
Beth,
we do not find what you said here to be true. When our users Windows passwords change they have to update their Vault saved profiles separately otherwise Vault continues to use their old passwords. We are still on 5.0.2, so wondering if this is something that has changed since then?

Thanks,
J

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Tue Jan 04, 2011 2:51 pm

I can run a quick test just to make sure there isn't a bug. You shouldn't need to put in a password at all for the users anywhere in Vault.

One thing I saw once in the past though is that if a user used the Change Vault Password function in Vault, then the AD integration would be broken.

Here's one thing you could try.
1) Start with one user account that you will try a test with, or it could be your account.
2) Change that user's authentication to Vault authentication.
3) Change the user's password in the Vault admin web page.
4) Have the user close all instances of Vault and Visual Studio.
5) Have the user open a Vault GUI client and login with the new password.
  • 5a) If that works close Vault again and go to step 6.
    5b) If it doesn't work, close Vault, then have the admin recycle the Vault AppPool on the Vault server. That is done by going into the IIS Manager, expand Application Pools, then right-click the VaultAppPool and select Recycle. This will disconnect all users, so you may need to perform this action at a convenient time when people are not uploading and downloading data.
    5c) Then have the user try logging in again. If it continues to fail, stop here and let me know.
6) Return to the Vault admin web page and switch the user to AD integrated login.
7) Repeat section 5, except the user will now use their Windows login.
8_) If section 5 appears to work ok, then if you want to go a step further, have the user change their Windows password, but not their Vault password, then repeat section 5 again. The user should make sure to close and reopen the client during these tests so that it updates its cached information.
Beth Kieler
SourceGear Technical Support

jstarbird
Posts: 146
Joined: Wed Jul 22, 2009 11:49 am

Re: Feature Request - Integrated Windows Authentication

Post by jstarbird » Tue Jan 04, 2011 3:42 pm

I just had my password change just before xmas. I changed it when I first logged in, then logged out and back in again - to Windows. I was not logged into Vault at anytime during that process.
After logging back into Windows with the new login info I launched Vault and it could not log me in with an error saying my login or password was not valid. I had to Edit my Vault profile, update the password there and then Save that. Once I did that I could get logged in. I have never used the Change password option from within Vault as I knew that was only for non-AD Vault logins.
I think maybe we are talking about two different things here. Vault has my password saved in the Vault user profile and does validate it correctly with Windows. So once the credentials are valid within that it does validate it all correctly with Windows. The profile is saved locally, correct? So it would need to be updated.
I think maybe that's where we have a disconnect here.
I think what people are looking for is the ability to log into Windows and as long as I have a valid Windows log in that has the correct permissions within Vault I would be automatically authenticated when I launched Vault without using any saved profile credentials. I believe that is called Single Sign On. So once I launched Vault I would only be prompted to select a repository and it would take the username used to authenticate based on who I was logged into Windows as.

Thanks,
J

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear
Contact:

Re: Feature Request - Integrated Windows Authentication

Post by Beth » Tue Jan 04, 2011 4:05 pm

Thanks for the explanation. I misunderstood the original issue. After changing your Windows password, you would have to update your profile you made in the Vault client since that will just save whatever was typed in.

I have a feature request for Single Sign On and it looks like I added your vote to it previously. I will add an additional note to it.

F: 11228
Beth Kieler
SourceGear Technical Support

jstarbird
Posts: 146
Joined: Wed Jul 22, 2009 11:49 am

Re: Feature Request - Integrated Windows Authentication

Post by jstarbird » Tue Jan 04, 2011 6:51 pm

Thanks for the clarification. Thought maybe we had something configured wrong here!



Thanks,
J

Post Reply