ProGet Documentation

LDAP and Active Directory

Integrated Authentication

When using either the LDAP or Domain Forest user directories, ProGet allows the use of Windows Integrated Authentication. This allows users to implicitly use their domain user profile to log in without seeing a login prompt in ProGet. Certain tools such as nuget.exe also support Windows Authentication and may be usable without explicit credentials.

Prerequisites

If ProGet is hosted in IIS, Windows Authentication must be enabled for the ProGet web site. If using the integrated web server, no additional configuration is required.

LDAP Directory

An LDAP directory uses the Lightweight Directory Access Protocol to query the users and groups of an external database. By default, this option will connect to the Active Directory domain that the ProGet server is a member of. For advanced or non-Active Directory scenarios, some additional configuration may be required; please contact us if this is the case, and we will work with you to get things configured.

LDAP Users

Like the built in user directory, LDAP users must also have unique names. Note that when connected to an Active Directory Domain, the user name will not include the actual domain name for this directory.

LDAP Groups

Groups in LDAP may contain users or other groups. ProGet will attempt to determine group membership recursively, but may not always recognize every type of group. For example, certain computed groups in Active Directory such as Domain Users may not work in ProGet.

Domain Forest Directory

This directory is similar to the LDAP directory, but is designed exclusively for Active Directories that include multiple domains. Because an explicit domain is required for every principal name, this adds a fair amount of complexity and performance overhead, and should only be used if the LDAP/Single Domain directory is inadequate for your organization.

Active Directory Users

Users in this directory have unique names across the entire domain forest. As such, they are specified in the format: user@my.full.domain

Aside from the name, multi-domain AD users function identically to any other type of user in ProGet.

Active Directory Groups

Like the LDAP directory, AD groups in may contain users or other groups. ProGet will attempt to determine group membership recursively, but may not always recognize every type of group. For example, certain computed groups in Active Directory such as Domain Users may not work in ProGet.

Like users, groups must be fully qualified. For example: Developers@my.full.domain