Use Accounts from trusted domain for rights assignment



  • I’ve managed to get ProGet running using an existing SQL Server and IIS on Win Server 2012. I also was able to switch to LDAP Authentication.

    There seems to be a problem which may be "by design" but it's really critical for us. Our environment looks like this:

    We have a corporate domain, let’s say company.com, and a local development domain, let’s assume it's dev.local. There is a one-way trust between the domains, and the development machines with the Visual Studios and all the stuff are located in dev.local (let's say devmachine.dev.local). The developers log in to devmachine.dev.local with their company account (e.g. John@company.com or company\John).

    That’s the scenario. What I need now is to assign the developers rights in ProGet, which lives in the dev.local domain. The question now is whether ProGet supports assigning rights to the user John@company.com via a domain trust while ProGet lives in dev.local.

    Using dev\John for assignment works without any problem but using company\John results in nothing (no error message, no function, just silently nothing). What I've also done is to create a group in dev.local (Security Group / Domain local) and I've added company\John to this group. I was able to use the group for assignment in ProGet but it still seems that company\John is not recognized by ProGet.

    Would be great if you could let me know if that’s a scenario that I can expect to be supported by ProGet. I hope so, since it’s not a completely uncommon scenario in big companies to have separate account and resource domains.

    Product: ProGet
    Version: 2.2.10



  • We have been thinking of ways to make AD/LDAP integration work better; how have you seen this handled in other tools/products? How would you like to see ProGet handle this scenario?



  • I will copy my answer to another question "PROGET ALLOWS LOGIN ONCE USING LDAP AUTH, THEN CRASHES UNTIL IISRESET" here since I'm pretty sure they're tightly related:

    --- snip -----------------------------------------------------------------

    Thinking about your answer, I'm pretty sure that this is not a problem with the .NET API. I guess it is tightly related to the second question I've filed here (see "USE ACCOUNTS FROM TRUSTED DOMAIN FOR RIGHTS ASSIGNMENT"). Whenever I open a browser on machine.dev.local and go to the ProGet server (located in dev.local - see the explanation of the infrastructure in the above-mentioned question), I'm authenticated as company\John (which is a user of a different domain, but dev.local has a trust with company.com). As long as the ProGet implementation assumes the accounts used for authentication to be members of the domain where ProGet is located (and I guess that's the case!), you will get null back from the .NET API.

    So for a scenario like mine,

    this would fail (principal = null):

    var ctx = new PrincipalContext(ContextType.Domain);
    var principal = UserPrincipal.FindByIdentity(ctx, @"company\John");
    

    and this would work (principal has the expected value):

    var ctx = new PrincipalContext(ContextType.Domain, null, "company.com", @"AnAccountFromCompanyDomain", "TheAccountsPassword");
    var principal = UserPrincipal.FindByIdentity(ctx, @"company\John");
    

    I guess you just have to make the account domain configurable for cases where it differs from the domain ProGet is located in, let the user apply credentials for account queries in the account domain, and then use the example above to query, and you're done. Right? ;-)

    So the big question for me now is if and when I can expect a version that supports our scenario. As I told Karl last week, we're looking for a commercial solution to replace our in-house solution to reduce our maintenance efforts for package management tools. Unfortunately we are running out of time for the decision to go with an external tool or to keep our internal stuff running. Would be great to get some info about if and, if yes, when we can expect a ProGet version that fits our needs.

    Best Regards,
    Joachim

    --- snap -----------------------------------------------------------------
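
The lookup discussed in the post above, generalized so that the directory to query is chosen from the account name and a missing account raises an error instead of silently matching nothing. This is an added example, not code from the thread or from ProGet; the class name, the domain map and the query account are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper, not ProGet code: picks the directory to query from the
// account name instead of assuming the domain the server itself is joined to.
public sealed class AccountDomainLookup
{
    private const string LocalDomain = "dev.local";   // where the server lives

    // Constructed for the thread's scenario: accepted NetBIOS and DNS names.
    private static readonly Dictionary<string, string> Domains =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "dev", "dev.local" }, { "dev.local", "dev.local" },
            { "company", "company.com" }, { "company.com", "company.com" }
        };

    private readonly string _user, _password;   // query account in company.com

    public AccountDomainLookup(string user, string password)
    {
        _user = user;
        _password = password;
    }

    // Returns the account's SID; throws rather than silently matching nothing.
    public string ResolveSid(string identity)
    {
        int slash = identity.IndexOf('\\'), at = identity.LastIndexOf('@');
        var type = IdentityType.SamAccountName;
        string key = LocalDomain, value = identity, domain;
        if (slash > 0) { key = identity.Substring(0, slash); value = identity.Substring(slash + 1); }
        else if (at > 0) { key = identity.Substring(at + 1); type = IdentityType.UserPrincipalName; }
        // Assumption: a UPN suffix equals the DNS name of the account domain.
        if (!Domains.TryGetValue(key, out domain))
            throw new ArgumentException("Domain not configured: " + key);

        bool local = domain.Equals(LocalDomain, StringComparison.OrdinalIgnoreCase);
        using (var ctx = local
            ? new PrincipalContext(ContextType.Domain)
            : new PrincipalContext(ContextType.Domain, domain, _user, _password))
        using (var principal = UserPrincipal.FindByIdentity(ctx, type, value))
        {
            if (principal == null)
                throw new InvalidOperationException(identity + " not found in " + domain);
            return principal.Sid.Value;
        }
    }
}
```

The query account only needs read access to the account domain, and its password should come from a protected configuration store rather than a literal in code.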

