Add authentication for Azure users

More and more users have hardware that is not domain joined (Windows Active Directory). These users authenticate to business applications as Azure users. It would help if Vault supported Azure users.

[Attached image: Azure Athentication.png]

6 Comments
ihayesjr
Community Manager

@arjenblok 

Have you tried this? I believe this should already work if your Vault Server is part of the domain that authenticates the user to Azure Active Directory: the user selects Windows Authentication and it should give them access.

arjenblok
Contributor

@ihayesjr 
Using Windows Authentication on a Vault server in Azure is possible as long as the clients are domain joined. I see more and more customers without domain joined machines and in that case Windows Authentication is not possible. Could the new Autodesk ID login solve this?

ihayesjr
Community Manager
Status changed to: Implemented

Yes, the Autodesk ID integration in Vault 2022 should solve this request.

rpertusio
Explorer

Background:

  • PCs are connected to Azure AD (Azure AD Joined)
  • User accounts and groups still live in on-premise Active Directory (AD), synchronized to Azure AD using AzureAD Connect
    • Users still use AD credentials to access on-premise AD apps
    • Users can SSO to servers/shares  (including file shares, printers, 3rd party apps) because PCs still have line-of-sight to domain controllers

Limitation:

  • User/Group management in Vault Administrator fails with an error ("You must be authenticated to a domain in order to perform this operation.")

Expectation:

  • Vault should detect the domain (example .NET command; the DomainName property holds the host's primary DNS domain)
    ([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()).DomainName
  • Vault should use the current Windows Authentication credentials/Kerberos in that domain to manage users/groups

Supporting documentation:

rpertusio
Explorer

Additional commentary:

Autodesk Engineers can implement it this way...

  1. Detect the proper domain
    ([System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()).DomainName

  2. Pass that domain value to:
    pwzTargetComputer   (a string that's part of DSOP_INIT_INFO)
    https://learn.microsoft.com/en-us/windows/win32/api/objsel/ns-objsel-dsop_init_info

If necessary (to avoid risk), maybe add an Option in the settings such as: "[x] Use alternate domain lookup method"

I verified that it 'works' by entering a 'target' of my domain ("example.com") in this 3rd party AD Object Picker .NET app: https://github.com/Tulpep/Active-Directory-Object-Picker . I'm able to pick users/groups from my domain without any additional authentication prompts.
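The two steps above, as an added PowerShell example that is not code from this thread or from Autodesk: detect the host's DNS domain the way the post suggests, then resolve a user or group in that domain with the caller's existing logon session instead of requiring the PC to be AD joined. It uses the public System.DirectoryServices.AccountManagement API rather than the Win32 object picker, and assumes what the post assumes: an Azure AD joined PC with line-of-sight to a domain controller and a user who already holds a Kerberos ticket. The identities 'jdoe' and 'Vault Editors' and the domain 'example.com' in the usage lines are placeholders.

```powershell
# Added example, not code from the thread or from Autodesk. Follows the two
# steps rpertusio describes: detect the host's DNS domain, then resolve users
# and groups in that domain using the current logon session (Kerberos), so an
# Azure AD joined PC with line-of-sight to a DC gets no extra credential prompt.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-DetectedDomain {
    # Step 1: the primary DNS domain of the host. This is the value the post
    # proposes passing on as pwzTargetComputer. Caveat: on a non-joined PC the
    # suffix may simply come from DHCP, so a non-empty value means "a domain
    # worth trying", not "this PC is domain-joined".
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    if ([string]::IsNullOrWhiteSpace($props.DomainName)) {
        throw 'No DNS domain detected on this host; nothing to target.'
    }
    return $props.DomainName
}

function Find-DirectoryPrincipal {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [string] $Domain = (Get-DetectedDomain)
    )
    # Step 2: bind to the detected domain. ContextType.Domain with an explicit
    # domain name and no credentials makes AccountManagement locate a DC for
    # that domain and authenticate with the caller's current logon token, which
    # is what a hybrid user with a valid Kerberos ticket expects to "just work".
    $ctx = $null
    try {
        $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
            [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)

        # Accepts a SAM account name, UPN, distinguished name or SID string.
        $p = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ctx, $Identity)
        if ($null -eq $p) { return $null }

        $members = @()
        if ($p -is [System.DirectoryServices.AccountManagement.GroupPrincipal]) {
            # Direct members only; pass $true to expand nested groups.
            $members = @($p.GetMembers($false) | ForEach-Object { $_.SamAccountName })
        }

        [pscustomobject]@{
            Domain         = $Domain
            Kind           = $p.GetType().Name     # UserPrincipal or GroupPrincipal
            SamAccountName = $p.SamAccountName
            Sid            = $p.Sid.Value          # stable key to persist, unlike the name
            Members        = $members
        }
    }
    catch [System.DirectoryServices.AccountManagement.PrincipalServerDownException] {
        # No DC reachable for $Domain (VPN down, off-site). This is the case in
        # which "you must be authenticated to a domain" is legitimately true.
        throw "No domain controller reachable for '$Domain': $($_.Exception.Message)"
    }
    finally {
        if ($null -ne $ctx) { $ctx.Dispose() }
    }
}

# Usage (identities and domain are placeholders, not values from the thread):
# Find-DirectoryPrincipal -Identity 'jdoe'
# Find-DirectoryPrincipal -Identity 'Vault Editors' -Domain 'example.com'
```

Before relying on this on a given PC, `dsregcmd /status` shows whether the device is `AzureAdJoined : YES` with `DomainJoined : NO`, which is exactly the hybrid situation the post describes; if the lookup throws the server-down error, the problem is DC reachability, not the join state.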

rfenyves
Participant

Vault needs to be able to read users from existing user groups in Microsoft Azure. 
