Issue enabling NTLM SSO with LDAP filtering

Completed

LDAP was working fine. I wanted to set that up first, since that is not trivial. For that I set teamcity.users.login.filter to the group(s) I wanted to be allowed access, I set "Allow creating new users on the first login" to true so that any users who may not have been in before get created (as long as they are in the allowed groups), and I set teamcity.users.syncOnlyTeamcityUsers to true, since we have a lot of users in the Active Directory. When I added the NTLM module, it started letting everyone in, even those previously not allowed with LDAP. I set it to force NTLM, and while it was doing what it needed to do (not showing the login screen, but going straight in), it should not let some users in. I checked the documentation and read the following:

When using LDAP authentication, it is possible to deny login for some users. The NTLM HTTP authentication module (as well as the Windows domain credentials authentication module) does not have such functionality, so it can be possible for some users to log in using a Windows domain account even if they are not allowed to log in via LDAP. To solve this problem, you should enable the Allow creating new users on the first login option for the corresponding authentication module.

With this property set, a user will be able to log in via their NT domain account only if he/she already has an existing account in TeamCity (i.e. if he/she has already logged into TeamCity earlier via LDAP) with a TeamCity username which equals the Windows domain username or a custom NT domain username specified on the user's profile page.

That was the setting it currently had on for LDAP, and the default in the NTLM module. I have played with various combinations of enabling and disabling the pair's new-user-creation property. They either let anyone in, or I get a message that it successfully authenticated but could not create a user. What did work for me was disabling teamcity.users.syncOnlyTeamcityUsers, adding the same login.filter group to the user.filter setting so the users get created before anyone tries logging in, and also disabling "Allow creating new users on the first login" on both modules. The issue I am having now is that, while I got past one hurdle, SSO is gone. The "Force protocols" option for the NTLM module is ignored. I have to either go directly to the appropriate ntlmLogin page or click the link underneath the login prompt. It's like one step forward, two steps back. Am I getting something wrong?

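The configuration the poster ends up with (group-restricted login filter, pre-synchronisation of the same group, no first-login user creation) written out as an ldap-config.properties fragment. This is an added example, not the poster's actual file or anything from JetBrains; the server, base DN, service account and group DN are assumed placeholders, and the "Allow creating new users on the first login" checkbox is a UI setting on each authentication module, not a property in this file, so it is only referred to in comments.

```properties
# --- Connection (assumed values) ---
java.naming.provider.url=ldap://dc01.example.com:389/DC=example,DC=com
java.naming.security.principal=CN=teamcity-svc,OU=Service Accounts,DC=example,DC=com
# Placeholder: keep the real password out of version control.
java.naming.security.credentials=<service-account-password>

# --- Login-time check (applies only to the LDAP module) ---
# Only members of the assumed "TeamCity Users" group may authenticate via LDAP.
# memberOf matches direct membership only; for nested groups use the
# LDAP_MATCHING_RULE_IN_CHAIN OID, e.g.
#   memberOf:1.2.840.113556.1.4.1941:=CN=TeamCity Users,OU=Groups,DC=example,DC=com
teamcity.users.login.filter=(&(objectClass=user)(sAMAccountName=$capturedLogin$)(memberOf=CN=TeamCity Users,OU=Groups,DC=example,DC=com))
teamcity.users.username=sAMAccountName

# --- Synchronisation ---
# The NTLM module has no login filter of its own, so the set of users who may
# log in via NTLM is the set of accounts that already exist in TeamCity.
# Therefore: pre-create exactly the allowed group via sync, and disable
# "Allow creating new users on the first login" on BOTH the LDAP and NTLM
# modules in the Administration UI.
teamcity.options.users.synchronize=true
teamcity.options.createUsers=true
# Must be false here: with true, sync only updates accounts that already exist
# and would never create the allowed users in the first place.
teamcity.users.syncOnlyTeamcityUsers=false
teamcity.users.base=OU=People
# Same group as in the login filter, so sync creates precisely the users the
# login filter would accept.
teamcity.users.filter=(&(objectClass=user)(memberOf=CN=TeamCity Users,OU=Groups,DC=example,DC=com))
```

The point of mirroring the group in both teamcity.users.login.filter and teamcity.users.filter is that the login filter is enforced only by the LDAP module; the NTLM module inherits the restriction solely through which accounts exist, so the two filters must describe the same population or NTLM will admit a superset.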
1 comment
Permanently deleted user

Issue solved...somehow. I rebooted the entire server I have TC installed on. Not sure why that did anything to fix it. I had gotten a fresh version of the ldap-config file and re-edited it to make sure I didn't mess something up. Now that it is working, I compared the new one to the old one that was not forcing NTLM protocols, and they are the same, minus some commented-out lines in the old one. Since NTLM is a Windows feature, I'm guessing it had to do with Windows the OS, not TC the web server. BTW, I did restart the services before trying a reboot, but it is wise to note that if you have NTLM issues, try rebooting.