Mike O'Brien \ Blog

Thursday, September 03, 2009

Installing ThoughtWorks Cruise with Active Directory Authentication on Windows

This post is pretty much a carbon copy of my last post on file based authentication except for the AD specific instructions.

ThoughtWorks Cruise is a compelling option for continuous integration. Even more compelling is that they offer a free version (Although their recent marketing has been somewhat ambiguous on this, see here for more info). Setting up Cruise with Active Directory authentication is fairly simple but hopefully this post will expand on the AD setup.

1) Download the latest version of the Cruise Server and Cruise Agent here. Fill out the form and you will be redirected to a download page. You will also be emailed a license that is good for a year. You will have to renew this license every year. From what I have been told, your Cruise server will not stop working after a year, but you will not be able to make any changes to your pipelines until you have an updated license. Kind of a pain but I think it’s worth it for a free product.

2) Install both the Cruise Server and Cruise Agent. The Cruise server coordinates the builds and the Cruise Agent actually performs tasks. So you could potentially have multiple agents on multiple servers which are handling build tasks in parallel. The free version only allows you to install agents on the same machine as the Cruise Server. The simplest Cruise install is Cruise Server and 1 Cruise Agent.

3) Enter your license key. Browse to the administrative control pane (http://localhost:8153) or by double clicking the icon on your desktop. The control panel can also be accessed over ssl by using port 8154: https://localhost:8154. This will redirect to the about page where you will need to enter your license information. You should have received a user name and license key by email. Enter the user name (Called “Licensee” in the email) and paste in the license key in appropriate box and press “Save license”.

5) Set the Active Directory information in the Cruise configuration. Now you will need to click on the “ADMINISTRATION” tab in the Cruise control panel then the “Source XML” sub tab. Here you will see the xml configuration for Cruise. Click the “Edit” button at the top of the file to make the textbox editable. Now add the following “security” section to the configuration:

<?xml version="1.0" encoding="utf-8"?>
<cruise ... >
  <server artifactsdir="logs">
    ...
    <security>
      <ldap         
        uri="ldap://MyADServer"         
        managerDn="MyDomain\MyADUser"         
        managerPassword="P@$$W0rd"         
        searchBase="CN=Users, DC=intranet, DC=mycompany, DC=com"         
        searchFilter="(sAMAccountName={0})" />
    </security>
    ...
  </server>
  ...
</cruise>

The following is an explanation of the settings:

uri: This is simply a server running AD specified as an ldap url. So if your AD server is “AD1” then it would be “ldap://AD1”.

managerDn and managerPassword: This is an AD account that is able to query the AD server. You can create a domain account that is in the “Domain Users” group (Which is the default for new domain users) and this will do the trick, no special permissions needed.

searchBase: This is the starting point in Active Directory to look for users to authenticate. It reads from right to left (The opposite of a URI). If your domain is “intranet.mycompany.com” then each sub domain will be specified separately as shown above (Reading from left to right). If you have a really simple domain setup, all of your users will probably be in the “Users” container identified by “CN”. If your setup is more organized, then users will be placed in organizational units. So for example lets say we have an organization unit under the domain in our example called “MyCompanyInc” and another organization unit under that called “Developers” and you only want users in that organization unit to access Cruise. In that case the searchBase would be “OU=Developers, OU=MyCompanyInc, DC=intranet, DC=mycompany, DC=com”.

searchFilter: This is the search criteria, the simplest matching the username (As shown in above and in the docs).

Click the save button and browse to another page in the admin. At this point you should be greeted with a login page.

Active Directory | ThoughtWorks Cruise

Thursday, September 03, 2009 10:46:55 PM (GMT Daylight Time, UTC+01:00)

| Comments [0] | Trackback

Sunday, November 09, 2008

Assigining Rights to an Account to Stop/Start a Windows Service

Our build AD account needed the ability stop/start Windows services so that it can deploy them. I looked all around and found a simple solution using the subinacl utility from Microsoft (For more info see "Method 3" on this page.) The following command will give an AD user full rights to the service specified. I tried to only give it stop and start permissions but couldn't figure out the right combination of flags to make this happen (And no its not 'TO').

SUBINACL /SERVICE \\MyServer\MyServiceName /GRANT=MyDomain\MyUser=F

Active Directory | Windows Server 2003

Sunday, November 09, 2008 12:56:02 AM (GMT Standard Time, UTC+00:00)

| Comments [0] | Trackback

Wednesday, June 11, 2008

Installing OpenFire on Windows 2003 as a Service with Active Directory using the Pidgin Client

The following steps outline how to install OpenFire on Windows Server 2003 as a service with Active Directory using the Pidgin client. These steps apply to Openfire 3.5.1 and may change with later versions.

Download the OpenFire Windows installer and run it. Once the install is complete there should be a checkbox that says "Run OpenFire", make sure this is checked and click Finish.
The OpenFire GUI should now appear, once the server is started the LaunchAdmin button will be enabled, click it. This will open the configuration wizard in a browser.
Configure the server as follows:
1. Language Selection: Choose your speak
2. Server Settings: Accept the defaults unless you need to change these.
3. Database Settings: This tutorial assumes an embedded database. If you need to run OpenFire in a demanding environment you will probably want to use an external database.
4. Profile Settings: Choose the Directory Server (LDAP) option and click Continue.
  1. Connection Settings: Set the Host to an Active Directory server and accept the default port. Set the distinguished name (DN) to the base location of your users. All users in this and child objects will be available to Openfire. The first portion of the DN is the base object name. To reference a built in object like Users you would use the canonical name identifier; cn=Users. For a custom organization unit object you would use the OU identifier; ou=MyOrgUnit. The following domain objects use the domain class identifier, dc=. So for the domain denver.mycompany.int the second portion of the DN would be dc=denver,dc=mycompany,dc=int. Next specify a user that has rights to access the Active Directory store. This account only needs to be in the Domain Users group (Unless you want to be able to write back to AD). The DN of this user can be specified as a fully qualified username; MyDomain\Username. One a side note, the password field has a limit of 30 characters so if you are using a password that exceeds this length it will be truncated and your account will not authenticate. Press Test Settings to verify your settings and press Save & Continue if they test successfully.
  2. User Mapping: Accept the defaults and press Save & Continue.
  3. Group Mapping: Accept the defaults and press Save & Continue.
5. Administrator Account: Enter the username (This username is not fully qualified; just use the username without the domain) of the user who will administer the OpenFire server. You can add as many administrators as you wish. Press Continue.
6. Once the setup is complete press Login to the admin console and login with an admin account you specified in the last step. If you run into any issues (Like not being able to add admins or a server error on the last page in the wizard) try uninstalling and reinstalling.
In the admin you can set a number of settings, here are a few that I was interested in:
1. Server Settings
  1. Server to Server Settings
    1. Service Enabled = False
  2. Registration Settings
    1. Inband Account Registration = Disabled
    2. Change Password = Disabled
    3. Anonymous Login = Disabled
  3. Offline Messages
    1. Store\Always Store
  4. Security Settings
    1. Client Connection Security = Required
Now close out the OpenFire GUI, press Quit.
Open a command prompt and set your working directory as C:\Program Files\Openfire\bin or whatever your OpenFire install directory is.
Run the following two commands to install the OpenFire service and to start it:
openfire-service /install
openfire-service /start

The following steps demonstrate how to setup Pidgin to connect to the OpenFire server you just installed.

Download and install Pidgin here.
Once Pidgin is running right-click the icon in the systray and select Accounts.
Add a new account.

Under the Basic tab enter the following information:

Protocol: XMPP
Screen Name: Your domain username (This username is not fully qualified; just use the username without the domain).
Domain: The name of the server OpenFire is running on.
Resource: Doesn't matter.
Password: Guess....
Local Alias: Whatever you want.

Under the Advanced tab enter the following information:

Require SSL/TLS: Unchecked
Force old (port 5223) SSL: Checked
Allow plaintext auth...: Unchecked
Connect port: 5223
Connect server: Blank
File transfer proxies: The name of the server with port 7777 specified (IE MyOpenFireServer:7777).
Proxy type: Use the default.

Click Save

To browse for users goto Accounts|{username}@{servername}/{resource} (XMPP)|Search for users....
In the Enter a User Directory dialog accept the default and click Search Directory.
In the Advanced User Search dialog enter an asterisk (Or a search string) and click ok. This will return a list of users that you can now add as buddies.

Active Directory | Jabber | OpenFire | Windows Server 2003

Wednesday, June 11, 2008 3:37:12 AM (GMT Daylight Time, UTC+01:00)

| Comments [0] | Trackback

Friday, April 25, 2008

"User xxxxxx failed to log on, could not access the home directory /." Error in IIS 6 FTP Using User Isolation with Active Directory

So I had FTP setup on a Server '03 box with an FTP site configured to use user isolation mode with active directory. Everything was working great then all of a sudden users cant login and this error appears in the System events in the event log:

This error, while true, doesn't really pinpoint the problem... But I found this wonderful article that suggested that the account used by the FTP site to access AD was changed. "Oh yeah!", I said, "I did change that, D'OH!". Easy enough to fix; just open a command prompt and use the adsutil.vbs to update the AD account in the IIS metabase.

c:\Inetpub\Adminscripts\adsutil.vbs set msftpsvc/{FTP_SITE_ID}/ADConnectionsUserName MyDomain\MyFTPADUsername

c:\Inetpub\Adminscripts\adsutil.vbs set msftpsvc/{FTP_SITE_ID}/ADConnectionsPassword S0m3P@$$W0rd

Remember to include the domain name with the username.

Active Directory | FTP | IIS 6 | Security

Friday, April 25, 2008 7:37:51 PM (GMT Daylight Time, UTC+01:00)

| Comments [0] | Trackback

Thursday, December 27, 2007

Step by Step Installation Of Subversion Over Apache/SSL Authenticating through Active Directory (SSPI)

The following is a step by step installation of Subversion over Apache and SSL authenticating through an Active Directory server or local server accounts. BTW, I'm by no means an Apache guru so please leave a comment if I'm missing anything. And thanks to a bunch of people who I cant remember who posted info on the web that helped in compiling these steps! :)

Install the latest CollabNet Win32 distribution found here.
1. Make sure that only the Apache (MOD_DAV_SVN) component is checked.
2. Set the Apache configuration. You can set an arbitrary http port for now; it will change when SSL is setup. Also remember to check the “Install Apache … as a Windows Service” checkbox. The other two options should be set accordingly.
Create a test repository
1. Open a command prompt and run the following command from the CollabNet installation folder (C:\Program Files\CollabNet Subversion Server\) to create a test repository:
  svnadmin create d:\temp\Repos\mysweetapp
Test Connectivity
1. Start the Apache service; it should be called Apache2.
2. Browse to the test repository at http://localhost:1984/mysweetapp with a Subversion client and create a folder to verify that everything is setup correctly.
Install and Configure the SSPI module
1. Download the SSPI module from here. You will want to match the major and minor Apache build with the version number trailing the SSPI module version number. For example mod_auth_sspi-1.0.4-2.0.58.zip would be for Apache 2.0.x and mod_auth_sspi-1.0.4-2.2.2.zip would be for Apache 2.2.x (Thanks to Dan Switzer for pointing this out, I totally missed that!). After unzipping the contents if the zip, copy the mod_auth_sspi.so (In the bin folder) into the Apache modules folder (C:\Program Files\CollabNet Subversion Server\httpd\modules).
2. Open the httpd.conf file in the Apache configuration folder (C:\Program Files\CollabNet Subversion Server\httpd\conf)
3. Add the following line to (Or uncomment it in) the Apache configuration file (httpd.conf) in the LoadModule section:
  LoadModule sspi_auth_module modules/mod_auth_sspi.so
4. Add the following settings, under “# Active Directory Auth”, to the location section. Be sure to specify the SSPIDomain which can be an AD domain or the local server name. If it is the local server name the local user accounts will be used to authenticate. You can use this option if there is no AD server.
       <Location />
            DAV svn
            SVNParentPath D:/Temp/Repos
  
            # Active Directory Auth
            AuthName "SVN Server"
            AuthType SSPI
            SSPIAuth On
            SSPIAuthoritative On
            SSPIDomain localhost
            SSPIOfferBasic on
            Require valid-user
       </Location>
5. Restart the Apache2 service after the httpd.conf file has been saved.
6. Perform the test noted in step #3 to test connectivity, this time logging in with a user from the domain specified above.
7. Note that in TortoiseSVN you can check the “Save Authentication” checkbox to avoid having to repeatedly enter your credentials:
Configure SSL
1. Create the Certificate
  1. Create an OpenSSL configuration file under the Apache bin folder (C:\Program Files\CollabNet Subversion Server\httpd\bin) called openssl.conf and set its contents as follows:
         [ v3_ca ]
         subjectKeyIdentifier = hash
         authorityKeyIdentifier = keyid:always,issuer:always
         basicConstraints = CA:true
         [ req ]
         default_bits = 1024
         default_keyfile = svnserver.key
         distinguished_name = req_distinguished_name
         attributes = req_attributes
         x509_extensions = v3_ca
         string_mask = nombstr
         [ req_distinguished_name ]
         commonName = Common Name
         commonName_default = My Server Name
         [ req_attributes ]
  2. Open up a command prompt in the Apache bin folder (C:\Program Files\CollabNet Subversion Server\httpd\bin).
  3. Run the following command to generate the private key and certificate request files. Be sure to enter the ip address or DNS name of the server when prompted for the common name. Also remember the pass phrase you entered as it will be required for the following step. This will create a svnserver.csr and svnserver.key file in the Apache bin folder.
    openssl req -config openssl.conf -new -out svnserver.csr
  4. Remove the passphrase from the private key with the following command. Enter the passphrase you specified in the last step.
    openssl rsa -in svnserver.key -out svnserver.key
  5. Create the self signed certificate with the following command. The following command sets the certificate expiration to 20 years.
    openssl x509 -in svnserver.csr -out svnserver.cert -req -signkey svnserver.key -days 7300
  6. Delete the svnserver.csr in the Apache bin folder.
  7. Copy the svnserver.key and svnserver.cert from the Apache bin folder to the Apache conf folder.
2. Open the httpd.conf file in the Apache configuration folder (C:\Program Files\CollabNet Subversion Server\httpd\conf).
3. Change the listen port to 443:
  Listen 443
4. Change the server name to include the SSL port, 443:
  ServerName localhost:443
5. Uncomment or add the load module directive for mod_ssl:
  LoadModule ssl_module modules/mod_ssl.so
6. Create or overwrite the following IfModule section so that it appears as follows:
       <IfModule mod_ssl.c>
              SSLEngine on
  
              SSLRandomSeed startup   builtin
              SSLRandomSeed connect   builtin
              SSLPassPhraseDialog     builtin
              SSLSessionCache         dbm:logs/ssl_scache
              SSLSessionCacheTimeout 300
              SSLMutex                default
              SSLCertificateFile      conf\svnserver.cert
              SSLCertificateKeyFile   conf\svnserver.key
        </IfModule>
7. Restart the Apache2 service.
8. Browse to https://localhost/mysweetapp and create a folder to test the configuration.
9. Note that in TortoiseSVN you can permanently accept the certificate when this dialog appears. It is warning you that the issuer is not a trusted root authority.