Gemini Community Support Site

How to make it work: SVN and Windows authentication

add-ons

I thought I would post some information to help other users who may run into the same issues with integrated Windows authentication as I did. A support call with Saar got me most of the way there and a previous post by casagrandeale (http://support.countersoft.com/forums/thread/11708.aspx) was also very helpful. Thanks to both of you!

Some information about my setup
Subversion and Gemini servers are on two different servers in the same domain. They are both Windows 2003 R2 x64 with SP2. We are using VisualSVN Server for our Subversion server (currently v 2.05).

The IIS site for Gemini and the Apache site for SVN are both configured to use SSL. 

Anonymous access is disabled for the Gemini IIS site (Enable Anonymous Access is unchecked) and Integrated Windows authentication is enabled (checked). The web.config file for Gemini is using Windows as the authentication mode.

  <authentication mode="Windows">
   <forms name=".Gemini35" loginUrl="Default.aspx" timeout="60" path="/">   
   </forms>
  </authentication>

Getting Started with SVN commits
I did a build of the CounterSoft.Gemini.SourceControl.SVN and put the dll's and config file in the hooks folder on the SVN server. The only change I made to the config file was to change the path to the SVN bin files to match the path on our x64 server. For my initial attempts, I was using manager/manager in the CounterSoft.Gemini.SourceControl.SVN.exe.config file.

Troubleshooting Problems
I had several problems along the way.

1) I was getting a windows pop-up login box rather than being authenticated directly by the network. The solution to this was to add the Gemini URL to my intranet sites in IE (Internet options > Security tab > Local Intranet Sites > Sites > Advanced > Add). You will also need Enable Integrated Windows authentication checked under the Advanced tab but that should be on by default.

2) Windows authentication credentials weren't getting passed to the Gemini site. In talking with Saar, he said the easiest way to solve that was to create a second IIS site for Gemini and use Forms authentication for that site.

  <authentication mode="Forms">
   <forms name=".Gemini35" loginUrl="Default.aspx" timeout="60" path="/">   
   </forms>
  </authentication>

3) The comment for the issue showed the author as my Windows login, but the notification email and the heading in Gemini were using the Gemini forms login as defined in the CounterSoft.Gemini.SourceControl.SVN.exe.config file. That is, the email said "A comment has been added by Manager Person to the following issue." I wanted the email and Gemini to show the Windows user name in every place.

I modified the code posted by casagrandeale and now I've got that functionality working also. My modified code is below:

In PostCommitHandler.cs, comment line 135 as shown and replace with call to new helper function GetUserId.

//sourceControlComment.UserID = Program.GeminiServiceManager.UsersService.WhoAmI().UserID;
//Added customized code to extract Windows user name
sourceControlComment.UserID = GetUserId(author);

 

Add the following two helper functions to  PostCommitHandler.cs:

        /// <summary>
        /// Extract the matching Windows User from Gemini users
        /// </summary>
        /// <param name="svnAuthor">SVN author</param>
        /// <returns>Id of the Gemini user</returns>
        private int GetUserId(string svnAuthor)
        {
            int toReturn = 0;
            // Normalise with the invariant culture so matching does not depend on the server locale
            string author = svnAuthor.ToLowerInvariant().Trim();
            DiagnosticsManager.TraceMessage("Searching users...");
            UserEN[] users = Program.GeminiServiceManager.UsersService.GetUsers();
            DiagnosticsManager.TraceMessage("Users: " + users.Length);
            UserEN gemUser = null;
            foreach (UserEN user in users)
            {
                DiagnosticsManager.TraceMessage("USER: " + user.UserName);
                string userName = UserNameWithoutDomain(user.UserName);

                // First Gemini user whose name (without domain) equals the SVN author wins
                if (userName == author)
                {
                    gemUser = user;
                    break;
                }
            }

            if (gemUser != null)
            {
                DiagnosticsManager.TraceMessage("Found Author: " + author + " UserID: " + gemUser.UserID);
                toReturn = gemUser.UserID;
            }
            else
            {
                // No match: fall back to the account the hook itself is logged in as
                DiagnosticsManager.TraceMessage("not Found Author: " + author);
                toReturn = Program.GeminiServiceManager.UsersService.WhoAmI().UserID;
            }

            return toReturn;
        }

        /// <summary>
        /// Remove the Domain prefix from a Windows user name
        /// Input of "Domain\UserName" returns as "username"
        /// </summary>
        /// <param name="userName">Windows user name, with or without a domain prefix</param>
        /// <returns>Lower-case and trimmed username without a domain prefix</returns>
        private string UserNameWithoutDomain(string userName)
        {
            string toReturn = userName.ToLowerInvariant().Trim();
            // Search the trimmed string so the index matches the string passed to Substring
            int slashIndex = toReturn.IndexOf('\\');

            if (slashIndex >= 0)
            {
                toReturn = toReturn.Substring(slashIndex + 1);
            }

            return toReturn;
        }

 

I hope this helps some others along the way.

dgsiss
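
An added example, not part of the original post or of the Gemini source: GetUserId above compares names with the domain prefix removed and falls back to the hook's own account, so two accounts that differ only by domain resolve to the same Gemini user, and an unmatched author is recorded under the configured account. The sketch below prefers an exact domain-qualified match, refuses an ambiguous short-name match, and reports the outcome to the caller. The `User` record, `Match` enum and `AuthorResolver` class are hypothetical, the user list is constructed, and no Gemini API is called.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for a Gemini user record (constructed for this example).
record User(int UserId, string UserName);

enum Match { Exact, ShortName, Ambiguous, NotFound }

static class AuthorResolver
{
    // "DOMAIN\user" -> "user"; names without a prefix are returned unchanged.
    static string ShortName(string name)
    {
        string n = name.Trim();
        int slash = n.IndexOf('\\');
        return slash >= 0 ? n.Substring(slash + 1) : n;
    }

    // Resolve an SVN author to a user id and report how the match was made.
    public static (Match Kind, int? UserId) Resolve(string svnAuthor, IEnumerable<User> users)
    {
        var cmp = StringComparison.OrdinalIgnoreCase;
        string author = svnAuthor.Trim();
        var list = users.ToList();

        // 1. Prefer the full, domain-qualified name when the author carries one.
        var exact = list.FirstOrDefault(u => u.UserName.Trim().Equals(author, cmp));
        if (exact != null) return (Match.Exact, exact.UserId);

        // 2. Fall back to the short name, but only if it identifies exactly one user.
        var hits = list.Where(u => ShortName(u.UserName).Equals(ShortName(author), cmp)).ToList();
        if (hits.Count == 1) return (Match.ShortName, hits[0].UserId);
        return (hits.Count > 1 ? Match.Ambiguous : Match.NotFound, null);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample data: two accounts that differ only by domain.
        var users = new[] { new User(7, @"CORP\jsmith"), new User(9, @"PARTNER\jsmith"), new User(12, @"CORP\adoe") };
        foreach (var a in new[] { @"CORP\jsmith", "jsmith", "adoe", "nobody" })
            Console.WriteLine($"{a,-12} -> {AuthorResolver.Resolve(a, users)}");
    }
}
```

A caller can log `Ambiguous` and `NotFound` results and decide explicitly whether to attribute the comment to the service account, so the audit trail in the issue tracker shows when a commit author could not be mapped.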
Replies (4)

My problem is that Gemini uses its own users and the Web server uses Domain users.

Your solution will only work with Windows users in both Gemini and Web.


talbengal

Talbengal, I don't understand your post. This solution will (does) work for a combination of Windows AD users or non-AD users. If the user is to be authenticated against AD, the username in Gemini must include the domain. For example, the username would be mydomain\myusername.

The user would need to log in using mydomain\myusername (from outside the network and/or not logged in as an Active Directory user) or you could use integrated authentication to do an automatic login while logged in as an AD user.

 

 

 


dgsiss

Here is our setting:

Web server - using Windows AD users

Gemini - NOT using Windows AD users 

SVN Server - using Windows AD users

The users log in to the Web server using their DOMAIN\Username / password.

When the Gemini page displays, the user logs in using a Gemini user / password.

When the developers commit in SVN they log in using Windows AD users.

This solution will only work if ALL are using Windows AD users - which is NOT the case here!

When SVN tries to do its pre-commit, it tries to log on to Gemini using Windows AD users - this will NOT work, as our Gemini does not use the Windows AD users.

See my post:

http://support.countersoft.com/forums/thread/11994.aspx

 


talbengal

talbengal:

First, why are you NOT using Windows AD user names for your Gemini users? It doesn't make sense to me since you are forcing the users to authenticate via AD before they even get to Gemini. What's the business rule or usage case that causes you to do this?

Second, if you look at my post, you'll notice that I set up two Gemini sites. One is using Windows AD authentication, the other is using Forms authentication ("Gemini users"). (Note that this is considered a single instance and legal for licensing purposes because there is only one backend database for both sites.)

My pre-commit is logging onto Gemini with a Gemini forms user account and not with a Windows AD account. The account and password are specified in the config file. In your case, it might be a tougher problem to tie the commit back to the actual developer who did the commit if they are using completely different names in Gemini and AD.

I'd start off with my first question and figure out why you are doing your overall authentication scheme with two different methods. If you are doing that so that you can allow for anonymous issue submission, then I'd look at doing the anonymous submissions through a forms authentication site and having your developers do their work via a second site that is using Windows AD authentication.

 


dgsiss