Single sign on
Make it so that I can add an AD group to the settings, then enable AD Auth in IIS and not be prompted for username and password.
LDAP settings should not be needed.
Support (at) red-gate.com can provide you with instructions how to disable SQL Monitor authentication in order to fall back on IIS authentication, which supports Single Sign On.
Kevin B commented
We are going to implement this for now, but everyone who has commented that this isn't working for them or inadequate, please vote (x) here: https://sqlmonitor.uservoice.com/forums/91743-suggestions/suggestions/36962482-support-saml-for-web-single-sign-on-sso
Agree with @Kenny: this is not completed. We are looking for out-of-the-box behavior identical to how it is done in DLM Dashboard, should be pretty easy actually.
Kenney Hill commented
Here are the instructions that I received and since this is a currently unsupported configuration and is really a hack and needs multiple web instances to support multiple levels of access and the newly added ability to limit certain AD groups to only certain servers I feel that this is not a good solution and definitely doesn't warrant this enhancement to be marked as completed because it is a backwards step and not an improvement of functionality.
I have found the instructions on how to make those changes. However I must emphasize that this is a unsupported workaround and I would highly recommend that you backup your Date Repository before attempting this. That is because in case this doesn't work, you might need to do an uninstall and reinstall.
If you run SQL Monitor from IIS, you can disable SQL Monitor’s own authentication via a configuration setting, and use IIS’s AD integration for authentication instead. This way, users can use their username/password from AD to access SQL Monitor.
In the more complex case, where there are different groups of people requiring access to different groups of servers, the best way to do this is via multiple installation of SQL Monitor, each responsible for one group of SQL Servers, and assign access rights for the relevant people.
There’s two steps to the procedure:
1. Enable Basic Authentication in IIS. A default domain and realm can be specified. Access rights are given to users who have access rights to SQL Monitor’s web folder
a. Official instructions: https://technet.microsoft.com/en-us/library/cc772009(WS.10).aspx
b. Personally, I find this set of instructions more helpful than the official one: http://manual.aspdotnetstorefront.com/p-1614-enabling-windows-authentication-in-iis7.aspx
c. It’s very important to configure the site to use SSL. (See second link above)
2. Disable SQL Monitor’s internal authentication .
a. Change the Web.config in the root of SQL Monitor’s web files folder to include the following App.config key:
<add key="AutoLoginUserName" value="standard"/>
The value can be “admin”, “standard” or “readonly”. The only difference between “admin” and “standard” is that “standard” can’t create custom metrics, so I recommend using “standard” in normal operation
Upgrades override the configuration so step 2 would have to be repeated
@Don: Fair point, I'm going to track an enhancement to add this to the product documentation but briefly the way to do it is to to uncomment the row
<add key="AutoLoginUserName" value="admin" />
in the web.config of the SQL Monitor webapp. This will cause any user to be automatically authenticated as an admin user of the SQL Monitor webapp - this can then be gated by an IIS authentication mechanism
SSO is not supported by SQL Monitor itself but you can enable a mode where SQL Monitor doesn't authenticate you (e.g. monitor.red-gate.com uses that mode). Pair this with IIS authentication and you're good to go.
Morten Nilsen commented
support at red-gate.com told me this was not supported at all.
Don Ferguson commented
Can't you just post the instructions? To be clear, you are saying it is possible to now log in directly to SQL Monitor without it prompting you for credentials and the permissions will be available based on what has been set up by the SQL Monitor administrator?
Luke L commented
I agree. To be honest I thought that is what was implemented when allowing users to log in via AD authentication was added to 5.0.