Timo Breumelhof edited this page Feb 11, 2025 · 10 revisions

Getting up and running with DNN.ActiveDirectory

Part 1: Overview

What is the Active Directory Provider?

The Active Directory Provider is a DNN (formerly DotNetNuke) login control that communicates with a company’s Active Directory so that company employees can log in to a DNN intranet installation using their Windows login credentials.

Who should read this document?

This document is targeted towards DNN administrators who are interested in installing and using AD Provider on their company’s DNN intranet/extranet web site.

Prerequisites

To fully benefit from this document, you should have an understanding of the DNN platform (https://dnncommunity.org/), including DNN security concepts, and basic knowledge of topics such as installing and configuring DNN modules and administrative functions such as the File Manager, User Accounts and Security Roles.

Part 2: Installation

Installing the Active Directory Provider

  1. Log into your portal using an account with Host credentials.
  2. Select Extensions from the Host menu items.
  3. Select Install Extension Wizard.
  4. Browse to the location on your computer where you saved the AD Provider .zip file and click “Next”.
  5. Read the accompanying license and check “Accept License” if you agree with it.
  6. Click “Next”. This will start the DNN Package Assembly Installer process.
  7. The DNN Package Assembly Installer will display a list of messages indicating success or any failures as it uploads and installs the provider. If you encounter any errors during the installation process, please check the Active Directory Provider forum on the DNN site: the error may already be known and remedies for it listed. If the error is not listed, please post it on the forum and someone will reply to you as soon as possible.

Part 3: Configuration

Setting Up the Active Directory Provider in DNN

  1. Log into your portal using an account with Admin credentials.
  2. Select Extensions from the Admin menu items, expand the Authentication Systems section, and click the pencil beside DNN_ActiveDirectoryAuthentication.
  3. Fill out the pertinent domain information:
  • Enabled – Enables the provider on the portal when checked.
  • Hide Login Controls – Hides the Windows Login tab from the Login screen. This can be useful if you find your users are confused as to which option they should choose, or if you’ve provided a direct link to <DNN_INSTALL>/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx elsewhere on your site for intranet users.
  • Synchronize Role – Synchronizes a user’s DNN Security Roles with their Active Directory roles when they login.
  • Synchronize Photo – Active Directory stores a binary thumbnail photo of each user. Enabling this option syncs this photo to DNN and uses it for the profile picture.
  • Enable Auto-Login - Enable this option if you want users to automatically be logged in to the portal with their current active directory credentials. This feature can be limited by IP using the Auto Login IP Address field.
  • Do Not Automatically Create Users – Active Directory users will not be able to log into the portal until their accounts have been manually created.
  • Provider – Currently only ADSIAuthenticationProvider is available for Active Directory.
  • Authentication Type - Default is delegation and works for most setups.
  • Root Domain – Enter your domain in either of the two formats: dc=domain,dc=com or LDAP://domain.com.
  • User Name - Enter a user that has read access to the Active Directory. NOTE: The user does not have to have administrative rights on the domain.
  • Password and Confirm Password - Enter the password for the user you entered under User Name.
  • Default Domain – Enter the default domain that the users will belong to. This way they can log in with just their username rather than having to use DOMAIN\Username when manually logging in.
  • Email Domain - Enter the email domain to be used for users that do not have email addresses listed in the Active Directory.
  • Use Group Membership (version 8 and above) – Turns on the ability to allow or deny user login based on AD group membership.
    • No, do not use group membership – Disabled. The provider will not look at group membership during login. Any groups in the list will be ignored.
    • Allow only members of the listed groups to log in - If a user's credentials are successful, the provider will then look to see if the user is a member of any group listed in the Group List field. If they are, they will be authenticated and allowed to log in.
    • Do not allow members of the listed groups to log in - If a user's credentials are successful, the provider will then look to see if the user is a member of any group listed in the Group List field. If they are, they will be denied authentication and not allowed to log in.
  • Group List (version 8 and above) - Group list used by the Use Group Membership setting. If Use Group Membership is disabled, any groups listed here are ignored. Groups should be listed by name exactly as they are in AD and multiple groups should be separated by a semi-colon.
  • Auto-login IP Address – Only used if Enable Auto-Login is checked. If left blank, the provider will try to auto-login all visitors to the site. If you know the range of IP addresses or the specific IP addresses that you want to be automatically logged in, you can enter them here. Multiple IP addresses, ranges, etc. can be used as long as they are separated by a semi-colon (;). An example string would be “192.168.1.100 – 192.168.1.200; 192.168.1.1;”, which means:
    • 192.168.1.100 – 192.168.1.200 – Any IP address including and between 192.168.1.100 and 192.168.1.200 will be automatically logged in.
    • 192.168.1.1 – Only the computer with that IP address will be automatically logged in.
    Please see the gotchas in Part 4 if you are trying to use auto-login on the local server!
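To check which visitors a given Auto-login IP Address string would auto-login before enabling the feature, here is an added Python example that implements the entry format described above (semicolon-separated single addresses and “start – end” ranges, blank meaning all visitors). It is a simplified illustration written for this page, not the provider’s own matching code, and it assumes the provider accepts both an ASCII hyphen and an en dash as the range separator.

```python
import ipaddress

# Constructed, simplified parser for the Auto-login IP Address setting format
# documented above. Not the DNN.ActiveDirectory provider's own implementation.

def parse_auto_login_ips(setting: str):
    """Return a list of (start, end) IPv4Address tuples; a single address is (ip, ip)."""
    rules = []
    for entry in setting.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerates the trailing ';' in the documented example string
        # Assumption: both '-' and the en dash shown on the page separate a range.
        parts = [p.strip() for p in entry.replace("\u2013", "-").split("-")]
        if len(parts) == 1:
            ip = ipaddress.IPv4Address(parts[0])
            rules.append((ip, ip))
        elif len(parts) == 2:
            start = ipaddress.IPv4Address(parts[0])
            end = ipaddress.IPv4Address(parts[1])
            if end < start:
                raise ValueError(f"range end before start: {entry}")
            rules.append((start, end))
        else:
            raise ValueError(f"malformed entry: {entry}")
    return rules

def auto_login_allowed(setting: str, client_ip: str) -> bool:
    """True if a visitor from client_ip would be auto-logged-in under this setting.

    A blank setting matches every visitor, as the documentation states, which is
    why an administrator should populate this field rather than leave it empty.
    """
    if not setting.strip():
        return True
    ip = ipaddress.IPv4Address(client_ip)
    return any(start <= ip <= end for start, end in parse_auto_login_ips(setting))

if __name__ == "__main__":
    example = "192.168.1.100 - 192.168.1.200; 192.168.1.1;"  # the page's example string
    for client in ("192.168.1.150", "192.168.1.1", "192.168.1.50", "10.0.0.5"):
        print(client, auto_login_allowed(example, client))
```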

Click on the Update Settings link. The results of your settings will appear above the Enabled checkbox.

If you get an error, you may have to use impersonation in your web.config. Find the commented out section in your web.config that starts and uncomment that line only. Change the line so that it reads Give the user account you use for impersonation the same permissions to your DNN install that the NETWORK SERVICE or ASPNET account has. The user account may also need the same permissions that the NETWORK SERVICE or ASPNET account has on the website directory in the Temporary ASP.NET Files (usually found under the :\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files directory).

IIS Settings 6.x and below

  1. Open up the Internet Information Services Manager on your webserver.
  2. Find your DNN install and browse to DesktopModules\AuthenticationServices\ActiveDirectory.
  3. Right-click on WindowsSignin.aspx and view the properties.
  4. Click the File Security tab.
  5. Click on the Edit button.
  6. Make sure all checkboxes are unchecked except for “Integrated Windows Authentication”.
  7. Click “OK” until you are out of the properties window.
  8. Close IIS Manager.

IIS Settings IIS 7.x Classic Pipeline Mode Setup

This can be done either when setting up the site or by clicking on Basic Settings after the site has been created.

The other consideration is turning on Windows Authentication for the WindowsSignin.aspx file. The changes in IIS 7 make this a little difficult to find and achieve.

These steps will get you there:

  1. Switch the IIS Console to Content View and browse to DesktopModules/AuthenticationServices/ActiveDirectory. Right-click on WindowsSignin.aspx and select “Switch to Features View”.

  2. You should end up back in the Features View, but for the WindowsSignin.aspx file specifically.

  3. Double-click on Authentication, then Disable Anonymous Authentication and Enable Windows Authentication.

If Windows Authentication is not one of your choices, you need to enable it through Control Panel -> Programs and Features -> Turn Windows Features On or Off and select Windows Authentication under Internet Information Services -> World Wide Web Services -> Security.

IIS Settings IIS 7.x Integrated Pipeline Mode Setup

Setting up the provider to run under the Integrated pipeline is the same as the Classic mode above, but also requires two additional commands to be run from a command prompt on the server. Open a command prompt using “Run as administrator” and type the following:

  %windir%\system32\inetsrv\appcmd unlock config /section:anonymousAuthentication
  %windir%\system32\inetsrv\appcmd unlock config /section:windowsAuthentication

More information on why these commands are needed can be found here.

Part 4: Additional Information And Gotchas

When running Server 2008, it appears that the user account you use for impersonation also needs to be an administrator on the server. Some have found that disabling UAC on the server negates this requirement, but your mileage may vary. This requirement doesn’t appear in Server 2008 R2. Some additional links from the forum: Server 2008/IIS 7 Issues, Using DNN with Windows Server 2008 R2 w/AD Authentication. And from the DNN Wiki: Setting up mixed authentication.

When using auto-login, you may experience a 401 Not Authorized response or an authentication popup box when browsing to the site from the local server. This is caused by Microsoft’s loopback security check, which triggers when you browse to a site from the server on which it resides using a host name other than the original host name. Fixing this is outside the scope of this module, but you can find the workaround here. This affects many users who test or develop from their local machine. The problem should not be present when browsing to a site on a remote server.

When editing the Site Settings for this module (Persona Bar, Extensions, Authentication Providers, edit Active Directory provider), if the page does not load correctly or includes the header and footer of the site, you need to enable popups for the site by going to the Persona Bar, Site Settings, Site Behavior, More, Enable Popups.