
Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

DNN Open Source > Provider and Extension Forums > Authentication > Non-anonymous secure LDAP connection
New Post
7/16/2008 2:01 PM
I currently have DNN set up and authenticating against our AD on our corporate intranet. Our IT department plans to secure all of our LDAP servers in the near future, and they have informed us that our server is making anonymous, clear LDAP queries which will not be accepted in the near future. How would I go about configuring DNN so that it makes secure, authenticated requests against AD? As my first attempt, I disabled anonymous access to the entire DNN installation directory in IIS and then enabled impersonation in the web.config file. I then selected "Secure" for the authentication type and left the username and password blank in the AD authentication settings. I was hoping that this would cause DNN to make secure LDAP queries using the identity of the user.

This configuration still auto-logs users in against AD and everything appears to be working okay (except that you can't log out and then log in using the host or admin account, but that's okay since I configured my domain account as a superuser).

The problem is that our IT folks are still telling us that we are making unauthenticated (anonymous), clear LDAP queries against their server. My question is whether I have properly configured DNN so that it will make secure LDAP queries using the identity of the requesting user. It is possible that another application on our server is making the unauthenticated LDAP queries; I'm just trying to figure out if it is still DNN.

New Post
7/17/2008 12:40 AM

When you enabled impersonation in the web.config how did you do it? Did you also switch it to Windows Authentication in the web.config? I'm asking because by your post it appears that way when you state that you can no longer log off and log back in using the host or admin account. If that's the case then you're taking the AD provider out of the equation and, I'm guessing on this, I think you're taking DNN out of the equation as well and putting it in the .NET Framework's lap (or possibly IIS's).

New Post
7/17/2008 11:18 AM

Okay, I was remembering what I did incorrectly. I did NOT enable impersonation in the web.config. I am running the ASP.NET worker process under a network account (configured in the machine.config), and I actually don't want it impersonating the individual user. I did, however, enable Windows Authentication in the web.config.

It does not appear that I'm taking DNN out of the equation, as the users get logged in as a DNN user (i.e. it associates my Windows identity to the host account, and other users get associated to their DNN accounts also so I can see them online).

Thanks.

New Post
7/17/2008 11:36 AM

What I meant when I said you might be taking DNN out of the equation is that it's the .NET Framework that's making the LDAP request. With Windows Authentication turned on in the web.config the AD provider code is completely bypassed, so it wouldn't be making any LDAP queries to the AD (with Windows Authentication turned on in the web.config you could basically remove the AD provider). Yes, your users are getting logged in and their accounts are getting created, but that's as simple as doing a Request.ServerVariables call, and if the site is trusted the client computer passes that information. There's no need for a trip to the Active Directory for that. That's why I'm thinking that it's either the .NET Framework (querying that the worker process account is valid, perhaps) or IIS (querying that the username passed into IIS is valid).

This is something that I need to do more research on, as I don't definitely know what happens to an app (any app, not just DNN) when Windows Authentication is used in the web.config. I do have an idea though. On my personal site (http://dnn.gmss.org) I've got a test file for people to use when they're not sure if they're setting their IIS permissions properly. Perhaps running that will help narrow down what's making the LDAP queries. Look for Website Authentication Testing File under the AD Provider Betas page.

New Post
7/18/2008 10:15 AM

So I've been able to capture a few LDAP packets leaving our server. It appears that some of the LDAP queries are looking for the configured DNN groups (they don't exist in AD). What section of code would be doing this type of search and why? Are these LDAP requests being made over secure channels, and under what account credentials are they being made?
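The thread turns on a question the captured packets can settle: is each LDAP bind anonymous, a simple bind that sends a password in the clear, or a SASL (Kerberos/NTLM) bind? The Python below is an added example, not code from DNN, its AD provider, or anyone in the thread. It decodes the BER-encoded LDAPMessage that carries a BindRequest (RFC 4511) and classifies it; the function names (`classify_bind`, `audit`, `build_bind_request`) are my own, and every sample packet is constructed inline with placeholder DNs and passwords rather than taken from a real capture. Feeding it the raw bytes of the BindRequest PDUs from a capture answers the "under what credentials" question without trusting either side's guess.

```python
"""Classify LDAP BindRequest PDUs (RFC 4511) seen on the wire.

Added example; not code from DNN or its AD provider. Decodes the
BER-encoded LDAPMessage carrying a BindRequest and reports whether the
bind is anonymous, unauthenticated, simple (clear-text password) or SASL.
All sample packets are constructed here by build_bind_request.
"""


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# BER tags used by LDAPMessage / BindRequest (RFC 4511 section 4.2).
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
TAG_AUTH_SIMPLE = 0x80    # [0] OCTET STRING (password)
TAG_AUTH_SASL = 0xA3      # [3] SEQUENCE { mechanism, credentials }


def build_bind_request(msg_id, name, simple_password=None,
                       sasl_mechanism=None, sasl_credentials=b""):
    """Encode LDAPMessage { messageID, BindRequest }; used only to construct samples."""
    if sasl_mechanism is not None:
        auth = _tlv(TAG_AUTH_SASL, _tlv(TAG_OCTET_STRING, sasl_mechanism.encode())
                    + _tlv(TAG_OCTET_STRING, sasl_credentials))
    else:
        auth = _tlv(TAG_AUTH_SIMPLE, (simple_password or "").encode())
    bind = _tlv(TAG_BIND_REQUEST, _tlv(TAG_INTEGER, b"\x03")      # LDAP version 3
                + _tlv(TAG_OCTET_STRING, name.encode()) + auth)
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msg_id])) + bind)


def classify_bind(pdu: bytes) -> dict:
    """Decode one LDAPMessage and say what kind of bind it carries."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    msg_id = int.from_bytes(mid, "big")
    tag, bind, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        return {"message_id": msg_id, "name": "", "kind": "not-a-bind"}
    _, _version, pos = _read_tlv(bind, 0)
    _, name, pos = _read_tlv(bind, pos)
    tag, auth, _ = _read_tlv(bind, pos)
    name = name.decode(errors="replace")
    if tag == TAG_AUTH_SIMPLE:
        if not name and not auth:
            kind = "anonymous"        # no DN, no password
        elif not auth:
            kind = "unauthenticated"  # DN with empty password; treated as anonymous (RFC 4513 5.1.2)
        else:
            kind = "simple"           # password is in the clear unless the session is TLS-protected
    elif tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        kind = "sasl:" + mech.decode(errors="replace")
    else:
        kind = "unknown"
    return {"message_id": msg_id, "name": name, "kind": kind}


def audit(records):
    """records: iterable of (pdu, over_tls). Returns (message_id, kind, verdict) per bind,
    flagging what a directory that requires signing/TLS would reject."""
    out = []
    for pdu, over_tls in records:
        info = classify_bind(pdu)
        kind = info["kind"]
        if kind in ("anonymous", "unauthenticated"):
            verdict = "anonymous bind"
        elif kind == "simple" and not over_tls:
            verdict = "clear-text password"
        else:
            verdict = "ok"
        out.append((info["message_id"], kind, verdict))
    return out


# Constructed samples: the DN and password are placeholders, not real accounts.
SVC_DN = "CN=svc-dnn,OU=Service,DC=corp,DC=example"
SAMPLES = [
    (build_bind_request(1, ""), False),                                   # anonymous, plain LDAP
    (build_bind_request(2, SVC_DN, "placeholder-pw"), False),             # simple bind, clear
    (build_bind_request(3, SVC_DN, "placeholder-pw"), True),              # simple bind over LDAPS
    (build_bind_request(4, "", sasl_mechanism="GSS-SPNEGO",
                        sasl_credentials=b"\x60\x03abc"), False),         # Kerberos/NTLM via SASL
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Only the bind says anything about credentials; the later SearchRequests (such as the group lookups mentioned above) run under whatever identity that bind established, so the bind PDU at the start of each TCP session is the one to classify. The `over_tls` flag has to come from the capture itself (port 636 or a prior StartTLS), since the PDU alone cannot show it.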
