AD membership not synced into DNN security roles
New Post
8/5/2008 7:30 PM
 

Never mind that post -- I didn't find any documentation online regarding the functionality of that particular setting, but checking out some hard-copy reference made it clear that Auto Assignment was not the solution to this problem.  I should say that my gut feeling is that AD is properly set up.  Their IT department takes care of the whole thing, and I'm fairly confident it is not an oversight on that point.  Also, I undertook a pseudo-recursive double-click-after-double-click exploration through AD to see of what groups StudentServices was a member, but it indicated that it did not have any parents.

If LDAP will still provide further functionality or you feel it's an important area into which to look, I can start looking up the chain to get it installed.

 
New Post
8/5/2008 11:07 PM
 

Auto-Assignment means every user gets assigned to the role which you don't want.

LDAPBrowser doesn't have to be installed on the web-server (though it would help to see exactly what the webserver sees). It can be installed on any computer on the domain. The only reason I'm leaning towards using it is that it's what I use when I'm testing what properties the provider is pulling in and the memberOf field has always been bang on for the groups.

Another possibility that I think another user ran into and could possibly be the case here is... How many domain controllers does your client have? Is it possible that one of the domain controllers isn't syncing properly with the other ones and it's not registering that the staff member is part of Student Services (this is where running LDAPBrowser on the server is beneficial)? I know we've occasionally had flaky domain controllers at work that wouldn't show computers in the proper OU until they were rebooted.

 
New Post
8/6/2008 2:09 PM
 

Hey Mike -- skirting the LDAPBrowser issue one more time, we've had somewhat of a breakthrough.  We discovered the source for the role-wiping, but we have one problem remaining.

The original problem and its solution:

We're running two separate instances of the same portal via two separate websites and application pools.  One of the sites is intended for public end-users, the other is for intranet users.  They point to different domains, and we made a little fix that checks for the domain (instead of using an ip range) to force Windows auth when a user is on the admin.* site.

The problem seems to have been with the credentials/identity of the application pools.  One application pool (that intended for the admin site) has a domain account with Active Directory access.  The other application pool (for the public site) is using the Network Service account (local to the server, with no AD access).  Whereas we did not specify a username and password in the Admin > Authentication settings in DNN, it seems to be relying on the Application Pool credentials for accessing AD.  Because I’m working off-network, I’ve been testing on the www site, and we were having the clients test on the www site also, so when a user logs in to the www site, the application pool Network Service identity tries to access AD to no avail and it wipes the roles for all the users.  Trying on the admin site, though, proves successful in that it does NOT wipe the roles that already exist, most likely because the admin site’s application pool identity has access to AD.

The remaining problem:

That said, though, we do have one problem:  although the roles are no longer wiped when users log in through the admin site, they still are not allocated for the users unless we add them manually to the corresponding groups via DNN.  (Also, as a side note – if we manually add a user by the DNN interface to an AD-linked DNN role to which they do NOT belong in AD, at the next DNN login they are still in that role.  I do not know if this is desired behavior or not, but it seems given the previous issue we were tangling with, it might not be.)

Do you have any ideas on that problem (the main one—the side note is just an extra bite), or do you think it’s of the same/a similar origin?  Our solution at this point, as the "drop-dead deadline" is in 36 hours, is to manually add all of the users to DNN (those who have not yet logged on) and then manually add all of the users to their respective roles.

Thanks again for all of your help so far,

Zack

 
New Post
8/6/2008 6:43 PM
 

Okay -- we installed LDAPBrowser.  When I navigate to Sherry and to our test account intended to emulate Sherry in the browser, both show up with "memberOf      CN=Zap-Student Services,OU=................." which I think is correct.  (That follows the same nomenclature as in DNN, by the way--the groups are all Zap-Group Name (and that is the same for the pre-Windows 2000 name))

This seems to point to AD groups being set up correctly, at least in this context.  If there is more I can do with LDAPBrowser, please let me know.

Thank you,

Zack

 
New Post
8/6/2008 11:28 PM
 

Without setting up a test environment similar to how yours is set up, I'm not sure why roles wouldn't be getting assigned, though what was happening on the public site sort of makes sense. I'll have to check to see just how much information NETWORK SERVICE can pull from an AD. I.e., if it can get the groups but not see who's in them, then it makes sense that users would be removed from the roles, though I didn't think NETWORK SERVICE could pull any information from the AD (it should error out).

I'm not sure when I'll be able to get a test environment set up (work is nuts getting ready for students coming back in a few weeks) so I think your solution, while a real pain, may be the best one to use over the next 36 hours. If you look in the AD Fixes post one of the users did create a module that will bulk add/remove AD users and manage their roles (it's the 2nd or 3rd post in the thread). I don't know if his link is active anymore but it might make things easier for you.
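
The role-wiping discussed in the posts above (a login handled by an identity that cannot read AD ends with the user's AD-linked roles removed) comes down to whether a failed directory lookup is treated the same as an empty group list. The following is an added example, not code from the DNN AD provider or from anyone in this thread; the function names, the "Zap-Admissions" role and the sample data are constructed, and it assumes a successful lookup should be authoritative for AD-linked roles.

```python
class DirectoryUnavailable(Exception):
    """Lookup could not be performed (no access, bind failure, DC down)."""


def lookup_groups(directory, user, can_read):
    # `directory` is a constructed dict standing in for memberOf data;
    # `can_read` models whether the process identity may query the directory.
    if not can_read:
        raise DirectoryUnavailable("identity has no directory access")
    return set(directory.get(user, ()))


def sync_naive(current_roles, linked_roles, directory, user, can_read):
    # Failure mode: the lookup error is flattened into "no groups",
    # so every directory-linked role is stripped at login.
    try:
        groups = lookup_groups(directory, user, can_read)
    except DirectoryUnavailable:
        groups = set()
    return (current_roles - linked_roles) | (groups & linked_roles)


def sync_safe(current_roles, linked_roles, directory, user, can_read):
    # A failed lookup leaves roles untouched and is reported for alerting.
    # Only a successful lookup (even an empty one) changes linked roles.
    try:
        groups = lookup_groups(directory, user, can_read)
    except DirectoryUnavailable as exc:
        return set(current_roles), f"sync skipped: {exc}"
    return (current_roles - linked_roles) | (groups & linked_roles), "synced"


# Constructed sample data (not taken from any real directory).
DIRECTORY = {"sherry": {"Zap-Student Services"}}
LINKED = {"Zap-Student Services", "Zap-Admissions"}
CURRENT = {"Registered Users", "Zap-Student Services"}

if __name__ == "__main__":
    print(sync_naive(CURRENT, LINKED, DIRECTORY, "sherry", can_read=False))
    print(sync_safe(CURRENT, LINKED, DIRECTORY, "sherry", can_read=False))
    print(sync_safe(CURRENT, LINKED, DIRECTORY, "sherry", can_read=True))
```

Logging the "sync skipped" result per login gives operations a signal that a site is running under an identity without directory access, instead of the problem surfacing as missing permissions.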

 