DNN Community Forums > DNN Open Source > Provider and Extension Forums > Authentication

AD configuration frustration - authentication intermittent
New Post
1/20/2009 3:00 PM
 

This has gotten to be an extremely frustrating issue for us.  I've attempted just about every suggestion in the forums and have followed the documentation but the AD authentication is simply not working properly; nor will it replicate any group memberships or AD objects.  The user's initial profile is completed fine (first, last, city, state, etc.) but no extended properties are replicated.  If a user's AD password is changed, it works fine on their next login to the site (for the most part... see below) so their base AD info is getting synchronized to DNN.

Using DNN 4.8.4, AD version 1.0.4.   Directory connection configuration OK.  Intranet users ONLY, no extranet access.

When directory authenticated users go to (for example) http://portal.domain.com they constantly get prompted/re-prompted with a Win login. In some cases, they key in their credentials and login to the site. In other cases, the Win prompt pops over and over and over again and eventually they get a partially built page but are still not logged in.  If the users go to the 'short name' of the site "http://portal/" in MOST cases, they are logged in automatically but quite often, they are not.  Part of the issue is due to the FQDN not existing in their local intranet zone in IE6 (locked down/not user changeable).  In IE7, this issue was addressed so either the short name or the FQDN logs them in automatically MOST of the time, but not consistently.  If they clear their browser settings (cookies, temp files, etc.) then occasionally they are able to login again, but they often experience the same Win popup either once or continuously.

Also, if I, using IE7, connect to the site, I get authenticated fine but after browsing around a bit, eventually one of the links on the site will cause the Windows login prompt to pop up again repeatedly.  Only closing all my browser sessions, clearing all settings and going back to the site will fix it. 

Anonymous is off for only the one WindowsSignin.aspx file. Impersonation is set to false.  If set to true and using a working service ID in the web.config (which we don't really want to do anyway), then ALL users get prompted for a Windows login and it will NOT authenticate them to the site.

Someone please shed some light on this issue for me. I've got several folks pestering me to get this fixed for them and there seems to be no one setting that yields consistent results.

Thanks.

 
New Post
1/21/2009 1:26 AM
 

When you say extended properties aren't replicated what extended properties are you talking about? There's a chance that they aren't as there's a finite list of properties that are checked (mainly the most common ones). I can post the whole list here tomorrow if you want me to but I don't have the provider code handy at the moment.

Group memberships not working...I just want to check before I go further....do the Roles exist in DNN that match the AD security groups already?

Win Logon pop-up...there's nothing we can do about that one. That's a network configuration and I'm guessing that it's handled by group policy in your situation. Whoever handles group policy in your domain should be able to put a wild-card listing so that any computer on the domain has any URLs that belong to the domain in its Intranet or Trusted sites list (the URL that needs to be entered is http://*.domain.com).

As for continuous logon pop-ups showing up....Is there anything extra running on your domain computers that might be blocking the information that's being passed? I'm thinking 3rd party firewall programs like Zone-Alarm or anti-virus program that is blocking the passing of user credentials (Norton used to be horrid about that).

 
New Post
1/26/2009 1:52 PM
 

Mike Horton wrote

When you say extended properties aren't replicated what extended properties are you talking about? There's a chance that they aren't as there's a finite list of properties that are checked (mainly the most common ones). I can post the whole list here tomorrow if you want me to but I don't have the provider code handy at the moment.

I've added several new fields to the user profile such as EmployeeID, ManagerID, etc. that exactly match the AD objects; I assumed these could be replicated in addition to group memberships but I may be mistaken on that.  If there are specific properties that CAN be obtained that are not in the current profile, yes, I'd like to see the list if that wouldn't be too much trouble.

Mike Horton wrote

Group memberships not working...I just want to check before I go further....do the Roles exist in DNN that match the AD security groups already?

Yes, the security roles exactly match the AD groups.  What I wasn't certain about is whether or not Public Role and/or Auto Assignment needed checking.  In fact, users that ARE members of the AD groups are being REMOVED from the matching DNN role rather than being added...

Mike Horton wrote

Win Logon pop-up...there's nothing we can do about that one. That's a network configuration and I'm guessing that it's handled by group policy in your situation. Whoever handles group policy in your domain should be able to put a wild-card listing so that any computer on the domain has any URLs that belong to the domain in its Intranet or Trusted sites list (the URL that needs to be entered is http://*.domain.com).

As for continuous logon pop-ups showing up....Is there anything extra running on your domain computers that might be blocking the information that's being passed? I'm thinking 3rd party firewall programs like Zone-Alarm or anti-virus program that is blocking the passing of user credentials (Norton used to be horrid about that).

The odd thing about the Login popup is that it occurs in an inconsistent fashion, most users get logged in fine.  Yes, there is a wildcard listing for both IE6 and IE7 for the local intranet zone but it functions 60-70% in IE6 and about 90% in IE7.  Regardless, the popup is the main irritation for those users who are not getting logged in. Here are some clues for different 'solutions' that work in some cases, that may help:

If user A is getting prompted repeatedly with the login popup (their valid, already in use credentials will NOT authenticate them into DNN), I can go into DNN and reset the user's password. They can now go to the site and be auto-logged in with their domain credentials; however, if I check their account status, it shows the last login days ago, not today.

If user B is getting prompted repeatedly (their valid, already in use credentials will NOT authenticate them into DNN), and they clear the browser settings and restart their browser, they go to the site and are logged in.  At some point however, they get intermittently prompted for the windows login again.

If user C is getting prompted, they key in their credentials into the login box and it works. They continue on into the DNN site and are logged in.

I used A, B and C as examples because the 'solutions' are not consistent. It varies across the domain.  We have NUMEROUS other web based apps that are referencing the AD that work flawlessly... it is ONLY DNN that is experiencing this behavior.

Any ideas?

 
New Post
1/26/2009 1:58 PM
 

I should mention also that this MAY be related to the 'Remember Login' checkbox on the DNN login page. I recall from talking to a few of the users that they HAD selected that having previously gotten to the site in a 'not logged in' status.   Is it possible that this selection is contributing to the problem? If so, can it be turned off?

Also, could this be related to the Host>Authenticated Cacheability setting being 'Public' and would changing it to NoCache, Private, Server, ServerAndNoCache or ServerAndPrivate have any positive effect???

 
New Post
1/26/2009 4:11 PM
 

Remember login shouldn't make a difference but I'll do some testing to verify that.

The security roles do not need anything special checked. You might want to consider trying the 01.00.05 beta release (http://dnn.gmss.org until it clears the DNN Release Tracker) as there were some problems with role synchronization in the .04 release (the most common complaint was that users weren't being removed from roles when they no longer belonged to the group).

For the differences that users are seeing when trying to get logged into DNN..... I'm at a loss on that. The only thing I can suggest is looking at IIS logs and the DNN Eventviewer to see if you can see any kind of pattern for each group. (BTW the last login date is fixed in the .05 release).

I'm going to paste the code for the properties that are pulled from the AD for the DNN profile. From it you should be able to figure out what fields are populated. The ability to change what's pulled is on the future enhancement list.

    Private Sub FillUserInfo(ByVal UserEntry As DirectoryEntry, ByVal UserInfo As UserInfo)
        With UserInfo
            .Username = UserInfo.Username
            .IsSuperUser = False
            .Membership.Approved = True
            .Membership.LastLoginDate = Date.Now

            ' Email: take the AD value, otherwise build one from the account name and the configured default domain
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_EMAIL).Value) = "") Then
                .Email = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_EMAIL).Value)
            End If
            If .Email = "" Then
                .Email = Utilities.TrimUserDomainName(UserInfo.Username) & _adsiConfig.DefaultEmailDomain
            End If

            ' Directory identity attributes
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CNAME).Value.ToString) = "") Then
                .CName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CNAME).Value.ToString)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_DISPLAYNAME).Value) = "") Then
                .DisplayName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_DISPLAYNAME).Value)
            End If
            If .DisplayName = "" Then
                .DisplayName = .CName
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_DISTINGUISHEDNAME).Value.ToString) = "") Then
                .DistinguishedName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_DISTINGUISHEDNAME).Value.ToString)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_ACCOUNTNAME).Value.ToString) = "") Then
                .sAMAccountName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_ACCOUNTNAME).Value.ToString)
            End If

            ' Profile fields: this is the complete list the provider copies from AD.
            ' The guard on FirstName tests ADSI_FIRSTNAME (as posted it tested ADSI_CNAME, a copy-paste slip).
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_FIRSTNAME).Value) = "") Then
                .Profile.FirstName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_FIRSTNAME).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_LASTNAME).Value) = "") Then
                .Profile.LastName = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_LASTNAME).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_STREET).Value) = "") Then
                .Profile.Street = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_STREET).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CITY).Value) = "") Then
                .Profile.City = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CITY).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_REGION).Value) = "") Then
                .Profile.Region = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_REGION).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_POSTALCODE).Value) = "") Then
                .Profile.PostalCode = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_POSTALCODE).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_COUNTRY).Value) = "") Then
                .Profile.Country = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_COUNTRY).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_TELEPHONE).Value) = "") Then
                .Profile.Telephone = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_TELEPHONE).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_FAX).Value) = "") Then
                .Profile.Fax = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_FAX).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CELL).Value) = "") Then
                .Profile.Cell = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_CELL).Value)
            End If
            If Not (Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_WEBSITE).Value) = "") Then
                .Profile.Website = Utilities.CheckNullString(UserEntry.Properties(Configuration.ADSI_WEBSITE).Value)
            End If

            .AuthenticationExists = True

            ' obtain firstname from username if admin has not entered enough user info
            If .Profile.FirstName.Length = 0 Then
                .Profile.FirstName = Utilities.TrimUserDomainName(UserInfo.Username)
            End If
        End With
    End Sub
 
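Mike suggests looking for a pattern in the IIS logs. The following is an added Python example (not part of the thread or of the AD provider) that scans W3C-format IIS log lines for the sign-in loop the original poster describes: a client that keeps receiving 401 challenges on WindowsSignin.aspx, or that reaches a 200 on it without a cs-username. The log lines, addresses and the /WindowsSignin.aspx path are constructed for the example.

```python
"""Spot Integrated Windows Authentication challenge loops in IIS W3C logs.
A healthy NTLM handshake on WindowsSignin.aspx is at most two 401s (substatus
2 then 1) followed by a 200 carrying a cs-username; anything longer, or a 200
with no username, is the "login prompt pops up over and over" case.
"""
from collections import defaultdict

# Constructed sample lines (not from the thread); field list shortened.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-substatus
2009-01-26 13:52:01 10.0.0.11 - GET /WindowsSignin.aspx 401 2
2009-01-26 13:52:01 10.0.0.11 - GET /WindowsSignin.aspx 401 1
2009-01-26 13:52:02 10.0.0.11 DOMAIN\\usera GET /WindowsSignin.aspx 200 0
2009-01-26 13:52:05 10.0.0.12 - GET /WindowsSignin.aspx 401 2
2009-01-26 13:52:05 10.0.0.12 - GET /WindowsSignin.aspx 401 1
2009-01-26 13:52:06 10.0.0.12 - GET /WindowsSignin.aspx 401 2
2009-01-26 13:52:09 10.0.0.12 - GET /Default.aspx 200 0
2009-01-26 13:53:00 10.0.0.13 - GET /WindowsSignin.aspx 401 2
2009-01-26 13:53:00 10.0.0.13 - GET /WindowsSignin.aspx 200 0
"""
MAX_HEALTHY_401 = 2  # 401.2 (challenge) then 401.1 (NTLM type-2) is normal


def parse_w3c(text):
    """Yield one dict per request; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_auth_loops(text):
    """Return {client_ip: reason} for clients whose sign-in never completes."""
    runs = defaultdict(int)  # consecutive 401s on WindowsSignin.aspx per client
    flagged = {}
    for row in parse_w3c(text):
        ip, status = row["c-ip"], row["sc-status"]
        on_signin = row["cs-uri-stem"].endswith("WindowsSignin.aspx")
        if status == "401" and on_signin:
            runs[ip] += 1
            if runs[ip] > MAX_HEALTHY_401:
                flagged[ip] = "%d consecutive 401 challenges" % runs[ip]
        elif status == "200":
            if on_signin and row["cs-username"] == "-":
                flagged[ip] = "200 on WindowsSignin.aspx without a cs-username"
            runs[ip] = 0  # handshake finished (well or badly); start over
    return flagged
```

Run it over a real log by replacing SAMPLE_LOG with the file contents; clients that only ever appear with a completed handshake (like 10.0.0.11 here) are not reported.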