Only server Administrators have permissions to images/css w/ActiveDirectory auth
3/4/2009 5:34 PM
 

I just downloaded and installed the latest 4.x DotNetNuke 2 days ago and then installed the ActiveDirectory authentication. I followed all of the steps in the PDF (ActiveDirectory Users Guide.01.00.04.pdf) to get it working. It would not work until I enabled impersonation in the web.config as the user I selected with read access to AD and granted all the same permissions to that user as the ASPNET user has on the server. I have checked "Synchronize Role" and added several roles that match Pre Windows 2000 AD group names.

Everything is working fine regardless of user or role/AD group or page-level DNN permissions ... as long as that domain user is also in the web server's local Administrators group. For other users, even if they are in an AD group with a matching synchronized DNN role where the role is granted view and edit permissions to a page, the user gets one authentication popup dialog per external resource (css, image, FCKEditor, etc) that attempts to load. If the user hits cancel on every dialog, the page finally displays - but only the bare HTML. The "Users Online" module does show them as logged in, and the user can even edit text/HTML modules, as long as they use the Basic Text Box editor instead of the Rich Text Editor (which gives an IIS ACL permissions error page when selected).

If I add this user that is having this trouble to the local web server Administrators group, everything works for them.  

What can I do to fix this without adding users as local server administrators?  Why does the user's permissions on the web server enter into it at all - shouldn't it only depend on the user being impersonated being able to access the resources (since it is taking the place of the ASPNET account)?

Why is impersonation required in some cases but not others? The PDF didn't specify, it just said you may have to use impersonation if it doesn't work (and I did).

-- Setup --

In web.config these lines are uncommented:
<add name="Authentication" type="DotNetNuke.Authentication.ActiveDirectory.HttpModules.AuthenticationModule, DotNetNuke.Authentication.ActiveDirectory" />
<identity impersonate="true" userName="Domain\MyUser" password="password" />

The user being impersonated has been granted the following directory permissions on the web-server:
 

  • Read & Execute, List Folder Contents, Read to
    c:\WINNT\Microsoft.NET\Framework\v2.0.50727
  • Full Control to the
    E:\inetpub\wwwroot\DNN root virtual directory
  • Full Control to
    c:\WINNT\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files

More info:

  • Microsoft Windows 2000 Advanced Server SP4
  • IIS 5.0 
  • DotNetNuke Community Edition
  • DotNetNuke Version: 04.09.02
  • .NET Framework: 2.0.50727.83
  • ActiveDirectory
    • ActiveDirectory_01.00.05_install.zip
    • Authentication type: Delegation
    • DesktopModules/AuthenticationServices/ActiveDirectory/Settings.ascx
    • DesktopModules/AuthenticationServices/ActiveDirectory/Login.ascx

 

 
3/4/2009 5:58 PM
 

It looks like you've got everything set up properly Russell. Perhaps check that the permissions you set for your impersonation user have been forced down to all files and folders.

As for why some need impersonation and some don't..... I honestly don't have an answer and I can't remember if I've ever found a valid one. I think it all depends on how the network administrator has set things up. As an example....on our old webserver that was on a DMZ zone with a hole poked in so that it could talk to the AD I had to use impersonation. On the new one (which is a virtual server setup on a different DMZ) I don't have to.

 
3/4/2009 8:00 PM
 

All of the permissions were recursed - and as a matter of fact, I found out later that the impersonated user is also in the server's local administrators group anyway.   So permissions on that user shouldn't be factoring into this.  

Does it make sense that permissions of the website visitor accounts should factor into this at all?  I thought ASPNET or the impersonated account would be the only account that would need permissions to the resources so it could serve it to the visitor.  Is there anything else I can check?

 
3/4/2009 11:54 PM
 

Does it make sense that permissions of the website visitor accounts should factor into this at all?  I thought ASPNET or the impersonated account would be the only account that would need permissions to the resources so it could serve it to the visitor.  Is there anything else I can check?

No, the visitor's account shouldn't factor into this at all. You left the authentication as forms in the web.config, right? You didn't change it to Windows?

Re-reading your initial post has raised a question. You mention that a pop-up appears for any external resource.....these resources are still falling under the DNN directory tree and aren't stored elsewhere on the server correct?

 
3/5/2009 10:07 AM
 

Mike Horton wrote

You left the authentication as forms in the web.config  right? You didn't change it to Windows?

Re-reading your initial post has raised a question. You mention that a pop-up appears for any external resource.....these resources are still falling under the DNN directory tree and aren't stored elsewhere on the server correct?

The resources in question are all the normal DNN resources coming from skins, containers, FCKEditor, etc - I didn't add any additional ones.  So their source should be whatever the default source location is for those resources.  I'm assuming those are under either the DNN virtual directory root or the temporary asp.net files, both of which the impersonated user has full control over.

In the IIS settings - should both anonymous and integrated windows security be checked (that's the way I currently have it configured)? Authentication is still set to forms in web.config. Here are all the relevant bits from the web.config I could find:

<section name="authentication" requirePermission="false" type="DotNetNuke.Framework.Providers.ProviderConfigurationHandler, DotNetNuke"   />

<httpModules>
  <!-- add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" / -->
  <add name="Authentication" type="DotNetNuke.Authentication.ActiveDirectory.HttpModules.AuthenticationModule, DotNetNuke.Authentication.ActiveDirectory" />
</httpModules>

<!-- forms or Windows authentication -->
<authentication mode="forms">
  <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
</authentication>

<identity impersonate="true" userName="domain\user" password="password" />
<!-- <authentication mode="Windows">
</authentication>-->

<authentication defaultProvider="ADSIAuthenticationProvider">
  <providers>
    <clear />
    <add name="ADSIAuthenticationProvider" type="DotNetNuke.Authentication.ActiveDirectory.ADSI.ADSIProvider, DotNetNuke.Authentication.ActiveDirectory" providerPath="~\Providers\AuthenticationProviders\ADSIProvider\" />
  </providers>
</authentication>
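
Added example, not part of the original thread and not DNN's own code: a small Python check that reads a web.config and reports the settings asked about above (forms or Windows mode, which Authentication module is registered, and the impersonation identity), ignoring commented-out alternatives. The sample is constructed from the fragments posted in the thread; the wrapping `<configuration>`, `<system.web>` and `<dotnetnuke>` elements and the function name `audit_auth_config` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the thread's fragments under assumed parent elements.
SAMPLE = r"""<configuration>
  <system.web>
    <httpModules>
      <!-- add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" / -->
      <add name="Authentication" type="DotNetNuke.Authentication.ActiveDirectory.HttpModules.AuthenticationModule, DotNetNuke.Authentication.ActiveDirectory" />
    </httpModules>
    <authentication mode="forms">
      <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />
    </authentication>
    <identity impersonate="true" userName="domain\user" password="password" />
    <!-- <authentication mode="Windows">
    </authentication>-->
  </system.web>
  <dotnetnuke>
    <authentication defaultProvider="ADSIAuthenticationProvider" />
  </dotnetnuke>
</configuration>"""

def audit_auth_config(xml_text):
    """Summarise the effective (uncommented) authentication settings."""
    # ElementTree drops XML comments, so commented-out alternatives are ignored.
    web = ET.fromstring(xml_text).find("system.web")
    auth = web.find("authentication")
    ident = web.find("identity")
    modules = [m.get("type", "").split(",")[0].strip()
               for m in web.findall("httpModules/add")
               if m.get("name") == "Authentication"]
    report = {
        "auth_mode": auth.get("mode", "").lower() if auth is not None else None,
        "auth_modules": modules,
        "impersonate": ident is not None and ident.get("impersonate", "").lower() == "true",
        "impersonated_user": ident.get("userName") if ident is not None else None,
        "findings": [],
    }
    password = ident.get("password", "") if ident is not None else ""
    # A "registry:" value points at an encrypted registry entry, not a literal secret.
    if report["impersonate"] and password and not password.lower().startswith("registry:"):
        report["findings"].append("impersonation password stored in clear text")
    if len(modules) != 1:
        report["findings"].append("expected exactly one Authentication httpModule")
    if report["auth_mode"] != "forms":
        report["findings"].append("authentication mode is not forms")
    return report

if __name__ == "__main__": print(audit_auth_config(SAMPLE))
```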
 