Okay, to start off, this is pretty much my first experience with both DotNetNuke and Active Directory. So please pretend that I know little about either. I tried to put the important stuff in bold.
SETUP
I'm using DotNetNuke 5.1 and Active Directory extension 5.00.02 <http://dnnauthad.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=28601#DownloadId=71335> and Active Directory on Windows Server 2003.
I've followed the steps in the user guide <http://www.dotnetnuke.com/LinkClick.aspx?fileticket=MvL3RlAh8k8%3d&tabid=852&mid=2418> nearly word-for-word / picture-for-picture. I am trying to set this up for an intranet. I'm using impersonation. I do not have the following line in the web.config commented out: <add name="Authentication" type="DotNetNuke.Authentication.ActiveDirectory.HttpModules.AuthenticationModule, DotNetNuke.Authentication.ActiveDirectory" />
Also, I am trying to work with Firefox as my main browser here. I believe that I dodged all trust issues with it by adding my list of local sites to the list in about:config under xpinstall.whitelist.add and network.automatic-ntlm-auth.trusted-uris.
I have Enable Auto-Authentication and Sync Roles checked in Admin -> Extensions -> DNN_ActiveDirectoryAuthentication. I left the other boxes unchecked. The Automatically Create Users option seems to affect my role synchronization directly, so it's off. I'm using ADSIAuthenticationProvider and Delegation as my Authentication Type. My root domain and email domain are filled in with dc=domain,dc=com and @domain.com respectively. Everything else is left blank. (Please let me know if this is bad.)
About the almost-to-the-tee following of the guide, I didn't do the following: the steps listed under IIS on page 12. However, I did do the steps listed under Configuring IIS 7 starting on page 17. (Is this the same thing?)
INTERESTING QUESTION
Even though I am using this for an intranet, I'm finding that I need to use the link <http://<DotNetNuke_Install>/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx> because whenever the users close Firefox or log off, they have to log in again (and it doesn't occur automatically). So it seems like I have something between the intranet problem (which I solved by Firefox trusting) and the extranet problem (which I'm using this link for). (Did I make a great mistake somewhere?)
THE PROBLEM!!!
Despite the seeming chaos above, this seems to work ... sort of. I have 4 AD groups that I'm testing on (let's call them groupA, groupB, groupC, groupD). I have 7 users dispersed through these groups. 4 are there to stay (manA, manB, manC, manD; also a 5th called manA2). After that, I have 2 others that are there to practice moving from group to group: test1 and test2. I think test1 is in groupB, but that's not really important. test2 is in groupD.
Now, I added the test2 user to the Active Directory yesterday (and haven't made any changes to the DNN site's settings since, just some to Active Directory). But, unfortunately, I came across this problem: my role synchronization would work correctly if I logged in manually (the Windows login). However, if I clicked the link (I added) for the auto-login, my role synchronization would not work (test2 would not be given the role of groupD, which I could tell by the lack of permission to view a particular page on the website), and I would be treated as nothing more than a registered user. What was really interesting was that when I accessed the role groupD (I know that AD groups and DNN roles are 2 different things, but the whole point of the Active Directory authentication is to treat them as the same thing anyway; so, I'm going to use the same name), I could find the test2 user in that role. But if I went to the users and checked the roles that test2 had as a user, groupD was not one of the roles listed (only Subscribers and Registered Users).
This occurred with three users. The first two eventually validated entirely and worked correctly with both the manual and auto login. Also, I could move these users back and forth between groups with some delay but no real problems. However, the third (test2) didn't validate correctly until about halfway through my typing this up (well, that's about when I noticed it).
SLAPSTICK SOLUTION
So, the one difference between the first two users and test2 was that the other two had both been in the AD group Domain Admins. When I put the 3rd user in this group (after waiting a while for AD replication and such), the test2 user also auto-logged in and received the correct role synchronization. This seems to me to be a really high security profile to have to put every user in. And, I find it really interesting that my roles continue to synchronize correctly despite the fact that I have deleted them from that group. (Am I priming some permissions that are necessary for the full role sync?)
DISCLAIMER
I realize that I'm being a little verbose, but I really want to avoid any misunderstandings with my website and want to be really explanatory to anyone who happens to come by and look at this post.
PLEA
Please help me understand what the problem is here. I would absolutely love to see this working perfectly.
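The post's observations (role sync that only works once the user has been in Domain Admins, and a user who shows up inside the groupD role but whose own role list lacks groupD) come down to one question: what group membership does the web site's identity actually read back from AD for that user? The provider the post selects (ADSIAuthenticationProvider) goes through ADSI, so the same lookup can be reproduced outside DNN. The script below is an added diagnostic written for this page; it is not part of the original post, the DNN Active Directory provider, or the user guide. It takes the root DN and the test2 account from the post; the escaping helper, the property names queried and the wording of the warnings are the example's own. Run it twice with the same user, once under the identity the DNN site impersonates and once as an administrator, and diff the output: if the two lists differ, the gap is in what the site's identity is permitted to read, which is what to fix instead of adding users to Domain Admins.

```powershell
# Added diagnostic for comparing the AD group membership visible to
# different identities. Not code from the original post or from DNN.
# Assumed values: root DN and sAMAccountName as used in the post.
param(
    [string]$SamAccountName = "test2",
    [string]$RootDn         = "dc=domain,dc=com"
)

# Escape the value per RFC 4515 so a name such as "a*)(cn=*" cannot change
# the meaning of the LDAP filter (backslash first, so added escapes are
# not re-escaped). Any AD-backed login page needs the same treatment.
function Escape-LdapFilterValue([string]$Value) {
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Host "Querying as : $me"

$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$RootDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$safeName = Escape-LdapFilterValue $SamAccountName
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safeName))"
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("memberOf")
[void]$searcher.PropertiesToLoad.Add("primaryGroupID")

$result = $searcher.FindOne()
if ($result -eq $null) {
    Write-Warning "No user '$SamAccountName' visible under $RootDn when running as $me (wrong root DN, or this identity cannot read the object)."
    exit 1
}

$userDn = $result.Properties["distinguishedname"][0]
Write-Host "User DN     : $userDn"

# memberOf lists direct membership only, and only the groups this identity is
# allowed to read. The primary group (normally Domain Users, RID 513) is never
# in memberOf, so a mapping built from memberOf alone will not include it.
$groups = @($result.Properties["memberof"])
Write-Host "memberOf    : $($groups.Count) entries, primaryGroupID=$($result.Properties['primarygroupid'][0])"
if ($groups.Count -eq 0) {
    Write-Warning "memberOf is empty. If the same query run as an administrator returns groups, the site's identity lacks read access to the user or group objects."
}

$inDomainAdmins = $false
foreach ($dn in $groups) {
    # "CN=groupD,OU=Groups,DC=domain,DC=com" -> "groupD"
    # (simple split; good enough for group names without escaped commas)
    $cn = $dn.Split(',')[0] -replace '^CN=', ''
    Write-Host "  - $cn"
    if ($cn -eq 'Domain Admins') { $inDomainAdmins = $true }
}

if ($inDomainAdmins) {
    Write-Warning "$SamAccountName is a member of Domain Admins. That is full control of the domain and is not an acceptable workaround for role synchronisation."
}
```

Two caveats on reading the output: memberOf is not recursive, so a user who reaches groupD only through a nested group will not show groupD here (tokenGroups would, but needs a bind to the user object), and the identity doing the query must be able to read the group objects as well as the user, because memberOf is a back-link computed from the groups' member attributes.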