I've finally got my users auto logging on without redirect problems and the names are being populated from Active Directory.
My setups:
DNN 4.3.4. Windows Server 2000 IIS5 (ASPNET), SQL Server 2000 (Intranet Server)
DNN 4.3.4. Windows XP Pro 64Bit IIS6 (Network Service), SQL Server 2000 (Development/Test Server)
I've tried various combinations of settings, and I can only get the thing to work if I set the Anonymous User to a Domain User or Service Account. It seems that, although all servers and users have been set to use Kerberos, it is failing and falling back to NTLM (our Domain Controller and AD server are on Windows 2000; maybe things will work properly once we upgrade to Windows 2003).
Please bear in mind that the following changes were made after a successful install using forms authentication with hardcoded sql user and password in the database connection string (no access to database by Network Service or ASPNET).
IIS - DotNetNuke Folder
- Check Anonymous Access ONLY
- Edit the Anonymous User and password to be a Domain User with AD access (mydomain_1\myuser)
IIS - Dotnetnuke/Admin/Security/windowssignin.aspx
- Check Integrated Windows Authentication ONLY
File Explorer - DotNetNuke Folder
- Add Domain Users - default permissions (or whatever group is suitable for your situation)
- Add IUSR account - default permissions
File Explorer - Dotnetnuke/Admin/Security/windowssignin.aspx
- Add Domain Users - default permissions (or whatever group is suitable for your situation)
- Remove IUSR Account
In web config:
- Uncomment Forms Authentication block (if it isn't already)
- Uncomment impersonation = True
- Uncomment Authentication httpmodule
- Comment Windows Authentication block
In services manager:
- Restart IIS (The following section failed until I did this)
Go to Admin -> Authentication
- Authentication: Check
- Synchronize Roles: Check
- Provider: ADSI Authentication Provider
- Authentication Type: Delegation (although it worked no matter what I set this to!)
- I left all the other fields blank too.
- Hit Update - I got all four tests to pass, the final test also listed my domain in the form of: mydomain.gov.uk (mydomain_1)
Finally
- log off
- clear cookies
- close browser
- open browser
- Point browser at dotnetnuke or dotnetnuke/admin/security/windowssignin.aspx
- hit CTRL+F5 if it doesn't work first time.
Hey presto, no looping/redirecting. My Domain Users are auto logged on, and other non-domain users can register and log in the old-fashioned way.
The User table has all the values except DisplayName pulled from Active Directory. I modified the addUser SQL stored procedure to get around this: set @DisplayName = @FirstName + ' ' + @LastName
I've still not got Role Synching working though. According to other posts, I think I've set them up right. My AD Groups are not set to Universal, they are only one word long (no spaces) and in DNN I've set the Roles up with the exact same spellings as in AD, e.g. a bunch of us are in: Groups --> mydomain_1\Programmers so I called the DNN group mydomain_1\Programmers. Also tried with Programmers and mydomain.gov.uk\Programmers. Yet when logging on for the very first time, our accounts are auto created but we are not put into the DNN Roles.
Anyways enough rambling. I hope this helps someone, and I hope someone can help me with role synch in return ;)
Regards,
Si
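
The post suspects that Kerberos is failing and the browser is falling back to NTLM. As an added example (not part of the original post, and not DNN code), the Python below classifies a captured `Authorization` header from a request to windowssignin.aspx as Kerberos or NTLM. The function name and the sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value).
SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLM_SIG = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "unknown"
    # Raw NTLMSSP message: sent under "NTLM", or under "Negotiate" when the
    # client skips SPNEGO and goes straight to NTLM.
    if raw.startswith(NTLM_SIG):
        return "ntlm"
    if not raw.startswith(b"\x60"):   # GSS-API initial token tag
        return "unknown"
    head = raw[:96]                   # the mechanism list sits at the front
    if SPNEGO not in head:
        # Bare Kerberos GSS token with no SPNEGO wrapper.
        return "kerberos" if KRB5 in head else "unknown"
    # Heuristic: the mechanism listed first is the client's preferred one,
    # and the embedded token belongs to it.
    found = {
        "kerberos": min((head.find(o) for o in (KRB5, MS_KRB5) if o in head), default=-1),
        "ntlm": head.find(NTLMSSP),
    }
    found = {name: pos for name, pos in found.items() if pos >= 0}
    return min(found, key=found.get) if found else "unknown"


def _der(tag, body):
    """Constructed-sample helper: DER TLV with a short-form length (< 128 bytes)."""
    return bytes([tag, len(body)]) + body


def _spnego(mechs):
    """Constructed sample: SPNEGO NegTokenInit carrying only a mechanism list."""
    inner = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, b"".join(mechs)))))
    return "Negotiate " + base64.b64encode(_der(0x60, SPNEGO + inner)).decode()


SAMPLE_KERBEROS = _spnego([MS_KRB5, KRB5, NTLMSSP])   # constructed
SAMPLE_NTLM_ONLY = _spnego([NTLMSSP])                 # constructed
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()
```

A result of `ntlm` on a `Negotiate` request means the client never offered a Kerberos ticket for that site.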