New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationInstall Active Directory for beginners like me!Install Active Directory for beginners like me!
Previous
 
Next
New Post
8/29/2007 4:21 AM
 

catsnak wrote

 gbrusella wrote
Excellent walk through.

I'ts very easy to understand...

catsnak:

Are you sure the domain is OK??

On my case the domain is:
dc=local,dc=bitbrain,dc=com,dc=ar

I'ts using AD "full" notation not the DNS name.

On one of my tests I've used this to authenticate with a Linux DC and worked fine to me.

 

Yeah I'm sure the domain is ok.

Mine looks like this: dc=eaglecu,dc=org

Odd thing is even though I get that error our domain users get autologged in anyway. Now I'm dealing with the display name issue but the fix listed here to hack the stored procedure isn't working.

catsnak, I too am having problems configuring Authentication (i.e. I experience the "Windows Authentication is currently unavailable" message), and I too am experiencing the same behavior that although configuring Authentication does not pass the three AD tests (test GC, test root domain, access LDAP - not sure if it fails a single test or all three, my guess is based upon event viewer entries the first test fails because there are always three failed events logged immediately after each attempt to config), my users seem to be logging on just fine.  I did not see any follow-up threads that seemed to have addressed your (and my) issues, were you able to fix the problem with having the Authentication page pass all tests?

Fortunately, we've just begun our DNN trek and we're weeks from going live with our corp intranet.  I would appreciate any assistance from the community with the following:

1) I would like configuring the Authentication page to pass all tests. 

2) The first name, last name and display name fields in DNN are not auto populating correctly (first name = SPN?, last name = domain name in caps, display name is blank). 

3) Should a user accidentally log out, clicking login takes them to a login page that does not prompt for a domain name.  Instead users are prompted with only their user name and password.  I've seen other threads that talk about using a different login page, but I've not read anywhere this is configured with step by step instructions (hence my alias dnnnewbie).

Our environment?  AD 2000 (yes, AD is working correctly), WIN2K as member server w/SP4, IIS 5.00.0984, ASP.NET 2.0.50727, SQL 2K MSDE w/SP4, DNN 4.5.5.

Thanks, Dan.

 
New Post
8/31/2007 12:57 AM
 

Dan,

You may have to do the following to get it to pass all three tests (I had to at my workplace). Find the comment line <!-- <identity impersonate="true" /> in your web.config and uncomment that line ONLY. Leave the rest of the lines in that group commented out. Then to that line add the following userName="DOMAIN\Username" password="password" so that it looks like this <identity impersonate="true" userName="Domain\Username" password="password" />. The user account that you use can be any user account it doesn't have to have any special privledges on the domain (we use a generic student test account that has no special rights). Now try doing the Authentication test. If everything passes then you'll have to give that account you used the same permissions on your DNN install as the NETWORK SERVICE/ASPNET account has or you'll get errors when a change is made to one of the log files or a file in your DNN directory.

For #2, I think if you get #1 working you won't see the problem any more (except you'll have to delete the accounts that are currently in the DNN database). I'm going from memory on this one.

#3 There's two ways you could change this. One is to edit Signin.ascx to put a note on there for your users to login with DOMAIN\Username or to use a script that automatically puts the domain in front of their username. I've got a link to a post that has the script in it at work and if I get time (and remember) tomorrow I'll post it.

 
New Post
10/11/2007 2:55 PM
 

Oglethorpe wrote
 

Thank you for putting this information together.  I have a few followup questions, some of which may be addressed in 4.5, others may simply be configuration issues on my end.

I have successfully gotten DNN to recognize and pull basic AD data when a user logs in on my test intranet setup.  My concerns are the following:

  1. How do I get the user's AD groups to populate the matching DNN groups?  For example, if the AD user is in the DOMAIN\SECGROUP1 group and I have a DNN group called DOMAIN\SECGROUP1, shouldn't the user automatically be added to the group when they log in?  I did install the AD FIX code that somebody put together that would double-check and sync a user's settings each time they log in, so I can only assume that's all I needed to do.
  2. I am getting the IIS authentication popup login window whenever a user tries to connect to the site; I would like them to either (a) automatically log in if they're already on the network and connect to the DNN url, or (b) use the DNN login box to log in with instead.  The IIS authentication box DOES log the user into DNN as expected, but I'm trying to avoid that pop up.  Ideally, I would like the home page to be available to all users (authenticated or not), with the DNN login box available for those who need to log in.  If this is related to adding intranet.domain.com to my "local/trusted intranet" settings in my browser, then that option didn't work for me and actually caused me to be unable to connect to the site (has to do with the way our firewall is set, I'm guessing, where certain types of traffic gets routed outside and around the elbow and other traffic isn't -- keeping the site out of the local intranet zone allows me to access the site and log in, but via the IIS popup)
  3. How does changing a users' information in DNN work with AD?  Is it a one-way street, where the DNN database is populated once and any changes thereafter in DNN do not get migrated back into AD?  That's fine with me if so, but I'm sure it will come up as a question from others.
  4. Has somebody written an AD-based phone directory/contact list that pulls the AD info instead of the DNN users database?  This would be helpful to list people who haven't yet logged into DNN and had their user account created.  Similarly, has anybody written a sync job that would remove or disable DNN users if their AD user account was deleted or suspended?
  5. We have two different ways people can log in on our system.  One is using DOMAIN\USERNAME (my preferred method); the other is .  In both cases, the correct information is pulled from AD into DNN, but it is creating two different user accounts in DNN.  Aside from yelling at people about using the correct username to log in with, does anyone have other suggestions on how to deal with this?

Oh, I'm sure I'll have more questions.  TIA.

These are great questions, especially for folks like me just getting started.  Did you get any answers to them that you could post here?  Anyone else care to chime in?

Thanks,

Paul

 
New Post
10/11/2007 4:58 PM
 

Paul Sellers wrote

 Oglethorpe wrote
 

Thank you for putting this information together.  I have a few followup questions, some of which may be addressed in 4.5, others may simply be configuration issues on my end.

I have successfully gotten DNN to recognize and pull basic AD data when a user logs in on my test intranet setup.  My concerns are the following:

  1. How do I get the user's AD groups to populate the matching DNN groups?  For example, if the AD user is in the DOMAIN\SECGROUP1 group and I have a DNN group called DOMAIN\SECGROUP1, shouldn't the user automatically be added to the group when they log in?  I did install the AD FIX code that somebody put together that would double-check and sync a user's settings each time they log in, so I can only assume that's all I needed to do.
     This should happen automatically in DNN 4.6.X. In DNN 4.5.5 and below it required an installation of the DNN AD Fix available at http://dnn.gmss.org.
  2. I am getting the IIS authentication popup login window whenever a user tries to connect to the site; I would like them to either (a) automatically log in if they're already on the network and connect to the DNN url, or (b) use the DNN login box to log in with instead.  The IIS authentication box DOES log the user into DNN as expected, but I'm trying to avoid that pop up.  Ideally, I would like the home page to be available to all users (authenticated or not), with the DNN login box available for those who need to log in.  If this is related to adding intranet.domain.com to my "local/trusted intranet" settings in my browser, then that option didn't work for me and actually caused me to be unable to connect to the site (has to do with the way our firewall is set, I'm guessing, where certain types of traffic gets routed outside and around the elbow and other traffic isn't -- keeping the site out of the local intranet zone allows me to access the site and log in, but via the IIS popup)
    Unfortunately you can't have internal users automatically login and external users hit the standard homepage without specialized modification to the code-behind. To have all users go through the standard login options comment out the <add name="Authentication" /> in the web.config. You can still have AD logins they just won't be automatic.
  3. How does changing a users' information in DNN work with AD?  Is it a one-way street, where the DNN database is populated once and any changes thereafter in DNN do not get migrated back into AD?  That's fine with me if so, but I'm sure it will come up as a question from others.
     It's a one way street (AD->DNN). I would have to really look into the security ramifications of allowing changes in DNN to be written to the AD.
  4. Has somebody written an AD-based phone directory/contact list that pulls the AD info instead of the DNN users database?  This would be helpful to list people who haven't yet logged into DNN and had their user account created.  Similarly, has anybody written a sync job that would remove or disable DNN users if their AD user account was deleted or suspended?
     Not that I know of yet. With the new provider I don't think it would allow a deleted or suspended account to login but I also haven't tested against it.
  5. We have two different ways people can log in on our system.  One is using DOMAIN\USERNAME (my preferred method); the other is .  In both cases, the correct information is pulled from AD into DNN, but it is creating two different user accounts in DNN.  Aside from yelling at people about using the correct username to log in with, does anyone have other suggestions on how to deal with this?
     Errrmmmm I'm not sure if I've accounted for that in the initial 4.6.0 release of the provider (not near the code at the moment). If someone could test this and log it as a bug in Gemini (http://support.dotnetnuke.com) I would appreciate it.

Oh, I'm sure I'll have more questions.  TIA.

These are great questions, especially for folks like me just getting started.  Did you get any answers to them that you could post here?  Anyone else care to chime in?

Thanks,

Paul

 
New Post
10/16/2007 2:36 PM
 

Great write up, this has my setup working almost flawlessly, but what I require is a way to not use the user/domain format.  We have a lot of users with japanese version of windows on japanese laptops.  These units will nto allow for a '\', so with OWA we have to use user@domain.

The ideal way would to simply use the username without domain, but that will not work on my setup.

Thanks,

Justin

 

 
Previous
 
Next
HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationInstall Active Directory for beginners like me!Install Active Directory for beginners like me!


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.