Hopefully I can clear up the confusion. I have gotten everything to work, including groups. I am not an Active Directory expert by any means but I know enough to be dangerous.
Here's what I did, hopefully this will help someone. This is for a DNN 3.2 fresh setup.
1. Use the Authentication module under the Admin menu. (No need to download and install the old TTT Authentication module)
Depending on your specific AD setup there are two branches to follow: the first is for a standard AD setup, the second is for a setup with legacy mixed mode authentication.
*** Branch #1 ***
2. Log into your site as admin or host and bring up the Authentication module page.
3. Use these settings: Windows Auth = checked, Synchronize Roles = checked, Provider = ADSIAuthenticationProvider, Authentication Type = Delegation, Email Domain = @your_domain. Leave the other settings blank.
4. Hit update, you will probably get OKs on the first three but a FAIL on the last item.
5. Close your browser. Go to the web.config and comment in <identity impersonate="true"/> and comment in <add name="Authentication".../> under <httpModules>.
6. Go into IIS and right click on your DNN virtual directory. Go to Properties and then the Directory Security tab. Click Edit button. Change the user name and password under Anonymous access to a user that you know has access to your AD.
7. Find the WindowsSignin.aspx page under DotNetNuke/admin/security and bring up the Properties on it. Go to File Security tab and click Edit button. Uncheck Anonymous access option.
8. Go back into your DNN site and go to the Authentication module and click Update. You should get OK for everything and AD authentication should now work correctly.
*** Branch #2 ***
2. Log into your site as admin or host and bring up the Authentication module page.
3. Use these settings: Windows Auth = checked, Synchronize Roles = checked, Provider = ADSIAuthenticationProvider, Root Domain = your domain info (i.e. dc=acme, dc=com), Username/Password = user that has access to your domain, Authentication Type = Delegation, Email Domain = @your_domain. Leave the other settings blank.
4. Hit update, you will probably get OKs on the first three but a FAIL on the last item.
5. Close your browser. Go to the web.config and comment in <identity impersonate="true"/> and comment in <add name="Authentication".../> under <httpModules>.
6. Go into IIS and right click on your DNN virtual directory. Go to Properties and then the Directory Security tab. Click Edit button. Change the user name and password under Anonymous access to a user that you know has access to your AD.
7. Find the WindowsSignin.aspx page under DotNetNuke/admin/security and bring up the Properties on it. Go to File Security tab and click Edit button. Uncheck Anonymous access option.
8. For groups to work you need to modify the source code for the ADSI Authentication provider. The file to change is Utilities.vb under the Authentication.ADSI project. Change the GetGroupEntryByName and GetGroupEntriesByName methods so that the group is found using the default LDAP directory (LDAP://rootDSE). Email me at mgilbert at tavilo dot com for my source or compiled assemblies.
9. Compile the changes and put the two new assemblies (DotNetNuke.Authentication.ADSI.dll and DotNetNuke.Authentication.ADSIProvider.dll) into your DNN bin directory.
10. Go back into your DNN site and go to the Authentication module and click Update. You should get OK for everything and AD authentication should now work correctly.
Step #8 in Branch #2 is a pure hack but works. Hopefully the DNN team will fix this for the next version. Email me for source code changes or compiled assemblies at mgilbert at tavilo dot com.
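As an added illustration of the rootDSE approach described in step 8 of Branch #2 (this is example code, not the poster's Utilities.vb changes or DNN's own provider code): it reads defaultNamingContext from LDAP://rootDSE, searches that context for the group, and escapes the group name so a synced role name cannot alter the LDAP filter. It assumes a reference to System.DirectoryServices; the function and module names are placeholders.

```vb
' Added example, not part of the original post or the DNN ADSI provider.
Imports System.DirectoryServices

Public Module GroupLookupExample

    ' Escape the characters that are special inside an LDAP search filter
    ' (RFC 4515) so a group name from role sync cannot change the query.
    Public Function EscapeLdapFilter(ByVal value As String) As String
        Dim sb As New System.Text.StringBuilder()
        For Each c As Char In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case ChrW(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    ' Ask the directory for its default naming context instead of hard-coding
    ' a root domain, then search that context for the group (hypothetical name,
    ' mirroring the method the post says to change). Returns Nothing if no match.
    Public Function GetGroupEntryByName(ByVal groupName As String) As DirectoryEntry
        ' With impersonation on, this bind runs as the IIS anonymous-access user
        ' configured in step 6, so that account must be able to read the directory.
        Dim rootDse As New DirectoryEntry("LDAP://rootDSE")
        Dim defaultNc As String = CStr(rootDse.Properties("defaultNamingContext").Value)

        Dim searchRoot As New DirectoryEntry("LDAP://" & defaultNc)
        Dim searcher As New DirectorySearcher(searchRoot)
        searcher.Filter = "(&(objectCategory=group)(cn=" & EscapeLdapFilter(groupName) & "))"
        searcher.PropertiesToLoad.Add("distinguishedName")
        searcher.PropertiesToLoad.Add("member")

        Dim result As SearchResult = searcher.FindOne()
        If result Is Nothing Then Return Nothing
        Return result.GetDirectoryEntry()
    End Function

End Module
```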