Non-anonymous secure LDAP connection
New Post
7/18/2008 11:34 AM
 

Have you got Synchronize Role checked under Admin->Authentication? If you do then that's why it's looking for the DNN roles in your AD (though the process has changed in the .04 version). I don't have the code in front of me but the synchronization process starts under UserController.vb (AddUserRoles). The account credentials that the query is made under are whatever your site is running under (i.e., if you're using impersonation in your web.config then it's running under that account).

EDIT: I just looked through the previous posts to refresh myself. Are you still running your web.config under Windows authentication? If you are then I don't think my answer was correct as I don't think the section of code I mention will ever get hit. I'll try to set aside some time this weekend to do some testing with a web.config set to Windows authentication to verify.

 
New Post
7/18/2008 2:38 PM
 

Yes, I am running with Windows authentication enabled in web.config and impersonation disabled.  I have removed anonymous access from the entire site and enabled Windows Integrated Authentication for the entire site in IIS.  I have the AD provider enabled in DNN and I do have synchronize roles checked.  I have changed the authentication method to "delegation" since my original post.  It seems like that is what I would want as I believe that will pass along the credentials of the asp.net process account (which I have set up as a domain service account).

What's weird is that you keep saying you think it completely bypasses the AD provider code if Windows authentication is enabled, but I have recorded "null reference" errors from WindowsSignin.aspx when accessing the site from the server (logged in as the local server Administrator account).  I assume this is related to the fact that there is no AD directory entry for the local Administrator account, but it does confirm that WindowsSignin.aspx is being run.  Weirder still is the fact that the first time I attempt to access the DNN app from the server (as Administrator), the site gives an error.  If I just refresh the page then everything works and I am logged in as the DNN user servername\Administrator.

The LDAP queries searching for the DNN group names were being made while in the configuration described above, so somehow this code is being run even if Windows Authentication is enabled.

 
New Post
7/18/2008 3:51 PM
 

Brett Wilson wrote

What's weird is that you keep saying you think it completely bypasses the AD provider code if Windows authentication is enabled, but I have recorded "null reference" errors from WindowsSignin.aspx when accessing the site from the server (logged in as the local server Administrator account).  I assume this is related to the fact that there is no AD directory entry for the local Administrator account, but it does confirm that WindowsSignin.aspx is being run.  Weirder still is the fact that the first time I attempt to access the DNN app from the server (as Administrator), the site gives an error.  If I just refresh the page then everything works and I am logged in as the DNN user servername\Administrator.

Why I say that it completely bypasses the AD Provider code is based on previous testing when I have switched to Windows authentication in the web.config. I pulled this code snippet out of the code the other day for this post (http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/89/threadid/232127/scope/posts/Default.aspx).

    ' There are three status types (Undefined, Windows, and WinLogoff). If Windows is returned then the
    ' user is already logged into the site so all is bypassed (otherwise we'd be in an infinite loop)
    ' and WinLogoff is pretty self-explanatory.
    If (authStatus = AuthenticationStatus.Undefined) Then  'OrElse (blnWinLogon) Then
        AuthenticationController.SetStatus(_portalSettings.PortalId, AuthenticationStatus.WinProcess)
        Dim url As String = Request.RawUrl
        Dim arrAutoIP() = config.AutoIP.Split(";")
        'ACD-7664
        Dim strClientIP As String = ADSI.Utilities.GetIP4Address(Request.UserHostAddress)
        For intCount As Integer = 0 To arrAutoIP.Length - 1
            Dim strAutoIP As String = arrAutoIP(intCount)
            If (InStr(strAutoIP, "-")) Then
                Dim arrIPRange() = strAutoIP.Split("-")
                Dim lClientIP As Long = IPAddressToLong(strClientIP)
                If lClientIP >= IPAddressToLong(ADSI.Utilities.GetIP4Address(Trim(arrIPRange(0)))) And lClientIP <= IPAddressToLong(ADSI.Utilities.GetIP4Address(Trim(arrIPRange(1)))) Then
                    ' Returns the path to WindowsSignin.aspx
                    url = GetRedirectURL(Request, _portalSettings)
                    SetDNNReturnToCookie(Request, Response, _portalSettings)
                    Exit For
                End If
            ElseIf (Not InStr(Left(strClientIP.ToString, strAutoIP.Length), strAutoIP) = 0) Or (strAutoIP = "") Then
                ' Returns the path to WindowsSignin.aspx
                url = GetRedirectURL(Request, _portalSettings)
                SetDNNReturnToCookie(Request, Response, _portalSettings)
                Exit For
            End If
        Next
        ' Does the redirect to WindowsSignin.aspx
        Response.Redirect(url)
    End If

When I tested it previously (and it was about a year ago) when the web.config was set to Windows Authentication instead of forms Authentication the authentication status always returned a value of "Windows" and the redirect to WindowsSignin.aspx (and hence the rest of the AD Provider code) was bypassed. It's possible I guess that somewhere along the line something changed and I'm going to have to dig deeper into this and hopefully get some time over the weekend.
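
The AutoIP loop in the snippet above, restated in Python as an added example (not code from the AD provider or from this thread) so that a setting can be checked for which clients it sends to WindowsSignin.aspx. It assumes `IPAddressToLong` and `GetIP4Address` reduce an address to its IPv4 integer value; `matching_entry`, `audit` and the sample setting are hypothetical names and constructed data.

```python
import ipaddress


def ip_to_long(ip):
    # Assumption: IPAddressToLong(GetIP4Address(x)) is the IPv4 address as an integer.
    return int(ipaddress.IPv4Address(ip.strip()))


def matching_entry(auto_ip, client_ip):
    """Return the first AutoIP entry that triggers the redirect, else None."""
    for entry in auto_ip.split(";"):
        if "-" in entry:
            # Range branch: both ends are trimmed and the bounds are inclusive.
            low, high = entry.split("-")[:2]
            if ip_to_long(low) <= ip_to_long(client_ip) <= ip_to_long(high):
                return entry
        elif entry == "" or client_ip.startswith(entry):
            # Prefix branch: untrimmed string comparison; "" matches everyone.
            return entry
    return None


def audit(auto_ip):
    """Flag prefix entries whose effect is probably not what was intended."""
    findings = []
    for entry in auto_ip.split(";"):
        if "-" in entry:
            continue
        octets = entry.split(".")
        complete = len(octets) == 4 and len(octets[3]) == 3
        if entry == "":
            findings.append((entry, "empty entry: matches every client"))
        elif entry != entry.strip():
            findings.append((entry, "surrounding whitespace: never matches"))
        elif not entry.endswith(".") and not complete:
            findings.append((entry, "no trailing dot: 1 also matches 10, 100"))
    return findings


# Constructed setting (hypothetical, not from the thread): a range, a prefix
# without a trailing dot, a prefix with a leading space, a trailing semicolon.
SAMPLE = "10.0.0.1-10.0.0.50;192.168.1; 172.16.5.;"

if __name__ == "__main__":
    print(matching_entry("192.168.1", "192.168.100.7"))
    for entry, note in audit(SAMPLE):
        print(repr(entry), "->", note)
```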

 
New Post
7/21/2008 8:57 AM
 

I guess that's why it's weird.  It is hitting WindowsSignin.aspx even though Windows Authentication has been enabled in web.config.  If I can find the time, I'll try to get the provider code hooked up into my DNN solution so I can debug what is going on...

 
New Post
7/23/2008 11:57 AM
 

Were you able to do any testing to determine why it appears that DNN is making LDAP requests to resolve the DNN group names?

 