AD membership not synced into DNN security roles
New Post
8/1/2008 5:43 PM
 

Zack, can you post a step by step of how to recreate this problem as I can't seem to on my dev systems?

 
New Post
8/1/2008 7:28 PM
 

Hi Mike -- thank you for looking into this for us.  Here's the general procedure:

  1. Install AD Module ...04 (only once, of course)
  2. Ensure that Synchronize Roles is enabled
  3. Successfully log in with Windows credentials with selective-admin account (client account for authoring content)
     The edit interface is unavailable for this user at the appropriate page.
  4. Log in with host or admin account
     Note: Accounts placed in non-AD (for example Administrative) roles retain their roles regardless of login-logout.
  5. Manually add user in question to appropriate role (as the role is not automatically populated as one in which the user is a member)
  6. The next time the user logs in, the roles are wiped back to no longer being a member of the "student services" role.

It seems that the module is at least interacting with AD, because it's certainly getting the users and roles correctly initially, but it seems that it's not associating the users and roles correctly, or that it's just wiping them somewhere along the line.

I have screen shots showing various states (e.g. "Student Services" not showing up under Sherry's roles, and "Student Services" being in the list of "Member Of" in windows AD), but our hardware firewall is not letting me access personal FTP, and I shouldn't host from the client's live site.  If it would help for you to have those images, though, I can find a way to post them here.  I wanted to include them just to narrow the range of silly mistakes like her not being in the correct AD role in Windows, etc.

It does not seem that we are doing anything particularly peculiar, so I'm not sure if this will help too much.  I just wanted to throw it out there in case you might have more of an inkling than I do as to the origin of the issue.  Please let me know if there is any more information I can give you (any settings, values, etc.).

Thank you, Mike,

Zack

 
New Post
8/2/2008 2:26 AM
 

Thanks Zack. Yes, users have to manually be added/removed from the admin role(s). This is by design.

I'll give this a shot tomorrow to see if I can recreate it. If I think I need to see your screenshots I'll post back here with my email address. You may want to take a look at a program called LDAPBrowser (http://www.ldapbrowser.com). Its memberOf will show all the groups that a user belongs to (i.e., any groups that Student Services belongs to so then Sherry also belongs to them but it's not shown in the MemberOf object in Windows AD).

The only other thing I can think of before testing is if there's anything showing up in the DNN EventViewer when a user logs in and roles are synched. Oh, and is the site running under impersonation in the web.config?

 

 
New Post
8/4/2008 2:05 PM
 
Okay - so here is the web.config section for authentication:
<!-- forms or Windows authentication -->
<authentication mode="forms">
    <forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies"/>
</authentication>
<!--
    <identity impersonate="true"/>
    <authentication mode="Windows">
    </authentication>
-->
It seems that impersonation is disabled via commenting.
As far as the event log, there is nothing notable. There are no exceptions related to role addition, etc. It does notify for “User Role Created,” but it does not notify anything when it wipes the roles.
By the way, if I open parallel browsers, log into one as host and the other as another account that we set up to emulate Sherry’s, then with host manually add the test account to the appropriate AD-based DNN role, the test account has the correct privileges for the duration of its session. I used this observation to help conclude that the actual wiping occurs at login. Also, setting the role with host before the user logs in (and watching the account being allocated in the user list for the role), refreshing to make sure it’s still there 5 minutes later (it is), and then refreshing immediately after user login shows that the role-user relationship is no longer there at that point.
I have found one more piece of potentially interesting information: Although the login for the test account appears in the DNN log as a success, I see nothing in the Event Viewer on the server. I was under the impression that IIS-originated AD logins appeared in the viewer, so does it seem that something may be amiss there? The logins that I do see in that event viewer are the anonymous credentials for our IIS websites and application pools. The configured application pool for this particular site has “Predefined: Network Service” as its identity.
Also, the DNN AD provider is the beta …04 version, but I think you’ve already taken that in. I just wanted to clarify that in case replication proves impossible with …03 or if you think a solution might include jumping back down to …03. I was having timeout issues anytime a user got positive authentication with …03 but …04 fixed that, hence the jump.
Please let me know what additional information I can give.
 
New Post
8/4/2008 2:15 PM
 

I just read back through this post and remembered something (I was posting on the fly from one of our labs last week and didn't think of this, sorry). Is the AD group that isn't synching a Distribution group or a Security group? If it's a Distribution group then I think that may be the problem and will give me a place to start testing.
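
The two directory checks raised in the replies above (expanding memberOf through nested groups, and telling a Security group from a Distribution group), as an added example that is not code from the thread or from the DNN AD provider. The directory entries, DNs and function names are constructed for illustration; the only AD fact relied on is that the 0x80000000 bit of groupType marks a security-enabled group.

```python
from collections import deque

SECURITY_ENABLED = 0x80000000  # groupType bit: set on security groups, clear on distribution groups

BASE = "OU=Groups,DC=example,DC=edu"
# Constructed sample entries (not from the thread). groupType is written the way
# LDAP returns it: a signed 32-bit decimal string.
DIRECTORY = {
    "CN=Sherry,OU=Staff,DC=example,DC=edu": {
        "memberOf": [f"CN=Student Services,{BASE}", f"CN=Newsletter,{BASE}"]},
    f"CN=Student Services,{BASE}": {   # global security group
        "groupType": "-2147483646", "memberOf": [f"CN=Campus Staff,{BASE}"]},
    f"CN=Campus Staff,{BASE}": {       # domain-local security group, nested circularly
        "groupType": "-2147483644", "memberOf": [f"CN=Student Services,{BASE}"]},
    f"CN=Newsletter,{BASE}": {         # global distribution group
        "groupType": "2", "memberOf": []},
}

def is_security_group(group_type):
    """True when the security-enabled bit is set; works for signed LDAP values."""
    return bool(int(group_type) & SECURITY_ENABLED)

def effective_groups(directory, user_dn):
    """Map every group DN the user belongs to -> 'direct' or 'nested'."""
    found = {}
    queue = deque((dn, "direct") for dn in directory[user_dn].get("memberOf", []))
    while queue:
        dn, how = queue.popleft()
        if dn in found or dn not in directory:  # already visited (cycle) or unknown DN
            continue
        found[dn] = how
        queue.extend((parent, "nested") for parent in directory[dn].get("memberOf", []))
    return found

def membership_report(directory, user_dn):
    """Return sorted (group name, direct/nested, security/distribution) tuples."""
    rows = []
    for dn, how in effective_groups(directory, user_dn).items():
        kind = "security" if is_security_group(directory[dn]["groupType"]) else "distribution"
        rows.append((dn.split(",")[0][3:], how, kind))  # naive CN parse; fine for sample DNs
    return sorted(rows)

if __name__ == "__main__":
    for name, how, kind in membership_report(DIRECTORY, "CN=Sherry,OU=Staff,DC=example,DC=edu"):
        print(f"{name:18} {how:7} {kind}")
```

Comparing such a report with the roles DNN shows for the account after login separates "the group is a distribution group" from "the membership is only inherited through nesting".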

 