AD on an Intranet--My Solution
9/26/2006 4:55 PM
 

Ok, I finally got AD working on my intranet and I thought I'd post my solution.

My Scenario

Our domain is a child domain of a parent, so our fully qualified domain name is childdomain.parentdomain.local.
We are running on Windows 2003 servers; however, for my test env. I'm using IIS on XP Pro and SQL DB 2005 on a W2K3 server.  I am working with DNN 4.3.4.

1.  After setting up and installing dnn, login as the admin user.

2.  Next, in IIS--Make sure "Anonymous access" is disabled for the entire site (mine was by default).  And make sure Windows Authentication is checked for the entire site.

3.  In the web.config---UNcomment the Authentication line.

<add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" />

3.  In the web.config---UNcomment the  Identity impersonate line.

<identity impersonate="true"/>

4.  Back on the DNN Web site--Click the home page to reload it.

5.  Navigate to the Authentication tab (under the Admin Tab).

6.  Key the following

Windows Authentication: Checked
Synchronize Role: Checked
Provider: ADSIAuthenticationProvider
Authentication Type: Delegation
Root Domain: ChildDomain.ParentDomain.Local
UserName: ChildDomain\Domainuser
Password: *****
Confirm Password: *****
Email Domain: @ChildDomain.com

CLICK UPDATE--You should see something like this

Accessing Global Catalog:
OK
Checking Root Domain:
OK
Accessing LDAP:
OK
Find all domains in network:
Here it will display the number of domains found as well as a listing.

Example:
1 Domain(s):
childdomain.parentdomain.local (childdomain)

 

That's it.  ------------------------------------------------------------

 

Quirks

1.  The first user to visit the site after IIS is reset or the web.config has been modified AUTO-LOGIN will happen, BUT NOT ON THE SECOND USER...... weird.

2.  You must login using childdomain\username.  Both the domain name and user name are case sensitive, but not the way you think.

3.  In order for the Display Name (i.e. first name and last name) to be displayed beside the login/logout link, the users MUST log in with the domainname\username that exactly matches that in AD (case sensitive).  However, I created a trigger that works around this problem.

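-- INSTEAD OF INSERT trigger on the DNN Users table: every new row gets
-- DisplayName built from FirstName and LastName.
CREATE TRIGGER [t_Users_InsteadOf_Insert] ON [dbo].[Users]
INSTEAD OF INSERT
AS
BEGIN
    SET NOCOUNT ON;

    -- Re-issue the insert with DisplayName replaced by 'FirstName LastName'
    INSERT INTO Users (UserName, FirstName, LastName, IsSuperUser, AffiliateID, Email, DisplayName, UpdatePassword)
    SELECT UserName, FirstName, LastName, IsSuperUser, AffiliateID, Email, FirstName + ' ' + LastName, UpdatePassword
    FROM Inserted
END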

End of Quirks ----------------------------------------

 

What I didn't do: 

In the web.config I didn't change from Forms Authentication to Windows Authentication.  If I changed this, any user who hasn't yet created an account will not be able to reach the site.... the page loads and loads and loads.....

Leaving Forms Authentication on will also allow the administrator/developer to log off as themselves and log in as an administrator or another user.

I also didn't Uncomment the <trust line (<trust level="Full" originUrl="http://localhost/.*" />)

I didn't make any changes to IIS except for setting asp.net to 2.0 instead of 1.1.

 

HOW IT WORKS-----

When a user visits the site they will have to login using childdomain\username.
Their DNN account is automatically created. Their username, FirstName, LastName and e-mail address are pulled.  The Display Name may not have been updated (depends on how they logged in and whether or not the trigger was used).  Unless the user checks "remember me", they WILL NOT be automatically logged in.  The only exception to this is the first user that visits the site after IIS has been restarted or changes to the web.config are made.

 

This solution works for me because I can log off and log back on as an administrator or a test user.  It also allows our users to log out so others can't use their pc to make changes to the site.

 

Just one more thing.... thanks to everyone who posted their problems/solutions; without this forum I would have gotten nowhere.  Also thanks to TAM for the AD Module.

 

matchbx
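
Added example (not part of the post above and not DNN's own code): a Python check that parses a web.config and reports the four settings the post touches, treating a commented-out line as absent, then lists any that differ from the configuration the post ends up with. The sample config is constructed, the function and key names are hypothetical, and it assumes the root element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed web.config in the state the post describes.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" />
    </httpModules>
    <identity impersonate="true"/>
    <authentication mode="Forms" />
    <!-- <trust level="Full" originUrl="http://localhost/.*" /> -->
  </system.web>
</configuration>"""

# Settings as the post leaves them (hypothetical key names).
POST_BASELINE = {
    "ad_module_enabled": True,   # Authentication httpModule uncommented
    "impersonate": True,         # <identity impersonate="true"/> uncommented
    "auth_mode": "Forms",        # not switched to Windows
    "trust_level": None,         # <trust> line left commented out
}

def audit_web_config(xml_text):
    """Return the state of the four web.config settings the post touches."""
    # ElementTree drops XML comments, so a commented-out line reads as absent.
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        raise ValueError("no <system.web> section found")
    modules = [m.get("name") for m in web.findall("httpModules/add")]
    identity = web.find("identity")
    auth = web.find("authentication")
    trust = web.find("trust")
    return {
        "ad_module_enabled": "Authentication" in modules,
        "impersonate": identity is not None
        and identity.get("impersonate", "").lower() == "true",
        "auth_mode": auth.get("mode") if auth is not None else None,
        "trust_level": trust.get("level") if trust is not None else None,
    }

def deviations_from_post(state):
    """List the settings that differ from the post's configuration."""
    return sorted(k for k, v in POST_BASELINE.items() if state.get(k) != v)

if __name__ == "__main__":
    state = audit_web_config(SAMPLE_WEB_CONFIG)
    print(state)
    print("deviations:", deviations_from_post(state) or "none")
```

With impersonation on and anonymous access disabled in IIS, requests run under the signed-in Windows account, so a deviation in either setting is worth reviewing alongside file-system and SQL permissions.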

 