Looking for DanBall
New Post
10/11/2007 1:39 PM
 

Hi DanBall,

I know from several of your posts that you have some involvement with administering websites for schools.  I have been running a dnn install at my school for a year now and would like to implement the AD component.  I was wondering if you could offer some planning suggestions as to the best way to proceed since my environment is probably much like yours - students, parents, board, faculty/staff, accessing the site internally (within the domain) and externally (regularly and as VPN users).  What have you settled on as far as your authentication model? How do your users authenticate with your site from within and from without?  What's done automatically and what requires a manual log in? Do you use a form for authentication?

No need for you to explain any of the technical difficulties you encountered along the way, I'll ask those questions later:-)

Thanks for any feedback.

Paul

 
New Post
10/11/2007 2:32 PM
 

I'm not Dan obviously but my major usage of the AD Provider and what led to my involvement with the project is a website for the college department that I work for (http://www.bus.nait.ca). We started using the AD Provider just over a year ago (summer of 2006) after having used DNN for the site for a year or so prior (I've personally been using DNN since DNN 1.06 or so).

My planning was pretty much making a copy of the site and db on a local computer, adding the provider, and seeing what broke. Then coming to the forum to find out how to fix it. Surprisingly there wasn't a lot to fix. I don't mean to say that it worked exactly how I wanted (and it still doesn't) but there weren't any showstoppers. The following are the issues I saw with the provider then:

  1. Synchronization didn't work properly but Stuart Hilbert had already created a fix for that and I updated it for DNN 4.
  2. Usernames didn't display properly but Stuart also fixed that and someone on the core fixed it in a later version.
  3. Users had to use the domain name when they log in manually but I used a script that someone else posted to get around that (http://www.dotnetnuke.com/Community/ForumsDotNetNuke/tabid/795/forumid/89/threadid/60815/scope/posts/Default.aspx)
  4. There was no way for internal users to log in automatically while leaving the option for external users to manually log in. This still isn't working to my satisfaction but I'll post more on it below.

RE: #4: To have users internally log in automatically the <add name="Authentication... /> has to be uncommented in the web.config and permissions applied through IIS to windowssignin.aspx. This works great except then any external users will get a Windows login prompt generated by IIS and if they cancel they get an error page. They can then retype the URL and manually log in but it's unprofessional and not intuitive (Grandma isn't going to know to do that). The only option then was to leave the line commented and force everyone to manually log in. Dan posted that he set up a link that pointed to WindowsSignin.aspx and I borrowed that (you can see it on http://www.bus.nait.ca/main/Resources/IDrive/tabid/58/Default.aspx and on http://www.bus.nait.ca/main/Resources/ComputerProblems/tabid/59/Default.aspx). After that it's pretty much like running any other DNN site.

 
New Post
10/11/2007 3:28 PM
 

Hi Mike,

Thanks for responding.  This is exactly the info I was looking for. Kudos to you for taking time to post so thoroughly.  I got a good laugh going to your site and seeing all the lab rules posted.  We're living in the same world:-) I manage several labs and students will be the death of me yet!

I too am following this same planning method - making a local copy, doing the install and seeing what breaks.  It looks like my best choice at this time is to follow what you've done and comment out the < add name="Authentication.../> line of the web config and let my dnn login link function as it has been doing.  I'm still a little confused on how the link to the windowsSignin.aspx still automatically logs the user in within the network if you had to comment out the < add name="Authentication.../> in the web.config to stop external users from getting the prompt.  I thought that line is what actually caused dnn to talk to AD and do the auto login? Please clarify. 

Some other things I'm seeing and still confused about:

When I have the < add name="Authentication.../> uncommented, my login module now has a Windows Signin option along with the standard option.  How is this intended to be used?

As far as syncing roles.  I have role groups and then roles within those groups.  The roles within those role groups correspond to my AD OU's.  Example - I have a role group in DNN called All School Faculty with roles within this group called Part-time Faculty and Full-time Faculty.  These roles are what actually correspond to my OU's in AD.  Is this the correct way to do this so that the roles sync properly?

Once again...thanks for all your help and hard work on the AD provider.

Paul

 
New Post
10/11/2007 4:35 PM
 

Paul Sellers wrote

As far as syncing roles.  I have role groups and then roles within those groups.  The roles within those role groups correspond to my AD OU's.  Example - I have a role group in DNN called All School Faculty with roles within this group called Part-time Faculty and Full-time Faculty.  These roles are what actually correspond to my OU's in AD.  Is this the correct way to do this so that the roles sync properly?

Well this part must be right because my test user from my faculty OU, once logged in to the site,  got added to my DNN role called faculty. One problem solved...ah, it's a good day.

Paul

 
New Post
10/11/2007 4:44 PM
 

Paul Sellers wrote

Hi Mike,

Thanks for responding.  This is exactly the info I was looking for. Kudos to you for taking time to post so thoroughly.  I got a good laugh going to your site and seeing all the lab rules posted.  We're living in the same world:-) I manage several labs and students will be the death of me yet!

I too am following this same planning method - making a local copy, doing the install and seeing what breaks.  It looks like my best choice at this time is to follow what you've done and comment out the < add name="Authentication.../> line of the web config and let my dnn login link function as it has been doing.  I'm still a little confused on how the link to the windowsSignin.aspx still automatically logs the user in within the network if you had to comment out the < add name="Authentication.../> in the web.config to stop external users from getting the prompt.  I thought that line is what actually caused dnn to talk to AD and do the auto login? Please clarify. 

With that line uncommented the <httpModule> basically redirects the site to hit WindowsSignin.aspx automatically. When it's commented out and you visit the WindowsSignin.aspx manually you go through the same process. If anyone external hits WindowsSignin.aspx they're going to get the ugly IIS Windows Login prompt.

Some other things I'm seeing and still confused about:

When I have the < add name="Authentication.../> uncommented, my login module now has a Windows Signin option along with the standard option.  How is this intended to be used?

In 4.6.0 and up that should show up whether the line is commented out or not if you've enabled Windows Authentication under Host->Authentication. It's part of the separation of the provider from the core code. If you had LiveID and OpenID enabled you'd get options for those as well. The intention would be that if they're a domain user wanting to log in they'd click on Windows Signin and enter their credentials. If they're a DNN user they'd click on Standard (default) to enter their credentials. I've contacted Charles about adding an enhancement to the provider wrapper so that an admin could choose a default but I don't know when it'll be added to the core. This is where I didn't have to do any special planning when I rolled out DNN 4.6.X as all of my users are going to be domain users. I just made my user account a superuser and disabled the standard login. That's why you don't see the choice on my site.

As far as syncing roles.  I have role groups and then roles within those groups.  The roles within those role groups correspond to my AD OU's.  Example - I have a role group in DNN called All School Faculty with roles within this group called Part-time Faculty and Full-time Faculty.  These roles are what actually correspond to my OU's in AD.  Is this the correct way to do this so that the roles sync properly?

Different role groups is something I haven't really tested. What I've been doing so far is just adding Part-Time Faculty and Full-time Faculty to the General group. One of the bugs/enhancements listed in Gemini is that the code doesn't drill down through security groups (ie: You've got a security group called SalesGroupA and SalesGroupB in the AD. SalesGroupB is also a member of SalesGroupA. In DNN you've only got SalesGroupA. The provider currently won't automatically add SalesGroupB AD users to SalesGroupA DNN Role automatically.) This is something that I need to fix in the future along with handling different role groups such as you've set up (I honestly don't know if Tam accounted for that or if Role Groups was even an option when he last updated the code that I inherited). Our (Charles and mine) initial intention was to release the code so that it worked as close to the original integrated code as possible. Once we knew it was "bug" free (didn't break any old functionality) I could then look at adding enhancements.

Once again...thanks for all your help and hard work on the AD provider.

Paul
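
The nested security group gap described in the last reply, worked through as an added example that is not part of the thread or of the AD provider's code. The directory data, user names and function names are constructed for illustration; only SalesGroupA and SalesGroupB come from the post.

```python
from collections import deque

# Constructed sample directory: group -> groups it is a direct member of.
GROUP_MEMBER_OF = {
    "SalesGroupB": {"SalesGroupA"},   # the nesting described in the post
    "SalesGroupA": {"AllStaff"},
    "AllStaff": {"SalesGroupA"},      # deliberate cycle to show the walk terminates
}

# Constructed sample users -> groups they are direct members of.
USER_MEMBER_OF = {
    "alice": {"SalesGroupA"},
    "bob": {"SalesGroupB"},
    "carol": {"Contractors"},
}

# Roles that exist on the DNN side; only SalesGroupA, as in the post.
DNN_ROLES = {"SalesGroupA"}


def direct_roles(user):
    """Roles matched on direct membership only (the behaviour the post describes)."""
    return USER_MEMBER_OF.get(user, set()) & DNN_ROLES


def effective_groups(user):
    """Every group the user belongs to, directly or through nesting."""
    seen = set()
    queue = deque(USER_MEMBER_OF.get(user, ()))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded: guards against cycles
            continue
        seen.add(group)
        queue.extend(GROUP_MEMBER_OF.get(group, ()))
    return seen


def nested_roles(user):
    """Roles matched after drilling down through nested groups."""
    return effective_groups(user) & DNN_ROLES


def role_gaps():
    """Users whose nested membership implies a role that direct matching misses."""
    gaps = {}
    for user in USER_MEMBER_OF:
        missing = nested_roles(user) - direct_roles(user)
        if missing:
            gaps[user] = sorted(missing)
    return gaps
```

Running `role_gaps()` against an export of real group memberships gives the list of accounts whose DNN roles would change once nested groups are honoured, which is worth reviewing before such a fix is enabled.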

 