Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationHELP: problem with AD synchronization while using Windows AuthenticationHELP: problem with AD synchronization while using Windows Authentication
Previous
 
Next
New Post
10/25/2007 9:00 AM
 
HrvojeTK

sgh
Joined: 8/2/2006
Posts: 21

Hello, people,

I just decided to use Windows Authentication with my 4.5.5 DotNetNuke intranet, after using Mixed authentication with auto login for a year. So I did the following:

1. Set IIS Authentication to "Integrated Security" for the whole web site.
2. Changed DotNetNuke web.config to use <Authentication mode="Windows" /> instead of Forms.
3. Commented out HttpModule.Authentication: <!--add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" /-->

And, voila! I entered the address in my browser and there I was, logged on automatically! I tried to log out, but I couldn't - just as expected.

But when I created a new user in Active Directory, logged on to windows as that user and tried to visit DNN website. BAM! I was being redirected from Default.aspx to Default.aspx, all the time, the loading progress bar of IE was flickering and nothing was happening. When I created new user in DotNetNuke with the same username, I logged on immediately.

So I came to conclusion: "If I use Windows authentication with my DotNetNuke, new users created in AD won't be able to log on DotNetNuke until I add them manually". Is this correct?

Also, if I use Windows Authentication, any users won't have their role membership snychronized with Active Directory! Is that also correct?

If you wonder why I switched from Mixed to Windows authentication: Mixed authentication with auto login worked well most of the times, but sometimes, users would got kicked out of DotNetNuke. For no reasons whatsoever. They would have to log in manually and then it would all work nicely for a couple of days/weeks/months, until they got kicked out again. My boss didn't find that amusing. :-(

I would really appreciate any feedback from you, guys.

Thanks!
 
New Post
10/25/2007 11:27 AM
 
Mike Horton


Joined: 7/16/2003
Posts: 4865

I haven't used the AD Provider with Windows Authentication vs. Forms Authentication other than when we first started using it with DNN 3.3.5 but I have heard of people going through the redirect hell before. Usually the fix was to switch back to Forms Authentication but that's not an option for you it sounds like. I haven't heard about being kicked out like you mentioned. At least to the degree that you are. There's a setting in the code that's supposed to set the cookie to a persistent level but with .NET 2.0 it only gets set to 30 minutes so I have heard of people getting logged out and logged back in at that time but not logged out completely. When you were using Forms Authentication were you using impersonation at all? That might solve the getting kicked out problem.
 
New Post
10/26/2007 3:33 AM
 
HrvojeTK

sgh
Joined: 8/2/2006
Posts: 21

When I used Forms Authentication I did not use impersonation at all. Do you think that could've been the reason for kicking out my users? What is the reason I should use impersonation? AFAIK, impersonation means that logged on user's credentials would've been used to access file system (specifically, I believe we're  talking about admin/security/windowssignin.aspx, right?) instead od NETWORK SERVICE's credentials?
 
When I was using Forms Authentication, I did a little experiment: I scheduled a request to my http://intranet.mycompany.com/Default.aspx webpage every 1 minute. I was getting the following responses 99% of the time:
 
--- REQUEST BEGIN ---
Resolving intranet.mycompany.com... 10.100.100.123
Connecting to intranet.mycompany.com|10.100.100.123|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://intranet.mycompany.com/Admin/Security/WindowsSignin.aspx?tabid=36
Reusing existing connection to intranet.mycompany.com:80.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to intranet.mycompany.com:80.
HTTP request sent, awaiting response... 401 Unauthorized
Reusing existing connection to intranet.mycompany.com:80.
HTTP request sent, awaiting response... 302 Found
Location: http://intranet.mycompany.com/Home/tabid/36/logon/windows/Default.aspx
Reusing existing connection to intranet.mycompany.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 45.350 (44K) [text/html]
--- REQUEST END ---
 
And that is fine. But at 1% of requests ended up with "500 Internal Server Error" instead of "200 OK" - and that's when users got logged off. I think those 500 errors were actually request time-outs because windowssignin.aspx did not respond.
 
Does that make any sense to you?
 
New Post
10/26/2007 3:30 PM
 
Mike Horton


Joined: 7/16/2003
Posts: 4865

It might be because of that but I can't say for sure.

As far as Windows Authentication vs. Form Authentication with impersonation: My understanding is that with Windows Authentication access to the file system would be using the users credentials and Forms with impersonation just set to true would also be. However <impersonation="true" userName="domain\user" password="password" /> uses just that user. That's how we've been doing it here where I work. We needed to use impersonation to get all the information out of the AD to fill the profile and synchronize the roles so just used a generic "has no special rights" user account and also gave that user the same rights on the DNN install that NETWORK SERVICE has. Because our site is an intranet/extranet site there was no automatic login but this morning I decided to test the next version of the AD provider in a larger production environment than I can in my dev environment. It has a "mixed-mode" enhancement so that intranet users login automatically but the code is bypassed for extranet users. If what is happening to your users is a wide range problem then I should see it or hear about it soon.
 
New Post
11/20/2007 6:54 PM
 
william clark

Joined: 8/3/2005
Posts: 36

I'm getting the same thing with impersonation and windows authentication on 4.07.  If I switch the web.config back to forms authentication I can get in (i guess that would be obvious).  Also in the obvious category--no user account is created.

I thought this impersonation setting had solved most of my problems until I found out that most users were getting a flickering progress bar.  I deleted my account and now get the same thing they do.  The only way I can get in now is with forms authentication.  The solution you mention above is not workable in our network environment because of security concerns.

I should also say that this does not seem to be unique to your new provider.  I've gotten this in older versions of DNN but I don't remember how I resolved it.
 
 Page 1 of 2
12Next 
Previous
 
Next
HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationHELP: problem with AD synchronization while using Windows AuthenticationHELP: problem with AD synchronization while using Windows Authentication


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out