Hello,
I have a DNN 4.7 host running with Windows Authentication (an Intranet portal), linked to a forest of 5 Active Directory domains. Only users of the local AD domain can access the portal: users from the other 4 domains get loaded into DNN at first logon, but their roles are not properly synchronized (their membership of a certain group, "Intranet_Usr", is not picked up in DNN, so their account is created, but without that role they cannot access the portal). I find errors like this in the event log when they try to log in:
AssemblyVersion: 04.07.00
PortalID: 0
PortalName: JBox
UserID: -1
UserName:
ActiveTabID: 54
ActiveTabName: Login
RawURL: /Login/tabid/54/Default.aspx?returnurl=%2fHome%2ftabid%2f36%2fDefault.aspx
AbsoluteURL: /Default.aspx
AbsoluteURLReferrer: http://jbox/Login/tabid/54/Default.aspx?returnurl=%2fHome%2ftabid%2f36%2fDefault.aspx
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
DefaultDataProvider: DotNetNuke.Data.SqlDataProvider, DotNetNuke.SqlDataProvider
ExceptionGUID: 7107962c-47a2-46f6-9eee-ce7857bc8a2c
InnerException: Object reference not set to an instance of an object.
FileName:
FileLineNumber: 0
FileColumnNumber: 0
Method: DotNetNuke.Authentication.ActiveDirectory.ADSI.ADSIProvider.GetUser
StackTrace:
Message: System.NullReferenceException: Object reference not set to an instance of an object. at DotNetNuke.Authentication.ActiveDirectory.ADSI.ADSIProvider.GetUser(String LoggedOnUserName, String LoggedOnPassword)
The strange thing is that if I manually add that role in DNN, they can work! And at the next logon, even with SynchronizeRoles enabled, they can keep accessing the portal.
It seems like something goes wrong at first logon, due to some synchronization problem I cannot understand. The setup is IDENTICAL to the development server's, and on that server first-logon synchronization DOES work (the sync is not complete, for example the display name is not acquired from AD, but I have to solve this first)... I cannot find what the hell is causing the problem ;(
My setup: under Admin/Auth. Settings I specified ADSIAuthenticationProvider with Delegation as the Auth. type, and did not specify any root domain. When I check the setup, I get a successful response and all 5 domains are visible:
Accessing Global Catalog:
OK
Checking Root Domain:
OK
Accessing LDAP:
OK
Find all domains in network:
5 Domain(s):
dom1.internal.XXXXXX.com (DOM1)
dom2.internal.XXXXXX.com (DOM2)
dom3.internal.XXXXXX.com (DOM3)
dom4.internal.XXXXXX.com (DOM4)
dom5.internal.XXXXXX.com (DOM5)
The user I specified to be used for AD authentication does have permissions to "talk" to all of the LDAP servers (otherwise, I believe, I could not see this result when checking the setup).
However, only members of the local domain are successfully synchronized at first (and subsequent) logon.
The role group "Intranet_Usr" is a universal group, and all users who must access the site are members of this group in all AD domains. But, as said before, only members of the local domain can successfully access.
Am I doing something wrong in my setup? Or is there some fix available for the AD Provider that could help me? Desperately seeking a solution: I don't want to manually add 400 users to that group ;)
Thank you very much for any help,
Alberto.
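An added diagnostic that a practitioner might run against the setup described in this post; it is not part of the post and not code from DNN's ActiveDirectory provider. It uses System.DirectoryServices to check, for a user from any of the 5 domains, whether the account is found through the forest Global Catalog, whether the universal group "Intranet_Usr" appears in the GC's memberOf for that account, and whether the group SID is in the tokenGroups computed by a DC of the user's home domain. The account name passed in, the script name, and running it from a forest-joined machine are assumptions.

```powershell
# Added diagnostic (not from the original post or from DNN).
# Assumes a forest-joined machine and a test account name supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,   # assumed test user
    [string]$GroupName = 'Intranet_Usr'                        # group named in the post
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Search the Global Catalog: it holds a partial replica of every object in every
#    domain of the forest, so a foreign-domain user must be findable here.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gc     = New-Object System.DirectoryServices.DirectoryEntry("GC://$($forest.Name)")
$search = New-Object System.DirectoryServices.DirectorySearcher($gc)
$search.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$search.PropertiesToLoad.AddRange(@('distinguishedName', 'displayName', 'memberOf'))
$hit = $search.FindOne()
if (-not $hit) { throw "User '$SamAccountName' not found in the Global Catalog." }

$dn = [string]$hit.Properties['distinguishedname'][0]
# Derive the home domain FQDN from the DC= components of the DN.
$homeDomain = (($dn -split ',') |
    Where-Object { $_ -like 'DC=*' } |
    ForEach-Object { $_.Substring(3) }) -join '.'
Write-Host "Found $dn (home domain: $homeDomain)"
Write-Host "displayName in GC: $($hit.Properties['displayname'])"

# 2. memberOf as the GC sees it. Only universal groups replicate their member list
#    to the GC, so a global or domain-local group from a foreign domain will NOT
#    appear here even if the user is a member of it.
$gcGroups = @($hit.Properties['memberof'])
Write-Host "memberOf (GC view): $($gcGroups.Count) group(s)"
$inGcView = $gcGroups | Where-Object { $_ -like "CN=$GroupName,*" }

# 3. tokenGroups computed by a DC of the user's own domain: the authoritative list
#    of group SIDs the user's logon token will carry, nested groups included.
$user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$homeDomain/$dn")
$user.RefreshCache(@('tokenGroups'))
$tokenNames = foreach ($raw in $user.Properties['tokenGroups']) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}
$inToken = $tokenNames | Where-Object { $_ -like "*\$GroupName" }

# Summary: both columns should be True for a user who is expected to get the role.
[pscustomobject]@{
    User               = $SamAccountName
    HomeDomain         = $homeDomain
    GroupInGcMemberOf  = [bool]$inGcView
    GroupInTokenGroups = [bool]$inToken
}
```

Run it as the same account DNN uses for AD authentication (for example `.\Check-IntranetRole.ps1 -SamAccountName jdoe` from a shell started under that account) so that the LDAP and GC permissions tested are the ones the provider actually has; a user from a non-local domain for whom GroupInGcMemberOf or GroupInTokenGroups comes back False points at the directory side rather than at the DNN provider.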