How much can Active Directory do???

New Post
8/4/2016 2:38 PM
Hey Everyone!

I have an Active Directory related question that I am really hoping someone can help me with. I'll give a TL;DR first, then more details below; please let me know anything you think might be helpful.

TL;DR --------

Can DNN articulate what user is trying to access a file on a network to the file system?

So rather than:

AD[ allows user access to portal ] -> user requests a file on the portal -> DNN grabs this through its AD permissions -> DNN determines if the file can be served to the user through its permissions

I would like:

User is logged into portal through AD -> user requests a file on the portal -> the portal articulates to the file system "I am making this request on behalf of this AD user" -> file system can deny the request because the AD user does not have access to the file despite the fact that DNN as an AD user may have access.

Reasoning: certain files on our network NEED to be managed through the AD permissions for data privacy reasons but I would like for our portal to be able to allow access or deny access to certain confidential resources at the file system level so that even an administrator or someone cannot manipulate DNN to access files that they cannot access.

Detailed Info --------

The way I understand AD to work is that AD manages groups and users within those groups, and within the file system you can articulate which users/groups are allowed to access a resource through those group assignments.

So "If I belong to a group that has access to a file/folder on a network -> I have access to that resource" (Kind of a truism).

I would like to set up some folders on our DNN servers where read/write access is managed by the file system and not by DNN permissions.

The way that I currently understand a request flow to work is:

1. AD determines if I [the user] have access to the DNN portal
2. When loading a page DNN requests files from the file server [through the "DNN User" (not my permissions but the sites permissions)]
3. DNN makes the determination if it will serve a file or not based on the permission I [the user] have been given within the DNN permission structure.

What I would like is:

1. AD determines if I [the end user] have access to the DNN portal
2. When loading a page DNN requests files from the file server but communicates to the file system that it's requesting these on behalf of me [the end user]
3. If I [the end user] do NOT have access to a particular file even though DNN [the "user" in AD] would, it will deny DNN the file because I [the end user] am not permitted access to the file within the AD structure/file system.

I would like to be able to set up certain files/folders to which the site permission structure cannot grant ANYONE access if access is denied to a user/group at the file system/AD level.

Please let me know if I can clarify any of this; it's all a bit confusing. Thank you ahead of time for any help I might receive!!!

 
New Post
8/6/2016 4:52 AM
Accepted Answer 

The way I understood this scenario is:

Assumptions:

  • we have a DNN website,

  • we have AD user, let’s say username: ‘bob’, corresponding DNN user id: 11,

  • DNN website is configured with Active Directory,

  • users are automatically signed-in to DNN on behalf of their AD identity (aka SSO);

  • we have DNN page with a ‘Digital Asset Management’ module (aka File Explorer) that can list DNN folder/file structure, (this module will help us to determine the user file permissions),

  • ‘Digital Asset Management’ module is visible for all registered users,

  • we have a file ‘Denied.txt’ located in DNN user ‘bob’ home directory, which is: ‘\Portals\0\Users\011\11\11\Disallow.txt’

  • AD user ‘bob’ has the following attribute set for that file: Read -> Deny

  • at the end of the web.config file are the following lines; this snippet instructs IIS to check file permissions before the file is displayed:

<location path="Portals/0/Users/011/11/11/Disallow.txt">
  <!-- Disable Forms Authentication -->
  <formsAuthenticationWrapper enabled="false" />
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" useKernelMode="false" />
      </authentication>
    </security>
  </system.webServer>
</location>

Test scenario

User “bob” is signed in to DNN. He is able to see DNN files through the “Digital Asset Management” module, even the \Portals\0\Users\011\11\11\Disallow.txt file. But when he wants to see the content of this file he gets a ‘Windows Security’ popup, then the browser receives HTTP Error 401.3 - Unauthorized:

“You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.”



I am able to reproduce this scenario using the “AD-Pro Authentication v3” module; I haven't tested the free plugin "DNN Auth".
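The same IIS mechanism applied to a whole folder rather than one file, as an added example that is not part of the original answer or of DNN. It assumes the folder path from the answer (Portals/0/Users/011/11/11), that the Windows Authentication feature is installed on the IIS server, and that the NTFS ACL on that folder already carries a Deny Read entry for the AD user or group that must not read the files. The `<formsAuthenticationWrapper>` element in the answer is not a built-in IIS or ASP.NET element and is left out here; only the IIS `system.webServer` settings are shown.

```xml
<!-- Added example (not from the original post). Assumed: the folder below is the
     one to protect, Windows Authentication is installed, and the NTFS ACL on the
     folder already denies Read to the AD principal that must not see the files.
     With these settings IIS evaluates the NTFS ACL of every file under the path
     against the Windows identity of the requesting user; a denied user receives
     HTTP 401.3 instead of the file, whatever DNN's own folder permissions say. -->
<configuration>
  <!-- Scope the override to the whole folder instead of a single file. -->
  <location path="Portals/0/Users/011/11/11">
    <system.webServer>
      <security>
        <authentication>
          <!-- No anonymous fallback: every request must carry a Windows identity. -->
          <anonymousAuthentication enabled="false" />
          <!-- Same values as in the answer: Windows (Negotiate/NTLM) authentication
               handled in user mode for this path. -->
          <windowsAuthentication enabled="true" useKernelMode="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

Two checks before relying on this. First, the `anonymousAuthentication` and `windowsAuthentication` sections are locked at server level by default (`overrideModeDefault="Deny"` in applicationHost.config), so a site-level `<location>` override produces an HTTP 500.19 configuration error until they are unlocked, for example with `appcmd unlock config /section:system.webServer/security/authentication/anonymousAuthentication` and the same for `windowsAuthentication`. Second, the NTFS check only applies to requests that IIS serves directly from that path: a file that DNN streams through its own code (for example via LinkClick.aspx) is read under the application pool identity, not the end user's, unless the application is configured to impersonate, so those download routes need to be reviewed separately. As the answer notes, the Digital Asset Management module still lists the file; only the content is blocked.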


 
New Post
8/6/2016 11:09 AM
 
Hey, thank you very much for the reply! I would say you both understand my problem AND have offered a perfect solution! Thank you very much; now that I know this is possible we can (hopefully) move forward.

 

Thank you again!
