DNN 4.3.5, brand new installation

In the hope that posting a successful configuration might be valuable for some still feelign frustrated, here is what I was able to do.

First, I am trying to create an Intranet portal for use by domain users only.  I want DNN to recognize who is logged into Windows so that users do not need to login the the portal.  I will be using group membership to restrict viewing of certain pages to certain groups.

Here are the changes to a brand new 4.3.5 installation (unzipped from the Install zip file):

1. Per http://www.dotnetnuke.com/Community/ForumsDotNetNuke/tabid/795/forumid/89/threadid/73435/scope/posts/Default.aspx:
1. Updated four DLL's to fix several AD problems.
2. I cannot speak to the efficacy of these, but it appears that they are a "good thing".
2. Per http://www.dotnetnuke.com/Community/ForumsDotNetNuke/tabid/795/forumid/89/threadid/53005/scope/posts/Default.aspx:
1. Using IIS, changed permissions of WindowsSignIn.aspx to REMOVE anonymous access
2. Modified web.config to UN-comment the <httpModules><add name="Authentication"...> directive
3. Per general instructions for Admin:Authentication
1. Checked "Windows Authentication?"
2. Checked "Synchronize Role?"
3. Set "Root Domain" to "OU=People,dc=mydomain,dc=com" (we have all AD users under the OU named "People")
4. Set "User Name" to <ad user>@mydomain.com (I created a special AD user just for AD authentication)
5. Set password to the password for the user above
6. Set "Email Domain" to "@mydomain.com"

I confirmed that this works for regular users.  However, there are several caveats.

1. Incomplete user profiles in AD cause problems
1. If a user does not have email in AD (many of our users do not have email), the user is still created in DNN, but the email field is blank.
1. This causes an error when listing any users that do not have an email.
2. I do not know how to fix this since I cannot get to the user profile to add an email address.
2. We have some generic training accounts that do not have a first or last name (has one or the other).
1. These users also cause problems in User Manager.
3. I managed to fix one of these bad users by manipulating the tables, but this was a bad thing in general.
4. Perhaps there is a way to provide defaults for these values if they are blank (and let me pick the defaults!).
2. I don't know how to redirect http://myserver to http://myserver/admin/WindowsSignIn.aspx when users first open the page.
1. I know I can set users' home page to the complicated URL, but that is a recipe for disaster.
2. Does anyone know how to force WindowsSignIn to be invoked if the user is not logged in?
3. Logout is still available
1. Generally this is not a problem, but could confuse users
2. It is actually the only way I know to login as the host user--logout as me and login as host user.

I am sure I missed something in my description, but I hope this gives confidence to someone still frustrated with a not-quite-ready-for-prime-time release.

I'm trying to do roughly the same as you - with more or less success depending on which bit you look at.

To make signing in easy for users, I added a "links" module to the home page. It has a single link to http://myserver/admin/WindowsSignIn.aspx. I set the display text for the link to "Sign in as the Current Windows User". Finally I made the links module only visible to unauthenticated users. This gives users a quick and easy way to sign in when web.config is setup to use forms authentication.

To force automatic signin, just change web.config to use windows authentication rather than forms authentication. (See section of web.config at end of this post for how to do this). This somewhat nullifies the above suggestion as the user can no longer sign out to ever see the module. To get around this limitation of not being able to sign out (this stops me gaining access to the portal to effect changes), I had to create a domain account called <domain>\Portalhost. I added a user with the same user name to the superuser accounts. Then, by logging in to windows as portalhost and accessing the portal, I can still make changes to the portal without making edits to the web.config every time. This is a good solution for me as I have access to a WTS box and I just RDP to is as portalhost and make changes from there.

I am still having some issues though.

1. I must be blind because I cannot find the list of changes you referenced in another thread. Consequently I have problems with auto role assignments. Where did you get the changes from? (preferably source and compiled). If someone can point them out to me I'd be very grateful.
2. I have an AD group X whose members are those in AD group Y. I also define roles X and Y in my portal. People who are in AD grout Y are automatically put into role Y. However, AD knows these users are also in group X, but DNN does not appear to put the users into role X. Still puzzling over this one. Hopefully the above problem will resolve this.
3. Since I upgraded to DNN 4.3.5, the concept of "display name" has appeared. This is not populated from the AD and so no user name is displayed to the user to show who is logged in (and to have something to click on to make changes). Consequently, I have to make edits from the host account whenever a new user uses the portal. Mildly annoying.

Thanks

Bill

<!-- Forms or Windows authentication -->

<!-- Forms authentication 

<authentication mode="Forms">

<forms name=".DOTNETNUKE" protection="All" timeout="60" cookieless="UseCookies" />

</authentication> -->

<!-- Windows authentication -->

<identity impersonate="true"/>

<authentication mode="Windows">

</authentication>

Ah, that is an excellent idea.  I attached to the DB file using SQL Server 2005 management tools, but that seemed to screw up DNN while I did so.  I didn't want to mess up my DB.

This is for our corporate Intranet with hundreds of users.  If I create an alias for the server, something like "intranet", I want users to be able to just enter "intranet" in IE and have it log them in.  We would get many Help Desk calls about that URL.  Also, linking back to the Intranet from other web applications becomes problematic.

I want to get it down to just typing "intranet" in IE, which leads to...

I tried this, but I may not have done it right.  I tried to add my server name, say "intranet" as a trusted site.  That did not appear to make any difference--I was not logged in when I went to the root URL (http://intranet).  I still had to go to http://intranet/admin/WindowsSignIn.aspx before I was automatically signed in.

There may be a simple fix for this, but I am not sure what I am missing.

Ah, another good point.

That is an excellent idea.  I did not know one could log in again before logging out.