Turn On Active Directory
I believe I have Active Directory setup correctly...I can see users and roles in the Administration area.
What I can't seem to figure out now is how to turn on pass-through authentication and have Sitefinity recognize it. Obviously in IIS I have to switch to Windows Authentication only, but what do I have to do in Sitefinity to have it accept that authentication and log users in automatically? Thanks.
Hello Philip,
Sitefinity relies on FormsAuthentication and we require generating a FormsAuthenticationTicket. Basically, you cannot use Windows authentication directly. We have an LDAP provider for AD, which is just a membership provider that Sitefinity uses as an acceptor to get data for your users and roles. A possible solution would be to authenticate the users through a service call once they get logged in by using a console application. You can take a look at this post
Hi Ivan,
Thanks for the reply. So this sounds like a complete departure from the model in 3.7. In our current 3.7 implementation, we're using Windows Authentication and passing the credentials directly to Sitefinity, which is using AD as its membership/role provider. Here is some of the code from the current web.config that implements that solution:
connection string...
<add name="ADService" connectionString="LDAP://windc1/DC=domain,DC=com" />

<roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Sitefinity">
  <providers>
    <clear />
    <add name="Sitefinity"
         applicationName="/"
         description="Telerik Role Provider for Active Directory"
         authenticationType="Secure"
         userSearchFilter="(&amp;(sAMAccountType=805306368)(sAMAccountName=0))"
         roleSearchFilter="(&amp;(objectClass=group)(sAMAccountName=0))"
         userDefinitionFilter="sAMAccountType=805306368"
         groupDefinitionFilter="(objectClass=group)"
         connectionStringName="ADService"
         type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security"
         connectionUsername="tagwsadm"
         connectionPassword="crystal0"
         groupMaps="Administrators, Domain Admins, EIS, IT_U-TAG, Domain Users"
         domainName="DOMAIN"
         searchScope="subtree" />
  </providers>
</roleManager>

<membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
  <providers>
    <clear />
    <add name="Sitefinity"
         connectionStringName="ADService"
         enableSearchMethods="true"
         attributeMapUsername="sAMAccountName"
         connectionUsername="username"
         connectionPassword="password"
         type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security" />
  </providers>
</membership>

<security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
  <roles>
    <clear />
    <add name="EIS" permission="Unrestricted" />
    <add name="IT_U-TAG" permission="Unrestricted" />
    <add name="Administrators" permission="Unrestricted" />
  </roles>
  <providers>
    <clear />
    <add name="DefaultSecurityProvider"
         connectionStringName="DefaultConnection"
         type="Telerik.Security.Data.DefaultSecurityProvider, Telerik.Security.Data"
         membershipProvider="Sitefinity"
         roleProvider="Sitefinity" />
  </providers>
</security>
Hi Philip,
Actually, your configuration snippets just show AD setup in Sitefinity 3.x. You can use Active Directory with Sitefinity 4.0 in the same way that this works in 3.x versions. In 3.x and 4.0 we do not provide an option for SSO out of the box.
Regards,
Ivan Dimitrov
the Telerik team
Hi Ivan,
Thanks for the reply.
If the setup we're currently using in Sitefinity 3.x can be applied to Sitefinity 4.0, can you guide me on where to place the configuration as the web.xml has changed and some of the groupings are no longer available.
This piece of code:
<security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
  <roles>
    <clear />
    <add name="EIS" permission="Unrestricted" />
    <add name="IT_U-TAG" permission="Unrestricted" />
    <add name="Administrators" permission="Unrestricted" />
  </roles>
  <providers>
    <clear />
    <add name="DefaultSecurityProvider"
         connectionStringName="DefaultConnection"
         type="Telerik.Security.Data.DefaultSecurityProvider, Telerik.Security.Data"
         membershipProvider="Sitefinity"
         roleProvider="Sitefinity" />
  </providers>
</security>
Hi Philip,
In Sitefinity 4.0 you have to configure the AD provider from Sitefinity/Administration/Settings/Advanced
and then go to Security >> LDAP Settings.
Best wishes,
Ivan Dimitrov
the Telerik team
I've done that part already...
If you look at ldap1, ldap2, ldap3 images attached, you can see that I've configured the LDAP connection and enabled the role and membership providers. This works as I can assign my AD roles and users to permissions.
I'm assuming that to use AD as my security provider, I have to add an entry into Security Providers as seen in ldap4 image? Is that correct?
So...I'm connecting to my AD server, I just need to make it the default membership and role providers, which was in the <configuration><telerik> section of the web.xml before that no longer exists.
Can you help me figure out how to get those settings into 4.0 either through one of the xml files or the Administrative area? Thanks.
Hi Philip,
Sorry for the confusion. It seems there has been some misunderstanding on both sides in the communication.
Windows authentication is not yet supported in v4.0. Since the usage of this feature is quite limited, it is with low priority for the time being. I will try to raise the priority of this task. We are definitely going to support it, but unfortunately I cannot give you a time frame immediately.
Regards,
Hi
I'm also in desperate need of Windows Authentication, please raise the priority!
/Keivan
Hi Bob,
Thanks for the information...I'm glad I'm not going crazy in trying to figure out how to make that work =)
I know you can't really give me a time frame, but do you know at least if it's something that's going to be included with the official release next year or added as an additional feature at a later time? I have a deadline of 3/31/2011 to launch and if it's going to be a possibility for at least sometime in Q1, I'll continue with my 4.0 development, otherwise I'll have to drop back down to 3.7.
Thanks.
Hello Philip,
Most probably we will have this feature for the official release scheduled in the middle of January. We implemented it locally, but we have to test the implementation and perform some bug fixing if there are any issues.
Regards,
Ivan Dimitrov
the Telerik team
Any more info about Windows Authentication, is it in RC2 or will it be available in RTM?
/Keivan
Hello Philip,
The implementation is not completed. I will update the post with some more information when you are able to try the WindowsAuthentication.
Greetings,
Ivan Dimitrov
the Telerik team
Can anyone help me with the skins? My application is guarded by single sign-on. If I apply SSO to my application, the skins for the RadControls aren't applying. Please guide me in this.
Thanks
Hi David,
Could you check whether all resources are loaded? There should not be a problem with SSO. Can you provide some more details that will help us to narrow down the issue you have?
All the best,
Ivan Dimitrov
the Telerik team
Here’s the solution:
http://forums.asp.net/p/1040236/3272631.aspx
This one is a bit old, but it still applies to those who use SiteMinder (CA Netegrity) if you are having this problem. If this is already answered elsewhere in this thread sorry for the repeat in advance.
Our problem manifested not as a "Sys" problem, but just that everything that was AJAX based didn't appear which, in our case, was about 70% of the information provided by our site. Not a good thing. A check of the weblogs showed every single call to an .axd file was returned as a 404 error. We turned off Siteminder and tried again and everything worked fine.
What Blue Coat wrote in the article is correct, but you don't need to add the two empty files. As stated elsewhere it does work but it doesn't address the root of the problem. To make Siteminder stop blocking it:
I was pulling my hair out trying to figure this one out, we were standing up a new server and everything mirrored the old one yet SSO worked on the old and not on the new. After a couple days of working with the helpdesk found out that the updated installation documentation we were provided omitted that fact to ensure you uncheck that checkbox, the older documentation we used to install on the old server had it. By default, when adding a Wildcard Mapping that checkbox is checked.
Thanks for your replies.... Thinking this would help others.......
Thanks.
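The weblog check described in the post above, as an added example that is not part of the original thread or any Telerik or SiteMinder code: it reads an IIS W3C extended log, groups response codes by file extension, and reports extensions where every request returned 404 while other content was served. The sample log lines are constructed, and the function names and the `min_hits` threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed IIS W3C extended log sample (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2011-02-01 10:00:01 GET /default.aspx - 200
2011-02-01 10:00:01 GET /WebResource.axd d=abc 404
2011-02-01 10:00:02 GET /ScriptResource.axd d=def 404
2011-02-01 10:00:02 GET /Telerik.Web.UI.WebResource.axd type=rca 404
2011-02-01 10:00:03 GET /images/logo.png - 200
"""


def status_by_extension(log_text):
    """Return {extension: Counter({status: hits})}, using the #Fields header."""
    fields, stats = [], defaultdict(Counter)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed rows
        row = dict(zip(fields, parts))
        name = row.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else "(none)"
        stats[ext][row.get("sc-status", "?")] += 1
    return stats


def blocked_extensions(stats, min_hits=3):
    """Extensions whose requests all returned 404 while other content got 200."""
    served = any(counts.get("200") for counts in stats.values())
    return sorted(
        ext for ext, counts in stats.items()
        if served and sum(counts.values()) >= min_hits and set(counts) == {"404"}
    )


if __name__ == "__main__":
    for ext in blocked_extensions(status_by_extension(SAMPLE_LOG)):
        print(f"every request for {ext} returned 404; check the SSO agent mapping")
```
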
Any news? Is Windows Authentication implemented?
Hi Keivan Kechmiri,
Yes, Windows Authentication has been implemented.
There are currently issues with the concurrent users though - since you authenticate automatically, once you reach the users limit, all the other users will be authenticated as anonymous. We will improve this with 4.2 (Q2) release - if the users are authenticated but they do not enter the backend, they will not be counted as concurrent.
Hello,
Have those issues been addressed?
Zyad
Hello Zyad,
These issues haven't been resolved yet. The technical challenges there turned out to be big, but we are still looking forward in resolving them.
All the best,
Is this working properly in SF4.4 ?
Hello Stephane,
Our tentative plan is to include this feature in 5.0 in February.
All the best,
Georgi
the Telerik team
What is the status of this. I very much would like to interface with Active Directory, ideally windows auth as well. Is there a tutorial or sample out there I can see? Thanks.
Sorry, duplicate post. Please delete this.
Is there documentation or a tutorial for how to do this? I'm really struggling with this as well. Is it forms auth that taps into AD or is it truly windows auth? I am trying to tie the content management to users based on role in Active Directory, but have the site viewable to all.