Turn On Active Directory

Posted by Community Admin on 03-Aug-2018 01:36

Turn On Active Directory

All Replies

Posted by Community Admin on 17-Dec-2010 00:00

I believe I have Active Directory setup correctly...I can see users and roles in the Administration area.

What I can't seem to figure out now is how to turn on pass-through authentication and have Sitefinity recognize it. Obviously in IIS I have to switch to Windows Authentication only, but what do I have to do in Sitefinity to have it accept that authentication and log users in automatically? Thanks.

Posted by Community Admin on 17-Dec-2010 00:00

Hello Philip,

Sitefinity relies on FormsAuthentication and we require generating  FormsAuthenticationTicket. Basically you cannot use directly the way of windows authentication. We have LDAP provider for AD which is just a membership provider that Sitefinity uses as an acceptor to get data for your user and roles. Possible solution would be to authenticate the users through service call once they get logged in by using a console application. You can take a look at this post



Regards,
Ivan Dimitrov
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 17-Dec-2010 00:00

Hi Ivan,

Thanks for the reply. So this sounds like a complete departure from the model in 3.7. In our current 3.7 implementation, we're using Windows Authentication and passing the credentials directly to Sitefinity which is using AD as it's membership/role provider. Here is some of the code from the current web.config that implements that solution:

connection string...

<add name="ADService" connectionString="LDAP://windc1/DC=domain,DC=com" />

role manager and membership provider...
<roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Sitefinity">
  <providers>
    <clear />
    <add name="Sitefinity" applicationName="/" description="Telerik Role Provider for Active Directory" authenticationType="Secure" userSearchFilter="(&(sAMAccountType=805306368)(sAMAccountName=0))" roleSearchFilter="(&(objectClass=group)(sAMAccountName=0))" userDefinitionFilter="sAMAccountType=805306368" groupDefinitionFilter="(objectClass=group)" connectionStringName="ADService" type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security" connectionUsername="tagwsadm" connectionPassword="crystal0" groupMaps="Administrators, Domain Admins, EIS, IT_U-TAG, Domain Users" domainName="DOMAIN" searchScope="subtree" />
  </providers>
</roleManager>
<membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">
  <providers>
    <clear />
    <add name="Sitefinity" connectionStringName="ADService" enableSearchMethods="true" attributeMapUsername="sAMAccountName" connectionUsername="username" connectionPassword="password" type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security" />
  </providers>
</membership>

and the security provider that sets the membership and role provider to AD and puts a couple AD groups into the unrestricted group
<security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
  <roles>
    <clear />
    <add name="EIS" permission="Unrestricted" />
    <add name="IT_U-TAG" permission="Unrestricted" />
    <add name="Administrators" permission="Unrestricted" />
  </roles>
  <providers>
    <clear />
    <add name="DefaultSecurityProvider" connectionStringName="DefaultConnection" type="Telerik.Security.Data.DefaultSecurityProvider, Telerik.Security.Data" membershipProvider="Sitefinity" roleProvider="Sitefinity" />
  </providers>
</security>


Is this model not available in Sitefinity 4 for us to use anymore? I hope it is because it would be a complete deal breaker for our company if we can't do this and we'll have to cancel our subscription and find a different solution. Sitefinity is used for our intranet and having pass-through Windows authentication is an absolute requirement that the higher ups will not let us go without. We are a single sign-on company for everything.

Please let me know what our options are...I recommended Sitefinity to my company and we need to know if we are going to be stuck on v3.7 because of this. Thanks.

Posted by Community Admin on 20-Dec-2010 00:00

Hi Philip,

Actually your configuration snippets just show AD setup in Sitefinity 3.x. You can use Active Directory with Sitefinity 4.0 in the same way that this works in 3.x versions. In 3.x and 4.0 we do not provider an option for SSO out of the box.

Regards,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 20-Dec-2010 00:00

Hi Ivan,

Thanks for the reply.

If the setup we're currently using in Sitefinity 3.x can be applied to Sitefinity 4.0, can you guide me on where to place the configuration as the web.xml has changed and some of the groupings are no longer available.

This piece of code:

<security defaultProvider="DefaultSecurityProvider" cmsProvidersName="Sitefinity">
  <roles>
    <clear />
    <add name="EIS" permission="Unrestricted" />
    <add name="IT_U-TAG" permission="Unrestricted" />
    <add name="Administrators" permission="Unrestricted" />
  </roles>
  <providers>
    <clear />
    <add name="DefaultSecurityProvider" connectionStringName="DefaultConnection" type="Telerik.Security.Data.DefaultSecurityProvider, Telerik.Security.Data" membershipProvider="Sitefinity" roleProvider="Sitefinity" />
  </providers>
</security>

is currently under <configuration><telerik>, but there is no longer a <telerik> section in web.xml.
should this now go under <securityconfig><securityproviders> in SecurityConfig.xml?

Should I put my Active Directory connection string in DataConfig.xml or should that stay in web.xml?

The role manager and membership providers are currently under system.web in web.xml. I see in 4.0 that the membership provider is still in web.xml under system.web, but the role manager is not present at all. Is it okay to add the role manager to system.web as well as my membership provider?

Thanks for the info...hopefully we can get this working.

Posted by Community Admin on 20-Dec-2010 00:00

Hi Philip,

In Sitefinity 4.0 you have to configure the AD provider from Sitefinity/Administration/Settings/Advanced
 and then go to Security >> LDAP Settings.



Best wishes,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 20-Dec-2010 00:00

I've done that part already...

If you look at ldap1, ldap2, ldap3 images attached, you can see that I've configured the LDAP connection and enabled the role and membership providers. This works as I can assign my AD roles and users to permissions.

I'm assuming that to use AD as my security provider, I have to add an entry into Security Providers as seen in ldap4 image? Is that correct?

So...I'm connecting to me AD server, I just need to make it the default membership and role providers which was in the <configuration><telerik> section of the web.xml before that no longer exists.

Can you help me figure out how to get those settings into 4.0 either through one of the xml files or the Administrative area? Thanks.

Posted by Community Admin on 21-Dec-2010 00:00

Hi Philip,

Sorry for the confusion. It seems there has been some misunderstanding on both sides in the communication.

Windows authentication is not yet supported in v4.0. Since the usage of this feature is quite limited, it is with low priority for the time being. I will try to raise the priority of this task. We are definitely going to support it, but unfortunately I cannot give you a time frame immediately.

Regards,

Bob
the Telerik team

 

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 21-Dec-2010 00:00

Hi

I'm also in desperate need of Windows Authentication, please raise the priority!

/Keivan

Posted by Community Admin on 21-Dec-2010 00:00

Hi Bob,

Thanks for the information...I'm glad I'm not going crazy in trying to figure out how to make that work =)

I know you can't really give me a time frame, but do you know at least if it's something that's going to be included with the official release next year or added as an additional feature at a later time? I have a deadline of 3/31/2011 to launch and if it's going to be a possibility for at least sometime in Q1, I'll continue with my 4.0 development, otherwise I'll have to drop back down to 3.7.

Thanks.

Posted by Community Admin on 22-Dec-2010 00:00

Hello Philip,

Most probably we will have this feature for the official release scheduled in the middle of January. We implemented it locally, but we have to test the implementation and perform some bug fixing if there are any issues.

Regards,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 06-Jan-2011 00:00

Any more info about Windows Authentication, is it in RC2 or will it be available in RTM?

/Keivan

Posted by Community Admin on 06-Jan-2011 00:00

Hello Philip,

The implementation is not completed. I will update the post with some more information when you will be able to try the WindowsAuthentication.

Greetings,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 17-Jan-2011 00:00

Can AnyOne Help me with the Skins. My application is garded by single Sign-On. If I apply SSo to my application the skins for the radcontrols ant applying. Please guid me in this.

Thanks

Posted by Community Admin on 18-Jan-2011 00:00

Hi David,

Could you check whether all resources are loaded? There should not be a problem with SSO.  Can you provide some more details that will help us to narrow down the issue you have?

All the best,
Ivan Dimitrov
the Telerik team

Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 24-Jan-2011 00:00

I got this issue resolved. That was an IIS Issue and below are the steps for resolving it. Thanks for your reply Ivan.......

Here’s the solution:

http://forums.asp.net/p/1040236/3272631.aspx

This one is a bit old, but it still applies to those who use SiteMinder (CA Netegrity) if you are having this problem. If this is already answered elsewhere in this thread sorry for the repeat in advance.

Our problem manifested not as a "Sys" problem, but just that everything that was AJAX based didn't appear which, in our case, was about 70% of the information provided by our site. Not a good thing. A check of the weblogs showed every single call to an .axd file was returned as a 404 error. We turned off Siteminder and tried again and everything worked fine.

What Blue Coat wrote in the article is correct, but you don't need to add the two empty files. As stated elsewhere it does work but it doesn't address the root of the problem. To make Siteminder stop blocking it:

  1. Go into your IIS Manager and right-click the root of your site and select Properties.
  2. Under Home Directory, click Configuration. 
  3. There should be a Wildcard entry for ISAPI6WebAgentDLL there (we are using CA Siteminder v6.xx so its there for us). Highlight it and click Edit.
  4. Make sure the checkbox for Verify that file exists is unchecked.
  5. Click through on OK.

I was pulling my hair out trying to figure this one out, we were standing up a new server and everything mirrored the old one yet SSO worked on the old and not on the new. After a couple days of working with the helpdesk found out that the updated installation documentation we were provided omitted that fact to ensure you uncheck that checkbox, the older documentation we used to install on the old server had it. By default, when adding a Wildcard Mapping that checkbox is checked.


Thans for you replies.... Thinking this would help others.......

Thanks.

Posted by Community Admin on 08-Apr-2011 00:00

Any news? Is Windows Authentication implemented?

Posted by Community Admin on 10-Apr-2011 00:00

Hi Keivan Kechmiri,

Yes, Windows Authentication has been implemented. 
There are currently issues with the concurrent users though - since you authenticate automatically, once you reach the users limit, all the other users will be authenticated as anonymous. We will improve this with 4.2 (Q2) release - if the users are authenticated but they do not enter the backend, they will not be counted as concurrent.

Kind regards,
Georgi
the Telerik team

Posted by Community Admin on 06-Sep-2011 00:00

Hello,

Has those issues been adressed ?

Zyad

Posted by Community Admin on 12-Sep-2011 00:00

Hello Zyad,

These issues haven't been resolved yet. The technical challenges there turned out to be big, but we are still looking forward in resolving them.

All the best,
Georgi
the Telerik team

Thank you for being the most amazing .NET community! Your unfailing support is what helps us charge forward! We'd appreciate your vote for Telerik in this year's DevProConnections Awards. We are competing in mind-blowing 20 categories and every vote counts! VOTE for Telerik NOW >>

Posted by Community Admin on 04-Jan-2012 00:00

Is this working properly in SF4.4 ?

Posted by Community Admin on 05-Jan-2012 00:00

Hello Stephane,

Our tentative plan is to include this feature in 5.0 in February. 

All the best,
Georgi
the Telerik team

Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 13-Apr-2012 00:00

What is the status of this.  I very much would like to interface with Active Directory, ideally windows auth as well.  Is there a tutorial or sample out there I can see?  Thanks.

Posted by Community Admin on 13-Apr-2012 00:00

Sorry, duplicate post.  Please delete this.

Posted by Community Admin on 16-Apr-2012 00:00

Is there documentation or a tutorial for how to do this?  I'm really struggling with this as well.  Is it forms auth that taps into AD or is it truly windows auth?  I am trying to tie the content management to users based on role in Active Directory, but have the site viewable to all.

This thread is closed