Authenticate Active Directory Users

Posted by Community Admin on 04-Aug-2018 16:56


All Replies

Posted by Community Admin on 24-Dec-2014 00:00

I'm working on some proof of concept stuff with a Sitefinity trial installation. I'm trying to allow it to authenticate me using my active directory domain account credentials. I've followed this document to set up my connection and have enabled the LDAP Membership and Role providers. I've restarted the app by saving a small change to the web.config after each change. I see my new provider listed on the login control, but I cannot log in with my domain account credentials. When logged in as a Sitefinity admin and navigating to Administration > Users > LDAP Users, none are listed. Per the suggestion of another thread, I checked the sf_users table but only the sitefinity users are listed. I'm no AD whiz but I can't find a problem with the LDAP connection settings (see attachment). I've tried a couple of different user & role filters based on different examples I've found but no luck. Any idea how to troubleshoot this?

Posted by Community Admin on 25-Dec-2014 00:00

Hi,

Have you tried with the default settings for

UserFilter - (&(objectClass=user)(!(objectClass=computer)))

RolesFilter - (objectClass=group)

Can you check if, using the same settings as in our UI, you are able to connect to the AD with another tool, because it looks like the connection to the AD is done but there is a problem with getting the users from it. Looking at the settings you used, they look very common, so I also suppose that the problem might be related to the connection.
We have a class LdapQueryTranslator which works with the filters and expressions. This class is responsible for the way that queries are sent to the LDAP by LdapQueryProvider, and it would be hard to say what the problem is. If the same connection works with another tool, then something might be wrong with the translator, or the query data is not passed correctly by the LdapMembershipProvider and LdapFacade.

You can try to manually invoke LdapConnection (System.DirectoryServices.Protocols). Here is a sample that you can use to debug your Sitefinity connection.

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Threading;

// LdapSettingsConfig, SystemManager, SitefinityIdentity and LdapCredentialsCache are Sitefinity
// types from the Telerik.Sitefinity assemblies; the class wrapper is only there so the sample compiles.
public class LdapConnectionSample
{
    protected LdapConnection connection;

    public virtual string LdapConnectionName
    {
        get;
        set;
    }

    // Returns the connection cached for the current request, or builds a new one from the LDAP settings.
    protected virtual LdapConnection GetConnection(LdapSettingsConfig settings, string userName, string password)
    {
        LdapConnection connect = null;
        string connCacheName = GetConnectionCacheKey();
        if (connection == null)
        {
            if (SystemManager.HttpContextItems != null && SystemManager.HttpContextItems[connCacheName] != null)
            {
                connection = ((LdapConnection)SystemManager.HttpContextItems[connCacheName]);
                return connection;
            }

            var identifier = GetLdapDirectoryIdentifier(settings);

            NetworkCredential credential = GetNetworkCredential(settings, userName, password);
            if (settings.ConnectWithLogOnCredentials &&
                credential == null)
                return null;

            connect = BuildLdapConnection(settings, identifier, credential);
        }
        if (connect != null)
        {
            if (SystemManager.HttpContextItems != null)
                SystemManager.HttpContextItems[connCacheName] = connect;
            connection = connect;
        }
        return connection;
    }

    protected virtual LdapConnection BuildLdapConnection(LdapSettingsConfig settings, LdapDirectoryIdentifier identifier, NetworkCredential credential)
    {
        LdapConnection connect = new LdapConnection(identifier, credential);

        // NTLM is mapped to Negotiate; any other configured AuthType is used as-is.
        connect.AuthType = settings.AuthenticationType == AuthType.Ntlm ? AuthType.Negotiate : settings.AuthenticationType;
        connect.Timeout = TimeSpan.FromSeconds(20);
        // need additional check if you use SSL!
        return connect;
    }

    protected virtual string GetConnectionCacheKey()
    {
        return string.Concat("ldapconn_", this.LdapConnectionName);
    }

    protected virtual LdapDirectoryIdentifier GetLdapDirectoryIdentifier(LdapSettingsConfig settings)
    {
        // ServerName may list several hosts separated by ';'
        return new LdapDirectoryIdentifier(
                                settings.ServerName.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries),
                                settings.Port, true, false);
    }

    protected virtual NetworkCredential GetNetworkCredential(LdapSettingsConfig settings, string userName, string password)
    {
        NetworkCredential credential = null;
        if (settings.ConnectWithLogOnCredentials)
        {
            if (settings.AuthenticationType == AuthType.Ntlm)
                credential = CredentialCache.DefaultNetworkCredentials;
            else
            {
                if (userName != null)
                    credential = new NetworkCredential(userName, password);
                else
                {
                    // Fall back to the credentials cached for the currently logged-on Sitefinity user
                    SitefinityIdentity identity = Thread.CurrentPrincipal.Identity as SitefinityIdentity;
                    if (identity != null)
                    {
                        credential = LdapCredentialsCache.GetCredential(identity.Id);
                    }
                }
            }
        }
        else
        {
            // Fixed service account taken from the LDAP connection settings
            credential = new NetworkCredential(settings.ConnectionUsername, settings.ConnectionPassword, settings.ConnectionDomain);
        }

        return credential;
    }
}


Regards,
Ivan Dimitrov
Telerik
 
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
 

Posted by Community Admin on 06-Apr-2015 00:00

This is a few months later, but we're having the same problems establishing a working configuration to connect to our LDAP server (OpenLDAP).

The following works on the same Web site where the Sitefinity instance is installed.

Imports System
Imports System.DirectoryServices
Imports System.Text

' Code-behind of a test page with a Label named lblUsers; the bracketed values are placeholders as posted.
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Dim sb As New StringBuilder
    Try
        Dim dEntry As New DirectoryEntry()
        dEntry.Path = "LDAP://[IPaddress]:389/ou=users,dc=web,dc=[domain],dc=com"
        ' Simple bind with the service account's full DN (OpenLDAP); no signing or sealing on port 389
        dEntry.AuthenticationType = AuthenticationTypes.None
        dEntry.Username = "cn=[username],ou=services,dc=web,dc=[domain],dc=com"
        dEntry.Password = "[password]"

        ' Enumerate every entry under the search base and dump all of its attributes
        Dim dSearch As New DirectorySearcher(dEntry)
        Dim srchResultColl As SearchResultCollection = dSearch.FindAll()
        For Each srchResult As SearchResult In srchResultColl
            For Each propKey As String In srchResult.Properties.PropertyNames
                For Each prop As Object In srchResult.Properties(propKey)
                    ' Attribute values are written unencoded, so keep this to a local debug page
                    sb.Append(propKey & ": " & prop.ToString() & "<br />")
                Next prop
            Next propKey
            sb.Append("--------------------------------------------------------------<br />")
        Next srchResult
        lblUsers.Text = sb.ToString()
    Catch ex As Exception
        lblUsers.Text = "An error occurred: " & ex.Message
    End Try
End Sub

We get a list of all properties of all items (in this case, users).

However, when we try to configure the Sitefinity LDAP connection, we consistently fail, getting the error message "The distinguished name contains invalid syntax."

Could anyone help us with "translating" what works outside of Sitefinity to the Sitefinity configuration?

Any thoughts or suggestions about ways to test this would be most welcomed.

Posted by Community Admin on 09-Apr-2015 00:00

Hello Chanan,

In the ticket you have opened related to this issue we have replied that most probably the issue is caused by an incorrect value entered in the field: The domain used in addition to the user name.

I am pasting the reply from the ticket for your convenience:

Judging by the error message you are getting and the settings on your side, what we assume is that the issue might be caused by the value entered in the following field:

The domain used in addition to the user name

We have also analyzed the source code and what we expect is that the above field contains the domain of the LDAP server and should not contain characters like the following: , =.

We have compared this to the settings we have on our side to connect to our LDAP server and we have entered in the above field the following: telerik.com

What we can suggest is to enter in The domain used in addition to the user name field the domain of the LDAP server on your side.

Regards,
Sabrie Nedzhip
Telerik
 
 
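As an added example (not code from this thread or from Sitefinity itself), the console check below combines Ivan's advice to test the connection outside Sitefinity with Sabrie's rule for the domain field: it rejects a distinguished name in that field, binds with Sitefinity-style settings, then counts what the default UserFilter and RolesFilter return. Server, base DN, account and domain values are constructed placeholders, and reading the password from the LDAP_PASSWORD environment variable is an assumption of this example.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
// Stand-alone check of Sitefinity-style LDAP settings; every value below is a constructed placeholder.
class LdapSettingsCheck
{
    const string Server = "dc01.example.local", BaseDn = "DC=example,DC=local";
    const string Domain = "example.local";   // the "domain used in addition to the user name" field
    const string UserName = "svc-sitefinity";
    const string UserFilter = "(&(objectClass=user)(!(objectClass=computer)))";
    const string RolesFilter = "(objectClass=group)";
    // Counts matching entries, paging so AD's default 1000-entry size limit does not hide results.
    static int CountEntries(LdapConnection conn, string filter)
    {
        var request = new SearchRequest(BaseDn, filter, SearchScope.Subtree, "distinguishedName");
        var page = new PageResultRequestControl(500);
        request.Controls.Add(page);
        int total = 0;
        while (true)
        {
            var response = (SearchResponse)conn.SendRequest(request);
            total += response.Entries.Count;
            byte[] cookie = null;
            foreach (DirectoryControl c in response.Controls)
                if (c is PageResultResponseControl prc) cookie = prc.Cookie;
            if (cookie == null || cookie.Length == 0) return total;
            page.Cookie = cookie;   // ask the server for the next page
        }
    }

    static int Main()
    {
        // The domain field is a plain domain name; a DN with ',' or '=' here breaks the bind identity.
        if (Domain.IndexOfAny(new[] { ',', '=' }) >= 0) { Console.Error.WriteLine("Domain field must not be a DN."); return 2; }
        string password = Environment.GetEnvironmentVariable("LDAP_PASSWORD");   // never hard-code it
        var credential = new NetworkCredential(UserName, password, Domain);
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(Server, 389, true, false), credential))
        {
            conn.AuthType = AuthType.Negotiate;   // OpenLDAP simple bind instead: AuthType.Basic with the bind DN as user name
            conn.Timeout = TimeSpan.FromSeconds(20);
            try
            {
                conn.Bind();   // a failure here is credentials, domain field or server, not the filters
                Console.WriteLine("bind ok; users={0} groups={1}", CountEntries(conn, UserFilter), CountEntries(conn, RolesFilter));
                return 0;
            }
            catch (DirectoryException ex) { Console.Error.WriteLine("LDAP failure: " + ex.Message); return 1; }
        }
    }
}
```

A bind that succeeds here but returns zero users points at the filters or search base, while a bind failure points at the credentials, the domain field or the connection itself.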

Posted by Community Admin on 09-Apr-2015 00:00

Thanks a lot for responding.

It is becoming quite obvious that the company's IT guys have badly configured either the LDAP server or the Active Directory domain.

Once they deal with that, we'll try our LDAP connection again.

Thanks again.

This thread is closed