Synchronizing AD groups and DNN Global Security Roles


Overview

When a user signs in to DNN with Active Directory authentication enabled, DNN synchronizes that user's Active Directory (AD) group memberships to the Global Security Roles within DNN. This article explains how the synchronization works and how to integrate with it.


Prerequisites


Solution

Below is a simple illustration showing how the DNN Platform can integrate with Active Directory. In this solution, DNN relies on LDAP (Lightweight Directory Access Protocol) to read user and group information from Active Directory.

Model

  • The Active Directory server exposes the AD user data store over the LDAP protocol.
  • The DNN Platform is hosted on an IIS server that is a member of the Active Directory domain.
  • Corporate users (employees) are automatically signed in to the DNN Platform.
  • Clients connecting over the Internet can still view the DNN website as a Guest, or as a Registered User if they sign in to DNN manually.

To achieve this integration, there is a built-in authentication system under Available Extensions for AD integration which allows you to synchronize roles in DNN with groups in AD. You can install it by going to Settings > Extensions > Available Extensions > Showing Authentication Systems.


To configure Active Directory and DNN to synchronize roles, check the "Synchronize Role?" option in the Site Settings of the DNNPro_ActiveDirectoryAuthentication extension, reached through Settings > Extensions > Edit DNNPro_ActiveDirectoryAuthentication > Site Settings.

The role synchronization matches roles by name only. Therefore, if you have an AD group called Marketing, a role with exactly the same name must also be created in DNN. Once the user logs in, they are added to that DNN role as well.


The default behavior, when AD Role Synchronization is enabled, is for DNN to make the user's DNN roles mirror their AD groups. It looks for every DNN role whose name matches one of the user's AD groups and adds the user to it; it then removes the user from every DNN role that has no matching AD group.

A common consequence is that a user is added to a custom DNN role after logging in with their AD account and everything works as intended, until the next login. The next time the user logs in and the roles are synchronized, the user is removed from that DNN role because no AD group of the same name exists for that user.

For cases like this, the solution is either to add the user to an AD group with the same name as the DNN role (for the sake of consistency), or to log in using the regular DNN authentication. The latter is not recommended, since the roles and access rights will no longer be synchronized.
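The reconciliation described above (add every same-named role, remove every other one) is easy to misread until you see it run against a concrete user. The following is an added model of that behavior and is not code from the DNN Platform or from the DNNPro_ActiveDirectoryAuthentication extension; the role names, AD groups and the `unsynced_roles` parameter (which models the pre-9.2 Administrator exception as "not touched at all", an assumption beyond what the article states) are constructed for the example.

```python
"""Model of the AD-to-DNN role synchronization described in this article.

Added illustration only: this is not code from the DNN Platform or from the
DNNPro_ActiveDirectoryAuthentication extension, and the role names, group
names and user below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class SyncResult:
    """Role changes that one AD login would apply to a user."""
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    # AD groups with no same-named DNN role: they are silently ignored,
    # which is why the article asks for identical names on both sides.
    unmatched_ad_groups: set = field(default_factory=set)


def synchronize_roles(current_dnn_roles, ad_groups, dnn_roles, unsynced_roles=frozenset()):
    """Compute the changes the sync makes on login, following the article:

    1. every DNN role whose name exactly matches one of the user's AD groups
       is added;
    2. the user is removed from every other DNN role they currently hold.

    `unsynced_roles` models roles the sync leaves untouched. The article only
    states that the Administrator role is not synchronized on versions below
    9.2; treating such a role as neither added nor removed is an assumption.
    """
    current = set(current_dnn_roles)
    matched = (set(ad_groups) & set(dnn_roles)) - set(unsynced_roles)
    return SyncResult(
        added=matched - current,
        removed=(current - matched) - set(unsynced_roles),
        unmatched_ad_groups=set(ad_groups) - set(dnn_roles),
    )


def apply_sync(current_dnn_roles, ad_groups, dnn_roles, **kwargs):
    """Return the user's DNN roles after one login-time synchronization."""
    result = synchronize_roles(current_dnn_roles, ad_groups, dnn_roles, **kwargs)
    return (set(current_dnn_roles) | result.added) - result.removed


def walkthrough():
    """Replay the scenario from the article and return each step's roles."""
    # Constructed sample data: roles that exist on the DNN site and the
    # AD groups the sample user belongs to.
    dnn_roles = {"Marketing", "Finance", "ContentEditors", "Administrator"}
    ad_groups = {"Marketing", "Sales"}

    # First AD login: only the matching role is added; "Sales" is ignored.
    after_first_login = apply_sync(set(), ad_groups, dnn_roles)

    # An admin then adds the user to a DNN-only role by hand.
    manually_extended = after_first_login | {"ContentEditors"}

    # Next AD login: the sync removes the role that has no AD counterpart.
    after_second_login = apply_sync(manually_extended, ad_groups, dnn_roles)

    # Fix recommended by the article: create the same-named group in AD.
    after_fix = apply_sync(manually_extended, ad_groups | {"ContentEditors"}, dnn_roles)

    return {
        "after_first_login": after_first_login,
        "manually_extended": manually_extended,
        "after_second_login": after_second_login,
        "after_fix": after_fix,
    }


if __name__ == "__main__":
    for step, roles in walkthrough().items():
        print(f"{step:>20}: {sorted(roles)}")
```

Running the script prints the user's roles after each step; the `after_second_login` line shows the manually granted ContentEditors role disappearing, and `after_fix` shows it surviving once an AD group of the same name exists. Because `unmatched_ad_groups` is reported separately, a site operator can use the same check to list AD groups that silently map to nothing in DNN.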


Important: On any version below 9.2, the default Administrator role is not synchronized. AD Administrators will therefore not become DNN Administrators.

For more information on how to create DNN roles, please check the following KBs:

For more information on how to configure the “AD-Pro Authentication” module, please check the following documentation: 



Testing

Test that the AD roles have been synced:

  1. Log into the DNN environment with your Active Directory credentials.
  2. Then log into a SuperUser account and go to Manage > Users > search for the AD user > view the roles assigned to this user.
