Overview
When Active Directory users log into a DNN environment with Active Directory enabled, it synchronizes Active Directory (AD) groups to the Global Security Roles within DNN. This article explains how synchronization works and how to enable it.
Prerequisites
- Access to a SuperUser Account
- Set up Active Directory
Solution
Below is a simple illustration showing how the DNN Platform can integrate with Active Directory. In this solution, we are relying on LDAP (Lightweight Directory Access Protocol) to consume information from Active Directory.
- The Active Directory server provides an LDAP protocol that exposes the AD user data store.
- DNN Platform is hosted on the IIS server that is a member of the Active Directory domain.
- Corporate users (employees) are automatically signed in to the DNN Platform.
- Clients can still view the DNN website as a Guest or a Registered User (if they manually sign in to the site).
To achieve this integration, there is a built-in solution under Available Extensions for AD integration which allows you to synchronize roles in DNN with groups in AD. You can install this module by going to Settings > Extensions > Available Extensions > Showing Authentication Systems.
To configure your Active Directory and DNN to synchronize each other, please check the "Synchronize Role?" on Site Settings for the DNNPro_ActiveDirectoryAuthentication extension by accessing it through Settings > Extensions > Edit DNNPro_ActiveDirectoryAuthentication > Site Settings.
The role synchronization matches DNN global roles with AD roles with the same names. Therefore, if you have a role in AD called Marketing, it should also be created in DNN with the same name. Then once the user logs in they will be added to the DNN Role as well.
Troubleshooting Note: Clients automatically removed from DNN Custom Roles
When the AD Role Synchronization is enabled, the default behavior is for DNN to synchronize the AD roles to DNN ones. DNN looks for all matching DNN Role Names and adds the user there, then removes the user from every DNN Role that is not part of the AD Role.
If a user is added to a custom DNN Role after login with their AD account, everything will work as intended until the next login. The next time the user logs in and the roles are synchronized, the user will be removed from the DNN Role since there is no AD Role for that user that matches the custom DNN one.
For cases like this, the solution is to either to:
- Add the user to an AD Role with the same name as the custom DNN Role (for the sake of consistency)
- To log in using the regular DNN authentication (which is not recommended since the roles/accesses will no longer be synchronized).
Important: For anyone using a version below 9.2, the default Administrator role is not synchronized. Thus AD Administrators will not become DNN Administrators.
For more information on how to create DNN roles, please check the following KBs:
For more information on how to configure the “AD-Pro Authentication” module, please check the following documentation:
Testing
Test that the AD roles have been synced by
- Log into the DNN environment with your Active Directory credentials.
- Then log into SuperUser account, then go to Manage > Users > Search for the AD user > View the role that is assigned for this user.
Comments
1 comment
This article
is referencing a Dnn store module which can confuse our customers. https://store.dnnsoftware.com/home/product-details/active-directory-authentication-v36
Please sign in to leave a comment.