Overview
Active Directory (AD) is Microsoft's Single-Sign-On platform. Using the Active Directory Authentication module in DNN, you can allow site visitors who have AD credentials on your corporate domain to use those AD credentials on your site as well.
When AD authentication is enabled in DNN, AD users are automatically created in DNN when they first log in; there is no need to manually import your AD Users list.
Prerequisites
- Access to a SuperUser account
Solution
NOTE: The DNN Active Directory Authentication module will only authenticate multiple domain names if each domain is trusted; this could be one or two-way trusted domains.
- If you are looking to implement the Azure Active Directory, follow the Implementing an Azure Active Directory Provider for the DNN Platform article (which was created by a DNN Community member).
- Navigate to Persona Bar Settings > Extensions.
- Go to Available Extensions > Authentication Systems. Install the
DNNPro_ActiveDirectoryAuthentication
extension.
- Go to Settings > Extensions > Installed Extensions > Authentication Systems.
- Click the Edit (pencil) icon at the far right of the
DNNPro_ActiveDirectoryAuthentication
module.
- Go to the Site Settings tab and set the following fields:
- Enabled? - Check the box.
- Hide Login Controls – Will hide the Windows Login tab from the Login screen. This can be useful if you find your users are confused as to which option they should choose or if you’ve provided a direct link to <DNN_INSTALL>/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx elsewhere on your site for Intranet users.
- Synchronize Roles? - Check the box.
- Do Not Automatically Create Users? - Active Directory users will not be able to log into the portal until their accounts have been manually created.
- Provider - Use the default option:
DNNPRO_ADSIAuthenticationProvider
- Authentication Type - Use the default option:
Delegation
. - Root Domain -
DC=[YOURDOMAIN]
- User Name -
[YOURDOMAIN]\[Domain Controller Admin login username]
- Password and Confirm Password - Enter the valid password for the Domain Controller Admin login username.
- Email Domain - @domain.local
- Default Domain - domain.local
- Auto-login IP Address – If left blank then the provider will try to auto-login all visitors to the site. However, if you know the range of IP addresses or specific IP addresses that you want to be automatically logged in you can enter them here. Multiple IP addresses, ranges, etc. can be used as long as they are separated by a semi-colon (;). An example string would be “192.168.1.100 – 192.168.1.200; 192.168.1.1;” 192.168.1.100 – 192.168.1.200 – Any IP addresses including and between 192.168.1.100 and 192.168.1.200 will be automatically logged in. 192.168.1.1 – Only the computer with that IP address will be automatically logged in.
- Click the Update Authentication Settings button.
- A green box will appear at the top, showing if the provided settings are correct or not.
- Open a Command Prompt window as Administrator:
Execute each of the lines below:
%windir%\system32\inetsrv\appcmd unlock config /section:anonymousAuthentication
%windir%\system32\inetsrv\appcmd unlock config /section:windowsAuthentication
If you are still not able to authenticate against the Active Directory Provider:
- Check the version of the Active Directory Module. Ensure that the module is Active Directory Pro. If on a lower version, find the module package and upgrade it to the latest version.
- Is the server where the website is hosted already joined on the domain? We always suggest the server joins the domain.
- Make sure to set the IIS app pool's user to "network services."
- In the AD auth config page, if all the info input is correct, please change the "authentication type" value to the other options and test the connection.
- Check if Windows Authentication has been installed on the server.
- You can run the ADExplorer tool on the server to connect to the domain. If ADExplorer can connect correctly, then DNN should able to connect as well. Otherwise, you can use the tool to identify the problem.
Testing
By default, auto-login (Integrated Windows Authentication) is already enabled on most browsers (for Firefox users, extra steps may be necessary). Due to a security measure Microsoft has in place for AD, testing AD integration should always be done on a separate computer from the server hosting the site.
To test that Active Directory is set up correctly:
- If Auto-login is enabled in the AD Authentication Provider: As soon as hitting the site, the user is logged in as the Domain user logged into the physical machine or Virtual Machine.
- If Auto-login is not enabled in the AD Authentication Provider: The user is logged in once a legitimate Domain user/password combination is provided.
Comments
0 comments
Please sign in to leave a comment.