New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationServer 2008/IIS 7 IssuesServer 2008/IIS 7 Issues
Previous
 
Next
New Post
7/29/2011 11:45 AM
 
Justin Turco-Gwozdowski


Joined: 4/25/2011
Posts: 5
I spent the better part of half a day setting up AD (5.00.02) on my installation. Instead of letting someone else spend the same amount of time I thought I would put in my results and configuration for Windows 7 .NET Framework 4.0. Two issues threw me in a loop simply because initially I did not take the time to properly look into the error messages that I was receiving, 401.1 can mean a lot more than not authorized. 

    Follow the instructions in the documentation for installing and configuring AD in the DNN settings configuration and IIS settings configuration. I did not have to impersonate a user on the domain in the web config or set a domain user as the application pool identity but the server is on the domain. The .NET framework I am using is 4.0 so when switching the application pool to Classic I had to allow the 4.0 Framework ISAPI modules in the restrictions section of the IIS server. The option is not available in the website's settings (404.2 Error). Once this was complete I received another error (401.1 Error) which appeared to be the AD module not properly authenticating a user when it was actually a fail safe implemented by Microsoft. This problem only applies to websites where the Host Header value is not that of the FQDN for the server. To fix this follow these instructions from Microsoft. After that and setting the site as trusted in IE for all users I was good to go (See Other Settings in the documentation). 
 
New Post
9/23/2011 12:05 PM
 
Mike Sirois


Joined: 9/21/2011
Posts: 38

Mike,

First of all, thank you for what seems to be good support through this forum, and your work on the AD Authentication Provider. I seem to be in desperate need of help here. I followed the documentation and tried to fill in the blank using the fragmented pieces of forum posts by you and others. I am new to DNN so that doesn’t help. At one point I was very close to a solution but now I cannot seem to replicate that success. There could be an issue with various settings becoming affected by my numerous attempts at getting this to work. What I am seeking out is a definitive set of steps I need to take in order to achieve my goal. After 15 hours of trying to piece it together, I have given up. I would require a precise order of steps that include ACL configurations, IIS Authentication settings, DNN module settings and web.config settings if needed. Below is what I am trying to achieve, what I tried and what my current settings look like.

I am using DNN as an intranet. It will be accessible from the outside and secured with SSL. I would like internal users to automatically get logged into the site without prompt for password. If they don’t have an account, I would like them to have one automatically created based on their AD account. If they visit the intranet from the outside, off-domain, I would then like to present a pop-up challenge or a form to log in. Seems simple enough.

I have tried this using a mix of advice from this forum. I have played with ACL’s and various Auth settings at both the web site level and on the WindowsSignin.aspx file. I always see reference to either remarking out, or remarking in a line in web.config but every reference I read on the tipic references a line that does not match mine. This is the line in my web.config:

<!-- add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" / -->

The one that is always mentioned in the forums has Active Directory Authentication in the line. I am also reading that web.config gets adjusted by IIS and tends to work against our efforts. When following instructions in the document provided, ActiveDirectory_Users_Guide.05.00.02.pdf, I cannot seem to get it to work at all.

Can you give me a step-by-step rundown of what I need to do to get this to work according to what I am trying to accomplish?

Thanks,

Michael Sirois
 
New Post
9/27/2011 5:07 PM
 
Mike Sirois


Joined: 9/21/2011
Posts: 38
I would like to reply to my own post so you know how far I got. I still need help but I am very close to an acceptable scenario.

Using:
• DNN6
• Unreal Skin
• Windows Server 2008 R2
• IIS 7.5

Trying to accomplish:
• Intranet site using Integrated Windows Authentication against domain accounts
• Secure access to the intranet from outside of our network using Windows Auth challenge so no one can even see the first page
• Auto login of users internally
• Auto login to the site by way of external access after successful challenge
• Auto account creation both internally and externally

Current Settings:
• App pool set to Classic
• Anonymous Authentication in IIS turned off everywhere.
• Forms and Windows Authentication selected at the site level as well as the \DesktopModules\AuthenticationServices\ActiveDirectory\Windowssignnin.aspx
• Web.config file modified. I had to add the line “
• I left the existing line commented out
• ACL at the site level grants Domain Users read-only

What Works Now:
• Because we are using both Windows and Forms authentication in IIS, I can log out as myself and login as Host directly into the site which is desired because I cannot seem to assign superuser rights to a domain user(me)
• From a workstation logged into the domain with the site entered into the Intranet zone, A user can hit the main URL https://portal.medicushcs.com and have his/her account auto-created and logged in
• Subsequent logins for existing accounts will also auto-log in with no problems.
• From the outside using a non-domain member computer, the user can hit the main page https://portal.medicushcs.com and get presented with a Windows Auth challenge. They can log in as DOMAIN\username and have their account auto-created and auto-logged in.


This is 90% of what I need. I am not sure if this is optimal from a security standpoint but from what I am seeing, it is getting better.


Problems:
• If the user hits the logout button, or if the site logs them out automatically, they cannot log back it using the Windows login option. To recover, I have to delete cookies and access the site again which will log the user in automatically. *I need to solve this problem*
• Related to the above, when I am in as superuser it eventually times out and defaults me to my personal AD based account but it is limited. I can only see two of the 5 tabs I have created for pages. This is frustrating.
• The requirement to supply a domain name before the username still exists due to Windows Authentication. I have the domain assumed in the site settings but I will need to tell IIS to default to my domain name when people are presented with the challenge.

I will be performing more tests this evening as time permits. In the meanwhile, Mike, if you have any suggestions to clean this up, I am all ears. Thanks in advance for everyone’s help.
 
New Post
10/25/2011 4:57 PM
 
Halcylon


Joined: 10/25/2011
Posts: 5
Mike Sirois wrote:
I would like to reply to my own post so you know how far I got. I still need help but I am very close to an acceptable scenario.

Using:
• DNN6
• Unreal Skin
• Windows Server 2008 R2
• IIS 7.5

Trying to accomplish:
• Intranet site using Integrated Windows Authentication against domain accounts
• Secure access to the intranet from outside of our network using Windows Auth challenge so no one can even see the first page
• Auto login of users internally
• Auto login to the site by way of external access after successful challenge
• Auto account creation both internally and externally

Current Settings:
• App pool set to Classic
• Anonymous Authentication in IIS turned off everywhere.
• Forms and Windows Authentication selected at the site level as well as the \DesktopModules\AuthenticationServices\ActiveDirectory\Windowssignnin.aspx
• Web.config file modified. I had to add the line “
• I left the existing line commented out
• ACL at the site level grants Domain Users read-only

What Works Now:
• Because we are using both Windows and Forms authentication in IIS, I can log out as myself and login as Host directly into the site which is desired because I cannot seem to assign superuser rights to a domain user(me)
• From a workstation logged into the domain with the site entered into the Intranet zone, A user can hit the main URL https://portal.medicushcs.com and have his/her account auto-created and logged in
• Subsequent logins for existing accounts will also auto-log in with no problems.
• From the outside using a non-domain member computer, the user can hit the main page https://portal.medicushcs.com and get presented with a Windows Auth challenge. They can log in as DOMAIN\username and have their account auto-created and auto-logged in.


This is 90% of what I need. I am not sure if this is optimal from a security standpoint but from what I am seeing, it is getting better.


Problems:
• If the user hits the logout button, or if the site logs them out automatically, they cannot log back it using the Windows login option. To recover, I have to delete cookies and access the site again which will log the user in automatically. *I need to solve this problem*
• Related to the above, when I am in as superuser it eventually times out and defaults me to my personal AD based account but it is limited. I can only see two of the 5 tabs I have created for pages. This is frustrating.
• The requirement to supply a domain name before the username still exists due to Windows Authentication. I have the domain assumed in the site settings but I will need to tell IIS to default to my domain name when people are presented with the challenge.

I will be performing more tests this evening as time permits. In the meanwhile, Mike, if you have any suggestions to clean this up, I am all ears. Thanks in advance for everyone’s help.

 • Web.config file modified. I had to add the line “

What did you add?
 
New Post
10/26/2011 9:11 AM
 
Mike Sirois


Joined: 9/21/2011
Posts: 38
I added this line.

<add name="Authentication" type="DotNetNuke.Authentication.ActiveDirectory.HttpModules.AuthenticationModule, DotNetNuke.Authentication.ActiveDirectory" />

Place this in web.config just under the remarked out line that looks like....
<!-- add name="Authentication" type="DotNetNuke.HttpModules.AuthenticationModule, DotNetNuke.HttpModules.Authentication" / -->

Don't mess with the one remarked out. Just add this new one in the same section.


For others viewing this post, it might be worth adding that I solved my second and third problems listed above. With the help of DNN support, I was able to make my domain account a super user by way of a SQL script. You can also modify the SQL table directly to change your existing account to "Is superuser". I don't have the specifics on this but I bet it is available in the Wiki. I also designated one other account as superuser as a backup. I now do not need to log in using DNN forms based auth as 'Host' to get host access. This, by default, eliminates the problem of my browser killing my Host session and putting me back in as my domain account with limited access. By logging in as my domain account from the beginning, it stays logged in and I am happy. We still have the logout button which I would like to eliminate.

I also found that I cannot go strictly with Windows Authentication only. If the user exists in DNN, no problem, they get auto-logged in but in this scenario I cannot automatically create DNN accounts for new domain users. I have to keep Forms based auth enabled in IIS for this to work. This is not a huge issue yet but I still may try to find a solution because this is not a supported method in IIS. Can't use both.

We are still required to log in from outside of the network as DOMAIN\Username but as I realized, this is because I am only using Windows Auth. I would need ot use basic auth and supply the domain name to the basic auth config but this is not something that can work with Windows auth. One or the other, and without Windows auth, I don't get integrated authentication for my domain users. It is more secure this way anyhow so they will continue to log in using the domain\username context.

Hope this helps some people. If I learn more through my support sessions with DNN, I will try to remember to share it here.
 
 Page 5 of 12
Previous123456...12Next 
Previous
 
Next
HomeHomeDNN Open Source...DNN Open Source...Provider and Extension ForumsProvider and Extension ForumsAuthenticationAuthenticationServer 2008/IIS 7 IssuesServer 2008/IIS 7 Issues


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.