Member
andrejg - 11/17/2008 3:57:10 AM
   
Active Directory users and their username
Hi,

I've been trying out Kentico for our intranet page; so far it's working really well. I've had one problem, however: the user's full name is not read from Active Directory - it's displayed as domain\username. Is there a way to configure Kentico to pull the user's Display Name from AD?

I'm running KenticoCMS on Windows Server 2008 Enterprise/IIS7.

TIA,
Andrej

Kentico Support
kentico_jurajo - 11/17/2008 8:23:54 AM
   
RE:Active Directory users and their username
Hi,

I am afraid there is no setting in Kentico CMS right now. We will consider it for some of the next versions.

For now, you can use the security handler - http://www.kentico.com/docs/devguide/security_handler_customsecurit.htm - where you will check whether the user has a name in the format domain\username and, if yes, you will need to obtain the display name from AD by some code.

Best Regards,
Juraj Ondrus
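
One way to do the AD lookup suggested in the reply above, as an added example (not Kentico's code and not the poster's): a helper built on .NET's System.DirectoryServices.AccountManagement that a security handler could call to fill UserInfo.FullName. The class and method names are hypothetical, and the application pool identity is assumed to be allowed to read the domain; the result is a display label only and plays no part in authenticating the user.

```csharp
using System;
using System.DirectoryServices.AccountManagement; // reference System.DirectoryServices.AccountManagement.dll (.NET 3.5+)

// Hypothetical helper, not part of Kentico.
public static class AdDisplayName
{
    // Splits "DOMAIN\user" into its parts; returns false for any other shape.
    public static bool TrySplit(string login, out string domain, out string sam)
    {
        domain = null;
        sam = null;
        if (string.IsNullOrEmpty(login)) return false;
        int i = login.IndexOf('\\');
        // Require exactly one backslash with text on both sides.
        if (i <= 0 || i == login.Length - 1 || login.IndexOf('\\', i + 1) >= 0) return false;
        domain = login.Substring(0, i);
        sam = login.Substring(i + 1);
        return true;
    }

    // Returns the AD displayName, or null when the login is not domain-qualified,
    // the account is not found, or the directory cannot be reached.
    public static string Lookup(string login)
    {
        string domain, sam;
        if (!TrySplit(login, out domain, out sam)) return null;
        try
        {
            // Binds with the credentials of the running process (the app pool identity).
            using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
            {
                if (user == null) return null;
                return string.IsNullOrEmpty(user.DisplayName) ? null : user.DisplayName;
            }
        }
        catch (PrincipalException)
        {
            // Covers an unreachable domain controller and multiple matches.
            return null;
        }
    }
}
```

A caller would keep domain\username as the account's user name and fall back to it for the full name whenever Lookup returns null.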

Member
andrejg - 12/12/2008 10:02:41 AM
   
RE:Active Directory users and their username
(A belated :P) thanks for your answer Juraj.

I've successfully enabled the custom security handler. However - it only works on forms authentication. If I enable Windows authentication (and disable forms authentication) in IIS it doesn't seem to do anything. I've set a couple of breakpoints and if I use forms authentication they get triggered. It's not so with Windows authentication... Am I missing something?

Here's the OnAuthentication method:

    public override object OnAuthentication(object userInfo, string username, string password)
    {
        // Check if the user was authenticated by the system
        if (userInfo != null)
        {
            // Return the user info
            return userInfo;
        }
        // Sample external user credentials
        UserInfo usr = null;
        // Not authenticated, authenticate from the external source.
        // Verbatim string: in a regular literal "\a" is the escape for the alert
        // character, so the comparison would never match domain\username.
        // Note: only the user name is compared; the password argument is not checked.
        if (username.ToLower() == @"pnwin\andrej")
        {
            // Create base user record if user found
            usr = new UserInfo();
            usr.IsExternal = true;
            usr.UserName = username.ToLower();
            usr.FullName = "Andrej Guštin";

            usr.Enabled = true;
            // Init user sites and roles if requested (Hashtable is in System.Collections)
            Hashtable rolesTable = new Hashtable();
            string siteName = CMSContext.CurrentSite.SiteName;
            // Assign user to the current site
            usr.SitesRoles[siteName.ToLower()] = rolesTable;
            // Add new role "external role" and assign it to the user
            rolesTable["external role"] = 0;
        }
        // Return the user info
        return usr;
    }

Thanks,
Andrej

Kentico Support
kentico_jurajo - 12/18/2008 3:53:41 AM
   
RE:Active Directory users and their username
Hi Andrej,

I am sorry, but there is a bug in the current version with the Windows authentication. We have already located the problem and it will be fixed in version 4.0. I am sorry for the inconvenience.

Best Regards,
Juraj Ondrus

Member
webmaster-7layermedia - 5/19/2010 8:00:13 AM
   
RE:Active Directory users and their username
Has the display name been added in any of the current versions of Kentico CMS? We have over 500 employees and I would hate to manually update every person's display name from the domain\username. Thanks for your time.

Kentico Support
kentico_jurajo - 5/24/2010 2:38:11 AM
   
RE:Active Directory users and their username
Hi,

You can use keys in web.config file to set which format of names should be used:
http://devnet.kentico.com/docs/devguide/web_config_parameters.htm

e.g.:

<add key="CMSEnsureSafeUserNames" value="false" />

and here the Windows authentication configuration is described.

Best regards,
Juraj Ondrus

Member
webmaster-7layermedia - 5/24/2010 10:55:22 AM
   
RE:Active Directory users and their username
Thanks, but I am not sure that this answers the question that instead of importing domain\moserh it imports the full name Heath Moser. If I set this to false will it pull in the full name?

Kentico Support
kentico_jurajo - 5/25/2010 7:09:54 AM
   
RE:Active Directory users and their username
Hi again,

I got it now :-)

For this purpose you can use the AD import tool available since version 5.0 - http://devnet.kentico.com/docs/devguide/ad_import_utility_overview.htm.

Best regards,
Juraj Ondrus

Member
heath@sevenlayermedia.com - 8/16/2010 3:45:53 PM
   
RE:Active Directory users and their username
The AD Import tool worked great but when I turn on Windows Authentication and the user logs onto the intranet Kentico creates a new account domain-username.

Kentico Support
kentico_jurajo - 8/17/2010 8:24:05 AM
   
RE:Active Directory users and their username
Hi,

What was the setting for the AD Import tool for the user names? In which format are they imported - with slash or dash between domain and user name? It seems that the users were imported using one format but the CMS is set to use the other one.

Could you please add this key into your web.config file:

<add key="CMSEnsureSafeUserNames" value="false" />

(web.config keys).

Best regards,
Juraj Ondrus

Member
heath@sevenlayermedia.com - 8/18/2010 4:39:29 PM
   
RE:Active Directory users and their username
When we turn on Windows authentication and users log in, they have an account created with Domain\username as their username. However, we would like to be able to import a list of our users from Active Directory to match up with what our users are going to be logging in as. When we try to use the AD Import tool, the only three options of usernames we have are Domain\username (which displays as ad-username), username, and username@domain.com (which shows as username-ad). Is there any way to have the Domain\username option actually import the accounts with the username displayed as Domain\username and not ad-username, so that we can import a list of our users with all their user-specific information (Email, department, etc.) and still maintain the single sign-on capability?

Kentico Support
kentico_jurajo - 8/19/2010 1:05:22 AM
   
RE:Active Directory users and their username
Hi,

Yes, using that key I mentioned above. Please see also the web.config keys documentation for more details.

Best regards,
Juraj Ondrus

Member
heath@sevenlayermedia.com - 8/19/2010 8:28:52 PM
   
RE:Active Directory users and their username
Thank you. We added the key according to the documentation and this is what happens. When we add the key mentioned above and we use the active directory import tool and select the domain\username option, the import tool adds the users. However, instead of using domain\username like we asked it to, it changes the username to ad-username. It does not even change it to domain-username. Any thoughts? I hope I explained this ok.

Kentico Support
kentico_jurajo - 8/23/2010 7:31:42 AM
   
RE:Active Directory users and their username
Hi,

I am sorry but I am confused. Could you please let me know the user name settings set during the AD import using the tool? In which format are the user names imported? What is the current value of the key in your web.config file?

Best regards,
Juraj Ondrus

Member
heath@sevenlayermedia.com - 8/23/2010 9:50:23 AM
   
RE:Active Directory users and their username
Sorry for the confusion.

AD Import username setting: domain\username
Usernames are imported in the following format: ad-username

web.config updated values are:
    <authentication mode="Windows" />
    <location path="">
      <system.web>
        <authorization>
          <deny users="?"/>
        </authorization>
      </system.web>
    </location>

    <add key="CMSEnsureSafeUserNames" value="false" />

What we are trying to achieve is:
When the user accesses the intranet they would not be prompted for their login credentials and they can access their profile based on Windows Authentication.

What we originally attempted was setting the AD Import username to just username and they were imported perfectly fine, but every browser we attempted to access the intranet site with prompted them to enter their username and password. Once they entered the info they could log in and see the intranet. I hope this clarifies a little bit more.

Kentico Support
kentico_jurajo - 8/24/2010 10:04:56 AM
   
RE:Active Directory users and their username
Hi,

Thank you.

So even with that key set in the web.config file and the setting set in the AD import tool, the user names are created in username-domain format? This is very strange and no one has reported this issue before. Could you please describe the exact steps you have made?

Moreover, for example, the Firefox browser always asks for the logon credentials, even with Windows authentication turned on and the user logged into the domain on the computer.

Best regards,
Juraj Ondrus

Member
martinagency - 1/13/2011 10:56:31 AM
   
RE:Active Directory users and their username
Juraj, this is heath@sevenlayermedia.com. It has been a while since I last worked on the AD issue we were having because we postponed the intranet site rebuild until recently. We are still experiencing the issue.

I have a screen shot that can help you visualize the issue. If you email me I can send it to you.

The issue is as follows:
- Import users using AD Import Utility>domain\username (i.e. martin\moserh)
- Imports users into Kentico as username (i.e. moserh)
- Turn on Windows Authentication
- Visit site and browser asks for AD credentials
- User enters AD credentials and kentico logs them in successfully but a new account is created, domain-username (i.e. martin-moserh).
- Two accounts are now in Kentico: original imported account as username and now domain-username.

Any thoughts?

Kentico Support
kentico_jurajo - 1/19/2011 3:43:31 AM
   
RE:Active Directory users and their username
Hi,

What are your web.config settings for user names (web.config parameters)? I mean the setting for "CMSEnsureSafeUserNames". It seems that there is a conflict between the setting used when importing the users and the web.config parameter - so when the user comes to the site, forbidden characters (slash in this case) are replaced and therefore a new user is created.

Best Regards,
Juraj Ondrus
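
A check for the mismatch described in this thread, as an added example (not Kentico's code): it reduces the account-name spellings reported above (username, domain-username, domain\username) to one key and lists keys held by more than one account, so duplicates can be reviewed before roles are assigned to the wrong record. The class name, the single-domain assumption and the reduction rule are assumptions made for this illustration, not Kentico's actual normalization.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical audit helper, not part of Kentico.
public static class AccountKeyAudit
{
    // Assumption: one AD domain; every spelling is reduced to "domain\username" in lower case.
    public static string Canonical(string userName, string domain)
    {
        string u = userName.Trim().ToLowerInvariant();
        string d = domain.ToLowerInvariant();
        if (u.IndexOf('\\') > 0) return u;                          // domain\username
        if (u.StartsWith(d + "-", StringComparison.Ordinal))
            return d + "\\" + u.Substring(d.Length + 1);            // domain-username
        return d + "\\" + u;                                        // bare username
    }

    // Returns only the canonical keys that more than one stored account maps to.
    public static Dictionary<string, List<string>> FindDuplicates(IEnumerable<string> userNames, string domain)
    {
        var groups = new Dictionary<string, List<string>>();
        foreach (string name in userNames)
        {
            string key = Canonical(name, domain);
            List<string> list;
            if (!groups.TryGetValue(key, out list))
            {
                list = new List<string>();
                groups[key] = list;
            }
            list.Add(name);
        }
        var duplicates = new Dictionary<string, List<string>>();
        foreach (KeyValuePair<string, List<string>> kv in groups)
            if (kv.Value.Count > 1) duplicates[kv.Key] = kv.Value;
        return duplicates;
    }

    public static void Main()
    {
        // Constructed sample: the two account names quoted in the thread plus two unrelated ones.
        string[] accounts = { "moserh", "martin-moserh", "martin\\jdoe", "administrator" };
        foreach (KeyValuePair<string, List<string>> kv in FindDuplicates(accounts, "martin"))
            Console.WriteLine(kv.Key + " <- " + string.Join(", ", kv.Value.ToArray()));
    }
}
```

A bare user name that legitimately begins with the domain name and a dash would be grouped by mistake, so reported pairs should be confirmed by hand before any account is merged or removed.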

Member
martinagency - 1/21/2011 10:57:51 AM
   
RE:Active Directory users and their username
Thank you. I made this change and it did import the user as domain\username, but when I attempt to modify the user account (i.e. change them to a Global Administrator) I receive the following warning:

Please enter valid user name. The user name can contain only alphanumeric characters and some of special characters (_, -, ., @).

Member
martinagency - 1/21/2011 2:34:13 PM
   
RE:Active Directory users and their username
The problem I had was some configuration issues on my part. I do not get the above message anymore. Here is our current issue after adding the following to the web.config:

<add key="CMSEnsureSafeUserNames" value="false" />
<add key="CMSEnsureSafeRoleNames" value="false" />

When using the import tool with the option domain\username the user is imported as username without the domain. When the user goes to the intranet, Kentico creates a user account as domain\username and it does not match up with the imported account.

When we test the connection we get the following message:
Authentication:
The application pool identity is valid.
Authorization:
The server is configured to use pass-through authentication with a built-in account to access the specified physical path. However, IIS Manager cannot verify whether the built-in account has access. Make sure that the application pool identity has Read access to the physical path. If this server is joined to a domain, and the application pool identity is NetworkService or LocalSystem, verify that <domain>\<computer_name>$ has Read access to the physical path. Then test these settings again.

NetworkService is the identity used by the application pool.

Member
martinagency - 1/21/2011 2:44:49 PM
   
RE:Active Directory users and their username
One other note, IE is asking for a username and password and then it logs us in.

Member
andrejg - 1/23/2011 7:18:54 AM
   
RE:Active Directory users and their username
martinagency wrote: One other note, IE is asking for a username and password and then it logs us in.

I think that's because you don't have Windows authentication enabled for your website in IIS.

Member
martinagency - 1/24/2011 8:04:29 AM
   
RE:Active Directory users and their username
Windows Authentication is turned on. Our issues are really odd. As I mentioned previously, when using AD Import domain\username it imports the user with only the username. When the user goes to the site it creates a new account domain-username.

Ultimately, I want the user to either be automatically logged through AD or they should only have to enter their AD credentials once and the session remains active until they delete their cookies. I don't like how if they exit any browser that they have to re-enter their AD credentials. I cannot go live until this issue is fixed, or our employees will not be thrilled.

Kentico Support
kentico_jurajo - 1/25/2011 3:11:01 PM
   
RE:Active Directory users and their username
Hi,

It is strange - my IE always works if I am logged on to the domain on the computer; I do not have to enter the AD credentials when accessing a site with Windows authentication. And in Firefox you can use this workaround.

Best regards,
Juraj Ondrus

Member
martinagency - 1/25/2011 3:23:00 PM
   
RE:Active Directory users and their username
Any troubleshooting tips? This is driving me crazy. It is really holding up our progress.
