Configuring Windows authentication (Active Directory) |
Kentico CMS supports Windows integrated authentication. It means that when a user signs in to a Windows domain, Kentico CMS automatically recognizes her identity without requiring a user name and password.
Moreover, Kentico CMS is able to automatically import the authenticated users from domain (Active Directory) into the user database, including their roles.
Configuration
- Is global administrator: yes - Is external user: yes - Is domain user: yes
When using the Windows authentication, you also need to have the following settings in your web.config file so that the authentication is required for the live site:
From now on, when an authenticated user comes to the site, her user account is created in Kentico CMS database automatically and her domain groups are imported as roles into Kentico CMS database. It means that the users and roles are not imported on some regular basis, but they are imported when the user comes to Kentico CMS web site.
Securing a web site section using Windows authentication
It is also possible to secure only a certain section of your website using Windows authentication. In the following example, you will learn how to set the Products section of our sample Corporate site to be secured by the Windows authentication:
1. Locate your web project on the disk (typically c:\Inetpub\wwwroot\<web project>). Create a new directory in your web project's folder and give it the same name as the filename in the document's URL. In this case, the filename is Products.aspx, so we will create a folder named Products.
2. Open the IIS and locate the directory in the tree. Right click it and choose Properties.
3. Switch to the Directory security tab and click the Edit button placed in the Anonymous access and authentication control section.
4. Uncheck the Anonymous access check-box and click OK. Check the same setting for the root of the web and make sure that Anonymous access is allowed for it.
5. Open the web.config file of your web project and change value of the mode attribute of the authentication tag to Windows. Also find the section marked with Windows authentication BEGIN and change the path parameter of the location tag to the name of the created directory, which will be Products in our case:
6. The authentication is now configured. If you try to access any of the menu items placed under the Products section, Windows authentication will be required. However, if you also want the authentication to be required for the Products main page (which is obviously not located under itself, hence requires no authentication now), you will have to use the following workaround.
Create a new page under the Products section, give it the same content as the main page has got and redirect the Products link in the menu to this new page. Because the new page is located under the Products section, windows authentication will be required for it.
|