Forums (Obsolete)

Member

scott_hancock-urmc.rochester - 2/7/2011 3:11:18 PM

More Detail About Windows Authentication

I'm a little confused about how Windows authentication works. We have public website so only users using the CMSDesk or Site Manager will log in.

As I understand it, when a user tries to log in, the system checks to see if they are authenticated to the domain and if they are, then a user is created for them in Kentico.

Now, what group is that user added to automatically? I'm assuming they won't be given access to the CMSDesk or Site Manager so even though an account is created they will be denied access (which is a good thing.)

Is there any way to control this behavior? It may become a problem if a lot of people on the domain try to log in and end up creating a bunch of accounts.

The users that are created are marked as domain accounts so they are only authenticated against the domain correct?

Any other details you can add would be appreciated the Dev Manual is brief on the subject.

Thanks,
Scott

Kentico Developer

kentico_ivanat - 2/9/2011 5:43:18 AM

RE:More Detail About Windows Authentication

Hi,

As I understand it, when a user tries to log in, the system checks to see if they are authenticated to the domain and if they are, then a user is created for them in Kentico.

It is correct. To the user is automatically added flag UserIsExternal, so the system knows that the user is authenticated to the domain.
Now if the user's account exists in the CMS as well, the administrator can give him additional permissions (IsEditor, etc....)

Is there any way to control this behavior? It may become a problem if a lot of people on the domain try to log in and end up creating a bunch of accounts.

You can create user's accounts in advance using ID Import tool.

The users that are created are marked as domain accounts so they are only authenticated against the domain correct?

It is correct.

Best regards,
Ivana Tomanickova


Member	scott_hancock-urmc.rochester - 3/6/2012 9:42:27 AM RE:More Detail About Windows Authentication Is there any way to prevent the domain users from being created automatically? I only want to create them manually or with the AD Import tool. I don't want any extra users created automatically.


Kentico Developer	kentico_ivanat - 3/12/2012 8:56:47 AM RE:More Detail About Windows Authentication Hi, unfortunately, there is not any global setting for this, but there is a property ImportExternalUsers in the UserInfoProvider class, in case this property is set to false, the users will not be created automatically. Best regards, Ivana Tomanickova


Member	scott_hancock-urmc.rochester - 3/12/2012 9:48:25 AM RE:More Detail About Windows Authentication I searched the site's code for a reference to ImportExternalUsers but I didn't find it. Where in the code should I use "ImportExternalUsers = false"? It's strange that they would have this method but not a setting for it considering they have CMSImportWindowsGroups setting in the web.config.

Kentico Developer

kentico_ivanat - 3/22/2012 9:19:22 AM

RE:More Detail About Windows Authentication

Hi,

you will need to change a default log-in web part. How to do this is described here:
Modifying code of standard web parts

Unfortunately, there is not any setting similar to CMSImportWindowsGroups in a default installation for users. I created a requirement to add it to one of next versions.

Best regards,
Ivana Tomanickova

Member

@davey_lad - 12/7/2012 7:51:31 AM

RE:More Detail About Windows Authentication

Hi, just bumping an old post. I stumbled across this and it kind of relates to a question I have.

Is there anyway to configure how new users are auto created when using Windows Authentication. By that I mean, the mapping of their Full Name, First name & Surname etc to the relevant fields in Kentico.

Doing this with the AD Import utility is a breeze as it gives you the options to map the fields. However, when relying on new users to be automatically created when they land on the site it sets their Full name to the same as their username and doesn't set the First or Surname at all.

Can these field mappings be defined anywhere ?


Kentico Support	kentico_jurajo - 12/12/2012 1:50:15 AM RE:More Detail About Windows Authentication answered in this thread.