Member
edwincwong-gmail - 3/23/2013 10:14:17 PM
   
Using AD authentication for editors
Hi,

Is there an easy way to add users as editors who are authenticated by AD but keeping the site for anonymous visit?

I am using the latest version 7.

Thank you so much!

Regards,

Edwin

Kentico Support
kentico_jurajo - 3/24/2013 12:20:20 PM
   
RE:Using AD authentication for editors
Hi,

In this case you need to use the mixed mode authentication to allow users to use forms and Windows authentication at the same time.

Best regards,
Juraj Ondrus

Member
edwincwong-gmail - 3/24/2013 6:47:28 PM
   
RE:Using AD authentication for editors
I see. Let me try it. BTW, I don't need to change it to windows authentication, correct? (<authentication mode="Windows"> in web.config )

Member
egarrison-wte - 3/24/2013 7:52:06 PM
   
RE:Using AD authentication for editors
You don't want to do that. Just do the steps in his link. If you change to that mode in Web.config, it will give you a Pop Up to authenticate, then require you to authenticate a second time.

Kentico Support
kentico_jurajo - 3/24/2013 11:08:47 PM
   
RE:Using AD authentication for editors
Hi,

Just follow the steps in the documentation (or, you can find on the Internet general steps on how to configure mixed mode authentication).

If you change the method to Windows - this means Windows authentication is turned on - so only AD users will be able to log on.

Best regards,
Juraj Ondrus

Member
edwincwong-gmail - 3/26/2013 12:15:15 AM
   
RE:Using AD authentication for editors
I followed the instructions and modified the web.config file. Once I entered my AD username and password, I got the following error. Any idea? (I tried to use the old "Administrator" username and I got the same error.)

Thanks again!

Regards,
Edwin
Server Error in '/' Application.
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Logon failure: unknown user name or bad password.


Source Error:

Line 59: <clear/>
Line 60: <add name="CMSProvider" type="CMS.MembershipProvider.CMSMembershipProvider" connectionStringName="CMSConnectionString" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed"/>
Line 61: <add name="CMSADProvider" type="CMS.MembershipProvider.CMSADMembershipProvider" connectionStringName="CMSADConnectionString" connectionUsername="username" connectionPassword="password" />
Line 62: </providers>
Line 63: </membership>


Source File: e:\Kentico7\web.config Line: 61

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

Kentico Support
kentico_jurajo - 3/26/2013 10:34:01 AM
   
RE:Using AD authentication for editors
Hi,

The user name and password must be the account in the AD that has appropriate permissions to access the AD information. Could you please confirm that?

What format of user name are you using?

Best regards,
Juraj Ondrus

Member
edwincwong-gmail - 3/26/2013 11:30:24 AM
   
RE:Using AD authentication for editors
Right. I confirmed that the AD username and password are both correct and valid in AD. However, I got the same error with or without "domain\".

My questions are -

1. If I can log in to the network using the same AD username / password, does it mean it has appropriate permissions to access the AD info? (as stated in your question)
2. Do I need special permission on the Kentico system service account in order for it to query LDAP?
3. Do I need special settings on AD side in order to support LDAP queries?
4. Without a custom build, can it be configured so that the login process behaves the same as the form login, meaning that it just shows a "fail to login" message on the login form instead of giving me this system error page?

I understand there are lots of questions here, but I believe this exercise will benefit people who want to implement the same features.

Thanks again!

Regards,

Edwin

Kentico Support
kentico_jurajo - 3/26/2013 12:32:48 PM
   
RE:Using AD authentication for editors
Hi,

I am using this format of the AD connection string user name and it is working fine: domain\username

1. You need to ask your network administrator whether the user in AD has the permissions or not.
2. No, Kentico is using the AD connection string with the user name and password you are specifying in it.
3. The user account has to have rights to read the AD information about all the users.
4. I am not following this one - the failed login is displayed by default. You are getting the exception due to the fact that the application is not able to connect to AD.

Best regards,
Juraj Ondrus
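
A way to check the AD path and bind account independently of Kentico, added here as an example that is not part of the original thread or Kentico's own code: it binds with System.DirectoryServices using the same LDAP path and account that the CMSADProvider entry uses, and reports whether the bind and a single user lookup succeed. The function name Test-AdBind and the sample LDAP path are assumptions; a failed bind should report the same "Logon failure" text seen in the configuration error above.

```powershell
# Added example (not from the thread): check an LDAP path and bind account
# outside the web application before putting them into web.config.
function Test-AdBind {
    param(
        # The LDAP path used for CMSADConnectionString (operator-supplied).
        [Parameter(Mandatory)] [string] $LdapPath,
        # The account used for connectionUsername / connectionPassword.
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $user  = $Credential.UserName
    $pass  = $Credential.GetNetworkCredential().Password
    $entry = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $user, $pass)

    try {
        # Reading NativeObject forces the bind; bad credentials throw here.
        $null = $entry.psbase.NativeObject

        # A bind alone does not prove read access, so look up one user object.
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter    = '(&(objectCategory=person)(objectClass=user))'
        $searcher.SizeLimit = 1
        $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
        $hit  = $searcher.FindOne()

        [pscustomobject]@{
            Bound        = $true
            CanReadUsers = [bool]$hit
            Error        = $null
        }
    }
    catch {
        [pscustomobject]@{
            Bound        = $false
            CanReadUsers = $false
            Error        = $_.Exception.GetBaseException().Message
        }
    }
    finally {
        $entry.psbase.Dispose()
    }
}

# Constructed sample call; Get-Credential prompts, so the password never
# appears on the command line or in shell history. Try domain\username first.
# Test-AdBind -LdapPath 'LDAP://dc01.example.local' -Credential (Get-Credential)
```

The lookup only confirms that one user entry is readable; whether the account can read all users is still a question for the directory administrator.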

Member
edwincwong-gmail - 3/26/2013 2:25:58 PM
   
RE:Using AD authentication for editors
Good information! Thank you!

I will check with the network admin on the permissions.

For #3, are you referring to the Kentico "service user account" (defined in the IIS App Pools) or the user account that I am trying to login with? It sounds to me like the service account needs to be able to read the AD info for all users.

It makes sense for #4, that means I saw the exception error only because either the connection string is not working or the service account has no permission to read AD.

Thanks a lot! I will post update after I confirm with network team.

Regards,

Edwin

Kentico Support
kentico_jurajo - 3/26/2013 4:03:07 PM
   
RE:Using AD authentication for editors
Hi,

#3 - Kentico is using the user name and password provided for the AD connection string in the web.config - which is not working for you right now. That's why it is necessary to specify it there.
The application pool identity has nothing to do with this.

Best regards,
Juraj Ondrus

Member
edwincwong-gmail - 3/27/2013 2:25:39 AM
   
RE:Using AD authentication for editors
Success! I figured out the correct connection string and the correct username / password on the "CMSADProvider" and "CMSADRoleProvider"!

Thank you so much for the help! You Rock!

Regards,

Edwin