does active directory on a .net core kentico site register as the same ad user in the CMS for authen

lawrence whittemore asked on October 21, 2021 16:16

I have my admin and .net core site both set to use AD and am able to see the user name show on the front end. I am trying to use page level permissions and turned it on in the admin and set it to all pages, now I cannot see anything on the front end. Also I get sent to an error page /Account/AccessDenied?ReturnUrl=%2F that I do not see what is even telling the site to go to that page.

So my questions are: does the front end know that my AD user is the same one I have set in the admin? If not, how do I tie them together so the active user pulls the right permissions?

Also, I have an error controller set up and it works with the 404 error, but for the 403 error it doesn't go to the page I set; it goes to /Account/AccessDenied?ReturnUrl=%2F. Where is that set?

Recent Answers


Juraj Ondrus answered on October 22, 2021 07:12

If you set the security check to all pages then Kentico expects all pages to have some ACLs set. If a permission is not set, it is the same as a deny permission. "Better safe than sorry."


lawrence whittemore answered on October 22, 2021 16:07

Our AD users all have a common role, so I used that role and set permissions to allow access to read, but it still shows up as no permissions. It does this with my AD user that has both the role I gave the permission to, as well as being a global admin.

Does the .net core site know that the user logged in is the same user that permissions are set up for in the admin? It doesn't appear to be connected by default. If an AD user visits the .net core site they are not automatically added to the users the way they are added when they visit the admin of the site.


Juraj Ondrus answered on October 25, 2021 07:14

I thought you were using the same authentication for both the front end and the back end - I mean that the user also exists in the Kentico admin app/database.
From your description it is not clear what the actual setup is, what ACLs are set and how you are checking them in the front end app code. Please provide a full and detailed description.


lawrence whittemore answered on October 25, 2021 17:26

I am using the same authentication for the front end and the back end. They both use Windows authentication (just AD, no mixed mode or anything). The back end works as it did in older versions of Kentico: when a new user hits the back end they are added to the user list.

I am not doing anything to check in the front end, I assume this is where I have gone wrong. I do have the site settings to Check permissions for all pages. In doing this the front end doesn't show for anyone, even global admins.


lawrence whittemore answered on October 25, 2021 21:51

The best way to describe it is, I am authenticating the AD user on the front end, but it is not connecting to the same AD users that sign into the back end. I don't even seem to be hitting any of the page controllers I have created; the site just jumps to the no access page.


lawrence whittemore answered on October 25, 2021 21:53

Also, if this helps at all, when viewing page content in the admin it all shows.


lawrence whittemore answered on October 26, 2021 22:30

In the documentation for K12 there is this:

"For sites built using the MVC development model, the Windows authentication approach described on this page is not compatible with the Kentico membership functionality based on ASP.NET Identity (as described in Integrating Kentico membership). In MVC-based projects, Windows authentication can only be configured for the Kentico administration application."

What purpose does having a different authentication in the admin than the live site serve? If I am assigning AD users and roles to the page level security, but it doesn't do anything on the live site, what is the point?


Juraj Ondrus answered on October 27, 2021 06:38

The quote from the documentation means that you cannot use the same configuration on the MVC app. In this case, for the MVC app it is considered a custom authentication. Now it is clearer to me what is going on. You have two apps - both are using the same "identity provider". But the thing is that the applications act separately and independently of each other. The MVC app is checking the user in the AD and not in Kentico. And you have the ACLs and permissions set in Kentico's DB. So, the MVC app has no idea about the permissions, since they are obviously not in the AD.
So, you will need to configure your MVC app, e.g., to authenticate against Kentico and get the users from Kentico to apply the ACLs set in Kentico. Or, use some fully custom code where it will be hardcoded who has access where.

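Added example, not part of the thread and not Kentico's own code: one way to give the ASP.NET Core site the CMS-side roles of a Windows-authenticated user, in the spirit of the last answer, is an `IClaimsTransformation`. `ICmsRoleLookup`, `InMemoryCmsRoleLookup`, the `CONTOSO\jdoe` account and the `IntranetReaders` role are hypothetical; a real lookup would query the Kentico user store.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical abstraction over the CMS user/role store (not a Kentico API).
public interface ICmsRoleLookup
{
    // Returns null when the AD account has no matching CMS user.
    IReadOnlyCollection<string> FindRoles(string userName);
}

// Constructed sample data standing in for the CMS database.
public sealed class InMemoryCmsRoleLookup : ICmsRoleLookup
{
    private readonly Dictionary<string, string[]> _users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["CONTOSO\\jdoe"] = new[] { "IntranetReaders" },
        };

    public IReadOnlyCollection<string> FindRoles(string userName) =>
        userName != null && _users.TryGetValue(userName, out var roles) ? roles : null;
}

// Register in ConfigureServices:
//   services.AddSingleton<ICmsRoleLookup, InMemoryCmsRoleLookup>();
//   services.AddTransient<IClaimsTransformation, CmsRoleClaimsTransformation>();
public sealed class CmsRoleClaimsTransformation : IClaimsTransformation
{
    private const string Marker = "cms:mapped"; // hypothetical claim type
    private readonly ICmsRoleLookup _lookup;

    public CmsRoleClaimsTransformation(ICmsRoleLookup lookup) => _lookup = lookup;

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The transformation can run several times per request; map only once.
        if (principal.Identity?.IsAuthenticated != true || principal.HasClaim(c => c.Type == Marker))
            return Task.FromResult(principal);

        var roles = _lookup.FindRoles(principal.Identity.Name);
        var cms = new ClaimsIdentity(); // extra identity that carries only CMS-side claims
        cms.AddClaim(new Claim(Marker, roles != null ? "true" : "false"));
        // An unmapped AD user gets no role claims, so role checks deny by default.
        foreach (var role in roles ?? Array.Empty<string>())
            cms.AddClaim(new Claim(ClaimTypes.Role, role));
        principal.AddIdentity(cms);
        return Task.FromResult(principal);
    }
}
```

With this registered, `[Authorize(Roles = "IntranetReaders")]` on a controller admits only AD users that also exist in the CMS-side store with that role.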
