Question about Active Directory

Tom Troughton asked on March 13, 2015 18:54

Hi, I'm trying to fully understand how Kentico supports Active Directory. In particular I'm trying to understand the purpose of the AD Import Tool.

My assumption is that the import tool is designed to import user accounts for the purpose of setting them up as Kentico users. I presume (with mixed mode auth) that actual authentication must still use an LDAP connection to the domain controller?

Correct Answer

Virgil Carroll answered on March 14, 2015 16:41

The AD sync tool lets you bring in all or a subset of users and AD groups that you want to give access to your Kentico system (or site). Once you've done the initial import, you can use the tool to set up regular syncs to add new users or remove them.

To authenticate these AD users in Kentico, it integrates with Windows Authentication in IIS vs. you needing to store an LDAP connection somewhere (like in the Web.config), so an assumption is that your Kentico system is sitting in the same network as your domain controller.

Hope that helps clarify.

1 vote

Recent Answers


Brenden Kehren answered on March 14, 2015 16:49

There are a couple of scenarios for this process. Say an AD user is logging into the site; assume their username is not stored in the Kentico db at all. When they authenticate, it goes to AD, authenticates them, and creates a user in Kentico. If you choose to have the AD roles auto-imported, it will also create those roles if they don't exist and assign the user to them.

Now assume you have a user who already authenticated but used Forms, so their username was created manually in Kentico. Directly from Kentico documentation:

If an existing forms user has the same user name as a domain user that is logging in, the system signs in the forms user. As a result, the system cannot create an account for the domain user. You can avoid this behavior by renaming the existing forms user.

The import tool allows a one-time dump of users from AD (unless you use the command line and automate it later) into Kentico. So when the user authenticates from AD, they will use this imported user. So, long story short: if mixed mode authentication is set up, AD is tried first, then Forms.

1 vote
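The two answers above describe the mixed-mode order (domain login tried first, then Forms), the on-first-login creation of a Kentico user with imported AD roles, and the documented collision where a Forms account with the same name as a domain account gets signed in instead. The following is an added example, not Kentico's or the AD Import Tool's code: an in-memory model of that decision flow plus a pre-flight check that lists colliding Forms usernames so they can be renamed before mixed mode is enabled. The credential stores, the sample accounts and the username normalisation rule (case-insensitive, `DOMAIN\` or `@domain` qualifier stripped) are all constructed assumptions for this example, not documented Kentico behaviour.

```python
"""Model of Kentico-style mixed-mode (AD first, then Forms) sign-in.

Added example, not Kentico code. Username normalisation and the in-memory
credential stores are assumptions made for illustration.
"""
import hmac
from dataclasses import dataclass, field


@dataclass
class KenticoUser:
    user_name: str
    is_domain: bool                   # True when created by AD import or Windows auth
    roles: set = field(default_factory=set)


def normalize(name: str) -> str:
    """Reduce 'DOMAIN\\user', 'user@domain' or 'User' to a comparison key.
    Case-insensitive matching with the qualifier stripped is an assumption
    of this example, not a documented Kentico rule."""
    name = name.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def _check(creds: dict, key: str, password: str) -> bool:
    """Constant-time comparison against a plaintext store (stand-in for a real
    hash verification or a Kerberos/NTLM handshake handled by IIS)."""
    return key in creds and hmac.compare_digest(creds[key], password)


class MixedModeDirectory:
    """In-memory stand-in for the Kentico user table plus both credential sources."""

    def __init__(self, users, domain_creds, forms_creds, ad_group_members, import_roles=True):
        self.users = {normalize(u.user_name): u for u in users}
        self.domain_creds = {normalize(k): v for k, v in domain_creds.items()}
        self.forms_creds = {normalize(k): v for k, v in forms_creds.items()}
        self.ad_group_members = ad_group_members   # normalised key -> set of AD group names
        self.import_roles = import_roles

    def find_collisions(self):
        """Forms-created accounts whose name matches a domain account.
        Run before enabling mixed mode; renaming the Forms user clears the collision."""
        return sorted(u.user_name for key, u in self.users.items()
                      if not u.is_domain and key in self.domain_creds)

    def login(self, user_name: str, password: str):
        """Return (outcome, user). Domain authentication is attempted first."""
        key = normalize(user_name)
        if _check(self.domain_creds, key, password):
            existing = self.users.get(key)
            if existing is None:
                # First domain login: create the Kentico user, optionally with AD roles.
                user = KenticoUser(user_name, is_domain=True)
                if self.import_roles:
                    user.roles = set(self.ad_group_members.get(key, ()))
                self.users[key] = user
                return "ad_created", user
            if existing.is_domain:
                return "ad_existing", existing
            # Same name as a Forms user: the Forms account is signed in instead
            # and no domain account is created (the documented collision).
            return "ad_forms_collision", existing
        # Fall back to Forms authentication for Forms-created accounts only.
        existing = self.users.get(key)
        if existing is not None and not existing.is_domain and _check(self.forms_creds, key, password):
            return "forms", existing
        return "denied", None


def build_sample() -> MixedModeDirectory:
    """Constructed sample data; none of these accounts or passwords are real."""
    users = [
        KenticoUser("jsmith", is_domain=False),                   # Forms user colliding with AD jsmith
        KenticoUser("CORP\\mlee", is_domain=True, roles={"Editors"}),
        KenticoUser("contractor", is_domain=False),
    ]
    domain_creds = {"CORP\\jsmith": "ad-pw-1", "CORP\\mlee": "ad-pw-2", "CORP\\adoe": "ad-pw-3"}
    forms_creds = {"jsmith": "forms-pw-1", "contractor": "forms-pw-2"}
    ad_groups = {"adoe": {"Authors"}, "mlee": {"Editors"}}
    return MixedModeDirectory(users, domain_creds, forms_creds, ad_groups)


if __name__ == "__main__":
    d = build_sample()
    print("colliding Forms users:", d.find_collisions())
    for name, pw in [("CORP\\adoe", "ad-pw-3"), ("jsmith", "ad-pw-1"), ("contractor", "forms-pw-2")]:
        outcome, user = d.login(name, pw)
        print(f"{name}: {outcome}", sorted(user.roles) if user else "")
```

The `find_collisions` check is the part worth running against a real user export before switching on mixed mode: every name it returns is an account where a domain user will silently land in a Forms identity instead of getting their own AD-backed account.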

Tom Troughton answered on March 16, 2015 10:26

Thanks both. Virgil's answer was closest to what I was looking for but excellent insight also from Brenden as always.

0 votes
