Contents

Part 1: Overview

What is the Active Directory Provider?

Who should read this document?

Prerequisites

Part 2: Installation

Installing the Active Directory Provider

Part 3: Configuration

Setting Up the Active Directory Provider in DotNetNuke

IIS Settings 6.x and below

IIS Settings IIS 7.x Classic Pipeline Mode Setup

IIS Settings IIS 7.x Integrated Pipeline Mode Setup

Part 4: Additional Information And Gotchas

Part 1: Overview

What is the Active Directory Provider?

The Active Directory Provider is a DotNetNuke login control that communicates with a company’s Active Directory to allow company employees to login to a DotNetNuke intranet installation using their Windows login credentials.

Who should read this document?

This document is targeted towards DotNetNuke administrators who are interested in installing and using AD Provider on their company’s DotNetNuke intranet/extranet web site.

Prerequisites

To fully benefit from this document, you should have an understanding of the DotNetNuke portal product (http://www.dotnetnuke.com) including DNN security concepts and have basic knowledge of topics such as installing and configuring DNN modules and Administrative functions such as the File Manager, User Accounts and Security Roles.

Part 2: Installation

Installing the Active Directory Provider

  1. Log into your portal using an account with Host credentials.
  2. Select Extensions from the Host menu items.
  3. Select Install Extension Wizard.
  4. Browse to the location on your computer where you saved the AD Provider .zip file and click “Next”.
  5. Read the accompanying license and check “Accept License” if you agree with it.
  6. Click “Next”. This will start the DotNetNuke Package Assembly Installer process.

The DotNetNuke Package Assembly Installer will display a list of messages to indicate success or any failures as it uploads and installs the provider. If you encounter any errors during the installation process please check the Active Directory Provider forum on the DNN site. It’s possible that the error is already known to exist and remedies for the error will be listed. If the error does not exist then please post the error on the forum and someone will reply to you as soon as possible.

Part 3: Configuration

Setting Up the Active Directory Provider in DotNetNuke

  1. Log into your portal using an account with Admin credentials.
  2. Select Extensions from the Admin menu items, expand the Authentication Systems section, and click the pencil beside DNN_ActiveDirectoryAuthentication.
  3. Fill out the pertinent domain information


  • Enabled – Enables the provider on the portal when checked.
  • Hide Login Controls – Will hide the Windows Login tab from the Login screen. This can be useful if you find your users are confused as to which option they should choose or if you’ve provided a direct link to <DNN_INSTALL>/DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx elsewhere on your site for Intranet users.
  • Synchronize Role – Synchronizes a user’s DotNetNuke Security Roles with their Active Directory roles when they login.
  • Do Not Automatically Create Users – Active Directory users will not be able to log into the portal until their accounts have been manually created.
  • Provider – Currently only ADSIAuthenticationProvider is available for Active Directory.
  • Authentication Type - Default is delegation and works for most setups.
  • Root Domain - Enter your domain in either of the two formats: dc=domain, dc=com or LDAP://domain.com.
  • User Name - Enter a user that has read access to the Active Directory. NOTE: The user does not have to have administrative rights on the domain.
  • Password and Confirm Password - Enter the password for the user you entered under User Name.
  • Default Domain – Enter the default domain that the users will belong to. This way they can log in with just their username rather than having to use DOMAIN\Username when manually logging in.
  • Email Domain - Enter the email domain to be used for users that do not have email addresses listed in the Active Directory.
  • Auto-login IP Address – If left blank then the provider will try to log in all visitors to the site. However, if you know the range of IP addresses or specific IP addresses that you want to be automatically logged in, you can enter them here. Multiple IP addresses, ranges, etc. can be used as long as they are separated by a semi-colon (;). An example string would be “192.168.1.100 – 192.168.1.200; 192.168.1.1;”
    1. 192.168.1.100 – 192.168.1.200 – Any IP addresses including and between 192.168.1.100 and 192.168.1.200 will be automatically logged in.
    2. 192.168.1.1 – Only the computer with that IP address will be automatically logged in.
  • Click on the Update Setting link.
  • The results of your settings will appear above the Enabled checkbox


    1. If you get an error you may have to use impersonation in your web.config
      1. Find the commented out section in your web.config that starts <identity impersonate="true"/> and uncomment that line only.
      2. Change the line so that it reads <identity impersonate="true" userName="domain\user" password="password" />. Note that this stores the account's password in clear text in web.config.
  • Give the user account you use for impersonation the same permissions to your DNN install that the NETWORK SERVICE or ASPNET account has.
  • The user account may also need the same permissions that the NETWORK SERVICE or ASPNET account has on the website directory in the Temporary ASP.NET Files (usually found under the <SystemDrive>:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files directory).
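
The matching rules described for the Auto-login IP Address setting above, as an added PowerShell example (not the provider's own code; the function names are hypothetical). It lets you check which client addresses a candidate setting string would cover before saving it, including the blank case that matches every visitor.

```powershell
# Added illustration of the documented Auto-login IP Address semantics.
# This is NOT the provider's own parser; function names are hypothetical.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $text = $Address.Trim()
    if ($text -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { throw "Not a dotted IPv4 address: '$Address'" }
    [long]$number = 0
    foreach ($octet in $text.Split('.')) {
        if ([int]$octet -gt 255) { throw "Octet out of range in '$Address'" }
        $number = $number * 256 + [int]$octet
    }
    return $number
}

function Test-AutoLoginAddress {
    param([string]$Setting, [string]$ClientAddress)

    # Blank setting: the page says the provider then tries to log in all visitors.
    if ([string]::IsNullOrWhiteSpace($Setting)) { return $true }

    $client = ConvertTo-IPv4Number $ClientAddress
    foreach ($entry in $Setting.Split(';')) {
        if ($entry.Trim() -eq '') { continue }          # tolerate the trailing ';'
        # A range uses a hyphen or the en dash (U+2013) printed in the documentation.
        $parts = @($entry -split '[-\u2013]')
        if ($parts.Count -gt 2) { throw "Malformed entry: '$entry'" }
        $first = ConvertTo-IPv4Number $parts[0]
        $last  = if ($parts.Count -eq 2) { ConvertTo-IPv4Number $parts[1] } else { $first }
        if ($first -gt $last) { throw "Range start is above range end: '$entry'" }
        if ($client -ge $first -and $client -le $last) { return $true }
    }
    return $false
}

# Constructed sample run, using the page's example string typed with plain hyphens.
$setting = '192.168.1.100 - 192.168.1.200; 192.168.1.1;'
foreach ($ip in '192.168.1.100', '192.168.1.200', '192.168.1.201', '192.168.1.1', '10.0.0.5') {
    '{0,-15} auto-login: {1}' -f $ip, (Test-AutoLoginAddress $setting $ip)
}
Test-AutoLoginAddress '' '203.0.113.9'    # blank setting matches every visitor
```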

IIS Settings 6.x and below

  1. Open up the Internet Information Services Manager on your webserver.
  2. Find your DNN install and browse to DesktopModules\AuthenticationServices\ActiveDirectory.
  3. Right-click on WindowsSignin.aspx and view the properties
  4. Click the File Security tab.
  5. Click on the Edit button.
  6. Make sure all checkboxes are unchecked except for “Integrated Windows Authentication”.
  7. Click “OK” until you are out of the properties window
  8. Close IIS Manager

IIS Settings IIS 7.x Classic Pipeline Mode Setup

This can be done either when setting up the site or by clicking on Basic Settings after the site has been created.


The other consideration is turning on Windows Authentication for the WindowsSignin.aspx file. The changes in IIS7 make this a little bit difficult to find and achieve.

These steps will get you there:

  1. Switch the IIS Console to Content View and browse to DesktopModules/AuthenticationServices/ActiveDirectory.
  2. Right-Click on WindowsSignin.aspx and select “Switch to Features View”.


  3. You should end up back in the Features View, but scoped to the WindowsSignin.aspx file specifically.


  4. Double click on Authentication and Disable Anonymous and Enable Windows Authentication.


  5. If Windows Authentication is not one of your choices then you need to enable it through Control Panel->Programs and Features->Turn Windows Features On or Off and select Windows Authentication under Internet Information Services->World Wide Web Services->Security.


IIS Settings IIS 7.x Integrated Pipeline Mode Setup

  1. Setting up the provider to run under the Integrated pipeline is the same as the Classic mode above but also requires two additional commands to be run from a command prompt on the server. Open a command prompt using “Run as administrator” and type the following:
    • %windir%\system32\inetsrv\appcmd unlock config /section:anonymousAuthentication
    • %windir%\system32\inetsrv\appcmd unlock config /section:windowsAuthentication

More information on why these commands are needed can be found here.
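
One way to confirm the result of the IIS 7.x steps above, as an added example that is not part of the provider: it reads the effective authentication settings for WindowsSignin.aspx. It assumes the WebAdministration module is available and that the site name (`Default Web Site` here, a placeholder) is replaced with your own.

```powershell
# Added check, not part of the provider. Assumes the WebAdministration module is
# installed and that $SiteName (placeholder default) is your DNN site in IIS.
Import-Module WebAdministration

function Get-WindowsSigninAuth {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$PagePath = 'DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx'
    )
    $section    = 'system.webServer/security/authentication'
    # Full configuration path, so the value returned is the effective one for the
    # page whether it is stored in applicationHost.config or in a web.config.
    $configPath = "MACHINE/WEBROOT/APPHOST/$SiteName/$PagePath"

    $state = @{}
    foreach ($scheme in 'anonymousAuthentication', 'windowsAuthentication') {
        $state[$scheme] = [bool](Get-WebConfigurationProperty -PSPath $configPath `
            -Filter "$section/$scheme" -Name enabled).Value
    }

    New-Object PSObject -Property @{
        Page      = $PagePath
        Anonymous = $state['anonymousAuthentication']
        Windows   = $state['windowsAuthentication']
        # The page must reject anonymous requests and accept Windows authentication.
        Correct   = (-not $state['anonymousAuthentication']) -and $state['windowsAuthentication']
    }
}

Get-WindowsSigninAuth | Format-List
```

If DNN runs as an application below the site root, include the application name in `-SiteName` (for example `Default Web Site/dnn`, a constructed name).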

Part 4: Additional Information And Gotchas

  1. When running Server 2008 it appears that the user account you use for impersonation also needs to be an administrator on the server. Some have found that disabling UAC on the server negates this requirement but your mileage may vary. This requirement doesn’t appear in Server 2008 R2.
  2. Some additional links from the forum: Server 2008/IIS 7 Issues, Using DNN with Windows Server 2008 R2 w/AD Authentication. And from the DotNetNuke Wiki: Setting up mixed authentication

Last edited Apr 10, 2012 at 4:25 AM by mikeh36, version 13

Comments

ufoloko Aug 21, 2014 at 12:46 PM 
It is possible to enable AD just for administrators and keep the site public for internet visitors ???

Please help

arashdeljoo Mar 15, 2014 at 1:58 PM 
hi

I have installed active directory provider in dnn 6.

it works well when i run my project in visual studio as local host and logs in the current user of the domain to the dnn.

but when i open my portal as an iis location, it returns nothing.

please help me to resolve this problem.

Tanx

jtorresleon Feb 12, 2014 at 1:58 PM 
I installed cleanly 7.0.5 with the AD Auth 5.0.6 and then upgraded to 7.2.1 and worked sweetly!

Windows Server 2012
SQL Server Express 2012
IIS 7.5

I DID this:
%windir%\system32\inetsrv\appcmd unlock config /section:anonymousAuthentication
%windir%\system32\inetsrv\appcmd unlock config /section:windowsAuthentication

jtorresleon Feb 12, 2014 at 1:57 PM 
I installed cleanly 7.0.5 with the AD Auth 5.0.6 and then upgraded to 7.2.1 and worked sweetly!

mohitkukreja13 Sep 13, 2012 at 11:53 PM 
Specify username as defaultdomain\username

vagrawal Sep 4, 2012 at 10:36 AM 
Hi,

I am getting following error while integrating Auth AD with DNN ->

Accessing Global Catalog:
OK
Checking Root Domain:
FAIL
Accessing LDAP:
OK
Find all domains in network:
Could not access LDAP to obtain domains info

Can anyone help me in resolving the same...

Thanks.

teosinh Aug 5, 2012 at 4:10 AM 
I had the same problem with "henritayim "...
I connect to my domain controller by Administrator of Domain and have full control on forest...
I don't understand ???? Please help me fix it ....
Many thanks !!!

klob1100 Jul 11, 2012 at 11:56 PM 
Hi I have successfully run the module following this documentation. such a great article. Just want to know further since I am interested in learning more about Active Directory. Just want to know why there is a need to add a user account that has read access to Active Directory? Or you can email me at prondypurpose@gmail.com if information you are to expose is somewhat confidential. Again, I appreciate the information provided so much more on the detailed info. thank you very much. :)

mikeh36 Jun 25, 2012 at 7:25 PM 
Please post any questions/problems in the authentication forums on http://www.dotnetnuke.com. I don't get notifications for comments here and I don't regularly check.

Pranav001 May 25, 2012 at 9:17 AM 
I am getting the same error message as henritayim. please help.

henritayim May 7, 2012 at 4:38 PM 
Hi once more
I finally succeeded the installation process but after validation I got this message:
Error while processing Windows Authentication
Check your IIS settings. DesktopModules/AuthenticationServices/ActiveDirectory/WindowsSignin.aspx should NOT allow anonymous access.

thanks for help again

henritayim May 3, 2012 at 6:59 PM 
I have followed these instructions but not success
this is the error message I have
Error: is currently unavailable. DotNetNuke.Services.Exceptions.ModuleLoadException: Object reference not set to an instance of an object. ---> System.NullReferenceException: Object reference not set to an instance of an object. at DotNetNuke.Authentication.ActiveDirectory.ADSI.Utilities.AddADSIPath(String Path, Path ADSIPath) at DotNetNuke.Authentication.ActiveDirectory.ADSI.Utilities.GetRootEntry(Path ADSIPath) at DotNetNuke.Authentication.ActiveDirectory.ADSI.ADSIProvider.GetNetworkStatus() at DotNetNuke.Authentication.ActiveDirectory.Settings.UpdateSettings() --- End of inner exception stack trace ---
thanks
henritayim@yahoo.fr