 Active directory group permissions

Samuel

  • Total Posts : 11041
  • Reward points : 101590
  • Joined: May 23 '01
  • Status: offline
Re:Active directory group permissions Tue. Jul 28, '09 12:11 PM (permalink)
0
The procedure is as follows:
  1. Set the key EnableMembershipIntegration to true in web.config.
  2. Enter your AD information into the web.config, using the 2 links I provided you as a guide. Pay attention to the attribute: attributeMapUsername="SAMAccountName"

That's it. There is no additional step, and you can test it by going to the login page and entering your username and password.

Once the forum is loaded, you should see a default forum created for you. Now, log in with the admin account you created when you set up the forum, and you should be able to access the forum admin CP (additional menu item will appear at the top).

You can then resume step 4 under "Full installation for Version 3" in the readme.htm file bundled with the software.

ASPPlayground.net Developer
 
#16
Guest
Re:Active directory group permissions Tue. Jul 28, '09 1:56 PM (permalink)
0
Is there a way for the application to check if the Windows user is in a particular AD group and authenticate that way, bypassing the login screen altogether?

I was reading through other posts here and saw mention of some kind of plugin, but those posts were several years old.

    -Thanks
 
#17
Samuel

Re:Active directory group permissions Tue. Jul 28, '09 2:18 PM (permalink)
0
Yes, but you will need to perform authentication at the server level (you gotta log in at some point to be recognized, right?). I mentioned it in post #14 in this thread.

To do this,
  1. disable anonymous access, and
  2. enable Windows Authentication for the Forum application at the IIS level (inside directory security tab for the forum application).
Then, you will use the permission settings in Windows Explorer to set the users / groups allowed to access the forum's folder.

When configured correctly, your users will be prompted for username/password (a browser popup will show if not already logged in at the server level) without having to go through our forum's login page.
ASPPlayground.net Developer
 
#18
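The steps above restrict access with NTFS permissions on the forum's folder. As an added example (not from the original posts and not ASPPlayground's own configuration), the same group restriction can also be expressed in web.config with ASP.NET URL authorization. The group name `EXAMPLE\Forum-Users` is a placeholder, and whether the forum software then maps the Windows identity to a forum account is not established by this thread.

```xml
<configuration>
  <system.web>
    <!-- IIS performs the Integrated Windows authentication handshake; this
         tells ASP.NET to take the request identity from it. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- Weak variant, shown for contrast: rejects anonymous requests only,
           so any account that can authenticate to the domain is admitted.
      <deny users="?" />
      -->

      <!-- Group-restricted variant. Rules are evaluated top to bottom and the
           first match wins, so the allow must come before the catch-all deny.
           EXAMPLE\Forum-Users is a placeholder group name. -->
      <allow roles="EXAMPLE\Forum-Users" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Keeping the NTFS permissions in place as well means static files that ASP.NET does not handle stay covered by the same group restriction.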
Guest
Re:Active directory group permissions Wed. Jul 29, '09 8:10 AM (permalink)
0
My installation...
I started by putting the aspnet code in my server's wwwroot folder.
I set the following in IIS
    Designated the website as an application
    Added to a pool that utilizes .NET 3.5
    Disabled anonymous access
    Checked Integrated Windows authentication
I set the following in the web.config (in their respective locations)
    <add key="DBName" value="Forums"/>
    <add key="DBOwnerPrefix" value="dbo."/>
    <add key="EnableMembershipIntegration" value="true"/>
    <add name="ForumSoftwareConnection" connectionString="Initial Catalog=Forums; data source=fcoddev2;User ID=mySqlUser;Password=mySqlPwd" />
    <add name="ADConnStr" connectionString="LDAP://myLDAPServername:389/ou=people,dc=test,dc=test2" />
    <deny users="?" />
 
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
        <providers>
            <add name="AspNetActiveDirectoryMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="ADConnStr"
                 enableSearchMethods="true"
                 attributeMapUsername="sAMAccountName" />
        </providers>
    </membership>
Our LDAP server utilizes anonymous access so no connectionUsername or connectionPassword credentials are passed.
I am logged into the company network and am a member of a group allowed to access this application (and this server's entire wwwroot).
I envision...
I expect at the default.aspx page to see Welcome domain\User ! but I only get Welcome ! I presume this means it did not recognize me. It did allow me to run the application though, so AD lets me this far.
The error message I get is not on the default.aspx but when I navigate to the login.aspx page. At this point I get "Unable to establish secure connection with the server" on my provider/connection line of the DLL.

Maybe this is a function of trying to utilize anonymous LDAP connection via web.config. (I know I can access LDAP because in another app I connect successfully using DirectoryEntry and passing "Nothing, Nothing, AuthenticationTypes.None" as credentials)
Here is where I am stuck...
When my users touch this forum on my server, I was thinking they would be allowed in and recognized for their network UserID.  So they would see Welcome domain\User ! and be allowed to start posting as User rather than Guest.

I can verify that cgi.Auth_User (Request.ServerVariables("Auth_User")) contains my user's login User name.
Can you give any input on whether the integration I envision is the way it should work or what you see I might need to do to fix my installation?
 
#19
Samuel

Re:Active directory group permissions Wed. Jul 29, '09 11:20 AM (permalink)
0
You are correct regarding your vision about how it would work. Perhaps this will help (Microsoft's answer)?

http://www.derkeiler.com/.../2006-06/msg00166.html

It has to do with the trust level of your forum app.
ASPPlayground.net Developer
 
#20
Guest
Re:Active directory group permissions Wed. Jul 29, '09 12:57 PM (permalink)
0
According to MSDN

Attempting to trust an assembly in 2.0 gives an error message (about cannot generate hash) if no strong name assigned.

I have tried using caspol and still no success. 

Specifically I am having trouble with ASPPGCustomControls.dll and ASPPGForumLogic.dll (where I think authentication occurs).

Can you tell me if these are strong named?
 
#21
Samuel

Re:Active directory group permissions Wed. Jul 29, '09 1:03 PM (permalink)
0
No, they aren't. It is not talking about trusting an assembly, but about making the forum Full trust, meaning you add <trust level="Full" /> inside web.config.
ASPPlayground.net Developer
 
#22
jsereda

  • Total Posts : 6
  • Reward points : 220
  • Joined: Aug 13 '09
  • Status: offline
Re:Active directory group permissions Thu. Aug 13, '09 1:46 PM (permalink)
0
Are there any example web.config sections that show how to get AD working with this forum software? I keep seeing links that post back to Microsoft blogs; I'd like for this to be dumbed down a little bit since I'm new with this stuff.
Is there any reason that the info on setting up AD with ASP Playground is not included in the setup help documentation?
 
#23
Samuel

Re:Active directory group permissions Thu. Aug 13, '09 2:36 PM (permalink)
0
Hi,

Thanks for your message.

What we do support in the software is the membership provider interface (an ASP.NET feature).

To enable support for a provider in the software, all you need is a switch in the web.config (the <add key="EnableMembershipIntegration" value="true" /> key) PLUS the necessary provider information, which you need to enter into the web.config file yourself; it is not forum software specific but rather specific to your provider of choice.

The reason we reference the Microsoft web site is that it is very comprehensive for the AD membership provider (again, this is not forum software specific). We could have copied and pasted the information in, but it is really outside the scope of the setup document for the software.
ASPPlayground.net Developer
 
#24
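For readers looking for the pieces in one place, here is an added example (assembled for this page, not ASPPlayground's shipped file and not posted by anyone in the thread) showing where the settings named in this thread sit in a standard ASP.NET web.config. The LDAP host, OU, account name and password are placeholders, and placing the key under `appSettings` is assumed from its `<add key=... />` form; the forum's real web.config contains other settings not shown.

```xml
<configuration>
  <appSettings>
    <!-- Switch named in this thread: makes the forum use the membership provider. -->
    <add key="EnableMembershipIntegration" value="true" />
  </appSettings>

  <connectionStrings>
    <!-- Placeholder host and container: use your own domain controller and OU. -->
    <add name="ADConnStr"
         connectionString="LDAP://dc01.example.test/OU=People,DC=example,DC=test" />
  </connectionStrings>

  <system.web>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- connectionProtection="Secure" (the default) makes the provider try
             SSL, then sign-and-seal; "None" would send the bind unprotected.
             connectionUsername / connectionPassword: placeholders for a
             dedicated account. Provider calls that modify a user object, such
             as UnlockUser, need write rights on that object; lookups need read.
             Version=2.0.0.0 is the System.Web assembly version on .NET 2.0 to 3.5. -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnStr"
             connectionProtection="Secure"
             connectionUsername="EXAMPLE\svc-forum-ldap"
             connectionPassword="REPLACE_ME"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
```

Because this file then holds a directory credential, keep its NTFS permissions tight; ASP.NET protected configuration (`aspnet_regiis -pe`) can encrypt the section at rest.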
jsereda

Re:Active directory group permissions Fri. Aug 14, '09 8:44 AM (permalink)
0
Maybe someone can help then.  My Machine ASP.Net account has full access as does the network service account.  They actually have full control for everything while I'm testing this out. 

[UnauthorizedAccessException: General access denied error
]
   System.DirectoryServices.Interop.IAds.SetInfo() +0
   System.DirectoryServices.DirectoryEntry.CommitChanges() +158
   System.Web.Security.ActiveDirectoryMembershipProvider.UnlockUser(String username) +590
   System.Web.Security.MembershipUser.UnlockUser() +85
   App_Templates_Classic_UC_Login.handleAuthentication(String loginUsername, String loginPassword) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:56
   App_Templates_Classic_UC_Login.Login1_Authenticate(Object sender, AuthenticateEventArgs e) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:34
   System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +108
   System.Web.UI.WebControls.Login.AttemptLogin() +115
   System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
   System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
   System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e) +118
   System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +135
   System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +175
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565
 
#25
Samuel

Re:Active directory group permissions Fri. Aug 14, '09 11:10 AM (permalink)
0
Hi,

Did you put the connectionUsername and connectionPassword attributes in the membership provider entry?
ASPPlayground.net Developer
 
#26
jsereda

Re:Active directory group permissions Fri. Aug 14, '09 11:53 AM (permalink)
0
Yes I do have that info in the membership provider. 

Here's a little bit more detail. 
I can access the site (anonymously, of course).
I click log in and am presented with the site's login page, where I type the username of a member in AD, and the password as well as the verification code.

This is the full error. 

Server Error in '/ASPPlayground' Application.
--------------------------------------------------------------------------------
General access denied error
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: General access denied error
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error:
Line 54:         If Authentication.EnableMemberhipIntegration Then
Line 55:             Dim mu As MembershipUser = Membership.GetUser(loginUsername)
Line 56:             If mu IsNot Nothing Then mu.UnlockUser()
Line 57:         End If
Line 58:
 
Source File: C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb    Line: 56
Stack Trace:
 
[UnauthorizedAccessException: General access denied error
]
   System.DirectoryServices.Interop.IAds.SetInfo() +0
   System.DirectoryServices.DirectoryEntry.CommitChanges() +158
   System.Web.Security.ActiveDirectoryMembershipProvider.UnlockUser(String username) +590
   System.Web.Security.MembershipUser.UnlockUser() +85
   App_Templates_Classic_UC_Login.handleAuthentication(String loginUsername, String loginPassword) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:56
   App_Templates_Classic_UC_Login.Login1_Authenticate(Object sender, AuthenticateEventArgs e) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:34
   System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +108
   System.Web.UI.WebControls.Login.AttemptLogin() +115
   System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
   System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
   System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e) +118
   System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +135
   System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +175
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565
 
#27
Samuel

Re:Active directory group permissions Fri. Aug 14, '09 12:30 PM (permalink)
0
It looks like it fails on the UnlockUser line... hmm..

Ok, 2 things to try:
  1. Put the IP address instead of the domain name or server name in your LDAP connection string. Is your SAM store on the same machine where you installed the forum software?
  2. If it doesn't help, please open the file in question and comment out line 56. See if it works.


ASPPlayground.net Developer
 
#28
jsereda

Re:Active directory group permissions Fri. Aug 14, '09 12:38 PM (permalink)
0
Neither worked. Commenting out line 56 caused another error, which I can post if you'd like.
I'm pretty sure that the AD connection is working, because if I type an invalid username (one that doesn't exist in AD) the software does tell me that there is no user of that name in the database. 
 
#29
Samuel

Re:Active directory group permissions Fri. Aug 14, '09 12:44 PM (permalink)
0
Please post the other error, thanks.

So, you are saying the login page does work when you put an invalid name on the login form?
ASPPlayground.net Developer
 
#30
© 2000-2009 ASPPlayground.NET Forum Version 3.8 beta.