Active directory group permissions

Guest
Active directory group permissions - Mon. Jul 20, '09 2:06 PM
Can we control forum access using local server groups?  Or do the users have to be set up inside the forum software? 
If the users must be controlled inside the forum software, then what do you mean when you say that you integrate with active directory? 

Samuel
  • Total Posts : 11128
  • Reward points : 106390
  • Joined: May 23 '01
Re:Active directory group permissions - Mon. Jul 20, '09 2:09 PM
Group permission has to be done inside the forum software; we don't provide integration with "role providers".

Integration with AD means once a user is logged on to AD, he is automatically recognized by the forum software, without having to 1) register 2) log in. We provide authentication support for AD users/groups, but not "forum post/reply/read etc. permission" support with AD groups directly.
<message edited by Samuel on Mon. Jul 20, '09 2:38 PM>
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Mon. Jul 20, '09 2:17 PM
What if I don't want everyone in our active directory to see the forum? 
If I have a large group of people wanting to view our forum, must I enter them all one at a time?  Or could I enter a local server group into the forum software? 
Can I disallow other people from attempting to register or login? 

Samuel
Re:Active directory group permissions - Mon. Jul 20, '09 2:36 PM
  1. If you don't want someone to see the forum, do not grant them access to the forum directory from the permission section in AD. When I referred to permission in my previous post, I was talking about forum specific permission -> whether person A has Read permission or "Post new message" permission on a specific forum.
  2. No, you don't have to. You just grant that group of users permission to access the "forum folder", and they will be able to see the forum. I was just saying that AD groups will not be created automatically in the forum as User Groups, which allows you to assign different "forum permission" in the software. So, if a user / AD group is granted access to the forum, he can see the forum.
  3. And yes, you can turn off registration. Login is not necessary as the software recognizes AD.

AD integration controls the access to the forum software in general. It can be individual users / AD groups. We just cannot grant different "forum permission" (read/post new/vote etc.) based on your existing AD groups. Forum's user groups are independent from the AD's groups.
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Tue. Jul 21, '09 9:19 AM
After reading your reply, we interpreted it two different ways.  Please help us to understand. 
1) I thought your comments said we could use a local server group to determine who has access to read/see our forum.  Any additional permissions (post/vote, etc) would need to be controlled within the forum software. 
2)  Someone else thought your comments said we could use different local directory groups for the different permission levels.  EX: use a SafetyPost group to grant the people in our safety group post permissions to post.  Use a SafetyVote group to grant the people in that group to vote, etc... 

Also, you mention Active Directory.  Does the software need to integrate with groups at the active directory level, or can they use local server groups on the server where the forum software is installed?

Thanks for all the answers and clarification.

Samuel
Re:Active directory group permissions - Tue. Jul 21, '09 12:32 PM
Hi,

Your first point is correct. The Active Directory integration is a "Yes / No", "On / Off" type of integration. If you allow a group / user to access the forum folder from AD, he will see the forum. But once he is in the forum, he is treated as a regular user, who does not have any higher / lower permission on forums than anyone else. If your company CEO wishes to have a private forum which only company board members can enter, you will have to set those up explicitly in the forum's admin CP.

AD groups membership cannot be used to assign forum based privilege. AD integration controls only who can enter the forum in general, and nothing else. This takes away the need to register again for your users, and they don't need to log in on the forum's login form either.

Does the software need to integrate with groups at the active directory level?

No, it does not have to. The software utilizes the membership provider that comes with ASP.NET, so you decide on which level the software integrates to by specifying the configuration options for the AD membership provider. It can integrate with local group/users too. You just need to specify the connection string in web.config.
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Fri. Jul 24, '09 1:49 PM
How exactly do you enable Active Directory integration?

Samuel
Re:Active directory group permissions - Fri. Jul 24, '09 3:26 PM
[This post was marked as helpful]
  1. you need to set the following key to true in web.config
    <add key="EnableMembershipIntegration" value="true" />
  2. Add your active directory information. See the following guide:
    http://blogs.msdn.com/gdu...2005/08/17/452905.aspx
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Mon. Jul 27, '09 10:54 AM
Your installation instructions direct me to include a connectionString in web.config containing the database name, server, User ID, and password.

We are not able to add the user and password in our web config due to security policy.

Can you provide an alternative secure method for connecting the forum to the database?

Guest
Re:Active directory group permissions - Mon. Jul 27, '09 11:48 AM
You refer to "Add your active directory information. See the following guide: http://blogs.msdn.com/gdu...2005/08/17/452905.aspx "

This article describes a non-trivial implementation.  Am I to assume that I must add the directories and login pages to implement AD integration?  I thought I would set a web.config setting.  Or at least integrate "without any programming effort!"

I am confused and not sure how to move forward.  Thanks

Samuel
Re:Active directory group permissions - Mon. Jul 27, '09 11:50 AM
You can easily "encrypt" the connection string in web.config. See

http://odetocode.com/Articles/418.aspx

Scroll down to "Using Encryption" to get the code.
ASPPlayground.net Developer

Samuel
Re:Active directory group permissions - Mon. Jul 27, '09 11:58 AM
No, you don't have to add any page - our software has all the pages you need. This article is directly from Microsoft and maybe you will find it a little easier to understand:

http://channel9.msdn.com/wiki/howtousemembership/
 
See Step 2 about adding the provider info into the forum's web.config
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Mon. Jul 27, '09 12:46 PM
I am still having trouble understanding.

Will my users be directed to a page where they type in credentials and get authenticated against AD?

These articles are obscure when trying to relate to your implementation.  Thanks 

Samuel
Re:Active directory group permissions - Mon. Jul 27, '09 12:55 PM
It depends on how you want it set up. If your users are already logged on to AD before they have a chance to see the forum, then no, our software will automatically recognize them (no registration, no login).

If you wish to redirect guests (not logged on yet) to the login form, you can do so by checking No Action - Must Register First under section Site Wide Options -> User Features 1/2 -> Guest Permission in the admin CP.
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Tue. Jul 28, '09 9:24 AM
I am still having trouble.  I need to provide a summary soon on this tool (and its ability to integrate with AD) and cannot successfully make it happen.

Do you have detailed procedures?
Can you tell me what feedback I will get when integration is successful?

With the changes supplied in the various links, I get to the main page with "Welcome !" and no ability to add messages.

What is the next step?  Is there any chance we can have a discussion on the phone?  Thanks...k

Samuel
Re:Active directory group permissions - Tue. Jul 28, '09 12:11 PM
[This post was marked as helpful]
The procedure is as follows:
  1. set the key EnableMembershipIntegration to true in web.config
  2. enter your AD information into the web.config, using the 2 links I provided you as a guide. Pay attention to the attribute: attributeMapUsername="SAMAccountName"

That's it. There is no additional step and you can test it by going to the login page and input your username and password to test.

Once the forum is loaded, you should see a default forum created for you. Now, log in with the admin account you created when you set up the forum, and you should be able to access the forum admin CP (additional menu item will appear at the top).

You can then resume step 4 under "Full installation for Version 3" in the readme.htm file bundled with the software.

ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Tue. Jul 28, '09 1:56 PM
Is there a way for the application to check if the Windows user is in a particular AD group and authenticate that way, bypassing the login screen altogether?

I was reading through other posts here and saw mention of some kind of plugin, but those posts were several years old.

    -Thanks

Samuel
Re:Active directory group permissions - Tue. Jul 28, '09 2:18 PM
Yes, but you will need to perform authentication at the server level (you gotta log in at some point to be recognized, right?). I mentioned it in post #14 in this thread.

To do this,
  1. disable anonymous access, and
  2. enable Windows Authentication for the Forum application at the IIS level (inside directory security tab for the forum application).
Then, you will use permission setting in Windows Explorer to set the allowed users / group to access the forum's folder.

When configured correctly, your users will be prompted for username/password (a browser popup will show if not already logged in at the server level) without having to go through our forum's login page.
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Wed. Jul 29, '09 8:10 AM
My installation...
I started by putting the aspnet code in my server's wwwroot folder.
I set the following in IIS
    designated the website as an application
    Added to a pool that utilizes .Net3.5
    Disabled anonymous access
    Checked Integrated Windows authentication
I set the following in the web.config (in their respective locations)
    <add key="DBName" value="Forums"/>
    <add key="DBOwnerPrefix" value="dbo."/>
    <add key="EnableMembershipIntegration" value="true"/>
    <add name="ForumSoftwareConnection" connectionString="Initial Catalog=Forums; data source=fcoddev2;User ID=mySqlUser;Password=mySqlPwd" />
    <add name="ADConnStr" connectionString="LDAP://myLDAPServername:389/ou=people,dc=test,dc=test2" />
    <deny users="?" />
 
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
        <providers>
            <add     name="AspNetActiveDirectoryMembershipProvider"
    type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
    connectionStringName="ADConnStr"
    enableSearchMethods="true"
    attributeMapUsername="sAMAccountName" />
        </providers>
    </membership>
Our LDAP server utilizes anonymous access so no connectionUsername or connectionPassword credentials are passed.
I am logged into the company network and am a member of a group allowed to access this application (and this server's entire wwwroot).
I envision...
I expect at the default.aspx page to see Welcome domain\User ! but I only get Welcome !  I presume this means it did not recognize me.  It did allow me to run the application though so AD lets me this far.
The error message I get is not on the default.aspx but when I navigate to the login.aspx page.  At this point I get "Unable to establish secure connection with the server" on my provider/connection line of the DLL. 

Maybe this is a function of trying to utilize anonymous LDAP connection via web.config.  (I know I can access LDAP because in another app I connect successfully using DirectoryEntry and passing "Nothing, Nothing, AuthenticationTypes.None" as credentials)
Here is where I am stuck...
When my users touch this forum on my server, I was thinking they would be allowed in and recognized for their network UserID.  So they would see Welcome domain\User ! and be allowed to start posting as User rather than Guest.

I can verify that cgi.Auth_User (Request.ServerVariables("Auth_User")) contains my user's login User name.
Can you give any input on whether the integration I envision is the way it should work or what you see I might need to do to fix my installation?

Samuel
Re:Active directory group permissions - Wed. Jul 29, '09 11:20 AM
You are correct in how you envision it working. Perhaps this will help (Microsoft's answer)?

http://www.derkeiler.com/.../2006-06/msg00166.html

It has to do with the trust level of your forum app.
ASPPlayground.net Developer

Guest
Re:Active directory group permissions - Wed. Jul 29, '09 12:57 PM
According to MSDN

Attempting to trust an assembly in 2.0 gives an error message (about cannot generate hash) if no strong name assigned.

I have tried using caspol and still no success. 

Specifically I am having trouble with ASPPGCustomControls.dll and ASPPGForumLogic.dll (where I think authentication occurs).

Can you tell me if these are strong named?

Samuel
Re:Active directory group permissions - Wed. Jul 29, '09 1:03 PM
No, they aren't. It is not talking about trusting an assembly, but about making the forum Full trust, meaning you add <trust level="Full" /> inside web.config.
ASPPlayground.net Developer

jsereda
  • Total Posts : 6
  • Reward points : 220
  • Joined: Aug 13 '09
Re:Active directory group permissions - Thu. Aug 13, '09 1:46 PM
Are there any example web.config sections that show how to get AD working with this forum software?  I keep seeing links that post back to microsoft blogs, I'd like for this to be dumbed down a little bit since I'm new with this stuff. 
Is there any reason that the info on setting up AD with ASP Playground is not included in the setup help documentation? 

Samuel
Re:Active directory group permissions - Thu. Aug 13, '09 2:36 PM
Hi,

Thanks for your message.

What we do support in the software is the membership provider interface (an ASP.NET feature).

To enable support for a provider in the software, all you need is a switch in the web.config (the <add key="EnableMembershipIntegration" value="true" /> key) PLUS the necessary provider information you need to enter yourself into the web.config file, which is not forum software specific but rather, specific to your provider of choice.

The reason we reference the Microsoft web site is that it is very comprehensive for the AD membership provider (again, this is not forum software specific). We could have copied and pasted the information in, but it is really outside the scope of the setup document for the software.
ASPPlayground.net Developer
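
An added example, not taken from the posts above or from the forum software's documentation: a consolidated web.config sketch of the settings this thread discusses (the integration switch, the connection strings, the trust level and the AD membership provider). Host names, the OU path, the service account and the use of Integrated Security for the database connection are assumptions made for illustration.

```xml
<!-- Added example: constructed sketch, not ASPPlayground's shipped web.config.
     The fragments are shown inside one <configuration> element for context. -->
<configuration>
  <appSettings>
    <!-- Key names as posted in this thread -->
    <add key="DBName" value="Forums" />
    <add key="DBOwnerPrefix" value="dbo." />
    <add key="EnableMembershipIntegration" value="true" />
  </appSettings>

  <connectionStrings>
    <!-- Assumption: the forum accepts a SqlClient-style string. Integrated Security
         makes the application pool identity the database login, so no User ID or
         Password is stored here. "sqlhost.example.local" is a placeholder. -->
    <add name="ForumSoftwareConnection"
         connectionString="Data Source=sqlhost.example.local;Initial Catalog=Forums;Integrated Security=SSPI" />
    <!-- Placeholder directory server and container -->
    <add name="ADConnStr"
         connectionString="LDAP://dc01.example.local/OU=People,DC=example,DC=local" />
  </connectionStrings>

  <system.web>
    <!-- Full trust, as the developer advises in this thread -->
    <trust level="Full" />

    <authorization>
      <!-- Reject anonymous requests, as in the configuration posted in this thread -->
      <deny users="?" />
    </authorization>

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
      <providers>
        <!-- Version=2.0.0.0 is the released .NET 2.0 System.Web assembly version.
             connectionUsername and connectionPassword are placeholders for a
             low-privilege directory account; omit both to bind as the process identity. -->
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADConnStr"
             connectionUsername="EXAMPLE\svc-forum-ldap"
             connectionPassword="PLACEHOLDER"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>
  </system.web>
</configuration>
<!-- If credentials must stay in the file, the sections holding them can be
     encrypted in place with the framework tool, for example:
       aspnet_regiis -pef "connectionStrings" <physical path of the application>
       aspnet_regiis -pef "system.web/membership" <physical path of the application> -->
```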

jsereda
Re:Active directory group permissions - Fri. Aug 14, '09 8:44 AM
Maybe someone can help then.  My Machine ASP.Net account has full access as does the network service account.  They actually have full control for everything while I'm testing this out. 

[UnauthorizedAccessException: General access denied error
]
   System.DirectoryServices.Interop.IAds.SetInfo() +0
   System.DirectoryServices.DirectoryEntry.CommitChanges() +158
   System.Web.Security.ActiveDirectoryMembershipProvider.UnlockUser(String username) +590
   System.Web.Security.MembershipUser.UnlockUser() +85
   App_Templates_Classic_UC_Login.handleAuthentication(String loginUsername, String loginPassword) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:56
   App_Templates_Classic_UC_Login.Login1_Authenticate(Object sender, AuthenticateEventArgs e) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:34
   System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +108
   System.Web.UI.WebControls.Login.AttemptLogin() +115
   System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
   System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
   System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e) +118
   System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +135
   System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +175
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565

Samuel
Re:Active directory group permissions - Fri. Aug 14, '09 11:10 AM
Hi,

Did you put connectionUsername and connectionPassword attribute in the membershipprovider entry?
ASPPlayground.net Developer

jsereda
Re:Active directory group permissions - Fri. Aug 14, '09 11:53 AM
Yes I do have that info in the membership provider. 

Here's a little bit more detail. 
I can access the site, (anonymously of course). 
I click log in and am presented with the site's login page, where I type the username of a member in AD, and the password as well as the verification code. 

This is the full error. 

Server Error in '/ASPPlayground' Application.
--------------------------------------------------------------------------------
General access denied error
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.UnauthorizedAccessException: General access denied error
ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.
To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.
Source Error:
Line 54:         If Authentication.EnableMemberhipIntegration Then
Line 55:             Dim mu As MembershipUser = Membership.GetUser(loginUsername)
Line 56:             If mu IsNot Nothing Then mu.UnlockUser()
Line 57:         End If
Line 58:
 
Source File: C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb    Line: 56
Stack Trace:
 
[UnauthorizedAccessException: General access denied error
]
   System.DirectoryServices.Interop.IAds.SetInfo() +0
   System.DirectoryServices.DirectoryEntry.CommitChanges() +158
   System.Web.Security.ActiveDirectoryMembershipProvider.UnlockUser(String username) +590
   System.Web.Security.MembershipUser.UnlockUser() +85
   App_Templates_Classic_UC_Login.handleAuthentication(String loginUsername, String loginPassword) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:56
   App_Templates_Classic_UC_Login.Login1_Authenticate(Object sender, AuthenticateEventArgs e) in C:\Inetpub\wwwroot\Forum\ASPPlayground\App_Templates\Classic\UC\Login.ascx.vb:34
   System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +108
   System.Web.UI.WebControls.Login.AttemptLogin() +115
   System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +101
   System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +37
   System.Web.UI.WebControls.LinkButton.OnCommand(CommandEventArgs e) +118
   System.Web.UI.WebControls.LinkButton.RaisePostBackEvent(String eventArgument) +135
   System.Web.UI.WebControls.LinkButton.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
   System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
   System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +175
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1565

Samuel
Re:Active directory group permissions - Fri. Aug 14, '09 12:30 PM
It looks like it fails on the UnlockUser line... hmm..

Ok, 2 things to try:
  1. Put the IP address instead of the domain name or server name in your LDAP connection string. Is your SAM store on the same machine where you install the forum software?
  2. If it doesn't help, please open the file in question and comment out line 56. See if it works.


ASPPlayground.net Developer

jsereda
Re:Active directory group permissions - Fri. Aug 14, '09 12:38 PM
Neither worked. Commenting out line 56 caused another error which I can post if you'd like. 
I'm pretty sure that the AD connection is working, because if I type an invalid username (one that doesn't exist in AD) the software does tell me that there is no user of that name in the database. 

Samuel
Re:Active directory group permissions - Fri. Aug 14, '09 12:44 PM
Please post the other error, thanks.

So, you are saying the login page does work when you put an invalid name on the login form?
ASPPlayground.net Developer
