Active directory group permissions

Can we control forum access using local server groups?  Or do the users have to be set up inside the forum software? 
If the users must be controlled inside the forum software, then what do you mean when you say that you integrate with active directory? 

Group permission has to be done inside the forum software, we we don't provide integration with "role providers".

Integration with AD means once a user is logged on to AD, he is automatically recognized by the forum software, without having to 1) register 2) log in. We provide authentication support for AD users/groups, but not "forum post/reply/read etc. permission" support with AD groups directly.

What if I don't want everyone in our active directory to see the forum? 
If I have a large group of people wanting to view our forum, must I enter them all one at a time?  Or could I enter a local server group into the forum software? 
Can I disallow other people from attempting to register or login? 

1. if you don't want someone to see the forum, do not grant them access to the forum directory from the permission section in AD. When I referred to permission in my previous post, I was talking about forum specific permission -> whether person A has Read permission or "Post new message" permission on a specific forum.
2. no, you don't have to. You just grant that group of users permission to access the "forum folder", and they will be able to see the forum. I was just saying that AD groups will not be created automatically in the forum as User Groups, which allows you to assign different "forum permission" in the software. So, if a user / AD group is granted access to the forum, he can see the forum.
3. And yes, you can turn off registration. Login is not necessary as the software recognizes AD.

AD integration controls the access to the forum software in general. It can be individual users / AD groups. We just cannot grant different "forum permission" (read/post new/vote etc.) based on your existing AD groups. Forum's user groups are independent from the AD's groups.

After reading your reply, we interpreted it two different ways.  Please help us to understand. 
1) I thought your comments said we could use a local server group to determine who has access to read/see our forum.  Any additional permissions (post/vote, etc) would need to be controlled within the forum software. 
2)  Someone else thought your comments said we could use different local directory groups for the different permission levels.  EX: use a SafetyPost group to grant the people in our safery group post permissions to post.  Use a SafetyVote group to grant the people in that group to vote, etc... 

Also, you mention Active Directory.  Does the software need to integrate with groups at the active directory level, or can theu use local server groups on the server where the forum software is installed. 

Thanks with all the answers and clarification.

Hi,

Your first point is correct. The Active Directory integration is a "Yes / No", "On / Off" type of integration. If you allow a group / user to access the forum folder from AD, he will see the forum. But once he is in the forum, he is treated as a regular user, who does not have any higher / lower permission on forums than anyone else. If your company CEO wish to have a private forum which only company board members can enter, you will have to set those up explicitly in the forum's admin CP.

AD groups membership cannot be used to assign forum based privilege. AD integration controls only who can enter the forum in general, and nothing else. This takes away the need to register again for your users, and they don't need to log in on the forum's login form either.

Does the software need to integrate with groups at the active directory level?

No, it does not have to. The software utilizes the membership provider that comes with ASP.NET, so you decide on which level the software integrates to by specifying the configuration options for the AD membership provider. It can integrate with local group/users too. You just need to specify the connection string in web.config.

How exactly do you enable Active Directory integration?

Your installation instructions direct me to include a connectionString in web.config containing the database name, server, User ID, and password.

We are not able to add the user and password in our web config due to security policy.

Can you provide an alternative secure method for connecting the forum to the database?

Your refer to "Add your active directory information. See the following guide: http://blogs.msdn.com/gdu...2005/08/17/452905.aspx "

This article describes a non-trivial implementation.  Am I to assume that I must add the directories and login pages to implement AD integration?  I thought I would set a web.config setting.  Or at least integrate "without any programming effort!"

I am confused and not sure how to move forward.  Thanks

you can easily "encrypt" the connection string in web.config. See

http://odetocode.com/Articles/418.aspx

Scroll down to "Using Encryption" to get the code.

No, you don't have to add any page - our software has all the pages you need. This article is directly from Microsoft and maybe you will find it a little easier to understand:

http://channel9.msdn.com/wiki/howtousemembership/
 
See Step 2 about adding the provider info into the forum's web.config

I am still having trouble understanding.

Will my users be directed to a page where they type in credentials and get authenticated against AD?

These articles are obscure when trying to relate to your implementation.  Thanks 

It depends on how you want it set up. If your users are already logged on to AD before they have a chance to see the forum, then no, our software will automatically recognize them (no registration, no login).

If you wish to redirect guests (not logged on yet) to the login form, you can do so by checking No Action - Must Register First under section Site Wide Options -> User Features 1/2 -> Guest Permission in the admin CP.

I am still having trouble.  I need to provide a summary soon on this tool (and its ability to integrate with AD) and cannot successfully make it happen.

Do you have detailed procedures?
Can you tell me what feedback I will get when integration is successful?

With the changes supplied in the various links, I get to the main page with "Welcome !" and no ability to add messages.

What is the next step?  Is there any chance we can have a discussion on the phone?  Thanks...k