
Authenticate Active Directory Users

5 posts, 0 answered
  1. xr280xr
     2 posts
     Registered: 21 Aug 2013
     24 Dec 2014
    I'm working on some proof of concept stuff with a Sitefinity trial installation. I'm trying to allow it to authenticate me using my active directory domain account credentials. I've followed this document to set up my connection and have enabled the LDAP Membership and Role providers. I've restarted the app by saving a small change to the web.config after each change. I see my new provider listed on the login control, but I cannot log in with my domain account credentials. When logged in as a Sitefinity admin and navigating to Administration > Users > LDAP Users, none are listed. Per the suggestion of another thread, I checked the sf_users table but only the Sitefinity users are listed. I'm no AD whiz but I can't find a problem with the LDAP connection settings (see attachment). I've tried a couple of different user and role filters based on different examples I've found but no luck. Any idea how to troubleshoot this?
  2. Ivan Dimitrov
     16072 posts
     Registered: 25 Nov 2016
     25 Dec 2014
    Hi,

    Have you tried with the default settings for

    UserFilter - (&(objectClass=user)(!(objectClass=computer)))

    RolesFilter - (objectClass=group)

    Can you check whether, using the same settings as in our UI, you are able to connect to the AD with another tool? It looks like the connection to the AD is made but there is a problem getting the users from it. The settings you used look very common, so I also suppose that the problem might be related to the connection.
    We have a class LdapQueryTranslator which works with the filters and expressions. This class is responsible for the way queries are sent to the LDAP by LdapQueryProvider, and it would be hard to say what the problem is. If the same connection works with another tool, then something might be wrong with the translator, or the query data is passed incorrectly by the LdapMembershipProvider and LdapFacade.

    You can try to manually invoke LdapConnection (System.DirectoryServices.Protocols). Here is a sample that you can use to debug your Sitefinity connection.

    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;
    using System.Threading;
    // SystemManager, LdapSettingsConfig, SitefinityIdentity and LdapCredentialsCache are
    // Sitefinity types from the Telerik.Sitefinity assemblies; add the using directives
    // that match your Sitefinity version. The wrapper class was added so the sample compiles.

    public abstract class LdapConnectionProbe
    {
        // Connection reused for the lifetime of this instance (and cached per HTTP request below).
        protected LdapConnection connection;

        // Name of the Sitefinity LDAP connection being debugged; part of the cache key.
        public virtual string LdapConnectionName { get; set; }

        protected virtual LdapConnection GetConnection(LdapSettingsConfig settings, string userName, string password)
        {
            LdapConnection connect = null;
            string connCacheName = GetConnectionCacheKey();
            if (connection == null)
            {
                // Reuse a connection already opened earlier in the same HTTP request.
                if (SystemManager.HttpContextItems != null && SystemManager.HttpContextItems[connCacheName] != null)
                {
                    connection = (LdapConnection)SystemManager.HttpContextItems[connCacheName];
                    return connection;
                }

                var identifier = GetLdapDirectoryIdentifier(settings);

                // With ConnectWithLogOnCredentials set and nobody to bind as yet, no connection is built.
                NetworkCredential credential = GetNetworkCredential(settings, userName, password);
                if (settings.ConnectWithLogOnCredentials && credential == null)
                    return null;

                connect = BuildLdapConnection(settings, identifier, credential);
            }
            if (connect != null)
            {
                if (SystemManager.HttpContextItems != null)
                    SystemManager.HttpContextItems[connCacheName] = connect;
                connection = connect;
            }
            return connection;
        }

        protected virtual LdapConnection BuildLdapConnection(LdapSettingsConfig settings, LdapDirectoryIdentifier identifier, NetworkCredential credential)
        {
            LdapConnection connect = new LdapConnection(identifier, credential);

            // NTLM is upgraded to Negotiate (Kerberos where available, NTLM as fallback).
            connect.AuthType = settings.AuthenticationType == AuthType.Ntlm ? AuthType.Negotiate : settings.AuthenticationType;
            connect.Timeout = TimeSpan.FromSeconds(20);
            // need additional check if you use SSL! (connect.SessionOptions.SecureSocketLayer and
            // server certificate validation are not configured here)
            return connect;
        }

        protected virtual string GetConnectionCacheKey()
        {
            return string.Concat("ldapconn_", this.LdapConnectionName);
        }

        protected virtual LdapDirectoryIdentifier GetLdapDirectoryIdentifier(LdapSettingsConfig settings)
        {
            // ServerName may list several hosts separated by ';'.
            // Arguments: servers, port, fullyQualifiedDnsHostName = true, connectionless (UDP) = false.
            return new LdapDirectoryIdentifier(
                settings.ServerName.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries),
                settings.Port, true, false);
        }

        protected virtual NetworkCredential GetNetworkCredential(LdapSettingsConfig settings, string userName, string password)
        {
            NetworkCredential credential = null;
            if (settings.ConnectWithLogOnCredentials)
            {
                // Bind as the user who is logging on.
                if (settings.AuthenticationType == AuthType.Ntlm)
                    credential = CredentialCache.DefaultNetworkCredentials; // identity of the app pool / current thread
                else
                {
                    if (userName != null)
                        credential = new NetworkCredential(userName, password);
                    else
                    {
                        // Already authenticated: look up the credentials cached at logon.
                        SitefinityIdentity identity = Thread.CurrentPrincipal.Identity as SitefinityIdentity;
                        if (identity != null)
                            credential = LdapCredentialsCache.GetCredential(identity.Id);
                    }
                }
            }
            else
            {
                // Bind with the fixed service account from the LDAP settings.
                credential = new NetworkCredential(settings.ConnectionUsername, settings.ConnectionPassword, settings.ConnectionDomain);
            }

            return credential;
        }
    }


    Regards,
    Ivan Dimitrov
    Telerik
     
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Sitefinity CMS Ideas&Feedback Portal and vote to affect the priority of the items
     
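Ivan's reply above suggests checking the default user and role filters and testing the connection outside Sitefinity. As an added example, not part of the original post and not Telerik or Sitefinity code, the Python below parses RFC 4515 filter strings (including the two default filters quoted above), evaluates them against constructed in-memory entries shaped like AD user, computer and group objects, and escapes a login name before it is spliced into a filter. The entry contents and the sAMAccountName lookup are assumptions made for illustration; Sitefinity's LdapQueryTranslator is not modelled.

```python
# Parse and locally evaluate LDAP search filters (RFC 4515); added example, not Telerik code.
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    op: str                 # '&', '|', '!', '=' or 'present'
    attr: str = ""
    value: str = ""
    children: list = field(default_factory=list)


def unescape(value: str) -> str:
    """Decode RFC 4515 \\XX hex escapes into the UTF-8 bytes they stand for."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def escape_filter_value(value: str) -> str:
    """RFC 4515 s.3 escaping: '*', '(', ')', '\\', NUL and non-printable/non-ASCII bytes -> \\XX."""
    return "".join("\\%02x" % b if b in b"*()\\\x00" or not 0x20 <= b <= 0x7E else chr(b)
                   for b in value.encode("utf-8"))


def parse_filter(text: str) -> Node:
    """Parse a filter string; raise ValueError on unbalanced or malformed input."""
    pos = 0

    def expect(ch: str) -> None:
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def item() -> Node:
        nonlocal pos
        expect("(")
        head = text[pos:pos + 1]
        if head in ("&", "|"):
            pos += 1
            kids = []
            while text[pos:pos + 1] == "(":
                kids.append(item())
            if not kids:
                raise ValueError("AND/OR without operands")
            expect(")")
            return Node(head, children=kids)
        if head == "!":
            pos += 1
            kid = item()
            expect(")")
            return Node("!", children=[kid])
        end = text.find(")", pos)
        if end < 0:
            raise ValueError(f"unterminated item at offset {pos} in {text!r}")
        body, pos = text[pos:end], end + 1
        if "=" not in body:
            raise ValueError(f"no '=' in {body!r}")
        attr, value = body.split("=", 1)   # split once: '=' may appear inside the value
        if not attr or any(c in attr for c in "()*"):
            raise ValueError(f"bad attribute type {attr!r}")
        if value == "*":
            return Node("present", attr=attr)
        return Node("=", attr=attr, value=unescape(value))

    node = item()
    if pos != len(text):
        raise ValueError(f"trailing characters at offset {pos}: {text[pos:]!r}")
    return node


def matches(node: Node, entry: dict) -> bool:
    """Evaluate a parsed filter against one entry (names and values compared case-insensitively, as AD does)."""
    if node.op == "&":
        return all(matches(c, entry) for c in node.children)
    if node.op == "|":
        return any(matches(c, entry) for c in node.children)
    if node.op == "!":
        return not matches(node.children[0], entry)
    values = next((v for k, v in entry.items() if k.lower() == node.attr.lower()), [])
    if node.op == "present":
        return bool(values)
    return any(v.lower() == node.value.lower() for v in values)


USER_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"   # Sitefinity default quoted above

# Constructed entries shaped like AD user, computer and group objects. Computer accounts
# also carry objectClass=user, which is what the NOT in the default user filter removes.
SAMPLE_ENTRIES = {
    "jdoe": {"objectClass": ["top", "person", "organizationalPerson", "user"], "sAMAccountName": ["jdoe"]},
    "SRV01$": {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
               "sAMAccountName": ["SRV01$"]},
    "Domain Admins": {"objectClass": ["top", "group"], "sAMAccountName": ["Domain Admins"]},
}


def select(filter_text: str, entries=SAMPLE_ENTRIES) -> list:
    """Names of the entries the filter matches (parse errors propagate)."""
    node = parse_filter(filter_text)
    return [name for name, entry in entries.items() if matches(node, entry)]


def login_filter(user_filter: str, account_name: str) -> str:
    """Narrow the user filter to one account; escaping stops ')' or '*' in the login name
    from changing the filter's structure."""
    return f"(&{user_filter}(sAMAccountName={escape_filter_value(account_name)}))"
```

Running `select(USER_FILTER)` over the constructed entries returns only `jdoe`, because the computer account also carries objectClass=user and is dropped by the NOT clause; `select("(objectClass=group)")` returns only the group. Pasting a filter copied from a settings screen into `parse_filter` shows immediately whether the parentheses balance before Sitefinity ever sends it.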
  3. Chanan Zass
     123 posts
     Registered: 21 Aug 2012
     06 Apr 2015

    This is a few months later, but we're having the same problems establishing a working configuration to connect to our LDAP server (OpenLDAP).

     The following works on the same Web site where the Sitefinity instance is installed.

    Imports System
    Imports System.DirectoryServices
    Imports System.Text
    Imports System.Web.UI

    ' Test page: lblUsers is a Label control declared in the .aspx markup.
    Partial Class LdapProbe
        Inherits Page

        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
            Dim sb As New StringBuilder
            Try
                Dim dEntry As New DirectoryEntry()
                ' Search base: the container that holds the user entries.
                dEntry.Path = "LDAP://[IPaddress]:389/ou=users,dc=web,dc=[domain],dc=com"
                ' AuthenticationTypes.None is a simple bind: over plain LDAP on port 389
                ' the bind DN and password travel in clear text.
                dEntry.AuthenticationType = AuthenticationTypes.None
                ' OpenLDAP expects the full DN of the bind account, not DOMAIN\user or user@domain.
                dEntry.Username = "cn=[username],ou=services,dc=web,dc=[domain],dc=com"
                dEntry.Password = "[password]"

                ' No filter is set, so DirectorySearcher uses its default (objectClass=*) over the subtree.
                Dim dSearch As New DirectorySearcher(dEntry)
                Dim srchResultColl As SearchResultCollection
                Dim srchResult As SearchResult

                srchResultColl = dSearch.FindAll
                Dim propKey As String

                ' Dump every attribute of every returned entry.
                For Each srchResult In srchResultColl
                    For Each propKey In srchResult.Properties.PropertyNames
                        Dim prop As Object
                        For Each prop In srchResult.Properties(propKey)
                            sb.Append(propKey & ": " & prop.ToString & "<br />")
                        Next prop
                    Next propKey
                    sb.Append("--------------------------------------------------------------<br />")
                Next
                lblUsers.Text = sb.ToString

            Catch ex As Exception
                lblUsers.Text = "An error occurred: " & ex.Message
            End Try
        End Sub
    End Class

    We get a list of all properties of all items (in this case, users). 

    However, when we try to configure the Sitefinity LDAP connection, we consistently fail, getting the error message "The distinguished name contains invalid syntax." 

    Could anyone help us with "translating" what works outside of Sitefinity to the Sitefinity configuration?

     Any thoughts or suggestions about ways to test this would be most welcomed.


  4. Sabrie Nedzhip
     534 posts
     Registered: 08 Dec 2016
     09 Apr 2015
    Hello Chanan,

    In the ticket you have opened related to this issue we have replied that most probably the issue is caused due to an incorrect value entered in the field: The domain used in addition to the user name.

    I am pasting the reply from the ticket for your convenience:

    Judging by the error message you are getting and the settings on your side, what we assume is that the issue might be caused by the value entered in the following field:

    The domain used in addition to the user name

    We have also analyzed the source code and what we expect is that the above field contains the domain of the LDAP server and should not contain characters like the following: ',' and '='.

    We have compared this to the settings we have on our side to connect to our LDAP server and we have entered in the above field the following: telerik.com

    What we can suggest is to enter in The domain used in addition to the user name field the domain of the LDAP server on your side.

    Regards,
    Sabrie Nedzhip
    Telerik
     
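Chanan's working DirectoryEntry path and Sabrie's point about the domain field can both be checked offline. The Python below is an added example, not Telerik or Sitefinity code: it splits an LDAP path into server, port and base DN, parses and escapes distinguished names per RFC 4514 (so a DN that a server would reject with "The distinguished name contains invalid syntax" is caught before it is ever sent), and tests whether a value is a bare domain name such as telerik.com rather than a DN. The host 10.0.0.5, the sample DNs and the exact acceptance rule for the domain field are assumptions; Sitefinity's own validation is not modelled.

```python
# Split a DirectoryEntry-style LDAP path into its parts and validate distinguished names
# (RFC 4514). Added example, not Sitefinity or Telerik code.
import re
from dataclasses import dataclass

ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*")      # descriptor or numeric OID
BARE_DOMAIN = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")
ESCAPABLE = ' "#+,;<=>\\'                                            # chars a backslash may precede


def parse_dn(dn: str) -> list:
    """Parse a DN into RDNs (lists of (attribute, value) pairs), honouring backslash escapes.
    Raises ValueError where a server would report invalid distinguished name syntax."""
    if dn == "":
        return []                                    # the empty DN (root DSE) is legal
    rdns, rdn, buf, attr, i = [], [], [], None, 0

    def end_pair() -> None:
        nonlocal attr, buf
        if attr is None:
            raise ValueError(f"missing '=' in {dn!r}")
        if not buf:
            raise ValueError(f"empty value for {attr!r} in {dn!r}")
        rdn.append((attr, "".join(buf)))
        attr, buf = None, []

    while i < len(dn):
        c = dn[i]
        if c == "\\":                                # escaped special char or \XX hex byte
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in ESCAPABLE:
                buf.append(nxt)
                i += 2
            elif re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))   # byte-wise; exact for ASCII
                i += 3
            else:
                raise ValueError(f"bad escape at offset {i} in {dn!r}")
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()
            if not ATTR_TYPE.fullmatch(attr):
                raise ValueError(f"bad attribute type {attr!r} in {dn!r}")
            buf = []
        elif c == "+":                               # further pair of a multi-valued RDN
            end_pair()
        elif c == ",":                               # next RDN
            end_pair()
            rdns.append(rdn)
            rdn = []
        else:
            buf.append(c)
        i += 1
    end_pair()
    rdns.append(rdn)
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    for idx, ch in enumerate(value):
        if ch in '"+,;<>\\=' or (ch == "#" and idx == 0) or (ch == " " and idx in (0, len(value) - 1)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class LdapTarget:
    server: str
    port: int
    base_dn: str


def split_ldap_path(path: str) -> LdapTarget:
    """Split 'LDAP://host:port/base-DN' (the DirectoryEntry.Path form) into the separate
    server, port and search-base fields a settings screen asks for."""
    m = re.fullmatch(r"(?i)(ldaps?)://([^/:]+)(?::(\d+))?/(.*)", path)
    if not m:
        raise ValueError(f"not an LDAP path: {path!r}")
    scheme, host, port, base = m.groups()
    parse_dn(base)                                   # reject a malformed search base early
    default_port = 636 if scheme.lower() == "ldaps" else 389
    return LdapTarget(host, int(port) if port else default_port, base)


def is_bare_domain(value: str) -> bool:
    """True for a plain domain such as 'telerik.com' (or a single NetBIOS-style label);
    False when the value carries DN syntax or a user qualifier ('=', ',', '\\', '@')."""
    return BARE_DOMAIN.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed path mirroring the working DirectoryEntry example earlier in the thread.
    print(split_ldap_path("LDAP://10.0.0.5:389/ou=users,dc=web,dc=example,dc=com"))
    print(is_bare_domain("example.com"), is_bare_domain("cn=svc,ou=services,dc=web,dc=example,dc=com"))
```

The bind account from the DirectoryEntry example is a full DN (cn=...,ou=services,...). Against an OpenLDAP server that is the right identity for the bind itself, but it is not a domain: `is_bare_domain` returns False for it, which is the configuration mistake Sabrie's reply points at, while `example.com` passes.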
  5. Chanan Zass
     123 posts
     Registered: 21 Aug 2012
     09 Apr 2015 in reply to Sabrie Nedzhip

    Thanks a lot for responding.

    It is becoming quite obvious that the company's IT guys have badly configured either the LDAP server or the Active Directory domain.

    Once they deal with that, we'll try our LDAP connection again.

    Thanks again.
