First, let me try to explain the Active Directory functionality in Sitefinity in a few words.
There is an AD membership provider that manages authentication against the Active Directory. If you choose to use it with Forms authentication, the login page is used and the system would recognize any valid domain credentials. However, it would be easier for users not to type their Windows accounts every time, so you can end up using Windows authentication. With Windows authentication, during the first HTTP request (*) to any Sitefinity page, the user is authenticated with his domain credentials, so if they navigate to the administration, they would not have to enter username/password.
* If he/she is not using Internet Explorer, the user will remain anonymous as long as the application allows it. If he/she tries to navigate to the administration with Mozilla Firefox, for instance, he would probably have to manually type his credentials.
The AD role provider manages authorization for Sitefinity. It maps domain groups to Sitefinity roles.
You can find more information about Active Directory and Sitefinity in the Security section of the Developer Manual.
When an authenticated user tries to access some restricted areas (i.e. the administration), his roles are checked. That is where you get your error: in a query against Active Directory. Actually, when the roles are gathered, they are taken recursively: first all groups for the current user are listed, then all the groups the first groups belong to are added, and so on.
In your case, you were able to get the first level of roles, but for the next round an error occurred. That is why I assume that you have a problem with the permissions your account has in the domain, for example if you have permissions to get the object that refers to your PC, but don't have permissions to get other objects. Another suggestion is that there are some problems with your AD structure and the queries the GetRolesForUser() method executes.
Could you please try to use a more powerful user (maybe administrator in AD) with the role provider? You should use the connectionUsername and connectionPassword properties of the provider. If this helps, the problem is rights-related. If the problem persists, please let us know. It would be appreciated if you open a support ticket and send us your web.config. We'll investigate it and do our best to provide a solution.
the Telerik team
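
The recursive role lookup described in the reply above, as an added example that is not part of the original post and is not Sitefinity's code. It uses a constructed in-memory directory in which the bind account can read the user's own object but not the nested groups, so the first round succeeds and the second fails. `MEMBER_OF`, `READABLE`, `resolve_roles` and `diagnose` are hypothetical names.

```python
# Added illustration: a constructed, in-memory stand-in for a directory.
# All names here are hypothetical; none of them are Sitefinity or AD APIs.

# object -> groups it is a direct member of (constructed sample data)
MEMBER_OF = {
    "alice": ["Editors", "Staff"],
    "Editors": ["ContentAdmins"],
    "Staff": ["AllEmployees"],
    "ContentAdmins": ["Staff"],      # nesting loops back into Staff
    "AllEmployees": [],
}

# bind account -> objects whose memberships it may read (constructed ACLs)
READABLE = {
    "alice": {"alice"},              # can read only its own object
    "svc-roles": set(MEMBER_OF),     # read access to every object in the chain
}


class DirectoryAccessError(Exception):
    def __init__(self, obj, depth, partial):
        super().__init__(f"cannot read memberships of {obj!r} at depth {depth}")
        self.obj, self.depth, self.partial = obj, depth, partial


def resolve_roles(user, bind_account):
    """Return every group `user` belongs to, directly or through nesting."""
    roles, frontier, depth = set(), [user], 0
    while frontier:
        next_frontier = []
        for obj in frontier:
            if obj not in READABLE[bind_account]:
                # This round's query fails; report where, and what was found so far.
                raise DirectoryAccessError(obj, depth, sorted(roles))
            for group in MEMBER_OF[obj]:
                if group not in roles:   # already expanded: guards against cycles
                    roles.add(group)
                    next_frontier.append(group)
        frontier, depth = next_frontier, depth + 1
    return roles


def diagnose(user, bind_account):
    """Summarise a resolution attempt for troubleshooting."""
    try:
        return {"ok": True, "roles": sorted(resolve_roles(user, bind_account))}
    except DirectoryAccessError as e:
        return {"ok": False, "failed_on": e.obj, "depth": e.depth, "partial": e.partial}
```

In this model the `svc-roles` account resolves the full set with nothing more than read access to the objects in the chain, and `diagnose` reports the exact object on which a weaker account stops.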