
Sitefinity with ActiveDirectory integration

29 posts, 0 answered
  1. fregas baratis
    185 posts
    Registered: 14 Nov 2002
    28 Jan 2008
    Hi Telerik,

    On the site, it says this is possible:
    "Sitefinity takes full advantage of the .NET role based security by providing a powerful interface for managing users and roles. Sitefinity even allows you to use multiple membership/role providers in a single application. For example, you can implement the SQL providers to validate user credentials and manage profiles and roles as well as passwords and e-mail addresses of your registered ‘public’ users; and at the same time, you can use the Active Directory membership and role providers to grant permissions to your internal network users for the CMS backend."

    I have a need to do this exact thing. I need public users and possibly other roles to be through SQL Server or MySQL, and all the domain users authenticated through Active Directory. How would I set this up in Sitefinity?

    thanks,
    Fregas
  2. Matt
    22 posts
    Registered: 25 Jan 2008
    29 Jan 2008
    Ok, I'm new to Sitefinity (just started evaluating it today), but I think I might have some answers for you. We're in a similar boat, needing to use AD credentials for the administration and "other" for the public web users. You can probably use Sitefinity's built-in membership components, but, in our case, I'm going to need to integrate it with our third-party CMS. Should be loads of fun. But, for now, I have it working with AD and Sitefinity as the two authentication sources.

    The documentation is really lacking in this area - I was expecting simple step-by-step instructions, since this is a feature I think plays a major role in the decision to use Sitefinity in the first place. But here's a rundown of what I did, all taken from several articles in the help.

    First, add a connectionString (leave the default Sitefinity one in place). Should look like:
     <add name="ActiveDirectory" connectionString="LDAP://yourDomainName" /> 


    Second,  add a roleManager provider (again, leave the default alone):
    <add connectionStringName="ActiveDirectory" groupMaps="ADgroup" 
              name="Active Directory" type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security" /> 
    Replace "ADgroup" with the name of your AD security group for Sitefinity to read. If you have multiples, separate with commas. Edit the roleManager element and set the defaultProvider="Active Directory"

    Third, add a membership provider:
    <add connectionStringName="ActiveDirectory" enableSearchMethods="true" 
              attributeMapUsername="sAMAccountName" connectionUsername="ADuserName" 
              connectionPassword="ADpassword" name="Active Directory" type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security" /> 
     
    Replace ADuserName and ADpassword with the credentials of a user with AD access rights. If you leave these properties out, the ASP.NET account will be used, which may work just fine for you. Edit the membership element and set the defaultProvider="Active Directory"

    Finally, edit the security element (under telerik), edit the cmsProvidersName="Active Directory" under the roles element, add in the group(s) you defined earlier in the roleManager step:
    <add name="ADgroup" permission="Unrestricted" /> 
    Replace ADgroup with the group name you used previously. Add as many as you need, with the appropriate permissions.

    I *think* those are all the changes I made, but I tried so many things, I could have left something out. That should enable you to log in to the admin interface using a user account that is a member of "ADgroup."

    When you drop in a login control, click edit, then the edit button. Under data -> membershipProvider, enter Sitefinity to use the Sitefinity-native authentication. Leave blank to use the default, AD in this case. That way, your web users will authenticate against Sitefinity and your admin users against AD.

    If an admin user is logged in through the admin login screen and goes to a membership-required section, their credentials will be used. If they're not logged in, their AD credentials won't work on a login control set to use Sitefinity. I imagine there's a way around this, I just haven't found it yet.

    Hope that gets you started....

    Matt


  3. Sonya
    231 posts
    Registered: 24 Sep 2012
    30 Jan 2008
    Hello Matt,

    Thank you very much for providing this answer. Your Telerik account has been updated for making the extra effort of helping a fellow developer :) 

    Hello fregas baratis,

    You can use the default membership and role providers for public users and the Active Directory ones for administrators to log in to the CMS with their domain credentials. All you have to do is configure some settings in the web.config file.

    First you have to change the default membership and role providers’ name from Sitefinity to something else, like “Public”. Then, add both Active Directory providers to the membership and role sections and name them “Sitefinity”.
    Described below is the definition of the role providers. Keep in mind that you need to set the connectionUsername and connectionPassword attributes to the values for your connection. Also, the attribute groupMaps is set here just to illustrate an example of how to specify which groups from the domain are to be included and processed. You could exclude it if you want to work with the whole domain. For more information, take a look at the topic Role Providers in the Developers Manual (Security -> Authorization section):

    <roleManager enabled="true" cacheRolesInCookie = "true" defaultProvider = "Sitefinity">
     <providers> 
       <clear/> 
       <add 
            name = "Sitefinity" 
            connectionStringName = "ActiveDirectory" 
            connectionUsername = "userName" 
            connectionPassword = "password" 
            groupMaps = "Domain group 1, Domain group 2, Domain group 3"    
            type = "Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security" 
       /> 
       <add applicationName="/"  
            connectionStringName="DefaultConnection"  
            name="Public"  
            type="Telerik.DataAccess.AspnetProviders.TelerikRoleProvider, Telerik.DataAccess" 
       /> 
     </providers> 
    </roleManager> 
     

    Here, "Domain group 1", "Domain group 2" and "Domain group 3" are groups from your domain.

    Following is a possible implementation of the membership providers. Keep in mind that you need to set the connectionName and connectionPassword attributes to the values for your connection.

    <membership defaultProvider="Sitefinity" userIsOnlineTimeWindow="15" hashAlgorithmType="">  
      <providers>  
         <clear/>  
         <add name="Public" connectionStringName="DefaultConnection" type="Telerik.DataAccess.AspnetProviders.TelerikMembershipProvider, Telerik.DataAccess" enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false" applicationName="/" requiresUniqueEmail="false" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" passwordAttemptWindow="10" passwordStrengthRegularExpression="" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0"/>  
         <add name="Sitefinity" connectionStringName="ActiveDirectory" enableSearchMethods="true" attributeMapUsername="sAMAccountName" connectionUsername="userName" connectionPassword="Password" type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security"/>    
      </providers>  
    </membership>  
     

    The connection string for both membership providers should be set. The Sitefinity connection string is used by the Public provider, while the ActiveDirectory connection string is used by the Sitefinity (default) provider. You need to correctly set the strings for your providers.

    <connectionStrings> 
        <add name="Sitefinity" connectionString="Data Source=.\SQLExpress;Integrated Security=True;User Instance=True;AttachDBFilename=|DataDirectory|Sitefinity.mdf" providerName="System.Data.SqlClient"/> 
        <add name="ActiveDirectory" connectionString="LDAP://your_domain.com"/> 
    </connectionStrings> 

    Another thing you may want to do is to give unrestricted permissions for a given domain group. To do that you have to add a line similar to this:

    <add name="Domain group" permission="Unrestricted"/> 

    The Domain group is a group from your domain.

    Hope this helps. Let us know if you need further assistance.

    Greetings,
    Sonya
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
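
A consistency check for the web.config pieces described in this thread, added here as an example (it is not Telerik's code or part of any post). The function name, finding codes and sample file are made up for illustration; the `<telerik><security><roles>` nesting and case-insensitive group matching are assumptions drawn from the descriptions above.

```python
import xml.etree.ElementTree as ET

# Constructed sample assembled from the snippets quoted in this thread (not a real site's file).
# Assumption: the Unrestricted entries sit under <telerik><security><roles>.
SAMPLE_CONFIG = r"""<configuration>
  <connectionStrings>
    <add name="Sitefinity" connectionString="Data Source=.\SQLExpress;Integrated Security=True" />
    <add name="ActiveDirectory" connectionString="LDAP://your_domain.com" />
  </connectionStrings>
  <system.web>
    <roleManager enabled="true" defaultProvider="Sitefinity">
      <providers>
        <clear/>
        <add name="Sitefinity" connectionStringName="ActiveDirectory"
             connectionUsername="userName" connectionPassword="password"
             groupMaps="Domain group 1, Domain group 2"
             type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security" />
      </providers>
    </roleManager>
    <membership defaultProvider="Sitefinity">
      <providers>
        <clear/>
        <add name="Public" connectionStringName="DefaultConnection"
             type="Telerik.DataAccess.AspnetProviders.TelerikMembershipProvider, Telerik.DataAccess" />
        <add name="Sitefinity" connectionStringName="ActiveDirectory"
             connectionUsername="userName" connectionPassword="Password"
             type="Telerik.Security.ActiveDirectory.TelerikADMembershipProvider, Telerik.Security" />
      </providers>
    </membership>
  </system.web>
  <telerik>
    <security>
      <roles>
        <add name="Employees" permission="Unrestricted" />
      </roles>
    </security>
  </telerik>
</configuration>"""


def audit_web_config(config_xml):
    """Return a list of (code, message) findings for a Sitefinity 3.x style web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    conn_names = {a.get("name")
                  for cs in root.iter("connectionStrings")
                  for a in cs.findall("add")}
    role_groups = None  # None: default role provider has no groupMaps (whole domain)

    for section in ("roleManager", "membership"):
        for node in root.iter(section):
            providers = {a.get("name"): a for a in node.findall("providers/add")}
            default = node.get("defaultProvider")
            if default not in providers:
                findings.append(("missing-default-provider",
                                 f"{section}: defaultProvider '{default}' is not declared"))
            for name, prov in providers.items():
                cs = prov.get("connectionStringName")
                if cs and cs not in conn_names:
                    findings.append(("unknown-connection-string",
                                     f"{section}: provider '{name}' references '{cs}', "
                                     "which <connectionStrings> does not define"))
                # Report the attribute only, never its value. The thread notes that
                # leaving these attributes out binds as the ASP.NET account instead.
                if prov.get("connectionPassword") is not None:
                    findings.append(("cleartext-credentials",
                                     f"{section}: provider '{name}' keeps connectionUsername/"
                                     "connectionPassword in web.config"))
            if section == "roleManager" and default in providers:
                maps = providers[default].get("groupMaps")
                if maps is not None:
                    # Assumption: group names are compared case-insensitively.
                    role_groups = {g.strip().lower() for g in maps.split(",") if g.strip()}

    # A role granted Unrestricted must be one the role provider actually returns;
    # with groupMaps set, only the listed groups are included and processed.
    for tel in root.iter("telerik"):
        for roles in tel.iter("roles"):
            for add in roles.findall("add"):
                if add.get("permission") != "Unrestricted":
                    continue
                role = add.get("name", "")
                if role_groups is not None and role.lower() not in role_groups:
                    findings.append(("unrestricted-role-not-mapped",
                                     f"role '{role}' is Unrestricted but is not in groupMaps"))
    return findings


if __name__ == "__main__":
    for code, message in audit_web_config(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```
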
  4. Matt
    22 posts
    Registered: 25 Jan 2008
    30 Jan 2008
    Thanks, Sonya. That's a much better explanation than mine :-)

    Have you considered building AD integration into the GUI? It would be a great step during the site setup, right after selecting a database provider....
  5. Sonya
    231 posts
    Registered: 24 Sep 2012
    31 Jan 2008
    Hello Matt,

    Actually, we have plans to include Active Directory in the installation options. Apart from that, we plan to extend Sitefinity by setting the web.config file through the GUI. These plans, however, are not set for a specific version and we could not commit to a time frame for this functionality.

    Thank you for the involvement in improving Sitefinity.

    Best wishes,
    Sonya
    the Telerik team

  6. Erik
    34 posts
    Registered: 06 Dec 2007
    30 Apr 2008
    Sonya,

    I have been able to successfully set up my config file so that my page loads with an Active Directory connection. Thanks for the excellent and clear setup instructions.

    My next step in this project is to allow for the Admin page to be accessed using the Active Directory logins specified by the LDAP connection string. Currently I have an organizational unit called "Employees" that contains all users that will potentially have access to the admin portion of the site. I also need to be able to allow the default "admin" username access to the admin part of the site as well. Currently with my web.config file set up exactly as you have done it in your example, I am able to load my page fine, but I am not able to log in to the Sitefinity admin page using any domain credential nor the admin login.

    So, if you could please explain how I can enable these users to be able to log onto the system that will help me out.

    Thanks a lot and appreciate the helpful instructions,

    Erik
  7. Yasen
    121 posts
    Registered: 18 May 2013
    30 Apr 2008
    Hi Erik,

    In order to start administering Sitefinity with AD you need an Unrestricted user. By default when you create a new Sitefinity project you get the "admin" user who is a member of the Administrators role, and this role has Unrestricted permissions. After that you are able to create roles and give permissions.

    When working with Active Directory you start this process all over again, so first you need an "Administrators" role. To qualify a role to have unlimited rights, you have to add this to the web.config:

    <add name="Any domain group" permission="Unrestricted"/>  

    In your case probably the "Employees" group.

    Having this done, all members of this role will have Unrestricted rights, so they could enter the site and set permissions for the other roles.

    If you have tried this but to no avail, probably there is another problem with membership/roles.

    I hope this solves your issue. If you still have questions, just contact us and we'll be happy to answer them.

    All the best,
    Yasen
    the Telerik team

  8. Erik
    34 posts
    Registered: 06 Dec 2007
    30 Apr 2008
    Question: Where in the web.config file do I insert that line?  Under membership, or does it matter?

    Also, by using Active Directory, does that bypass the users currently set up in the database for logging in?  If so, is there a way to be able to use both AD and the database users at the same time?

    If the above can't be accomplished, I assume that I will have to create groups in active directory and assign users to those groups to be able to assign certain permissions for sitefinity administration sections.  Is this correct?

    Thanks,
    Erik
  9. Erik
    34 posts
    Registered: 06 Dec 2007
    30 Apr 2008
    Never mind the first question, figured out that it goes in the security section under roles. Still wondering about the other stuff though, thx.
  10. Erik
    34 posts
    Registered: 06 Dec 2007
    01 May 2008

    I know that I have my AD connection string working, but not sure why I get this error when attempting to login as my domain account into Sitefinity 

    Unknown error (0x80005000)

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.Runtime.InteropServices.COMException: Unknown error (0x80005000)

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [COMException (0x80005000): Unknown error (0x80005000)]
       System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +451
       System.DirectoryServices.DirectoryEntry.Bind() +36
       System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
       System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +73
       System.DirectoryServices.DirectorySearcher.FindOne() +42
       Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesRecursive(String path, List`1 collection) +188
    
    [COMException (0x80004005): Unknown error (0x80005000)]
       Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesRecursive(String path, List`1 collection) +577
       Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesForUser(String user) +459
    
    [COMException (0x80004005): Unknown error (0x80005000)]
       Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesForUser(String user) +616
       System.Web.Security.RolePrincipal.GetRoles() +250
       Telerik.Security.UserManager.GetCurrentUserRoles(String providerName) +68
       Telerik.Security.AccessPermission.CheckDemand() +292
       Telerik.Cms.Web.CmsHttpModule.context_PostAuthenticateRequest(Object sender, EventArgs e) +574
       System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64
    


    Version Information: Microsoft .NET Framework Version:2.0.50727.1433; ASP.NET Version:2.0.50727.1433

    I think I just need further elaboration on setting up users in AD and assigning them unrestricted access and so forth. I also think some explanation on how to correctly set up connection strings and other settings in the web.config based on how the AD is set up would help. Like how do you assign an organizational unit named "Employees" unrestricted access? Do you have to include the OU=employees in the LDAP connection string or do you just have to name it under the security section? Maybe the better question is what is the definition of a "group" in the groupMaps property; or more specifically, is an OU (organizational unit) considered a group?

    Questions like this I just need an answer to in order to more fully understand how to set this up.

    Thanks,
    erik

  11. Sonya
    231 posts
    Registered: 24 Sep 2012
    09 May 2008
    Hello Erik,

    Is it possible for you to upgrade to Sitefinity 3.2? Many problems have been fixed there. If it is not acceptable for you, we could provide a custom solution that includes the 3.2 functionality.

    Also, please accept our apology for not including more examples for this topic. I checked your configuration file and it looks fine, except for the "Unrestricted" roles. A group for Sitefinity means any Active Directory object that could include child objects, so OU is definitely a group. In order to give the "Employees" unrestricted rights use:

    <add name="Employees" permission="Unrestricted" /> 

    in the Security => Roles section. You can remove all other add tags as their corresponding roles don't exist.

    You cannot include the default users defined in the database when using the AD providers. To do so you'd have to create custom membership and role providers and gather information from both data sources.

    If anything needs further clarifications feel free to contact us again.



    Kind regards,
    Sonya
    the Telerik team

  12. Brian
    5 posts
    Registered: 02 Jun 2008
    04 Jun 2008
    Hi there,

    Thank you for this helpful posting, it helped me get up and running with Active Directory on the site I am developing.

    I am experiencing a new problem, however, which I would like to bring up here. 

    The configuration I am using has 2 providers: Public (Sitefinity database users) and Sitefinity (Active Directory).

    From the login screen, I am able to log in just fine now with any of my Active Directory users.  However, now it will not let me log in with my Public users.  Any time I attempt to log in with my user "admin", it tells me 
    Your login attempt was not successful. Please try again.

    Is the point of having multiple providers not to be able to log in as either a Public user or an Active Directory user?

    When I go into my web.config file and comment out my Sitefinity (Active Directory) provider, and change my defaultProvider back to Public, I am then again able to log in as admin without any problems.

    What am I doing wrong in the case of multiple providers?  Please help...

    Thanks!
    Brian
  13. Brian
    5 posts
    Registered: 02 Jun 2008
    10 Jun 2008
    Just to clarify my last post...

    If I change my role or membership "defaultProvider" to either Public or Sitefinity, then only the users belonging to that provider are accepted by my login screen.

    <roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Sitefinity">

    allows only Active Directory users, while

    <roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Public">

    allows only Sitefinity database users.

    Any ideas on why I can't get multiple providers working from my login screen?  Any help would be greatly appreciated...

    Thanks,
    Brian

     
  14. Slavo
    295 posts
    Registered: 24 Sep 2012
    13 Jun 2008
    Hi Brian,

    There's no problem logging in to the CMS backend with users from different membership providers. There is, however, the limitation that Sitefinity can only work with one Role Provider when setting permissions. From what I understand you have 2 membership providers and 2 role providers for them. This is why users from one of the providers cannot log in - Sitefinity does not give permissions for the users managed by the second Role provider.

    You can do a couple of things:
    1. You can use only one role provider. Then, you will be able to manage permissions for users from one of the membership providers (CMS users). The users from the other membership provider (public) will always belong only to the Everyone role. If you give "CMS Access" rights to this role, they will be able to log in.
    2. The problem of having one role provider with multiple membership providers is that sometimes there are users with the same username in both membership providers. This is a conflict which you can resolve by writing your own code to synchronize the two membership providers, and make the role provider differentiate between the same usernames. This, however, would not be trivial.
    Since users from one provider are public users anyway (they don't need cms access), I suggest using the first approach. They will be able to log in, but pretty much do nothing.

    We have plans to provide functionality for using one role provider with two membership providers, but we cannot commit to a time frame yet. I would be happy to answer your questions on how to set this up, or on any other issues you may have.
    Best wishes,
    Slavo
    the Telerik team

  15. Brian
    5 posts
    Registered: 02 Jun 2008
    13 Jun 2008
    Hello Slavo,

    Thanks for your suggestion - I have carried out #1 in your posting: I have removed my Public role provider. Remaining is my Sitefinity role provider (Active Directory role provider), my Sitefinity Membership provider (Active Directory), and my Public Membership provider (Sitefinity database).

    When I attempt to log in with one of my public users, it still tells me that the user does not exist.  Furthermore, when I log in as one of my Active Directory admins, the Administration/Users screen does not show the public users...only the Active Directory users.  Finally, I no longer see a drop-down list in my Command Panel, allowing me to select which Provider I am viewing users for.

    From this same Users screen, I can create a new user.  The application prevents me from assigning this user to a Sitefinity role, as I expected from your description in your last post.  Is this user that I've created considered a "public" user?  Is it stored in the Sitefinity database?

    If so, when I go back into my web.config file and remove my "Public" membership provider, I would expect that the new public user I just added through the Users screen to not be valid any longer.  However, it is still valid, and I can freely log in as this new user I've created.

    My work-around to my problem, until further notice, will be to use the Active Directory role and membership provider solely, and add additional users to this list (which will be of the Everyone role) as needed.  For anyone who needs to belong to a specific role, I will ensure that that user is added to Active Directory.

    Perhaps I'm just confused or not thinking broadly enough on this topic, but I have been playing around with the Active Directory functionality for quite some time now, and I still am finding that the original quote stated at the top of this forum:

    "Sitefinity even allows you to use multiple membership/role providers in a single application. For example, you can implement the SQL providers to validate user credentials and manage profiles and roles as well as passwords and e-mail addresses of your registered ‘public’ users; and at the same time, you can use the Active Directory membership and role providers to grant permissions to your internal network users for the CMS backend."

    ...is slightly inaccurate.  I can understand your difficulties with having duplicate usernames etc., but from the statement above, I would expect  the functionality to be as follows:
    - Through the Users screen, be able to select either membership provider (Sitefinity / Public)
    - When either is selected, an administrator can add/remove/set respective roles for that provider, without affecting the other provider
    - Pages / Modules can have permissions set for either provider's roles.
    - Login screen should have the ability to choose a provider, in which either a Public or Sitefinity user can log in.

    Perhaps you could help clear up what is the intended functionality with Sitefinity's multiple role/membership providers currently, and what is coming down the project roadmap?

    Thanks and best regards,
    Brian

  16. Yasen
    121 posts
    Registered: 18 May 2013
    10 Jul 2008
    Hello Brian,

    We are currently working on a real life example, supported with more detailed documentation on using multiple role providers with public users and permissions. Its main purpose is to make things clear about working with many providers, login forms and public users.

    This document will be ready on Monday, 14th.

    All the best,
    Yasen
    the Telerik team

  17. Yasen
    121 posts
    Registered: 18 May 2013
    17 Jul 2008
    Hi Brian,

    If you still have any issues on the subject please refer to this KB article. I hope it solves your issues.

    Best wishes,
    Yasen
    the Telerik team

  18. jkregala
    159 posts
    Registered: 22 Sep 2009
    07 Jul 2010
    Hi Sonya, I followed your instructions step by step (The one dated Jan. 30, 2008) and I keep having this error:

    Server Error in '/SSP' Application.

    This type of page is not served.

    Description: The type of page you have requested is not served because it has been explicitly forbidden.  The extension '.aspx' may be incorrect.   Please review the URL below and make sure that it is spelled correctly.

    Requested URL: /SSP/Sitefinity/Admin/Default.aspx

    Hope this could be resolved.... Thanks! :)
  19. Ivan Dimitrov
    16072 posts
    Registered: 25 Nov 2016
    07 Jul 2010
    Hi jkregala,

    Most probably the user that you have authenticated does not belong to the role you have set as unrestricted. Make sure that the AD role exists and the user you use belongs to it. You could also try to log in by using an administrator user from the Sitefinity provider and explicitly set CmsAccess permissions (from Administration >> Permissions tab) to a given role of your AD provider. Then, try to access Sitefinity's backend.

    All the best,
    Ivan Dimitrov
    the Telerik team
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  20. jkregala
    159 posts
    Registered: 22 Sep 2009
    08 Jul 2010
    Thanks Mr. Dimitrov! This was the issue - "Most probably the user that you have authenticated does not belong to the role you have set as unrestricted."

    I have a follow up question. Since all is well and done with regards to ActiveDirectory, meaning I can now login through the domain and the users under the domain group specified are loading already. Is there any way wherein approval workflow can be implemented with it? I mean using the default provider, you can add as many roles as you want for example:

    Authors - add, edit, delete News
    Approvers - add, edit, delete, approve, publish News

    So which means Authors submit News articles subject to Approver's approval. Since using ActiveDirectory means one group domain is loaded as one role, can I further filter that group domain into many roles so I can still implement the same scheme to the users under ActiveDirectory roles? Thanks.
  21. Ivan Dimitrov
    16072 posts
    Registered: 25 Nov 2016
    08 Jul 2010
    Hello jkregala,

    You can create roles only in Sitefinity's provider. Note that if a user belongs to several roles, "Deny" permission has higher priority - for instance, if user "myuser" belongs to role "a" and role "b" and for the same object (page or content item) this user "myuser" has "View" Allow in role "a" and "View" Deny, the user will not be able to see the object.
    By default Sitefinity's AD provider has an acceptor role - it cannot be used to create user/roles in your AD.

    Sincerely yours,
    Ivan Dimitrov
    the Telerik team
  22. jkregala
    159 posts
    Registered: 22 Sep 2009
    08 Jul 2010
    How about the users under the domains in the ActiveDirectory, can't I assign roles to them that are available under the default provider?
  23. Ivan Dimitrov
    16072 posts
    Registered: 25 Nov 2016
    08 Jul 2010
    Hello jkregala,

    You cannot make CRUD operations against your AD roles/users. You can only assign permissions to them.

    All the best,
    Ivan Dimitrov
    the Telerik team
  24. jkregala
    159 posts
    Registered: 22 Sep 2009
    08 Jul 2010
    Is there a way wherein I could at least differentiate the permissions of various groups of individuals within a role in Active Directory. For example I have a role "All Marketing Editors" but then within this role certain individuals should have less control over permissions while others have more.
  25. Ivan Dimitrov
    16072 posts
    Registered: 25 Nov 2016
    08 Jul 2010
    Hi jkregala,

    Granular permissions are implemented in Sitefinity 4.0. Currently you can implement a custom persistent class where you can make a pair relation between user ID/SID from your AD and a given right. Then you need to tweak built-in controls/backend views where you want to implement this granularity.

    All the best,
    Ivan Dimitrov
    the Telerik team
  26. Matt
    22 posts
    Registered: 25 Jan 2008
    08 Jul 2010
    @jkregala - I know this isn't the exact solution you're after, but we ended up creating a bunch of Sitefinity-specific security groups in AD, then mapping them in through the groupMaps on the roleManager provider. We have users in both AD (internal) and Sitefinity (public), with roles defined in each. It means there has to sometimes be a role duplicated in AD and Sitefinity, but it does work.

    I wanted the same thing as your "All Marketing Editors" example, but ended up just creating a new group for each different permission set.

    Another reason to be excited about 4.0!
  27. Siddesh Kapadi
    239 posts
    Registered: 09 Oct 2009
    26 Jul 2010
    Hello,

    I have created the entries in the web.config as specified above. I am able to log in to the page using AD, but as specified by jkregala I get the same error 'This type of page is not served.'. I changed the provider to accept the database user. I was again able to log in and was taken to the dashboard page (default.aspx). I went to the Administrator/Users section and tried changing the provider from Public to Sitefinity. I get an error:
    'The specified domain either does not exist or could not be contacted.'

    What can be the possible cause of this issue?

    Also, please let me know if my AD user does not fall in any of the groups, how can I set the permissions for the user.

    Regards,
    Siddesh Kapadi
  28. Ivan Dimitrov
    16072 posts
    Registered: 25 Nov 2016
    26 Jul 2010
    Hi Siddesh Kapadi,

    It looks like you cannot connect to the domain controller where AD is created. This issue can occur because the Sysvol directory is not shared out on the domain controller. Check your AD for DNS issues. To access AD in an ASP.NET application, it is better to run the app under a domain local administrator to see how everything behaves. Sitefinity is only an acceptor to the AD. Sitefinity does not control the users of the AD or roles management. Sitefinity just accepts the settings you have done during the AD setup. The problem is related to your AD and the way that it has been set up.

    Greetings,
    Ivan Dimitrov
    the Telerik team
  29. Siddesh Kapadi
    239 posts
    Registered: 09 Oct 2009
    26 Jul 2010
    Hey Ivan,
    Thanks for your reply. It was the same issue. My machine is not in the domain.
    It worked absolutely fine when I deployed the same on the server under the domain.


    Regards,
    Siddesh Kapadi