
AD and Access control for multiple blogs/hosts

13 posts, 1 answered
  1. topry
    12 posts
    Registered:
    31 Oct 2008
    12 Jan 2010

    I'm currently testing 3.7 and need to know if the following is possible and if so, how best to accomplish it.

    System is hosted on W2k3 server within a 2008 AD domain.
    We want to have multiple blogs and each will have different access types based upon assigned AD user groups.
    Some users would be able to view all of the blogs, some would not.
    Edit/admin roles would be specific to each blog.

    Those blogs a user cannot view, ideally would not show a link to them from the home page. If that is not practical, returning an error message that they do not have access is acceptable.

    Is the above possible/practical with SF?

    In configuring AD:

    I have reviewed the following information on using Active Directory:
         http://www.sitefinitywatch.com/notes/09-07-20/Membership_and_Role_Providers.aspx
         http://www.sitefinity.com/help/developer-manual/active-directory.html
    but have not been successful.

    I am getting the error: "Parser Error Message: An error occurred while parsing EntityName. Line 143, position 21."

    Following is line 143:
        Line 143:userSearchFilter="(&(sAMAccountType=805306368)(sAMAccountName={0}))"           

    Do you have any other instructions on configuring Sitefinity with AD or what I am doing incorrectly?
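
Added example, not part of the original thread and not Sitefinity code: web.config is XML, so a literal `&` inside an attribute value starts an entity reference, and the parser stops with the EntityName error quoted above. The C# sketch below parses a constructed one-attribute fragment (the `<add>` element is a placeholder; only the `userSearchFilter` value comes from the post) with the raw and the escaped `&`, and shows that the application still receives the original LDAP filter once the file is escaped.

```csharp
using System;
using System.Security;
using System.Xml;

static class FilterEscapingDemo
{
    // LDAP filter exactly as the directory should receive it (taken from the post).
    const string LdapFilter = "(&(sAMAccountType=805306368)(sAMAccountName={0}))";

    // Wraps a value in a constructed one-attribute fragment; <add> is a placeholder element.
    static string Fragment(string attributeText)
    {
        return "<add userSearchFilter=\"" + attributeText + "\" />";
    }

    // Returns the attribute value as the XML parser hands it to the application,
    // or null, with the parser's message in 'error', if the fragment is not well-formed.
    public static string ReadFilter(string fragment, out string error)
    {
        error = null;
        try
        {
            var doc = new XmlDocument();
            doc.LoadXml(fragment);
            return doc.DocumentElement.GetAttribute("userSearchFilter");
        }
        catch (XmlException ex)
        {
            error = ex.Message;
            return null;
        }
    }

    static void Main()
    {
        string error;

        // Raw '&' pasted into the attribute: the parser expects an entity name after it.
        string raw = ReadFilter(Fragment(LdapFilter), out error);
        Console.WriteLine("raw     -> " + (raw ?? "parse error: " + error));

        // SecurityElement.Escape turns '&' into "&amp;" (and escapes < > " ' as well).
        string escapedText = SecurityElement.Escape(LdapFilter);
        string escaped = ReadFilter(Fragment(escapedText), out error);
        Console.WriteLine("in file -> " + escapedText);
        Console.WriteLine("parsed  -> " + escaped);
        Console.WriteLine("round-trips to the original filter: " + (escaped == LdapFilter));
    }
}
```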

  2. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    13 Jan 2010
    Hi topry,

    Generally we have permissions per module, not per blog. You need to tweak the BlogsListView.ascx external template and create a code-behind for it. Then you need to implement some logic to restrict the blog access.

    protected void Page_Load(object sender, EventArgs e)
    {
        GridView1.RowDataBound += new GridViewRowEventHandler(GridView1_RowDataBound);
    }

    void GridView1_RowDataBound(object sender, GridViewRowEventArgs e)
    {
        if (e.Row.RowType == DataControlRowType.DataRow)
        {
            // "as" yields null when the bound item is not an IBlog
            IBlog blog = e.Row.DataItem as IBlog;
            // here you can check the current user and their roles using UserManager
            if (blog != null && blog.Name == "b")
            {
                e.Row.Visible = false;
            }
        }
    }

    You can hide the posts on the frontend - say your home page - by dynamically applying a filter to the BlogPosts control.

    Those blogs a user cannot view, ideally would not show a link to them from the home page. If that is not practical, returning an error message that they do not have access is acceptable.


    You can have a custom control that shows the blog names (not posts), and when someone clicks on this link you have to redirect the user to the appropriate page where all posts reside. Here you can easily check whether the user belongs to a given role (once he/she has been authenticated) by using the UserManager.GetCurrentUserRoles() method.

    I am getting the error: "Parser Error Message: An error occurred while parsing EntityName. Line 143, position

    Try using userSearchFilter="(&amp;(sAMAccountType=805306368)(sAMAccountName={0}))"

    Best wishes,
    Ivan Dimitrov
    the Telerik team

    Instantly find answers to your questions on the new Telerik Support Portal.
    Watch a video on how to optimize your support resource searches and check out more tips on the blogs.
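
Added example, not from the thread and not Sitefinity code: hiding a row only removes the link, so the same decision has to be made again on the page that lists a blog's posts, as the reply above describes. The C# sketch keeps one deny-by-default check that both places can call; the blog names, group names and the `BlogAccess` class are hypothetical, and it uses the standard `IPrincipal.IsInRole` in place of Sitefinity's `UserManager`, assuming the AD role provider exposes groups as roles.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

static class BlogAccess
{
    // Hypothetical mapping: blog name -> AD groups (surfaced as roles) allowed to view it.
    static readonly Dictionary<string, string[]> ViewRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Engineering", new[] { "Blog-Eng-Readers", "Blog-Eng-Editors" } },
            { "HR",          new[] { "Blog-HR-Readers" } },
        };

    // Deny by default: unauthenticated users and blogs missing from the map get no access.
    public static bool CanView(IPrincipal user, string blogName)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        string[] allowed;
        if (blogName == null || !ViewRoles.TryGetValue(blogName, out allowed))
            return false;

        return allowed.Any(user.IsInRole);
    }

    static void Main()
    {
        // Constructed principals; in the site this would be HttpContext.Current.User.
        var alice = new GenericPrincipal(new GenericIdentity("alice"),
                                         new[] { "Blog-Eng-Readers" });
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        foreach (var blog in new[] { "Engineering", "HR", "Unlisted" })
        {
            Console.WriteLine("{0,-12} alice={1,-5} anonymous={2}",
                blog, CanView(alice, blog), CanView(anonymous, blog));
        }
    }
}
```

Call `CanView` from the `RowDataBound` handler to decide row visibility and again in the `Page_Load` of the page that shows the posts, so a directly requested URL gets the same answer as the list.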
  3. topry
    12 posts
    Registered:
    31 Oct 2008
    13 Jan 2010
    Thank you for the prompt reply, that resolved the parsing error, but unfortunately I am now getting:
    Invalid ConnectionStringName on the following line within the RoleManager section
    type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security"

    I have tried a number of connection string permutations, all with the same result.
    The most simple as found in one of your examples:
        <add name="ADService" connectionString="LDAP://HENSSLER.COM/DC=HENSSLER,DC=com"/>

    No DNS issues (that I'm aware of), simple, single AD Domain with two DCs.

    I have tried both examples of RoleManager settings from this page, with the same results.
    http://www.sitefinitywatch.com/notes/09-07-20/Membership_and_Role_Providers.aspx

    Any suggestions/ideas on what I'm doing wrong and which RoleManager settings to use?

    Regards,

    Tim
  4. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    13 Jan 2010
    Hello topry,

    Check whether you have the correct connectionStringName in the <dataAccess> node. Most probably you are not using the correct database or you have not added the right connectionStringName in the <dataAccess> node.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

  5. topry
    12 posts
    Registered:
    31 Oct 2008
    14 Jan 2010
    I started with the default 3.7 Web.config - the following is the <dataAccess> node:
        <dataAccess defaultConnection="DefaultConnection">  
          <connections> 
            <add name="DefaultConnection" driver="Nolics.ORMapper.DataProviders.SqlServer2005Provider" 
              connectionStringName="Sitefinity" /> 
            <add name="GenericContentConnection" driver="Telerik.Cms.Engine.Data.Providers.GCSql2005Provider, Telerik.Cms.Engine.Data" 
              connectionStringName="Sitefinity" /> 
          </connections> 
        </dataAccess> 
     
    I used the modifications listed in the top admin reply in this post, but with the same results:
    http://www.sitefinity.com/support/forums/sitefinity-3-x/developing-with-sitefinity/sitefinity-with-activedirectory-integration.aspx

    I have searched the forums looking for other connection strings to use for AD integration, but have not found any references to modifications required to this node. Can you advise what I should add/change?
  6. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    18 Jan 2010
    Hi topry,

    Could you paste your web.config using FormatCode option? I would like to see whether something is going wrong on configuration level. Please send us the exact error you are getting and its stack trace.

    Best wishes,
    Ivan Dimitrov
    the Telerik team

  7. topry
    12 posts
    Registered:
    31 Oct 2008
    18 Jan 2010
    I finally got AD working. This video provided the info to resolve my issue, which was caused by trying to use a combination of web.config modifications from multiple other forum posts. There seems to be a large number of questions on this topic with varying (and conflicting) information posted.

    The next step is to get Windows Authentication to work, so users do not need to enter their username/password.
    IE is configured to recognize the domain as being on the Intranet and the SF Website is set to use Windows Authentication.

    However, I'm still seeing the login page when I attempt to navigate directly to the administration page.

    Can you advise what other modifications are necessary to enable SF to work with Windows Authentication?
  8. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    18 Jan 2010
    Hello topry,

    You can take a look at this MSDN article for more information about Windows Authentication - Using Windows Authentication in ASP.NET

    Greetings,
    Ivan Dimitrov
    the Telerik team

  9. topry
    12 posts
    Registered:
    31 Oct 2008
    18 Jan 2010
    I have made the normal modifications required for Windows Authentication:
    1) In IIS, modify directory security unchecking Anonymous access and checking Integrated Windows Auth
    2) Modifying the web.config setting <authentication mode="Windows"/>

    After making those two changes, if I navigate to the default login page and enter my credentials, the form refreshes, but is not redirected - the login page is reloaded and no error is displayed.

    If I attempt to navigate directly to the portal admin page (dashboard), I am redirected to the login page (no errors).
    If I add the following to the web.config:
    <authorization>
          <deny users="?" />
    </authorization> 
    I'm redirected to the login page and in the server Application event log, the following error:

        Event code: 4006

        Event message: Membership credential verification failed.


    I'm assuming that there are no modifications required to any other ASPX pages within SF to use Windows authentication, only Web.config and IIS setting?
  10. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    19 Jan 2010
    Hello topry,

    You need to make code modifications to get Sitefinity working with WindowsAuthentication.

    1. You need to modify/create a custom Login control, because it creates an HttpCookie using FormsAuthentication.FormsCookieName

    2. You have to create a custom class that inherits from Telerik.Cms.Web.CmsHttpModule and override the IsAuthenticated function, where you should cast the user as RolePrincipal and then use WindowsIdentity.

    You also have to override ResetRolePrincipal and there create a new RolePrincipal.

    Greetings,
    Ivan Dimitrov
    the Telerik team

    Answered
  11. topry
    12 posts
    Registered:
    31 Oct 2008
    19 Jan 2010
    Thanks - I was under the impression that it was supported natively, similar to SharePoint. For any others that may stumble on this thread looking to utilize Windows Authentication, I found the following post helpful as well: http://www.sitefinity.com/support/kb/sitefinity-3-x/sitefinity---using-wndows-authentication.aspx
  12. Ivan Dimitrov
    16072 posts
    Registered:
    25 Nov 2016
    19 Jan 2010
    Hello topry,

    The article contains only basic information and it is related to Sitefinity 2.x where the API is completely different.

    All the best,
    Ivan Dimitrov
    the Telerik team

  13. topry
    12 posts
    Registered:
    31 Oct 2008
    19 Jan 2010
    Thanks, yes I noticed that after the fact - URL is confusing (IMO) - as it contains 3-x.