
Problem with Windows Authentication

7 posts, 0 answered
  1. Jason
    31 posts
    Registered:
    07 Nov 2007
    03 Dec 2007
    Greetings all,

    We are trying to set up Windows Authentication with our company website.  First, can someone explain how this would work, does it mean that I can go: http://somecompanyname.com/sitefinity/admin within my domain and go right into the admin screen, or will I just be using my Windows Credentials to log in?

    Regardless, below is the stack trace of the exception we are getting:
    [COMException (0x80005000): Unknown error (0x80005000)]
    System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +451
    System.DirectoryServices.DirectoryEntry.Bind() +36
    System.DirectoryServices.DirectoryEntry.get_AdsObject() +31
    System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne) +73
    System.DirectoryServices.DirectorySearcher.FindOne() +42
    Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesRecursive(String path, List`1 collection) +188

    [COMException (0x80004005): Unknown error (0x80005000)]
    Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesRecursive(String path, List`1 collection) +577
    Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesForUser(String user) +459

    [COMException (0x80004005): Unknown error (0x80005000)]
    Telerik.Security.ActiveDirectory.TelerikADRoleProvider.GetRolesForUser(String user) +616
    System.Web.Security.RolePrincipal.GetRoles() +250
    Telerik.Security.UserManager.GetCurrentUserRoles(String providerName) +68
    Telerik.Security.AccessPermission.CheckDemand() +292
    Telerik.Cms.Web.CmsHttpModule.context_PostAuthenticateRequest(Object sender, EventArgs e) +574
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

    I have the authentication mode set to windows in the Web.config and (using the documentation) changed my web.config membership and role providers to the AD version supplied by Sitefinity.

    Any other information required please let me know

    Thanks,

    Jason

  2. Yasen
    121 posts
    Registered:
    18 May 2013
    06 Dec 2007
    Hi Jason,

    First, let me try to explain the Active Directory functionality in Sitefinity in a few words.
     
    There is an AD membership provider that manages authentication against the Active Directory. If you choose to use it with Forms authentication, the login page is used and the system would recognize any valid domain credentials. However, it would be easier for users not to type their Windows accounts every time, so you can end up using Windows authentication. With Windows authentication, during the first http request (*) to any Sitefinity page, the user is authenticated with his domain credentials, so if they navigate to the administration, they would not have to enter username/password.

    * If he/she is not using Internet Explorer, the user will remain anonymous as long as the application allows it. If he/she tries to navigate to the administration with Mozilla Firefox for instance, probably he would have to manually type his credentials.

    The AD role provider manages authorization for Sitefinity. It maps domain groups to Sitefinity roles.

    You can find more information about Active Directory and Sitefinity in the Security section of the Developer Manual.

    When an authenticated user tries to access some restricted areas (i.e. the administration), his roles are checked. That is where you get your error - in a query against Active Directory. Actually, when the roles are gathered, they are taken recursively, first all groups for the current user are listed, then all the groups the first groups belong to are added and so on.

    In your case, you were able to get the first level of roles, but for the next round an error occurred. That is why I assume that you have a problem with the permissions your account has in the domain, for example if you have permissions to get the object that refers to your PC, but don't have permissions to get other objects. Another suggestion is that there are some problems with your AD structure and the queries the GetRolesForUser() method executes.

    Could you please try to use a more powerful user (maybe administrator in AD) with the role provider? You should use the connectionUsername and connectionPassword properties of the provider. If this helps, the problem is rights-related. If the problem persists, please let us know. It would be appreciated if you open a support ticket and send us your web.config. We'll investigate it and do our best to provide a solution.

    Kind regards,
    Yasen
    the Telerik team

    Instantly find answers to your questions at the new Telerik Support Center
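Editor's added example (not Telerik's TelerikADRoleProvider, and not code from anyone in this thread) of the recursive role walk Yasen describes: list the user's groups, then the groups those groups belong to, and so on. The walk is separated from the directory query so it can be run offline against a constructed map, and the directory-backed lookup binds at the domain root obtained from RootDSE rather than at a sub-container, which is the fix Jason reports later in the thread. The HRESULT in the trace, 0x80005000, is ADSI's E_ADS_BAD_PATHNAME (invalid ADsPath), so a path problem and a rights problem both deserve a look. Account names, DNs and group names below are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;

// Added example, not Telerik's TelerikADRoleProvider. It separates the
// recursive "groups of the user, then groups of those groups" walk from the
// directory query so the walk can be exercised offline against a sample map.
static class NestedGroups
{
    // Walks memberOf transitively. The visited set makes nested (and
    // accidentally circular) AD group membership terminate.
    public static HashSet<string> Resolve(string startDn,
                                          Func<string, IEnumerable<string>> memberOf)
    {
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<string>(memberOf(startDn));
        while (pending.Count > 0)
        {
            string dn = pending.Pop();
            if (!seen.Add(dn)) continue;          // already expanded: stops cycles
            foreach (string parent in memberOf(dn)) pending.Push(parent);
        }
        return seen;
    }

    // RFC 4515 escaping for a value placed inside an LDAP filter, so a DN
    // containing parentheses or '*' cannot change the filter's meaning.
    public static string EscapeFilter(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Directory-backed lookup. Binds at the domain root taken from RootDSE
    // (the fix Jason describes later in the thread) rather than at a
    // sub-container, with whatever account the caller supplies: a read-only
    // service account once the rights question is settled (names assumed).
    public static Func<string, IEnumerable<string>> AdLookup(string bindUser, string bindPassword)
    {
        var rootDse = new DirectoryEntry("LDAP://RootDSE", bindUser, bindPassword, AuthenticationTypes.Secure);
        string domainDn = (string)rootDse.Properties["defaultNamingContext"].Value;
        var root = new DirectoryEntry("LDAP://" + domainDn, bindUser, bindPassword, AuthenticationTypes.Secure);

        return dn =>
        {
            var parents = new List<string>();
            string filter = "(distinguishedName=" + EscapeFilter(dn) + ")";
            using (var searcher = new DirectorySearcher(root, filter, new[] { "memberOf" }))
            {
                SearchResult hit = searcher.FindOne();   // null if the object is not found
                if (hit != null)
                    foreach (object g in hit.Properties["memberOf"]) parents.Add((string)g);
            }
            return parents;
        };
    }

    static void Main()
    {
        // Constructed sample directory (no real domain): jason -> Website Admins
        // -> IT Staff -> All Staff, plus a deliberate All Staff -> IT Staff loop.
        var sample = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["CN=jason,OU=Users,DC=example,DC=com"]           = new[] { "CN=Website Admins,OU=Groups,DC=example,DC=com" },
            ["CN=Website Admins,OU=Groups,DC=example,DC=com"] = new[] { "CN=IT Staff,OU=Groups,DC=example,DC=com" },
            ["CN=IT Staff,OU=Groups,DC=example,DC=com"]       = new[] { "CN=All Staff,OU=Groups,DC=example,DC=com" },
            ["CN=All Staff,OU=Groups,DC=example,DC=com"]      = new[] { "CN=IT Staff,OU=Groups,DC=example,DC=com" },
        };
        Func<string, IEnumerable<string>> offline =
            dn => sample.TryGetValue(dn, out string[] parents) ? parents : Array.Empty<string>();

        // Each group is reported once; the IT Staff <-> All Staff loop is cut by the visited set.
        foreach (string group in Resolve("CN=jason,OU=Users,DC=example,DC=com", offline))
            Console.WriteLine(group);

        // Against a real domain, swap in the directory lookup (hypothetical account name):
        // var live = AdLookup("svc_sitefinity_ro@example.com", password);
        // Resolve(userDn, live);  a COMException here points at the bind path
        // or the bind account's read rights, as in the thread's stack trace.
    }
}
```

Binding with a domain administrator, as Yasen suggests for diagnosis, tells you whether the failure is rights-related; once that is known, the connectionUsername used by the provider should be an account that can only read group membership, since its password sits in web.config.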
  3. Jason
    31 posts
    Registered:
    07 Nov 2007
    06 Dec 2007
    Thank you very much for your response Yasen,

    I read your response many times over, but was not able to gain any further insight into why I was getting the unknown error.  I called our company's resident expert on AD over and after musing over the documentation he noticed that for the AD conn string I am not allowed to specify a specific container.

    This is different from the actual Microsoft AD services class, but is not noted in the documentation.  Basically I had to point the connection string to the top level and make what he called a DSE.  I am able to login now.  I will now turn my attention to the mapping of roles.
  4. Jason
    31 posts
    Registered:
    07 Nov 2007
    06 Dec 2007
    Greetings,

    I have Windows Authentication working, however, while it lets me and the other members of the website group in as administrators, try as I might I can neither decrease the number of names in the user list nor prevent users who are not in the group from logging in and getting a Page not Served Server error.

    Help please
  5. Yasen
    121 posts
    Registered:
    18 May 2013
    10 Dec 2007
    Hi Jason,

    Thank you for the feedback. You are right that most of the time not all users are needed for the Sitefinity administration. We are aware of this inconvenience and are working on providing the best solution.

    Your experience with the GetRolesForUser method helped us find out that some problems may occur if you use a specific container in the connection string (not the root). If it troubles you, you can always override this method in a custom provider, we'll do our best to make it more universal for the next release.

    About users being able to login and then getting the 403 exception, you can prevent this by customizing the authentication functionality. By default, when a user provides credentials in the login form, they are validated through the Membership provider's validation methods. You can find/change this functionality in the Sitefinity/Login.aspx.cs file on the Authenticate event. An easy way would be to check if a user belongs to some particular role and if not, cancel the authentication.

    I hope this information is helpful, if you have any other questions, feel free to ask again.

    Best wishes,
    Yasen
    the Telerik team

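Editor's added example of the approach Yasen outlines above: validate the credentials through the configured membership provider as the default handler does, then cancel the authentication unless the user holds a particular role. This is not Sitefinity's actual Login.aspx.cs; the page class name, the control id "Login1" and the role name "Website Admins" are assumptions, and the Login1 field is the one the ASP.NET designer file declares for the Login control.

```csharp
using System;
using System.Web.Security;
using System.Web.UI.WebControls;

// Added example, not Sitefinity's Login.aspx.cs. Page class, control id and
// role name are assumptions; the designer file supplies the Login1 field.
public partial class AdminLogin : System.Web.UI.Page
{
    // Sitefinity role (mapped from an AD group via groupMaps) allowed past the login form.
    private const string RequiredRole = "Website Admins";

    protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)
    {
        string user = Login1.UserName;

        // Step 1: credentials are still checked by the configured membership
        // provider (the AD one here), exactly as the default handler does.
        bool validCredentials = Membership.ValidateUser(user, Login1.Password);

        // Step 2: a valid domain account is not enough; the role provider
        // (GetRolesForUser) must also place the user in the required role.
        bool inRole = validCredentials && Roles.IsUserInRole(user, RequiredRole);

        // Cancelling here keeps the forms ticket from being issued, so the
        // user never reaches the administration and the 403 described above.
        e.Authenticated = validCredentials && inRole;

        // One message for both failure cases, so the form does not reveal
        // whether an account exists but lacks the role.
        if (!e.Authenticated)
            Login1.FailureText = "Login failed.";
    }
}
```

With Windows authentication there is no login form for domain users, so the same rule belongs on the administration path as well: a web.config `<authorization>` section under a `<location path="Sitefinity">` element that allows the required role and denies everyone else stops users outside the group at the request stage, independent of the form's handler.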
  6. Jason
    31 posts
    Registered:
    07 Nov 2007
    17 Dec 2007
    Greetings Yasen,

    Thank you very much for your reply.  Things are working fairly well on this end thanks in large part to the great support we have gotten through these forums.

    Regarding the user inconvenience; while it is just that, I am thinking there must be a way to filter down the user list, as right now we have well over 1000 users registered.  This would not be an issue if admins were able to assign these users to the website group. This is not implemented, or so Sitefinity says, so there is no added gain with these users.

    For use with AD is this what we can expect for the time being?

    Thanks in advance and Best regards,

    Jason
  7. Yasen
    121 posts
    Registered:
    18 May 2013
    17 Dec 2007
    Hello Jason,

    We are currently working on some AD provider upgrades and most probably this functionality will be included in the January release. Our initial idea is to provide a public property "Use members only" that would be defined for the AD provider in the web.config. So admins would be able to choose between managing all users, or just users that belong to the groups specified in the "groupMaps" property. If you have anything else in mind, it would be highly appreciated if you share it with us.

    All the best,
    Yasen
    the Telerik team
