Role provider in a package: Advice

Hello,
I have a package I want to create, but first I thought I would seek some advice.
A while back we developed an internal Umbraco site that we wanted to tie down specific bits of based on users' Active Directory membership, but we also wanted seamless login.
So, because we couldn't find anything (and do tell me if we missed it), we developed an ActiveDirectory RoleProvider for Umbraco that worked with the backend (it limits the list of groups you can see in the UI so it's manageable), and an autologon user control (user hits site, redirect to form page, which uses IIS to log them on and check AD).
It all works very nicely for us, but it's clunky to get working.
You need to:
1. Install the provider.dll and usercontrol
2. Alter web.config to take the new role provider (this includes knowing your AD settings)
3. Change settings in IIS to integrated authentication (and exclude webservices folders lower down)
4. Set up member types in your membership (provider needs a default type)
So if we were to package it up, how much of that should we / could we do? I suspect the answer (at best) is 1 and 4?
Any thoughts?

Personally I would only believe that 1 and 4 are possible. Interestingly, I've been trying to achieve exactly what you mention above; however, when using a custom Active Directory membership provider (for BackOffice access) and role provider, I get the following error:
The parameter 'username' must not be empty.
I'd be really interested to see how you've achieved this - would you mind sharing the source code to start with on CodePlex?

It may be worth looking at the community package actions project: http://our.umbraco.org/wiki/reference/packaging/package-actions/community-made-package-actions

Yes, I will put something up; we are only using this provider for the frontend membership - we've left logon for the backend Umbraco editors (although we have used the standard AD Provider for logon).
I've actually thought about this a bit more, and the web.config settings could be done with a custom page at the end of the package install - it would need to prompt for domain, user etc. before writing the provider into the AD.
Although I think that's probably still quite involved - this won't be an install-and-go package no matter what I do.

Hi Kevin,
I was wondering if you've put anything up online about this yet - I'm at the stage where I need to implement what sounds like an identical solution, so rather than reinventing the wheel I'd like to learn from what you've done.
Cheers

Jonathan,
I've put a basic package up now: http://our.umbraco.org/projects/backoffice-extensions/umbraco-ad-roles
It takes some heavy lifting to get working, and the code is available on the CodePlex site: http://uadroles.codeplex.com/ with some documentation that hopefully makes some sense of how to achieve it.
Big caveats with it all: only ever run on a brand-new domain install, and the one production domain it has been deployed to, but it would be good to get feedback and see if anything can be improved on this one.

Kevin,
You're a star - thanks for this - I will try it out and feed back to you asap.

Just to update you, this works perfectly! The only comments I have are:
1. In the documentation the role provider config extract states that you need to supply 'domainPath', whereas based on the source code this should be 'domain'
2. I'm using IIS7.5 on WinServer 2008 R2 - therefore rather than Integrated Security, you instead enable 'Windows Authentication' and disable 'Anonymous Authentication'
3. I'd rename the package you've uploaded to the Umbraco projects database to 'Intranet Authentication' - as this is without doubt the best solution I've seen.
In the end, I was going wrong by trying to use a custom membership provider, rather than using the standard Umbraco one.

Thanks for going through it - it needed someone else to do it - I've been copying it from site to site since I set it up :)
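
The web.config and IIS changes discussed in this thread (registering the role provider with the 'domain' attribute, enabling Windows Authentication, disabling Anonymous Authentication, and excluding the web services folder), shown as a web.config fragment. This is an added example, not code from the thread or from the uadroles package; the provider name and type, the domain value and the excluded folder path are placeholders or assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added illustration, not taken from the uadroles package. -->
<configuration>
  <system.web>
    <!-- Role provider registration. The name and type values are placeholders:
         take the real type string from the package documentation.
         The attribute is 'domain', not 'domainPath', per the correction in the thread.
         "example.local" is a constructed sample value. -->
    <roleManager enabled="true" defaultProvider="PlaceholderAdRoleProvider">
      <providers>
        <add name="PlaceholderAdRoleProvider"
             type="PLACEHOLDER.TypeName, PLACEHOLDER.Assembly"
             domain="example.local" />
      </providers>
    </roleManager>
  </system.web>

  <!-- Site-wide: Windows Authentication on, Anonymous Authentication off,
       so every request carries an authenticated AD identity. -->
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="true" />
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>

  <!-- Exclusion "lower down": the web services folder stays anonymous.
       The path is an assumption; the thread does not name the folder. -->
  <location path="umbraco/webservices">
    <system.webServer>
      <security>
        <authentication>
          <windowsAuthentication enabled="false" />
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
```

On a default IIS 7.x install the windowsAuthentication and anonymousAuthentication sections are locked at server level, so these elements in web.config produce a configuration error until the sections are unlocked or the same settings are made in IIS Manager. Keep the anonymous exclusion as narrow as possible, since anything under that path is reachable without an AD identity.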