Hi Richard, 

Obviously i've got this working, but it is tricky.First thing i would say is we have been developing a new more robust version for our own use and are planning to release this today or tommorow. i should make some of the configuration easier. 

things to check

Role provider is installed 

if the role provider is installed then right clicking on any content node and picking public access should give you the permissions dialog, if you select role base protection you should get a dialog listing all your groups (like below)

User Control Working

the logon user control actually works independently of the role provider, but if you get your users re-directed to your login page (with the logon user control installed) then the the login control should create the membership record for a user when they logon.

the gotcha here is default user type in web.config 

defaultMemberTypeAlias in the UmbracoMembershipProvider needs to point to an existing mebership type in umbraco, without this the user won't be created.

User Groups being pulled through

If the role provider is in and users are being created, then clicking on a member in umbraco should display the groups they are in - if this doesn't work then your role provider isn't logging into the domain and getting the list of groups back. 

Win2008 - is a real pain, and our new version does it diffrently

The provider does work with win 2008 , but IIS7 will swap between passing DOMAIN\USERNAME and USERNAME to umbraco. - this happens because when using NTLM it passes DOMAIN\USERNAME if you then go to the umbraco login page- even though this is for user not member login, IIS will start passing just USERNAME to the front end. 

This issue happens if the same user is logging into the site and then going to the umbraco backend. 

We are chaning the provider so it always registers users with DOMAIN\USERNAME in the backend, and if it gets passed just USERNAME it will append the default domain to the front

Hi Richard, New Version is now on our.umbraco.org. you might find that version easier. 

Kevin,

My developer has several questions re: the scope of your active directory provider and some issues that he hoped you could shed light on:

1. Does your AD provider handle back office authentication of users who login to the Umbraco backend, ie content editors or is that another provider.

2. We have a single Umbraco instance running 50 sites. The vast majority of vistors to our sites are from the public, ie"anonymous users".  Other visitors are members of the UCSF (Univ. of CA San Francisco) , ie faculty and staff.  To access the network, they login either from their desktops or via VPN to a system called “My Access” that includes all of their AD group memberships plus other applications not relevant here.

If we implement AD, we l need to accommodate the anonymous users. The AD provider uses windows-based atuhrenticaltion (IIS).  My developer is concerned that when AD is turned on in the provider, the login form only checks whether the AD privileges are valid and that anonymous and forms-based logins have to be turned off.

Simply put, can your provider accommodate both anonymous users and AD users?  If my question is unclear, I will have my developer post directly. I did this from notes I took talking to him.

3. Several possibilities exist w/respect to pages that require AD authentication to access.  One is that the menu page link appears for everyone who visits the site. When clicked on, those w/valid AD access simply see the page. Non-AD visitors are served a page that says they don’t have access (error page).  An alternative is that the menu link is hidden from  users w/out AD access.   See http://our.umbraco.org/forum/developers/extending-umbraco/38179-Active-Directory-(AD)-Selective-or-Filtered-Display-of-Pages-on-Public-Site 

Which of these is the default scenario?

Hi Richard, 

that's a bit involved but i will try 

1. no this provider is for Membership (i.e front end users) you can use the standard AD Provider for the back end (CMS Users), there is documentation on our.umbraco.org for that. http://our.umbraco.org/wiki/how-tos/membership-providers/active-directory-membership-provider

2. i think (although i haven't actually tried) that it will work with anonymous users - if their is no security set on the nodes inside umbraco, then the user will never be directed to a 'login' page - the login user control is the thing that logs the user in. 

From what you've said i would be inclined to replace the automatic login usercontrol in the package with a standard forms based login form

The form would take persons username and password from a form and log them onto the active directory

This does require you have some AD experience, but in essence you get hte user to supply their username and password, then try a AD logon using the System.DirectoryServices class. if this works - your user can then be logged on in the same way the form works already.

We did this once ( https://gist.github.com/KevinJump/5041416 ) it's not in the package however - it was a quick hack.

3. The Role provider will return a users groups, you can use HasAccess in your menu macro to display only items the user can actually see. http://our.umbraco.org/wiki/reference/umbracolibrary/hasaccess - we do this it works - it's often overlooked, but it is dead simple (might be in Umbraco 4.7.1+ only)

Thanks Kevin.

I will pass along this helpful info to our developer Rob Mayfield and IT expert Raymond Tam. They may be following up w/their own posts.

Kevin,

1. re: the AD providier for back end (CMS Users), there appear to be two providers: what you refer to as the standard provider, . our.umbraco.org/.../active-directory-membership-provider and http://our.umbraco.org/projects/backoffice-extensions/active-directory-backend-users  - Do you have a recommendation as to which one is better/easier to use etc.

2. re: your second point in the last discussion, if your users are already logged into AD at the same time they log into their computers, why would the AD-authentitcated user ever have to be presented with a form. Shouldn't they simply get the page returned as if the page was unprotected? Unless I am not understanding something?

re: "We are chaning the provider so it always registers users with DOMAIN\USERNAME in the backend, and if it gets passed just USERNAME it will append the default domain to the front"   - is this change in the new version.

Hi Richard, 

1. I've only every used the standard version for CMS Users but i think the other one has slightly more options ?

2. yes it would but if you also want anonymous users then i'm not sure if it will always pass the username to umbraco - i would have to try it

3. yes the new version handles the domains better, and has a config tab in umbraco. try it - tell us if it's any better. 

System: Umbraco Version - 4.7.1 ,Windows Server 2008 – 8gb memory – 4 Zeon 2.27Ghz processors service pack 1 – 64 bit OS , IIS version 7.5.7600.16385, SQL Server 2008 R2, Stacktrace - N/A         

Kevin,

We installed 0.2 and followed all of your instructions.  We got further than before but are stuck w/at his error message when we attempt to access a protected page.

Can you advise us as to where we might be having problems, what to change and/or what other information you need from us?

Richard

Antother screenshot of our configuation:

According to our developer, the error we were getting (“No Username (LOGON_USER - Blank) : No Logon”) is generated when Anonymous authentication is turn on. But Anonymous authentication has to be turned on for the regular user to see the website (all users must have a AD login). 

We have 50 sites. We want to distinguish/differentiate public users from AD users, allowing access to most pages, but protecting a few. With Anonymous authentication on, no visitor to the set can get to a page without being presented w/a login box.

I'm speculating that you may be using you AD system as a mere substitute for the cumbersome membership routines in Umbraco, so you don't have to create groups twice, dupiciating your AD users in the membership area.  This is fine if your site is not public (all users must authenticate) whereas our site, which I think is the more typical case, has a mix of public (anonymous users) and AD (private users)

With anonymous authentication turned off, we're still gettting IIS errors that authentication is incorrect, but if the extension/provider does not support anonymous authentication, its a moot point. Would you be able to test whether anonymous authentication can work in your environment? 

This program at Stanford at the link below is similar to ours. We're actually building a site now patterned on theirs (which probably does not use Umbraco):

http://trachea.stanford.edu/protocolsforms.html

You can see that this is public site.  However for a few links, including these two on that page, one uses AD while the other uses a forms based login:

Smartpage Onsite - AD

Smartpage Offsite - forms-based login

Hi Richard, I suspect that's one of two things.

1. IIS Not being configured for Intergrated Authentication (unlikely)

2. The web browser not passing Authentication to the server

The browser (lets say Internet Explorer for the rest of this) will only pass the Authentication Settings to the server if it thinks the web service is trusted. by default this happens when the browser thinks the server is on it's local intranet - and it will sayso in status bar (bottom right) 

However the setting can be changed, in IE it the bottom setting in the security settings

- however, if your site is on the internet you can't really control this. 

I Suspect you need to go down the form based logon route - the Role Provider will still work, but replacing the current user control for windows logon that is in the package with one that does forms based logon, I posted a sample bit of code further up the discussion thread for one we did in house,

it's not in the package, but you should be able to produce on from the code. here https://gist.github.com/KevinJump/5041416

the form will authenticated the user against the AD, and create their stub account in umbraco, the role provider will then be able to use this to lookup groups.

I don't think in the situation you have you can get the seemless logon of AD users to work with anonymous access also. 

i would strip this right back,

1. get a form based login on umbraco against your active directory (that doesn't need the provider) 
2. the get hte provider to read groups for those logged in users.

hope that helps. 

Thanks Kevin,

We'll recalibrate our efforts in light of you most recent posts and let the group know our results.

Hi Kevin,

I'm in the same boat as Richard it appears.  I'm trying to make this work w/ forms authentication, but I'm a bit of a novice with creating the control to do this.  I see your code on github, but not sure how to make it work.  Would it be possible to create a release with both the Auto-Login user control and a Forms-based user control?  So close to making this work for our users!  :)

Thanks,

Brian

Brian,

We're still working on our solution.  The goal is to have two choices to protect a page: either forms-based or AD.  We're not attempting to create two methods for the same page, ie. if person not in AD, they can still use forms-based login.  We need the forms-based because on some sites, users may not be members of an AD group.  

Have you succeeded getting AD to work?

Richard

I noticed there is a related thread to this discussion so I am adding a cross-reference to it here:

http://our.umbraco.org/projects/backoffice-extensions/umbraco-active-directory-authentication/project-discussion/38228-Prompt-for-credentials

Richard,

I was finally able to get AD working, but via a forms-based login that queries AD to login.  Our site is public, so turning off Anonymous for the whole site wasn't an option.  I essentially just use this package for it's role-provider (and it does an excellent job of this!) and then wrote my own login form using MVC (we are on version 6 for this site).

To be clear, my solution doesn't provide a seamless login based on the logged-in user on the local domain computer, but rather presents every user with a form login.  Hope that makes sense.  Let me know if you are interested in seeing my code for this.  It is pretty hacked together as most people aren't running v6 and even more aren't running in MVC mode (I would imagine).  Works beautifully now though!

Resources I used for my login form:

• MVC Login Form - http://24days.in/umbraco/2012/creating-a-login-form-with-umbraco-mvc-surfacecontroller/
• Kevin's Code alluded to in an earlier post in this thread - https://gist.github.com/KevinJump/5041416
• Had to modify Kevin's code somewhat to make it fit into my MVC solution, but if you are using 4.7 and web forms, should be a straightforward process 

Brian

Thanks Brian,

So, in your setup, let's say I'm a member of the AD group.  I login at my host computer in the morning and that validates my active directory credentials.  When I try to call up a protected page on your site, I must then enter my credentials again on a separate login form.  

So the main advantage with your solution is that instead of using the native Umbraco membership system, which essentially duplicates your AD info, you only having to work w/a  single set of membership data. But they still have to login.

 Why not bypass the login screen by autofilling it w/data based on their AD credentials. Or is that not possible?

Hi Richard, 

I'm not sure when you have a site that is also anonymous and you want automatic login that is possible (not with this package anyway)

this package was written with an setup where IIS always does it's bit of authentication before it gets to umbraco, as such its dependent on IIS securitng the site

As brian has said the role provider will work with either, i think your issues really focus on how the user is authenticated by the logon form - and i suspect browser settings play a big part because the browser isn't always sending the NTLM information especcially if it thinks the site is on the internet and not local Intranet. 

Richard,

To my knowledge, the autofilling isn't possible, unless you disable Anonymous Authentication for the entire website.  The workflow is like this:

• Anonymous User browses website
• Anonymous User browses to page that is protected triggering the login process (in my case, presented with a form)
• Upon entering user/pass, that data is used to check if the user exists in AD.
• If exists, user is logged in using their domain account
• Then, the role provider from this package does it's magic and checks to see if you are in the group(s) selected for that page
• If you are in that AD group, you see the page, otherwise, you get the error page.

Brian/Kevin,

We're convinced now that auto-authentication in the cirumstances described above is not possible, ie. w/Anonymous Authentication enabled. Having said that, we have an additional issue it would be great if you could weigh in on.

I had previously thought that when a user VPNs into a UCSF Medical Center website, such as the one above, that AD credentials were available to authenticate what would otherwise be an anoynous user.  That assumption was incorrect. When I VPN in to an AD protected site at UCSF, I am still an anonymous user since my computer is not a part of the UCSFMedCtr domain, like users who are on campus (I am a telecommuter).

My programmer and I as well as doctors at remote locations need access to some of the pages on the site that is protected by AD.  Is there a way to allow alternate authentications to a given page, either AD or the native protected membership provider of Umbraco.  That would cover both AD  users as well as anonyomous. I suspect this may be difficult, but I wanted to at least ask. 

Richard

Hi Richard -  not with this provider in it's current form - the provider replaces umbraco's default role provider with one that looks at the AD for all member roles. you have two options

1. use forms based authentication, and have an AD account for all users who logon to the site, you could create a "webuser" group in your AD and manage it all via that

2. Write a hybrid AD/Native provider, where groups could be written to a custom property on the membership account, so you could add aditional roles to those the AD might / might not find. 

I personally would try for number 1 as its easier to support / understand. 

Kevin 

Kevin,

What do you think of this solution if it fact it is one - seems so:

http://our.umbraco.org/forum/core/general/24216-Using-Active-Directory-with-mixed-authentication

Kevin,

Just looking at that link, your solution 1 above looks a lot simpler.

These are some other interesting threads where users have asked about mixed authentication (AD and Umbraco Native). The solutions look a lot less complex than the link I posted above:

http://our.umbraco.org/forum/developers/api-questions/21926-Users-and-Active-Directory-Authentication

http://our.umbraco.org/forum/developers/api-questions/31251-Mixed-Authentication

Brian,

re: "To be clear, my solution doesn't provide a seamless login based on the logged-in user on the local domain computer, but rather presents every user with a form login.  Hope that makes sense.  Let me know if you are interested in seeing my code for this.  It is pretty hacked together as most people aren't running v6 and even more aren't running in MVC mode (I would imagine).  Works beautifully now though!"

Sure, post your code if you think it will help us in a 4.71 implementation?

Richard,
Here is a link to my code.  It was done with MVC.
https://gist.github.com/laidleymedia/9c7fc8b342fa258cadd9

Hope it is helpful!

We finally got AD installed on our Umbraco installation using  a custom hybrid AD provider our developer wrote.  It uses a forms based login. Our sites are mostly  public pages accessible by anonymous users.  We have 50+ sites.  Some are pages that are protected for unique AD security  groups.

One problem is that authenticated AD users are only added to the relevant group in the Umbraco membership area on their initial visit. For subsequent authentication of the same user to  other AD member groups, the member already in Umbraco  is not updated with the second group. This must be done manually within Umbraco   E.g.  User 1 logs into Protected Page “A” as member of UserGroup1.  Success.  User 1 then logs into Protected Page “B” as member of UserGroup2.  Login fails. Error:  you are not a member of usergroup2. The AD extension  does not update the User 1 member with the new AD group.   A  user of the site might seek authentication of Protected Page “A” at Time X and Protected Page “B” at Time X + 5 minutes and be turned away at the second site.

Non-AD users are manually configured in the mermbership area with the relevent membership groups. They work fine. This is the standard native Umbraco interface.

Another problem is with passwords.  Let's say a user already in Umbraco  changes his AD password outside of Umbraco. The Umbraco member's password is not updated. This does not affect subsquent logins within Umbraco. The user is validated because his account has already been created there. But now the user's static password for this AD group is out of sync and this presents security issues. If an AD member changes/updates his password outside of Umbraco, the update is not passed into Umbraco which essentially has a static login/password combination.  The AD membership in the domain and the Umbraco membership area are essentially silos w/passwords that may go out of sync. It will be confusing for an Umbraco user to learn that his changed AD password does not work when logging into a protected page in Umbraco.

If an Umbraco member/user is removed from the AD group (let's say he gets a new job elsewhere or transfers Depts.) the login still works w/in Umbraco.  This obviously presents a security problem.

In summary, then, the AD login works on the first pass for a new first time user of a protected page.  But the login information is fixed and static and fails to authenticate for other AD security groups beyond the initial one. The way I envisioned this working is a dynamic one.   The membership in Umbraco should be aligned with the AD membership. Changes in the AD system should be reflected in Umbraco or alternatively all of the AD data should be consulted but not held w/in Umbraco.

The way it is set up now, AD members have to be manually configured for secondary membership groups and manually updated for passwords and deletions from the AD system.  This sort of defeats the purpose of having an AD interface w/in Umbraco.  Plus there is a signficant burden imposed on the IT and Umbraco managers to manually push changes from AD to Umbraco.

I suggest to our developer that he delete all the membership data for that user as soon as it is written and he is authenticated  so that each subsquent access is de novo (as if a new user).  He said that the membership data must remain in Umbaraco to for continued access during that session.

I also suggested comparing the AD privileges and passwords each time a user logs in w/the info in the Umbraco membership area. For AD members in existing Umbraco member groups , force revalidation by comparing AD credentials w/potentially outdated, stale Unmbraco membership credentials. If role no longer exists, deny access, If pswd is validly changed, update Umbraco membership.  If existing role of user is valid, but other role requested is not in Umbraco, then update current membership role(s) with new role.

Any suggestions, comments or solutions would be helpful.

Hi Richard, 

it is difficult to comment on exactly the best way for you to impliment AD login, as the AD is a complicated beast and having 50+ sites with a mix of authentication types is never going to give you a simple solution. 

As with all development you have to way up the complexity and time it takes to develop the solution with the subsequent costs of support, and while it may appear on the face of it that your currentl solution has high maintance costs, they could well be less than implimenting more complex code within umbraco.

so with a large pinch of salt. you could look at

1. Developing your own hybrid role provider for umbraco, that extends the standard umbraco provider but uses some custom fields on the member record to also take into account the users group membership in the AD .

if you could get this working, this would provide the standard umbraco membership for your non-ad users while extending the group membership for those users who had AD accounts - you could mark those users with a flag on their accounts (set at creation?) 

2. you could do something similar with your logon control - it sounds like it is already logging the users onto the AD first time - if you put a flag on the account (you do this by adding fields for the member types on the membership tab) then the login control could check this flag, if set login via the AD - if not, use the umbraco username/password combo. 

this might solve your Password sync problem.

Again this is very dependent on your AD and Umbraco setups, i can't say that either of these will work or be better or eaiser to support than what you now have. but they might give you ideas on things to look at. 

Thanks Kevin, I passed these suggestions on to our developer. I will keep the group here posted. 

Hi

I have set up the login page and authentication required for a single page . So when i try to browse the page , the Active directory user is recognised and created as a member in Umbraco . But when it tries to redirect to the page where the request came from , it goes into a loop . The error i get is "This webpage has a redirect loop"

Any help will be much appreciated

Regards

-Arul

If I simply want to use windows authentication with Umbraco and create my own users that match the AD users that will be using the site, do I need to use the AD provider? Or, can I simply set the site to use windows auth and autl-login the user somehow by matching their Identity and their corresponding user in the Umbraco database?

The idea being is that I would manually setup the user in the backoffice, but the user would be auto-logged in when they visit the site. This is a strictly intranet scenario.

is working on a reply...