Great package so far. I was going to build my own but your's gets me to the finish line much faster. I stumbled upon the issue with my Intranet site not looking like one to IE and having to add it to my Intranet zone. You might add that information to the install instructions.
Normal AD users are able to view the site, no issues. When a user browses to a site I've set Public Access permissions on, they correctly and transparently are sent to my autologin page, their Member record is created with all the details including email. What is not happening, the groups they are assigned to in AD are not being assigned to them in Umbraco. I cannot go in and manually assign them as my AD user does not have permission to edit, just view.
Also, I read someone else having a concern about the Member password in Umbraco not being updated when it changes in AD. Has this been changed in the current version of this project?
Additional information: This is the same issue I had with setting up AD for back office login. If the AD is not in the same domain as the web server, it's next to impossible to get group information.
System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
In the other instance I had to use a different method but that was only checking to see if the user logging in was in one group.
in terms of groups, if the role provider is working it should see the groups you have named in the web.config - check for things like case of groups is ok, the provider will trace the groups out so adding ?umbDebugShowTrace=true should so you something in the trace.
The password of the user isn't stored in umbraco - the login is always performed against the AD - so their is no password to sync with the umbraco db.
Setting up a trust between the servers will never happen, my admin won't allow it. In Microsoft's flawed wisdon, they allow us to see many details about an AD member but doing something like GetGroups() causes an error. The information is in the string MemberOf but then I'd have to parse it out which won't be fun. Looks like I'll have to resort to the old DirectorySearcher filter method.
you might be able to get it to work without a trust, but probably with a lot more tweaking which you're probably not going to be allowed to do.
We did start to go down the DirectorySearch root, in the end we did the DomainPrincipal because that does nested group membership (not always an issue)
Ok, did some rework of the code and got it to work. Now, need to see what happens for an existing Member who is added to additional groups. Do they get added or do groups only get assigned when the Member is first created? How about if a Member is removed from an AD group?
the groups aren't really there, The package replaces the membership role provider so no groups go into the umbraco DB wherever groups are listed by umbraco it's roleprovider telling it the groups.
It gets the user's groups dynamically when they logon (from the AD) - so if they are removed in the AD they go in umbraco.
Member created and logs in but Member Groups not assigned
Great package so far. I was going to build my own but your's gets me to the finish line much faster. I stumbled upon the issue with my Intranet site not looking like one to IE and having to add it to my Intranet zone. You might add that information to the install instructions.
Normal AD users are able to view the site, no issues. When a user browses to a site I've set Public Access permissions on, they correctly and transparently are sent to my autologin page, their Member record is created with all the details including email. What is not happening, the groups they are assigned to in AD are not being assigned to them in Umbraco. I cannot go in and manually assign them as my AD user does not have permission to edit, just view.
Also, I read someone else having a concern about the Member password in Umbraco not being updated when it changes in AD. Has this been changed in the current version of this project?
Additional information: This is the same issue I had with setting up AD for back office login. If the AD is not in the same domain as the web server, it's next to impossible to get group information.
System.DirectoryServices.AccountManagement.PrincipalOperationException: Information about the domain could not be retrieved (1355).
In the other instance I had to use a different method but that was only checking to see if the user logging in was in one group.
Any ideas how to tackle this?
you can use domains outside of the one the webserver is in (assuming it can see it - there is a trust between domains, etc) through the settings
The password of the user isn't stored in umbraco - the login is always performed against the AD - so their is no password to sync with the umbraco db.
Setting up a trust between the servers will never happen, my admin won't allow it. In Microsoft's flawed wisdon, they allow us to see many details about an AD member but doing something like GetGroups() causes an error. The information is in the string MemberOf but then I'd have to parse it out which won't be fun. Looks like I'll have to resort to the old DirectorySearcher filter method.
you might be able to get it to work without a trust, but probably with a lot more tweaking which you're probably not going to be allowed to do.
We did start to go down the DirectorySearch root, in the end we did the DomainPrincipal because that does nested group membership (not always an issue)
Ok, did some rework of the code and got it to work. Now, need to see what happens for an existing Member who is added to additional groups. Do they get added or do groups only get assigned when the Member is first created? How about if a Member is removed from an AD group?
the groups aren't really there, The package replaces the membership role provider so no groups go into the umbraco DB wherever groups are listed by umbraco it's roleprovider telling it the groups.
It gets the user's groups dynamically when they logon (from the AD) - so if they are removed in the AD they go in umbraco.
How do I view the Trace.Writes so I can try and debug my install?
On an masterpage based site add ?umbdebugshowtrace=true to the URL
you need to ensure Use Debug mode is set to true in your web.config
not sure how or if you can do this with an MVC based project.
is working on a reply...