Active Directory Authentication

Topics: Customizing Orchard, Writing modules
Sep 19, 2012 at 3:38 PM
Edited Sep 19, 2012 at 3:39 PM

Good Morning,

I am using Orchard as my intranet site for work and I am really hoping to allow for active directory authentication for this site. From what I have found there have been a couple of modules that are no longer being maintained. One being AlexZh's Windows Authentication module, which seems to have had the best progress of the ones I have found.

I have also found that this was a past feature request but it was dropped because it really didn't gain traction with the lead developers in this project.

Does anyone currently have AD Authentication working on their site, and if so, how did you accomplish this? Please keep in mind I do not do coding in my everyday life, I am simply an advanced HTML/CSS/Javascript user. Any information or guidance would be very much appreciated!

Sep 19, 2012 at 5:38 PM

We're also working on this same scenario at present. If anyone else has anything working I'd love to hear about it...

Sep 19, 2012 at 11:15 PM

http://adorchard.codeplex.com/

http://orchardldap.codeplex.com/

I guess you took a look at these?

Sep 20, 2012 at 5:27 PM

Yeah, none of those work. First one I don't even see what it does, or how you set it up. There's no documentation or even any posts about it. Last check-in was in February. The LDAP one is the same story, just an even older distribution.

Sep 20, 2012 at 7:17 PM

Yes we looked at those too. Have my team working on our own implementation now and making decent headway, will share more details in the next few days.

Sep 20, 2012 at 7:55 PM

Thanks for your work on this, please keep me updated. I'd also be willing to be in the first phase of testing as well if that would help your project work out bugs.

Sep 24, 2012 at 4:06 PM

@gr0undzer084 we have an early version available if you'd like to give it a go: https://github.com/moov2/Orchard.ActiveDirectoryAuthorization

There's instructions there but key point is to make sure you have an Orchard Administrator role which matches your AD role (or vice versa). So for example, if you already have a "myDomain\IntranetAdmin" role set up in AD, make sure you add that exact same role into orchard with admin permissions before you enable the module.

The way this works is if a user is detected with appropriate admin role then it will create a linked orchard user with appropriate permissions (we have to do this as orchard content expects an Owner with ID).

Any problems let us know.

Dan

Sep 24, 2012 at 4:06 PM

P.s package can be downloaded from: https://github.com/moov2/Orchard.ActiveDirectoryAuthorization/downloads

Sep 24, 2012 at 7:05 PM

Hmm, doesn't appear to be working for me. Is your IIS using anonymous or windows authentication?

Sep 24, 2012 at 7:16 PM

Windows, what behaviour are you seeing? What version of IIS? (We're running 7)

Sep 24, 2012 at 7:42 PM

Well I'm using anonymous. What tipped me off as to it being an issue with my authentication was that it would show "Logged In As:    " with no name. When I turn Windows Authentication on I get prompted to supply a username and password when I refresh the page, so I think the main issue is a poor IIS configuration. I do not really know much about IIS and Windows Authentication mode.

Sep 24, 2012 at 7:47 PM

What happens if you enter your credentials in the prompt?

Sep 24, 2012 at 7:50 PM

It asks me again and it just doesn't authenticate. I followed the setup guide on Orchard's website.

Sep 24, 2012 at 7:52 PM

Tried with your domain before your username?

mydomain\myusername
mypassword 

Sep 26, 2012 at 6:26 PM

Yeah I tried that, and still doesn't work. I also set my site-name to be in my intranet zone in IE. Is there some trick to getting windows authentication to work on a domain site?

My account has read,write,modify permissions on the root folder. Couple of questions regarding how you have IIS configured for your site. 

  1. Do you have Orchard set up as just a website? Or is it an application or a virtual directory?
  2. Is your App Pool just using a local account as its identity, or is it using a built-in account?
  3. Is your website just using Pass-through authentication, or is it using the local account?

I am just trying to figure out our differences that would allow this to work for you.

Sep 26, 2012 at 6:37 PM

Sounds like you're using IIS6? We're using 7.

We had nothing to do with how the server was configured on the domain so no idea if the AD side of things has any effect, but have set up everything on the IIS side of things:

1 - its own website
2 - Using ApplicationPoolIdentity (an IIS7 thing)
3 - We've literally only enabled Windows Authentication and nothing else

From a fresh Orchard install follow the steps here: http://peterkeating.co.uk/active-directory-authorization-module-for-orchard/

Is it IIS6 you're on?

Sep 26, 2012 at 6:48 PM

7.5 actually, it's running Server 2008 R2.

Odd thing is I can get the site to load locally when I browse it, and I get prompted the same way. It shows me logged in as <domain>\<username>. Does the orchard username have to include the domain name or can it be just the username?

Even so it doesn't explain why I am getting continuously prompted for my domain credentials though. Only thing I have found regarding that issue points to duplicate SIDs, which might be an issue since it is a virtual.

Sep 26, 2012 at 7:07 PM

There is no orchard username to add, the user will get automatically inserted when you browse to the server from an AD account with the appropriate role. The role name has to match though and that also includes domain E.g. "MyDomain\CMSAdmin" where CMSAdmin is an AD role.

Ours is on a virtual server too, accessing it also via a Citrix web login and virtualised desktop. Interestingly it sometimes prompts for credentials but not others (have put this down to being dependent on whichever server the desktop you log into lands on). Either way though it always works after having provided credentials.

Sep 26, 2012 at 7:35 PM

Hah, so that is likely the root of my problems. I'll get to work and let you know. Sucks being IT here, we are locked out of AD from making new groups here, but we do have some already in place, so I will see how I can incorporate this. I'll let you know.

Thanks for your work on this, and your support.

Sep 26, 2012 at 7:37 PM

No worries, make sure you include the domain in your role name when adding it to Orchard so you will literally be adding "yourdomain\yourChosenRole" as the role name in Orchard.
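The role matching Dan describes (his Sep 24 post, and the reminder just above that the Orchard role name must be "yourdomain\yourChosenRole") boils down to asking the Windows-authenticated principal whether it is in a domain-qualified role, and only then linking an Orchard user to it. The following is an added C# example written for this thread, not code from the moov2 module: `AdRoleMapper`, `MatchingRoles` and the user and role names are assumptions, and the `GenericPrincipal` is a constructed stand-in for the `WindowsPrincipal` that IIS exposes as `HttpContext.Current.User` under Windows Authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (hypothetical helper, not the module's code): decides which of
// the Orchard roles an administrator created in advance the current Windows
// principal should be linked to. Role names are compared exactly as written,
// domain prefix included, which is what the thread requires.
public static class AdRoleMapper
{
    // `orchardRoles` stands for the role names configured in Orchard before the
    // module was enabled, e.g. "MyDomain\IntranetAdmin".
    public static IList<string> MatchingRoles(IPrincipal principal, IEnumerable<string> orchardRoles)
    {
        var matched = new List<string>();
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return matched; // anonymous request (IIS Anonymous Authentication): nothing to link

        foreach (var role in orchardRoles)
        {
            // An unqualified name such as "IntranetAdmin" is deliberately skipped:
            // it is not tied to a specific domain, so it is never matched.
            if (role.IndexOf('\\') < 0)
                continue;

            // Windows Authentication gives us only the identity name and its
            // group memberships; IsInRole is the one question we can ask.
            if (principal.IsInRole(role))
                matched.Add(role);
        }
        return matched;
    }

    public static void Main()
    {
        // Constructed stand-in for HttpContext.Current.User: on IIS this would be
        // a WindowsPrincipal whose Identity.Name is "DOMAIN\user".
        var user = new GenericPrincipal(
            new GenericIdentity("MyDomain\\jdoe"),
            new[] { "MyDomain\\IntranetAdmin", "MyDomain\\Domain Users" });

        // Two Orchard roles: one domain-qualified (valid), one not (skipped).
        var configured = new[] { "MyDomain\\IntranetAdmin", "IntranetAdmin" };

        Console.WriteLine("Logged in as: " + user.Identity.Name);
        foreach (var role in MatchingRoles(user, configured))
            Console.WriteLine("Link Orchard user to role: " + role);
    }
}
```

Requiring the backslash is the check a reviewer would want here: an Orchard role named just "IntranetAdmin" is skipped rather than matched against whatever domain the identity happens to come from, so admin permissions can only be granted through the exact AD group the administrator configured.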

Sep 27, 2012 at 2:51 PM

It appears to work now. My issue was this system we built from a VM template and it had a duplicate SID, so I had to disjoin it from the domain, run sysprep, get a new SID, and then rejoin it to the domain. I will provide additional information on what I had to do via IIS to give your documentation more assistance from that side. A lot of users, if following Orchard's setup documentation, will likely be using Orchard with basic Anonymous Authentication. Their Application Pool also might be using a local account for its identity. Just some things to consider.

Sep 27, 2012 at 3:00 PM

Glad you have it working!

Any information you can provide to help the documentation would be much appreciated. The lack of docs on the other projects definitely made them prohibitive so if we can do better then we're off to a good start.

Oct 9, 2012 at 4:55 PM

Hey, just an update. It is working well now and appears to function as intended. I am compiling what I did and will get it over to you. One thing I have noticed and would be nice if you could get it to work. Currently my accounts that are getting created in Orchard are not associating an e-mail address. Is there a way to request and associate the e-mail/exchange account with the orchard account automatically when the account is created?

Oct 9, 2012 at 5:10 PM

Glad it's working and if you could provide any details you feel are relevant to set up that would be really valuable, I think we can both attest this community needs a reliable AD implementation with decent documentation!

Regarding emails, I don't think that is as straightforward as you might hope. Basically when using Windows Authentication we get access to the username and roles of the currently authenticated user and nothing else, in fact it's not really aware of AD at all. You would need to provide details of an account with permissions to the AD data store and lookup the details based on the username.

We do have another module we've implemented which does offer AD connectivity (a contact directory) which basically does the mechanics of what would be needed but for a different purpose. Would be good to see if this module works for you as well.

Once we get both modules up together and in the gallery we can perhaps look at adding some sort of "Populate user details from AD" feature.

Oct 9, 2012 at 5:17 PM

That would be excellent, and I'd definitely be willing to help test that out. Thanks for your hard work on this.

Oct 10, 2012 at 4:58 PM

Contact lookup module is now up on github if you wouldn't mind giving it a go? You'll need to figure out your AD connection string and have credentials of an account with read access (full instructions on the github page) https://github.com/moov2/Orchard.ActiveDirectoryContactLookup

Oct 10, 2012 at 5:52 PM

I got it installed, but when I enter the settings and save they don't seem to stick.

Oct 10, 2012 at 6:03 PM
Edited Oct 10, 2012 at 6:05 PM

I also seem to have picked up a Resume Submissions entry on my dashboard menu. It might be related to another module, is this something you guys have as well?

Oct 10, 2012 at 6:24 PM

Settings don't stick? The password field goes blank, but the rest should remain; it tries to do a test connection on saving and should return a prompt of success or not. What are you using for the address field?

Not sure where "Resume Submissions" is coming from, was that definitely from this module?

Oct 10, 2012 at 7:42 PM
Edited Oct 10, 2012 at 7:45 PM

I am using LDAP://server.ourcompany.domain, <domain>\<username> and my password. Don't worry about the resumes thing, I figured it out. I installed a really bad module.

I don't get a failure or anything, it just comes back to the same settings page with no confirmation or anything.

Oct 10, 2012 at 7:58 PM
Edited Oct 10, 2012 at 7:59 PM

Correction, I do get a settings updated message; however, the boxes go blank and nothing is retained. I still have the reminder that my settings need to be configured.

Oct 10, 2012 at 9:52 PM

I'm not sure then that it's the latest version, should still work though just might not be doing the connection checking, will check that in the morning.

For us, the LDAP connection looks like this:

MyServerAddress:12345/DC=Company,DC=Domain

Where 12345 is the AD port (if non standard) and the domain would be Company.Domain

We don't have the <domain>\ part in the username, just the username.

Does that help?

Oct 10, 2012 at 10:32 PM

End of day here, I'll give it a shot tomorrow and let you know. Thanks!

Oct 11, 2012 at 8:33 AM

We've just pushed up an update (found the bug) so give it another download and let us know how you get on.

Oct 11, 2012 at 2:34 PM

Works like a charm. All I had to enter was:

  • LDAP://<servername>.<corp>.<domain>.<net/com/org>
  • <username> (nothing fancy)
  • <password>

I didn't have to use the port or anything, I think if you use LDAP:// prior to the rest it will automatically assign the port number, so I guess that's just a matter of preference to configuration.

So how would I use this in conjunction with, say, Orchard forms? Currently I collect data from a New Hire form, which only our Hiring Managers AD group has view and publish access to. On submission, a rule kicks an email out to the necessary parties. I am currently using {User.Name} in the rule, but I'd really like to be able to use {User.Email}, or something of that nature to pull the e-mail address from AD. I'm not sure if you guys use anything similar to this and have it working, just a thought.
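
Dan's point that Windows Authentication only yields the username and roles, so an e-mail address needs a separate lookup through an account with read access to the directory (Oct 9 post), together with the connection details in the Oct 10 and Oct 11 posts (server with optional port and base DN, the optional LDAP:// prefix, a service account username without the domain prefix), can be put together in one C# example. It is added here for the thread and is not code from the moov2 contact lookup module; the server, base DN, service account and user names are placeholders, and `AdMailLookup` and its methods are assumed names.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

// Added example (not the module's code): resolves the "mail" attribute of the
// Windows-authenticated user by searching AD with a read-only service account.
public static class AdMailLookup
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515). The
    // account name comes straight from the authenticated identity, so it must
    // not be able to alter the structure of the filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Windows Authentication reports "DOMAIN\user"; sAMAccountName is the part
    // after the backslash.
    public static string AccountNameFromWindowsIdentity(string identityName)
    {
        int i = identityName.LastIndexOf('\\');
        return i < 0 ? identityName : identityName.Substring(i + 1);
    }

    // Builds the path in the shape used in the thread: server, optional
    // non-standard port, then the base DN. The module adds LDAP:// for you;
    // System.DirectoryServices needs it spelled out.
    public static string BuildLdapPath(string server, int? port, string baseDn)
    {
        string host = port.HasValue ? server + ":" + port.Value : server;
        return "LDAP://" + host + "/" + baseDn;
    }

    // Returns the user's mail attribute, or null when the user or attribute is absent.
    public static string LookupMail(string ldapPath, string serviceUser, string servicePassword, string windowsIdentityName)
    {
        string sam = EscapeFilterValue(AccountNameFromWindowsIdentity(windowsIdentityName));

        // AuthenticationTypes.Secure binds with Windows authentication rather
        // than a simple bind, so the service account password is not sent in clear.
        using (var root = new DirectoryEntry(ldapPath, serviceUser, servicePassword, AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" + sam + "))";
            searcher.PropertiesToLoad.Add("mail"); // ask only for what we need
            SearchResult result = searcher.FindOne();
            if (result == null || result.Properties["mail"].Count == 0)
                return null;
            return (string)result.Properties["mail"][0];
        }
    }

    public static void Main()
    {
        // Placeholders: substitute the real server, base DN and a read-only service account.
        string path = BuildLdapPath("server.ourcompany.domain", null, "DC=ourcompany,DC=domain");
        string mail = LookupMail(path, "svc-orchard-lookup", "<service-account-password>", @"OURCOMPANY\jdoe");
        Console.WriteLine(mail ?? "(no mail attribute found)");
    }
}
```

The escaping step is the part worth keeping even if the rest is adapted: without it a username containing `(`, `)` or `*` would change the query instead of simply failing to match. The service account only needs read access to the user objects, which is also the least privilege the lookup requires.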

Oct 12, 2012 at 8:17 AM

Cool, glad it's working! 

The LDAP:// is prepended automatically so is optional, if you use a non-standard port then that would need to be appended to the <servername>:99999

Can you clarify a bit more what you're after? I'm not too familiar with Orchard forms but assume it's just a form of information being submitted. Who do you mean by "necessary parties" and are they all in AD already?

What you want is technically possible but would probably need to be another module of some sort.

We've just submitted the lookup to the Gallery, would appreciate a review of that and the AD Authorization one when it's on there if you don't mind.

Oct 12, 2012 at 3:10 PM

Dan,

I submitted my review of the AD Authorization module. Orchard forms are the frame for a content type, where you have a series of text boxes, dropdown boxes, whatever, that collect information from the end user. The Orchard form is what gets published and sets the form behavior. You can then use Rules to configure the email portion of the site. Here is an example of the rule that gets generated when our new hire form is submitted:

A New Hire Request was submitted by {User.Name}.<br /><br />

<b>Employee Name: </b>{Content.Fields.Request-NewHire.EmployeeName}<br>
<b>Start Date: </b>{Content.Fields.Request-NewHire.StartDate.Date}<br>
<b>Department: </b>{Content.Fields.Request-NewHire.Department}<br>
<b>Manager: </b>{Content.Fields.Request-NewHire.NameofManager}<br>
<br />
<b>Office Location: </b><br>
{Content.Fields.Request-NewHire.OfficeLocation} on the {Content.Fields.Request-NewHire.OfficeFloor}.<br /><br />
<b>Requested Equipment: </b><br>
{Content.Fields.Request-NewHire.RequestedEquipment}<br /><br />
<b>Additional Information: </b><br>
{Content.Fields.Request-NewHire.NotesJustification}<br /><br /><br /><br />
{Content.Date}

The User.Name function, with your AD Authorization module, populates it as "<Domain>\<username>". This is great as is and does some of what we are wanting to do. The nifty thing about Orchard rules is, on the email rule you can use these content items in the subject or email recipients box as well. This is why I was wanting to use {User.Email}. Right now the form has a text box for the user to enter his/her email address, but this is something I want to get away from due to the room for error.

Jul 25, 2013 at 10:09 PM

Hi again Dan. I submitted this issue via github, but I wanted to let you know about it personally. I am doing some early testing of Orchard 1.7RC and the authentication module doesn't appear to work with this version of Orchard. I am not sure if you were aware of it. Let me know if you need anything from me. Thanks again for this module. -John

Jul 26, 2013 at 6:46 AM

Thanks John, we'll take a look, been meaning to have a play with 1.7, will keep you posted.

Jul 26, 2013 at 1:16 PM

Great, no worries. Thanks for the help.