Ektron 9.00
Active Directory lets you retrieve user and user group information from the Microsoft Windows Active Directory (AD) into Ektron. As a result, you can administer user information from 1 place, and users need to remember only 1 username/password combination to sign on to the network and Ektron.
IMPORTANT: Ektron strongly recommends configuring SSL (Secure Sockets Layer, https), especially if you are using Active Directory Integration. SSL encrypts passwords that are otherwise sent as clear text to the Ektron server. See Also: Updating web.config to Use SSL
You can set up Active Directory in the following ways:
- Advanced Domains Method: edit the web.config file and enter domain information in the Workarea. Use this method if:
- Edit only the web.config file. Use this method if you are using auto discovery and Active Directory single signon.
To set up Active Directory via the Advanced Domains Method, set the following web.config values:
```xml
<add key="ek_ADEnabled" value="true"/>
<add key="ek_ADAdvancedconfig" value="true"/>
<add key="ek_AUTH_Protocol" value="LDAP"/>
<identity impersonate="false"/>
```
NOTE: When using the Advanced Domains Method, the credentials entered on the Edit Domains screen are used.
To set up Active Directory by editing only the web.config file:
- Open the site's web.config file.
- Set the ek_ADEnabled element to true. It should look like this:
```xml
<add key="ek_ADEnabled" value="true"/>
```
- Make sure the ek_ADAdvancedconfig element is set to False. (This is the default value.)
- Set the ek_AUTH_Protocol element to GC. It should look like this:
```xml
<add key="ek_AUTH_Protocol" value="GC"/>
```
- Set ek_adusername and ek_adpassword. (Before entering the password, encrypt it using Ektron's password encryption utility. To access that utility, go to the Windows Start menu > All Programs > Ektron > current release > Utilities > Encrypt Email Password.) It should look like this:
```xml
<add key="ek_ADUsername" value="[username]@domain" />
<add key="ek_ADPassword" value="YourPasswordHere" />
```
- Find the authentication element and change the value of the identity element's impersonate attribute to False. It should look like this:
```xml
<identity impersonate="false" userName="" password=""/>
```
You can implement Active Directory in 1 of 2 modes: Active Directory Integration or user authentication only.
Active Directory Integration maintains consistent user and user group information between AD and Ektron. First, user information is imported from AD into Ektron. When this is complete, user group information is imported.
Ektron does not write to Active Directory; it only reads from it. This changes the way Ektron manages user and user group information.
Integration requires Read Membership Group Permissions within Active Directory. See Also: AD integration not reading user group memberships correctly
When using Integration, you must select an Administrator group. (There can be only one admin group per Ektron CMS.) Click the search option and select Domain Users or an admin group created in AD specifically for CMS.
Ektron imports the following AD user information.
Field in AD | AD Attribute | Corresponding Field in Ektron
---|---|---
User logon name (pre-Windows 2000) | sAMAccountName | Domain and Username
Last Name | sn | Lastname
First Name | givenName | Firstname
Email Address | mail | Email Address
NOTE: Users and user groups can share a name in different domains, for example, juser@example.com and juser@example.net. Otherwise, user names must be unique.
The following diagram illustrates the Active Directory feature's components.
The Active Directory feature uses multiple Ektron screens to edit domains, set up Active Directory, display AD status, and view and search for users and user groups.
Use the Edit Domains screen to identify each network domain you will use with Ektron's Active Directory Integration. The screen lets you add new domains, modify existing ones, or delete obsolete ones. Use this screen to define domains, as opposed to using auto discovery to find them.
Domains are used during signon. In addition to username and password, users must select a domain. Domains are also referenced when defining the users and user groups that map to the Ektron users and groups.
Prerequisites
- Edit web.config as explained in Setting Up Active Directory via the Advanced Domains Method.
- You need your NetBIOS setting, if it is different from your domain name. Contact your server administrator for this information.
- You need your domain's DNS. Contact your server administrator for this information.
To add a new domain, complete the following fields:
- Domain DNS—Enter the domain's DNS. Contact your server administrator for this information. For example, corp.example.com.
- NetBIOS—If your NetBIOS name is the same as your domain name, leave the box checked. Otherwise, uncheck the box and enter your NetBIOS setting in this field. Contact your server administrator for this information.
- Username—Enter the name of a user with permission to sign on to the domain server, in the format username@domainDNS. For example, jsmith@corp.example.com.
- Password—Enter that user's password.
- Domain Controller IP—Enter the IP address or DNS name of your domain controller. If using Active Directory with LDAP (Lightweight Directory Access Protocol) across a firewall, the IP address should be that of the firewall, and the firewall should allow traffic on port 389 (LDAP). Active Directory with GC uses different ports.
The Active Directory Setup screen lets you enable or disable AD and manage other AD settings, such as whether users and groups are automatically updated.
To enable AD and manage settings, use the following fields:
- Active Directory Installed
- Auto Add
- User Property Association: the email address property defaults to mail, but you can change it to any AD property. The first name property defaults to givenName, but you can change it to any AD property. The last name property defaults to sn, but you can change it to any AD property. For more information on user properties, see the MSDN Library topic User Object User Interface Mapping (Windows).
- Ektron Administrator Group Association
Also, if any Ektron user or group names include a domain (for example, admin@saturn.example.com) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain.
Active Directory Authentication is Enabled and Requires More Configuration—Some Ektron users are not associated with AD users. Also, if you are using full active directory integration mode, user groups and/or user group relationships may not be associated.
Active Directory Authentication is disabled, but needs further configuration—Some Ektron users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, 2 users or groups can no longer share a name—each must be unique.
Use the Active Directory Status screen to identify and resolve discrepancies between Ektron and AD:
Any combination of these messages may be displayed depending on the issues requiring resolution. The following procedure provides steps to resolve all 3 issues.
If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.
The screen also displays the following buttons.
If you cannot easily locate specific users on the View Users screen, use the search function.
The View User Groups Screen displays all AD user groups that have been imported to Ektron.
This section explains importing AD user information when integration is first enabled and on an ongoing basis.
AD user information is initially imported to Ektron in different ways depending on whether:
For a populated Ektron database: if the same username exists in more than one AD domain (for example, JDoe in Eng.Example.com and JDoe in Mkt.Example.com) and that username (JDoe) also exists in Ektron, the Active Directory Setup and Active Directory Status screens indicate this discrepancy via this message: CMS users need to be associated with Active Directory users.
For an Ektron database with only a few users, go to the Search Active Directory for Users screen and select the AD users that will use Ektron. You can only select AD users that do not exist in Ektron. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain. When you add a user, AD information is imported to Ektron. See Also: Viewing and Searching for Users
You can also manually add AD users to Ektron:
When AD integration has been established, new AD user information is imported to Ektron when either of these events occurs:
Maintenance tasks include:
If you mistakenly delete all users with administrative privileges, you can still sign in using the built-in user's username and password. For more information, see Getting Started with Ektron.
This section explains how a user’s group membership is imported from AD to Ektron after integration is enabled. When assigned to a group, the user automatically receives all Ektron permissions and approval process responsibilities associated with it.
NOTE: Active Directory has 2 kinds of user groups: security and distribution. Ektron does not distinguish between them. As long as a user is a member of either kind of group, group information can be imported to Ektron.
Before using AD integration, import all AD groups you will use into Ektron:
NOTE: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.
Users' membership in AD groups is imported to Ektron in different ways depending on the state of existing Ektron user groups:
In the case of a discrepancy between AD and Ektron user groups:
Alternatively, if Enable automatic addition of user to groups field is unchecked, you can add the user to (or remove the user from) groups independently of AD group memberships.
On the Active Directory Setup screen, you identify the AD group that maps to the Ektron Administrator group using the syntax AD group name@AD domain. Members of this group receive administrator privileges. See Also: Administrator Role Privileges
If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.
Note that only one AD group can be mapped to the Ektron Administrator group. You cannot have an AD administrator group within each AD domain.
NOTE: Unlike other Ektron user groups, whose names are imported from AD, the Ektron Administrator and Everyone group names cannot be changed.
Maintenance tasks include:
When you disable AD integration, domain names are dropped, which may cause user and user group names to not be unique. For example, 2 users are named JJackson@example.net and JJackson@example.com. When AD is enabled, domain names make the users and user groups unique. However, when AD is disabled and domain names are dropped, the names are now identical. You need to make the users and user groups unique.
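The following script is an added illustration, not Ektron's own code: it maps constructed AD records to Ektron fields following the import table earlier on this page (sAMAccountName, sn, givenName, mail), and reports which names stop being unique once AD is disabled and domains are dropped. The field names Username, Lastname, Firstname, Email and Domain and the sample users are assumptions for this example.

```python
# Constructed AD user records for two domains (sample data, not a real directory).
AD_USERS = [
    {"domain": "example.net", "sAMAccountName": "JJackson", "givenName": "Jane",
     "sn": "Jackson", "mail": "jjackson@example.net"},
    {"domain": "example.com", "sAMAccountName": "jjackson", "givenName": "John",
     "sn": "Jackson", "mail": "jjackson@example.com"},
    {"domain": "example.com", "sAMAccountName": "juser", "givenName": "Jo",
     "sn": "User", "mail": "juser@example.com"},
]

# AD attribute -> Ektron field, following the import table on this page.
ATTRIBUTE_MAP = {"sAMAccountName": "Username", "sn": "Lastname",
                 "givenName": "Firstname", "mail": "Email"}


def to_ektron_user(record):
    """Build the Ektron user fields from one AD record; Domain comes from the record."""
    user = {field: record.get(attr, "") for attr, field in ATTRIBUTE_MAP.items()}
    user["Domain"] = record["domain"].lower()
    return user


def name_key(user, ad_enabled):
    """What Ektron must keep unique: username+domain with AD on, username alone with AD off.
    Windows logon names are case-insensitive, so compare in lower case."""
    key = user["Username"].lower()
    return (key, user["Domain"]) if ad_enabled else key


def find_conflicts(users, ad_enabled):
    """Return groups of users whose names would not be unique in the given mode."""
    by_key = {}
    for user in users:
        by_key.setdefault(name_key(user, ad_enabled), []).append(user)
    return [group for group in by_key.values() if len(group) > 1]


def conflicts_after_disabling_ad(ad_records):
    """Names that collide once domains are dropped, as groups of 'username@domain'."""
    users = [to_ektron_user(r) for r in ad_records]
    return [["%s@%s" % (u["Username"], u["Domain"]) for u in group]
            for group in find_conflicts(users, ad_enabled=False)]
```

Run conflicts_after_disabling_ad against an export of your AD users before disabling integration to see which accounts need renaming.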
To disable AD authentication or integration:
In user authentication mode, AD is used only to authenticate users logging in to Ektron. User groups are managed within Ektron, not AD.
Ektron does not write to AD; it only reads from it. This changes how usernames, domains, and passwords are handled in Ektron.
Ektron refers to the following AD authentication information during sign-in: password, user logon name, and domain. Note that the password is not stored in Ektron; Ektron only refers to the password during sign-in.
Adding user information in user authentication mode is the same as in AD integration mode.
If a user’s logon name changes in AD, it no longer matches the Ektron logon name. This discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. Go to the Associate CMS Users to Active Directory Users screen, where you can update the user information.
Alternatively, you could:
See Also: Maintaining AD User Information
Ektron does not write to AD. This means that you can only change the Username and Domain fields from AD. You can change the following fields on the Ektron Edit User screen:
IMPORTANT: If you replace a user in user authentication-only mode, the user’s first name, last name, and email address are not overwritten with information in AD.
Because the scope of user authentication mode is limited to authentication, only some fields on AD Integration screens are used:
Because AD usernames and passwords are stored by domain, the AD sign-on procedure requires the user to select a domain. When AD integration is enabled, the sign-on screen includes a domain drop-down list.
The Single Sign On feature retrieves a user's login information from Active Directory to authenticate access to Ektron. The user does not need to enter a password; after clicking Login, the user is logged in immediately.
Single Sign On uses a variable called User.Identity.Name. This holds the user's account and domain in Active Directory, in the format [domain]\[username]; for example, EKTRON1\ssmith. The variable's value is set when a user authenticates against a Windows server.
When a user clicks the Login server control, if the variable passes successfully and Active Directory is enabled, the server control opens the autologin.aspx page. Next, the opening window refreshes like a normal login, except the user is not prompted for a username, password, and domain.
However, if the user's computer is not on a domain, is not on the same domain as Ektron, or does not include the Ektron server as a trusted site, the following login screen appears.
If Active Directory is not enabled, the normal login.aspx page appears.
Single Sign On uses the autologin.aspx file in the workarea/SSO directory. When set up, user authentication is enabled from any domain that this server can reach. For example, if Ektron is located in a third level domain, users from third, second, and first level domains can authenticate.
To allow membership users to use single signon, see Authenticating Membership Users with AD or LDAP. When enabling this functionality, create one login page for Ektron users and another for membership users. For example, use the membership user login as the front-facing login, and then secure a /cmslogin.aspx page for Ektron users. Next, secure that login with IIS security, because Windows authentication only allows the Ektron administrators group in AD to read permissions on the /cmslogin.aspx page.
NOTE: Single signon may not work directly on servers, due to security settings on the server and its browser. Try a different machine and make sure it works elsewhere before troubleshooting further.
See Also: Enabling NTLM Authentication (Automatic logon)
Use the setup instructions
After completing these procedures, enable Active Directory within Ektron (if it isn’t already enabled). See Also: Setting Up Active Directory
You should enable the automatic addition of users and groups.
Use the following line of codebehind when troubleshooting user login with Single Signon. If this .NET code cannot get the user login, then Ektron cannot either.
```vb
Response.Write("UserName:" & Request.ServerVariables("LOGON_USER"))
```
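As an added illustration (not Ektron's code), the following resolves the [domain]\[username] value that User.Identity.Name or LOGON_USER carries into the username@domainDNS form this page uses for AD users, falling back to login.aspx when no identity was passed, the domain is unknown, or AD is disabled. The NetBIOS-to-DNS table is assumed to come from the domains defined on the Edit Domains screen, and its values are sample data.

```python
# Constructed domain table, as entered on the Edit Domains screen:
# NetBIOS name -> domain DNS. (Sample values assumed for this illustration.)
DOMAINS = {"EKTRON1": "corp.example.com", "MKT": "mkt.example.com"}

AUTOLOGIN_PAGE = "workarea/SSO/autologin.aspx"
LOGIN_PAGE = "login.aspx"


def parse_logon_user(value):
    """Split the [domain]\\[username] form carried by User.Identity.Name / LOGON_USER.
    Returns (NETBIOS, username), or None when the browser passed no Windows identity."""
    if not value or "\\" not in value:
        return None
    domain, _, user = value.partition("\\")
    if not domain or not user or "\\" in user:
        return None
    return domain.upper(), user


def resolve_sign_on(logon_user, ad_enabled, domains=DOMAINS):
    """Decide which page the Login control opens and, for autologin, the
    username@domainDNS name used for the AD user."""
    if not ad_enabled:
        return LOGIN_PAGE, None      # AD off: the normal login page appears
    parsed = parse_logon_user(logon_user)
    if parsed is None:
        return LOGIN_PAGE, None      # workstation not on a domain or server not trusted
    netbios, user = parsed
    dns = domains.get(netbios)
    if dns is None:
        return LOGIN_PAGE, None      # domain is not one defined for Ektron
    return AUTOLOGIN_PAGE, "%s@%s" % (user, dns)
```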
Setting up Single Sign On with IIS 7 or IIS 7.5 involves modifying the web.config file and editing security settings.
- Open site root/Web.config.
- Find the ek_AUTH_protocol element and change its value to LDAP:
```xml
<add key="ek_AUTH_Protocol" value="LDAP" />
```
- Find the authentication element and change the value of authentication mode to Windows. Set impersonate to False:
```xml
<authentication mode="Windows" />
<identity impersonate="false" userName="" password=""/>
```
- In the modules element, comment out MyDigestAuthenticationModule only:
```xml
<modules>
  <!--add name="MyDigestAuthenticationModule" type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule, Ektron.ASM.EkHttpDavHandler" /-->
  <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
  <add name="EkUrlAliasModule" type="UrlAliasingModule" preCondition="integratedMode" />
</modules>
```
If the status of Windows Authentication is Not Installed, click Add Role Services. The Add Role Services screen appears.
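The following audit script is added here and is not Ektron's code: it reads a web.config and reports settings that contradict this page's Advanced Domains Method values, the web.config-only (GC) values, or the single sign on steps above (Windows authentication, LDAP, MyDigestAuthenticationModule commented out). The embedded web.config is constructed sample input and the module type is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (sample, not from a real Ektron site): Advanced Domains Method keys plus the SSO authentication section.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_ADAdvancedconfig" value="true"/>
    <add key="ek_AUTH_Protocol" value="LDAP"/>
  </appSettings>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="false" userName="" password=""/>
  </system.web>
  <system.webServer>
    <modules>
      <!--add name="MyDigestAuthenticationModule" type="placeholder" /-->
    </modules>
  </system.webServer>
</configuration>"""


def audit_ad_settings(web_config_xml, expect_sso=False):
    """Return findings for the AD settings this page edits (key names matched case-insensitively)."""
    root = ET.fromstring(web_config_xml)
    keys = {a.get("key").lower(): a.get("value", "") for a in root.iter("add") if a.get("key")}
    findings = []
    if keys.get("ek_adenabled", "").lower() != "true":
        findings.append("ek_ADEnabled is not true: Active Directory is disabled")
    advanced = keys.get("ek_adadvancedconfig", "false").lower() == "true"
    protocol = keys.get("ek_auth_protocol", "").upper()
    if advanced and protocol != "LDAP":
        findings.append("Advanced Domains Method requires ek_AUTH_Protocol=LDAP")
    if not advanced:
        if protocol != "GC":
            findings.append("ek_ADAdvancedconfig=false requires ek_AUTH_Protocol=GC")
        for key in ("ek_adusername", "ek_adpassword"):
            if not keys.get(key):
                findings.append(key + " must be set when ek_ADAdvancedconfig is false")
    identity = next(root.iter("identity"), None)
    if identity is None or identity.get("impersonate", "").lower() != "false":
        findings.append("identity impersonate must be false")
    if expect_sso:
        auth = next(root.iter("authentication"), None)
        if auth is None or auth.get("mode") != "Windows":
            findings.append('single sign on requires <authentication mode="Windows" />')
        if protocol != "LDAP":
            findings.append("single sign on requires ek_AUTH_Protocol=LDAP")
        # the XML parser drops comments, so only an uncommented module is reported
        if any(m.get("name") == "MyDigestAuthenticationModule" for m in root.iter("add")):
            findings.append("MyDigestAuthenticationModule must be commented out for single sign on")
    return findings
```

Call audit_ad_settings with the contents of the site's web.config and expect_sso=True when single sign on is in use; an empty list means every setting on this page is consistent.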
autologin.aspx passes credentials from the logged-in user's desktop. This sample shows how to modify the Login server control to accommodate single signon. See Also: Login server control
/Cmslogin.aspx (<cms:login> control):
```aspx
<cms:login runat="server" AutoLogin="True" AutoAddType="Author" id="cmslogin" />
```
/login.aspx.cs:
```csharp
bAutoLogin = true;
```
An Active Directory configuration does not get synchronized.
In an eSync environment, add all users to one environment. Then, sync the users if multiple servers are using AD login.