Ektron 9.00

Using Active Directory with Ektron

Active Directory lets you retrieve user and user group information from the Microsoft Windows Active Directory (AD) into Ektron. As a result, you can administer user information from 1 place, and users need to remember only 1 username/password combination to sign on to the network and Ektron.

Setting up Active Directory

Setting Up Active Directory

IMPORTANT: Ektron strongly recommends configuring SSLSecure Sockets Layer (https), especially if you are using Active Directory Integration. SSL encrypts passwords that are otherwise sent as clear text to the Ektron server. See Also: Updating web.config to Use SSL

You can set up Active Directory in the following ways:

  • Advanced Domains—Set up through editing the web.config file and entering information in the Workarea. Use this method if:
    • You are using a firewall.
    • The Ektron server need not be part of an Active Directory domain.
    • You are connecting to multiple Active Directory domains, even ones that do not see each other.
  • Legacy—The domain connects to the AD domain within the web.config. Use this method if you are using auto discovery and Active Directory single signon.
Setting up Active Directory via the advanced domains method

Setting Up Active Directory via the Advanced Domains Method

  1. Verify AD information because, after you enable AD integration, logon name and domain are imported to Ektron.
  2. If your Active Directory forest has multiple domains, decide if you want Ektron to reference the listed domains or if you want to choose a specific one. (You will use this when completing the Domain field of the Active Directory Setup Screen.)
  3. Edit the web.config file to the following values:
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_ADAdvancedconfig" value="true"/>
    <add key="ek_AUTH_Protocol" value="LDAP"/>
    <identity impersonate=“false”>

    NOTE: When using the Advanced Domains Method, the domains screen's credentials are used.

  4. Set up your domains on the Edit Domains screen.
  5. Configure the AD setup page. See Setting Up Active Directory.
  6. Assign AD groups to Ektron user groups. See Importing AD User Group Information .
Setting up Active Directory via the Legacy Method

Setting Up Active Directory via the Legacy Method

  1. Make sure each AD user to be used in Ektron is defined correctly in the Active Directory. Remember that, when you enable AD integration, logon name and domain are copied from AD to Ektron.
  2. If you have multiple domains in your Active Directory forest, decide if you want Ektron to reference all domains or if you want to choose a specific one. (You will use this when completing the Domain field of the Active Directory Setup Screen.)
  3. Set the following elements in the web.config.
    • Set the ek_ADEnabled element to true. It should look like this:
      <add key="ek_ADEnabled" value="true"/>
    • Make sure the ek_ADAdvancedconfig element is set to False. (This is the default value.)
    • Set the ek_AUTH_Protocol element to GC. It should look like this:
      <add key="ek_AUTH_Protocol" value="GC"/>
    • Declare a domain account through ek_adusername and ek_adpassword. (Before entering the password, encrypt it using Ektron’s password encryption utility. To access that utility, go to the Windows Start menu > All Programs > Ektron > current release > Utilities > Encrypt Email Password.) It should look like this:
      <add key="ek_ADUsername" value="[username]@domain" />
      <add key="ek_ADPassword" value="YourPasswordHere" />
    • For the authentication element, change the value of the impersonate attribute to False. It should look like this:
      <identity impersonate="false" userName="" password=""/>
  4. Configure the AD setup page. See Setting Up Active Directory.
  5. Assign AD groups to Ektron user groups. See Importing AD User Group Information .
Implementing Active Directory

Implementing Active Directory

You can implement Active Directory in 1 of 2 modes.

  • Active Directory Integration mode—the following information is shared between Active Directory and Ektron:
    • user logon name
    • domain
    • password
  • User authentication only mode—the following information is shared between Active Directory and Ektron:
    • user logon name
    • domain
    • password
    • user’s first and last name
    • email address
    • user groups
    • user’s group memberships
Implementing Active Directory Integration mode

Implementing Active Directory Integration Mode

Active Directory Integration maintains consistent user and user group information between AD and Ektron. First, user information is imported from AD into Ektron. When this is complete, user group information is imported.

Ektron does not write to Active Directory; it only reads from it. This changes the way Ektron manages user and user group information.

  • After you enable AD integration, many changes to user and user group information must be made in AD. Several fields on the Edit User and User Group screens become view-only.
  • When adding new users or groups, you can only select from users and groups in AD. If a user or group does not exist in AD, create it there then import it to Ektron.

  • Integration requires Read Membership Group Permissions within Active Directory. See Also: AD integration not reading user group memberships correctly

  • When using Integration, you must select a Administrator group. (There can only be one admin group per Ektron CMS.) Click the search option and select Domain users or an admin group created in AD specifically for CMS.

Ektron imports the following AD user information.

  • Authentication (user logon name and domain) for signing in to Ektron. The AD password is not stored in Ektron but only refers to it during sign in.
  • Group name (AD attribute cn), which corresponds to the Ektron domain and user group name.
  • User information
    —Information fields—

    Field in AD

    AD Attribute

    Corresponding Field in Ektron

    User logon name (pre-Windows 2000)

    sAMAccountName

    Domain and Username

    Last Name

    sn

    Lastname

    First Name

    givenName

    Firstname

    Email

    mail

    email Address

NOTE: Users and user groups can share a name in different domains, for example, juser@example.com and juser@example.net. Otherwise, user names must be unique.

The following diagram illustrates the Active Directory feature's components.

—Image: Active Directory components—

Setting up active directory integration mode

Setting Up Active Directory Integration Mode

The Active Directory feature uses multiple Ektron screens to edit domains, set up Active Directory, display AD status, and view and search for users and user groups.

Adding domains to AD

Adding Domains to AD

Use the Edit Domains screen to identify each network domain you will use with Ektron's Active Directory Integration. The screen lets you add new domains, modify existing ones, or delete obsolete ones. Use this screen to define domains, as opposed to using auto discovery to find them.

Domains are used during signon. In addition to username and password, users must select a domain. Domains are also referenced when defining the users and user groups that map to the Ektron users and groups.

Prerequisites

  • Edit web.config as explained in Setting Up Active Directory via the Advanced Domains Method .
  • You need your NetBIOS and setting, if it is different from your domain name. Contact your server administrator for this information.
  • You need your domain’s DNS. Contact your server administrator for this information.

To add a new domain:

  1. Navigate to Workarea > Settings > Configuration > Active Directory > Domains.
  2. Click Edit. The Add New Domain and Remove Last Domain options appear.
  3. Click Add New Domain. The Edit Domains screen appears.
    —Image—

    Domain DNS—Enter the domain’s DNS. Contact your server administrator for this information. For example, corp.example.com.

    NetBIOS—If your NetBios is the same as your domain name, leave the box checked. Otherwise, uncheck the box and enter your NetBIOS setting in this field. Contact your server administrator for this information.

    Username—Enter the name of the user with permission to sign on to the domain server. The name is in the format username@domainDNS. For example, jsmith@corp.example.com.

    Password—Enter the password of the user in the Password field.

    Domain Controller IP—Enter the IP address or DNS name of your domain controller. If using Active Directory with LDAPLightweight Directory Access Protocol; permits access to distributed information. across a firewall, the IP address should be that of the firewall. On the firewall, traffic on port 389 (LDAP) should be allowed. Active Directory with GC uses different ports.

Setting up Active Directory

Setting Up Active Directory

The Active Directory Setup screen lets you enable or disable AD and manage other AD settings, such as whether users and groups are automatically updated.

To enable AD and manage settings:

  1. Go to Settings >Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  2. Click Edit.
  3. Enable options or enter information in fields as required.
    —Active Directory Setup field descriptions—

    Active Directory Installed

    • Disable Active Directory and LDAP Authentication—Disables the use of Active Directory and LDAP Authentication. See Disabling AD Integration.
    • Enable LDAP Authentication—If enabled, you must complete the LDAP-related fields (Type, LDAP Server, Port, Organization, Domain, Attribute, Use SSL, Path). See Enabling LDAP.
    • Enable Active Directory Authentication—If enabled, user authentication is functional, and you can enable the following 3 fields. If you do not enable these fields, you are using Implementing User Authentication Mode. For information on LDAP, see Using LDAP with Ektron
      • Enable Active Directory Integration—If enabled, the Active Directory Integration feature is functional and you can enable the next 2 fields.
      • Enable automatic addition of user from AD—If enabled, user information is imported from AD to Ektron when that user logs in or when the user is added to Ektron.
      • Enable automatic addition of user to groups—If enabled, a user’s group membership is first imported from AD when a user logs in or is added.

    Auto Add

    • User Type—Choose the type of user to be automatically added: Author or Member.

    User Property Association

    • EmailAddr1—Enter the Active Directory property that maps to the user’s last name in Ektron. By default, this is mail, but you can change it to any AD property.
    • FirstName—Enter the Active Directory property that maps to the user’s first name in Ektron. By default, this is givenName, but you can change it to any AD property.
    • LastName—Enter the Active Directory property that maps to the user’s last name in Ektron. By default, this is sn, but you can change it to any AD property.

      For more information on user properties, see MSDN Library
      User Object User Interface Mapping (Windows)

    Ektron Administrator Group Association

    • AD Group Name @ AD Domain—Enter the Active Directory user group and domain name that map to the Ektron administrator group. If your AD does not have a user group that includes all Ektron administrators, you should create one then enter it here. See Mapping the Administrator Group.
    • Domain—If you want to restrict the search of new users and groups to one AD domain, select that domain. The Search Active Directory for Users and Search Active Directory for Groups screens let you search the selected domain only.

      Also, if any Ektron user or group names include a domain (for example, admin@saturn.example.com) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain.

  4. Messages may be displayed near the top of the Active Directory Setup screen to notify you that additional configuration steps are required. If either message appears, click it. The Active Directory Status screen appears, which helps you resolve the discrepancies.

    Active Directory Authentication is Enabled and Requires More Configuration—Some Ektron users are not associated with AD users. Also, if you are using full active directory integration mode, user groups and/or user group relationships may not be associated.

    Active Directory Authentication is disabled, but needs further configuration—Some Ektron users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, 2 users or groups can no longer share a name—each must be unique.

Displaying Active Directory status

Displaying Active Directory Status

Use the Active Directory Status screen to identify and resolve discrepancies between Ektron and AD:

  • An Ektron user must be associated with an AD user
  • An Ektron user group must be associated with an AD user group
  • An Ektron user’s group membership must be associated with the same AD user’s group membership

Any combination of these messages may be displayed depending on the issues requiring resolution. The following procedure provides steps to resolve all 3 issues.

  1. Go to Settings > Configuration > Active Directory > Status.
  2. Click a link on the Active Directory Status screen to display a new screen lets you resolve the discrepancy.
  3. Click CMS users need to be associated with Active Directory users on the Active Directory Status screen. The Associate CMS Users with Active Directory Users screen appears. Use this screen to associate Ektron users with AD users.
    —Image—

  4. Depending on the user, perform the appropriate action:
    • If a user with the same username exists in AD, that name and domain appear in the AD Username and AD Domain fields. If the user exists in more than one AD domain, select a domain from the pull-down list.
    • If there is no default and you know the AD user name to associate with an Ektron user, enter that in the AD Username and AD Domain fields. If you do not know the AD username, click Search to find the user in AD.
    • If you decide to change the username in AD to match the Ektron username, make the change in AD. Then, click Refresh () to update Ektron and resolve the discrepancy.
    • If a user should not exist in Ektron, click the Delete box.
  5. After you complete the changes, click Save.
  6. Click CMS relationships need to be associated with Active Directory relationships on the Active Directory Status screen. The Associate CMS Relationships with Active Directory Relationships screen appears. The screen displays a user’s group membership that exists in Ektron, but does not exist in AD. Use this screen to coordinate Ektron user group membership with AD user group membership.
    —Image—

  7. After viewing the discrepancy, perform the appropriate action:
    • To associate the user with the same user group in AD, go to AD and assign the user to the group. Then, return to this screen and click Refresh () to update user group information in Ektron. See Also: Importing a User’s AD Group Information to Ektron
    • To remove the user’s group membership in Ektron, check the Delete box and
  8. After you complete the changes, click Save ().
  9. Click CMS groups need to be associated with Active Directory groups on the Active Directory Status screen, the Associate CMS User Groups with Active Directory Groups screen appears. Use this screen to associate Ektron groups with AD groups.
  10. Depending on the group, perform the appropriate action:
    • If there is no default, enter that in the AD Group Name and AD Domain fields. If you do not know the AD group name, click Search to find the group in AD.
    • If a group should not exist in Ektron, click the box under the Delete column to delete the group.
  11. After you complete the changes, click Save.
Viewing and searching for users

Viewing and Searching for Users

  1. Click Settings > Users from the Workarea. The View users screen appears.
  2. Click a user to display detailed information for that user. The View User Information screen appears.
    —Image—

  3. If you are using user authentication mode, Username and Domain can only be edited in AD. You can edit all other fields on this screen.

    If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.

    The screen also displays the following buttons.

    • Edit—Edit information on screen.
    • —Delete user.
    • —Retrieve latest information from AD into Ektron. This button is not displayed in user authentication mode.
    • —Replace CMS user with different AD User.
    • —Return to previous screen

    If you cannot easily locate specific users on the View Users screen, use the search function.

  4. Click Add User. The Search Active Directory for Users screen appears.
    —Image—

  5. Enter as many search criteria as you know to reduce the number of users that the search returns. For example, if you know the user’s last name is Jackson and he is in the planets domain, enter those criteria to get fewer results.
  6. Click Search. The Active Directory Users screen appears.
  7. Check the box next to each user you want to add to Ektron.
  8. Click Saveto import the information.
Viewing and searching for user groups

Viewing and Searching for User Groups

The View User Groups Screen displays all AD user groups that have been imported to Ektron.

  1. Go to Settings > User Groups. The View User Groups screen appears.
  2. Click the group name to display detailed information for the group. The View Users in Group screen appears, showing the following information for each user in the group:
    • username and domain
    • first and last name
    • language
  3. To add AD groups to Ektron, click the toolbar button () that lets you add AD groups to Ektron. The Search Active Directory for Groups screen appears.
  4. If the Domain setting on the Active Directory Setup screen is set to restrict AD integration to one domain, you can only search for groups in that domain.
    —Image—

  5. Click Search. A new screen appears that lists all AD groups that satisfy the search criteria.
  6. Click the box next to groups you want to create in Ektron.
  7. ClickSaveto import their information.
Importing AD user information to Ektron

Importing AD User Information to Ektron

This section explains importing AD user information when integration is first enabled and on an ongoing basis.

AD user information is initially imported to Ektron in different ways depending on whether:

  • the Ektron database has already been populated with users
  • the Ektron database has not yet been fully populated with users. (At least one user is always present because of the default admin user.)
  • users are manually added to the Ektron database

For a populated Ektron database:

  1. If Enable automatic addition of user from AD is checked on the Active Directory Setup screen, user information is imported from AD to Ektron when that user logs in or is added to Ektron. See Also: Setting Up Active Directory
  2. At that time, AD information overwrites all Ektron information.
  3. If 2 or more AD users have the same Ektron user logon name but different domains (for example, JDoe in Eng.Example.com and JDoe in Mkt.Example.com) and that username (JDoe) also exists in Ektron, the Active Directory Setup and Active Directory Status screens indicate this discrepancy via this message: CMS users need to be associated with Active Directory users.
  4. Click the message to proceed to the Associate Ektron Users to Active Directory Users screen. From there, you can link an AD user to an Ektron user. See Also: Maintaining AD User Information

For a Ektron database with only a few users, go to the Search Active Directory for Users screen and select AD users that will use Ektron. You can only select AD users that do not exist in Ektron. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain.When you add a user, AD information is imported to Ektron. See Also: Viewing and Searching for Users

You can also manually add AD users to Ektron:

  1. From the Workarea, click Settings >Users.
  2. Click Add Users. The Active Directory Users screen appears.
  1. From the Domain pull-down list, select the domain from which you want to add a user.
  2. Enter as much information as you know into the other fields.
  3. Click Search. A screen displays all users that satisfy the search criteria.
  4. Check the box next to each user you want to add.
  5. Click Save.
Maintaining AD user information

Maintaining AD User Information

When AD integration has been established, new AD user information is imported to Ektron when either of these events occurs:

  • the user logs in
  • someone clicks Refresh () on the user’s View User Information screen

Maintenance tasks include:

  • Editing—Because Ektron does not write to AD, you can only change some fields on the Edit User screen. Edit read-only fields from AD.
  • Deleting—If a user is deleted in AD, Ektron does not delete the user. However, the login fails because the user cannot be authenticated. To delete the user from Ektron, use the Delete User function described in Deleting a User.

    If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. For more information, see Getting Started with Ektron.

  • Replacing—If you associate the wrong AD user with an Ektron user, you can replace the user. If you do, all Ektron permissions and approval process responsibilities transfer from the old to the new user.
  1. Go to Settings > Users.
  2. Click the user you want to replace.
  3. Click Associate CMS User with Different AD User ().
  4. Select a user to replace the previously selected user.
  5. Click Save. The first user is deleted from Ektron.
Importing AD user group information

Importing AD User Group Information

This section explains how a user’s group membership is imported from AD to Ektron after integration is enabled. When assigned to a group, the user automatically receives all Ektron permissions and approval process responsibilities associated with it.

NOTE: Active Directory has 2 kinds of user groups: security and distribution. Ektron does not distinguish between them. As long as a user is a member of either kind of group, group information can be imported to Ektron.

Before using AD integration, import all AD groups you will use into Ektron:

  1. From the Workarea, choose Settings > User Groups.
  2. Click Add Groups. The Search Active Directory for Groups screen appears.
  1. From the Domain drop-down list, select the domain of the user group you want to add.

    NOTE: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.

  2. Enter as much information as you know into the Active Directory Group field.
  3. Click Search. A screen displays all groups that satisfy the search criteria.
  4. Check the box to the left of each group you want to import to Ektron.
  5. Click Save.
Importing a user's AD group information to Ektron

Importing a User’s AD Group Information to Ektron

Users' membership in AD Groups are imported to Ektron in different ways depending on the state of existing Ektron user groups:

  • If CMS user groups already exist—If Enable automatic addition of user to groups is checked on the Active Directory Setup screen, a user’s group membership is imported from AD to Ektron when a user first logs in or is added. At this time, any AD group memberships overwrite Ektron group memberships except the Everyone group, to which all users belong.

    In the case of a discrepancy between AD and Ektron user groups:

    • If a user belongs to an AD user group that does not exist in Ektron, no action is taken. The AD Integration feature assumes that not all AD groups are meaningful in Ektron.
    • If a user belongs to an Ektron user group that does not exist in AD, the discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. From these screens, you can import AD group information into Ektron.
    • If the user should belong to an AD group, add the group membership within AD. Then, refresh the user on the View User Information screen to import AD group information into Ektron.
  • If only default user groups exist in the CMS—Follow the procedure described in Importing AD User Information to Ektron to import AD user groups to Ektron. Then, as users in those groups are added to Ektron, their group memberships are applied.
  • After AD integration is enabled—a user’s group memberships in Ektron are updated when all of the following are true:
    • The Enable automatic addition of user to groups field is checked on the Active Directory Setup screen
    • A user is added to Ektron or the user's ADactive directory group membership changes
    • The user logs in or someone clicks Refresh () on the user’s View User Information screen

Alternatively, if Enable automatic addition of user to groups field is unchecked, you can add the user to (or remove the user from) groups independently of AD group memberships.

Mapping the administrator group

Mapping the Administrator Group

On the Active Directory Setup screen, you identify the AD group that maps to the Ektron Administrator group using a syntax of AD group name@AD domain. Members of this group receive administrator privileges.See Also: Administrator Role Privileges

—Image—

If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.

Note that only one AD group can be mapped to the Ektron Administrator group. You cannot have an AD administrator group within each AD domain.

NOTE: Unlike other Ektron user groups, whose names are imported from AD, the Ektron Administrator and Everyone group names cannot be changed.

Maintaining AD user group information

Maintaining AD User Group Information

Maintenance tasks include:

  • Removing users from a group—If you delete a user from an AD group, the user is removed from the associated Ektron group the next time the user's information is updated.
  • Adding user groups—If AD integration is enabled, you can only add user groups in AD. Then log on to Ektron and use the Search Active Directory for Groups screen to import the AD user group to Ektron as described in Importing AD User Group Information .
  • Adding a user to a group—You cannot add a user to a user group within Ektron; you must do so in Active Directory.
  • Replacing a group—If you associated the wrong AD user group with an Ektron user group, replace the user group.
    1. From the Workarea, click Settings >User Groups.
    2. Click the user group that you want to replace.
    3. Click Associate CMS Group with Different AD Group ().
    4. Select a group to replace the group you selected in Step 2.
    5. Click Save.
  • Deleting a group—You can delete a user group from AD or Ektron. When deleting user groups, consider the following behaviors:
    • If you delete a user group in AD and users are assigned to the group within Ektron, the group is not deleted in Ektron. However, any Ektron users who were members of the group are no longer members the next time their Ektron information is updated. The discrepancy is flagged on the Active Directory Setup and Active Directory Status screens.
    • If you delete a user group in Ektron and users are assigned to that group within AD, nothing happens. This is because AD Integration assumes that the Ektron administrator only maintains user groups that are meaningful to Ektron, and some AD groups are not meaningful to Ektron.
Disabling AD integration

Disabling AD Integration

When you disable AD integration, domain names are dropped, which may cause user and user group names to not be unique. For example, 2 users are named JJackson@example.net and JJackson@example.com. When AD is enabled, domain names make the users and user groups unique. However, when AD is disabled and domain names are dropped, the names are now identical. You need to make the users and user groups unique.

To disable AD authentication or integration:

  1. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  2. Enable the Disable Active Directory and LDAP Authentication radio button. If any users or groups have the same name with different domains, the following message appears: Active Directory Authentication is disabled, but needs further configuration
  3. Click the message. The Active Directory Status screen appears.
  4. Click the CMS users need to be made unique message. The Make CMS Users Unique screen appears.
    —Image—


    User group names are handled in the same manner. Click the CMS user groups need to be made unique message. The Make CMS Groups Unique screen appears.
    —Image—

  5. Click Save to accept the suggested new names as recommended by Ektron. By accepting the suggested name, you allow the software to automatically associate AD andEktron users or groups if you later decide to re-enable AD integration.
Implementing user authentication mode

Implementing User Authentication Mode

In user authentication mode, AD is used only to authenticate users logging in to Ektron. User groups are managed within Ektron, not AD.

Transferring user information from AD to Ektron

Transferring User Information from AD to Ektron

Ektron does not write to AD; it only reads from it. This changes how usernames, domains, and passwords are handled in Ektron.

  • Changes to user logon name, domain and password must be made in AD. You cannot update these fields in the Ektron Edit User screens.
  • When adding a new user to Ektron, you can only select AD users. If the user does not exist in AD, create the user there and then import the user into Ektron.

Ektron refers to the following AD authentication information during sign-in: password, user logon name, and domain. Note that the password is not stored in Ektron; Ektron only refers to the password during sign-in.

Adding and maintaining user information

Adding and Maintaining User Information

Adding user information in user authentication mode is the same as in AD integration mode.

If a user’s logon name changes in AD, it no longer matches the Ektron logon name. This discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. Go to the Associate CMS Users to Active Directory Users screen, where you can update the user information.

Alternatively, you could:

  1. Go to the View User Information screen.
  2. Select the user whose AD name changed.
  3. Click Associate the CMS user with Different AD user ().
  4. Select the AD user and domain.

See Also: Maintaining AD User Information

Editing user information in Ektron

Editing User Information in Ektron

Ektron does not write to AD. This means that you can only change the Username and Domain fields from AD. You can change the following fields on the Ektron Edit User screen:

  • First Name
  • Last Name
  • E-Mail Address
  • User Language
  • Disable Receiving of Workflow and Task Email

IMPORTANT: If you replace a user in user authentication-only mode, the user’s first name, last name, and email address are not overwritten with information in AD.

Using AD integration screens in user authentication mode

Using AD Integration Screens in User Authentication Mode

Because the scope of user authentication mode is limited to authentication, only some fields on AD Integration screens are used:

Logging into a System that Uses AD Integration

Because AD usernames and passwords are stored by domain, the AD sign-on procedure requires the user to select a domain. When AD integration is enabled, the sign-on screen includes a domain drop-down list.

Single sign on

Single Sign On

The Single Sign On feature retrieves a user’s login information from Active Directory to authenticate access to Ektron. The user does not need to enter a password. After clicking Login, he immediately logs in.

Single Sign On uses a variable called User.Identity.Name. This maintains the user's account and domain in Active Directory, and has the format [domain]\[username]. For example, EKTRON1\ssmith. The variable's value is set when a user authenticates against a Windows server.

When a user clicks the Login server controla server control uses API language to interact with the CMS and Framework UI to display the output. A server control can be dragged and dropped onto a Web form and then modified., if the variable passes successfully and Active Directory is enabled, the server control opens the autologin.aspx page. Next, the opening window refreshes like a normal login, except the user is not prompted for a username, password, and domain.

However, if the user‘s computer is not on a domain, not on the same domain as Ektron, or does not include the Ektron server as a trusted site, the following login screen appears.

—Image—

If Active Directory is not enabled, the normal login.aspx page appears.

Single Sign On uses the autologin.aspx file in the workarea/SSO directory. When set up, user authentication is enabled from any domain that this server can reach. For example, if Ektron is located in a third level domain, users from third, second, and first level domains can authenticate.

To allow membership users to use single signon, see Authenticating Membership Users with AD or LDAP. When enabling this functionality, create one login page for Ektron users and another for membership users. For example, use the membership user login as the front-facing login, and then secure a /cmslogin.aspx for Ektron user. Next, secure the login with IIS security because Windows authentication only allows the Ektron administrators group in AD to read permissions on the /cmslogin.aspx page.

NOTE: Single signon may not work directly on servers, due to security settings on the server and its browser. Try a different machine and make sure it works elsewhere before troubleshooting further.

See Also: Enabling NTLM Authentication (Automatic logon)

Use the setup instructions below that correspond to the IIS version running on your server.

After completing these procedures, enable Active Directory within Ektron (if it isn’t already enabled). See Also: Setting Up Active Directory

You should enable the automatic addition of users and groups.

Use the following line of codebehind when troubleshooting user login with Single Signon. If this .NET code cannot get the user login, then Ektron cannot either.

Response.Write("UserName:" & Request.ServerVariables("LOGON_USER"))
Setting up single sign on using IIS7 or IIS7.5

Setting up Single Sign On Using IIS7 or IIS7.5

Setting up Single Sign On with IIS 7 or IIS7.5 involves modifying the web.config file and editing security settings.

Modifying Web.config for single sign on

Modifying Web.config for Single Sign On

  1. Open site root/Web.config.
  2. Find the ek_AUTH_protocol element and change its value to LDAP:
    <add key="ek_AUTH_Protocol" value="LDAP" />
  3. Find the authentication element and change the value of authentication mode to Windows.
  4. Change the value of impersonate to False:
    <authentication mode="Windows" /> 
    <identity impersonate="false" userName="" password=""/>
  5. Comment out the MyDigestAuthenticationModule only.
    <modules>
<!--add name="MyDigestAuthenticationModule" 
type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule, 
  Ektron.ASM.EkHttpDavHandler" /-->
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule,
  System.Web.Extensions, Version=1.0.61025.0, Culture=neutral,
  PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
<add name="EkUrlAliasModule" type="UrlAliasingModule" 
  preCondition="integratedMode" />
</modules>
Adjusting security settings for the site root folder

Adjusting Security Settings for the Site Root Folder

  1. Go to Start menu > Administrative Tools > Internet Information Services.
  2. Within IIS, go to Sites and select your Ektron site.
  3. From the right panel, select Authentication.
    —Image—

  4. On the Authentication screen, enable Anonymous Authentication.
    —Image—

Adjusting security settings for autologin.aspx

Adjusting Security Settings for autologin.aspx

  1. Make sure that Windows Authentication is installed on this server. To do this:
    1. Open Start menu > Administrative Tools > Server Manager.
    2. Click Roles > WebServer (IIS) Role Services > Security > Windows Authentication.
      —Image—

    3. If the status of Windows Authentication is Installed, proceed to Step 2.

      If the status of Windows Authentication is Not Installed, click Add Role Services. The Add Role Services screen appears.

      —Image—

    4. Check Windows Authentication.
    5. Click Next and follow the prompts to install Windows Authentication.
    6. Close Server Manager.
  2. Open IIS Manager.
  3. Go to Sites > your website’s root folder > Workarea > SSO and right click Switch to Content View.
    —Image—

  4. In the center panel, right click autologin.aspx and select Switch to Features View.
    —Image—

  5. In the center panel, click Authentication.
  6. From the center panel, check the status of Windows Authentication. If it is disabled, enable it by selecting it, right clicking, and choosing Enable from the menu.
    —Image—

  7. From the center panel, check the status of Anonymous Authentication. If it is enabled, disable it by selecting it, right clicking, and choosing Disable from the menu. As a result of this procedure, autologin.aspx passes credentials from the logged-in user's desktop.
Updating the Login Server Control for Single Signon

Updating the Login Server Control for Single Signon

This sample shows how to modify the Login server control to accommodate single signon. See Also: Login server control

/Cmslogin.aspx <cms:login> Control
<cms:login runat="server" AutoLogin="True" AutoAddType="Author" 
  id="cmslogin" />
/login.aspx.cs
bAutoLogin = true;
Active Directory and eSync

Active Directory and eSync

An Active Directory configuration does not get synchronized.

In an eSync environment, add all users to one environment. Then, sync the users if multiple servers are using AD login.