Portal Authentication Options & Setting up Active Directory Profile Providers
Active Directory Membership, Profile Provider, and User Auto Creation Guide
Product Information
Created Date: March 14th, 2014
Updated Date: 8/20/2020
Reason for Guide
This document explains how to enable and configure the following three features: Active Directory Membership Provider, Active Directory User Profile Provider, and Automatic User Creation.
Important Note
This document goes into great depth and covers several technical concepts in order to implement the three features. Please do not attempt to implement the contents of this document on your own if you are uncomfortable configuring the portal or unsure of exactly what each feature does. Please contact us to assist you.
All three of these features are completely independent from one another and you can choose which ones to implement. The following table shows which features may be used with each authentication type.

Authentication type    | AD User Profile Provider | AD Membership Provider | User Auto Creation
Forms Authentication   | X                        | X                      | X
Windows Authentication | X                        |                        | X
Below are some of the common setups that can be used by customers:
· Windows Authentication + AD User Profile Provider + User Auto Creation
· Windows Authentication + AD User Profile Provider
· Forms Authentication + AD Membership Provider
· Forms Authentication + AD Membership Provider + AD User Profile Provider
· Forms Authentication + AD Membership Provider + AD User Profile Provider + User Auto Creation
Active Directory User Profile Provider
Enabling this provider allows a portal administrator to configure any custom field to use this provider instead of the Portal Database. You are able to select the option on a per field basis when in the Profile Field Manager and using the Configure User Profile Field tool. When configuring a custom field to use Active Directory, a portal administrator will be able to choose what field from Active Directory should populate for that user throughout the portal. It is also important to mention that if the Active Directory Membership Provider has been enabled, the portal will always use the Active Directory Username and Password.
Who should enable Active Directory User Profile Provider?
If you wish to use Active Directory to store the value for any field in the portal, you should enable the provider. The provider can allow you to significantly reduce the amount of work in maintaining data in the portal by only having to update the values for users in Active Directory rather than in both spots. In addition, if you plan on enabling Active Directory Membership Provider it is strongly recommended to use this provider for your fields as well.
Enabling and Configuring Active Directory User Profile Provider
If the portal runs on Windows Server 2003, the Microsoft fix at http://support.microsoft.com/kb/q196271/ must be applied first, followed by a server restart. If this step is not done, enabling the provider will bring the portal down.
Step 1 – LDAP Connection String
The first step to enabling the provider is to configure the LDAP (lightweight directory access protocol) Connection String. This connection string is the IP address or the domain of your Active Directory instance. To find the line in your web.config, perform a find by pressing control + F and searching for “LDAP.”
Example
<add name="LDAP" connectionString="LDAP://CABLE" />
It is very important to write the path exactly as above: the value must start with the uppercase LDAP:// moniker (the ADSI provider name is case-sensitive) and must not end with a slash after the IP address or computer name.
Step 2 – Configuring the Active Directory User Profile Provider
After properly setting the LDAP connection string in step 1, in order to enable and configure the Active Directory User Profile Provider, it is as simple as un-commenting the proper tag in the web.config or adding it if it does not already exist. Once this is done, the provider will be immediately available for use upon refreshing the portal.
Find the opening element “<userProfiles>” within the parent element “<system.web>”. Inside it is another element, <providers>, which should contain two <add> elements: the first is DefaultUserProfile and the second, the Active Directory one, is commented out. If the second add element does not exist, add it now using the one below.
<!--<add
name="ActiveDirectoryUserProfile" description="Active Directory" connectionStringName="LDAP" attributeMapUserName="sAMAccountName" type="Passageways.Portal.Web.UserProfiles.ActiveDirectoryUserProfileProvider, Passageways.Portal.Web" />-->
Uncomment this tag by removing the <!-- and --> from before and after the tag.
Step 3 – Changing a field to use Active Directory
Once the provider is enabled, you can configure fields in the portal to use it. As a portal administrator, follow these steps to switch a field to Active Directory.
1. Expand the Manage Users Portal Tool
2. Click on Profile Field Manager
3. Select the field whose provider you want to switch, or select New Field
4. From the provider drop down select “Active Directory”
5. A new drop down called Field Name appears, where you select which Active Directory attribute should be displayed for this field in the portal.
6. If you are unsure what the Field Names mean, see the table under Definitions below.
OPTIONAL Step – Custom AD Fields addition (only in Framework 6.1+)
To add additional fields please go to this article which has steps to add custom Active Directory Fields, as well as a breakdown of all the fields from AD that can be added to the portal in Framework 6.1+!
Article: Adding Custom Active Directory Fields to User Profile in 6.1+
Switching a field to use Active Directory switches it for everyone: the provider is set per field, not per user. Make sure the corresponding attribute is populated in Active Directory before switching a field, because the portal will then display whatever Active Directory holds for it. Take special care when changing First Name, Last Name, E-mail, and Supervisor, as these are considered special “system” fields within the portal!
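Before switching a field (Step 3 above), and in particular the First Name and Last Name fields that automatic user creation depends on, it is worth checking which enabled accounts have no value for the mapped attribute. The following Python script is an added example, not part of this article or of the portal: it reads an LDIF export of your users (the ldifde command in the comment is one way to produce such an export), maps the portal field names from the Definitions table to their Active Directory attributes, and reports the enabled accounts that would show an empty field. The sample export, its domain DC=cable,DC=local and its users are constructed for the example.

```python
import base64

# Portal field -> Active Directory attribute, from the Field Names table on this page.
PORTAL_AD_ATTRIBUTES = {
    "Country": "co", "Fax Number": "facsimileTelephoneNumber", "First Name": "givenName",
    "Home Telephone Number": "homePhone", "User Initials": "initials", "City": "l",
    "E-mail Address": "mail", "User's Supervisor": "manager", "Mobile Telephone Number": "mobile",
    "Pager Telephone Number": "pager", "Zip or Postal Code": "postalCode", "Last Name": "sn",
    "State": "st", "Street Address": "streetAddress", "Work Telephone Number": "telephoneNumber",
    "Job Title": "title", "Web Site Address": "wWWHomePage",
    "Date of Entry Into Active Directory": "whenCreated",
}
# The fields this page calls special "system" fields.
SYSTEM_FIELDS = ("First Name", "Last Name", "E-mail Address", "User's Supervisor")
ACCOUNTDISABLE = 0x2  # userAccountControl flag set on a disabled account

# Constructed sample export (domain and people are made up). A real one can be produced with
#   ldifde -f users.ldf -r "(&(objectCategory=person)(objectClass=user))"
#          -l sAMAccountName,userAccountControl,givenName,sn,mail,manager
# Jane's manager line is folded over two lines, as LDIF allows; Nora has no givenName and an
# empty mail; svc-backup is disabled (512 + 2) and is therefore ignored.
SAMPLE_LDIF = """dn: CN=Jane Smith,OU=Staff,DC=cable,DC=local
sAMAccountName: jsmith
userAccountControl: 512
givenName: Jane
sn: Smith
mail: jsmith@cable.local
manager: CN=Tom Lee,OU=Staff,
 DC=cable,DC=local

dn: CN=Tom Lee,OU=Staff,DC=cable,DC=local
sAMAccountName: tlee
userAccountControl: 512
givenName: Tom
sn: Lee
mail: tlee@cable.local

dn: CN=Nora Garcia,OU=Staff,DC=cable,DC=local
sAMAccountName: ngarcia
userAccountControl: 66048
sn: Garcia
mail:
manager: CN=Tom Lee,OU=Staff,DC=cable,DC=local

dn: CN=svc-backup,OU=Service Accounts,DC=cable,DC=local
sAMAccountName: svc-backup
userAccountControl: 514
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute -> list of values.
    Handles folded lines (a leading space continues the previous line) and base64 values ("attr:: ...")."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def is_enabled(entry):
    return not int(entry.get("userAccountControl", ["0"])[0]) & ACCOUNTDISABLE


def has_value(entry, attr):
    return any(v.strip() for v in entry.get(attr, []))


def readiness_report(entries, portal_fields):
    """For each portal field about to be switched to Active Directory, list the enabled accounts
    whose mapped attribute is absent or empty. Disabled accounts are skipped: the membership
    provider will not let them in anyway."""
    unknown = [f for f in portal_fields if f not in PORTAL_AD_ATTRIBUTES]
    if unknown:
        raise ValueError(f"not an Active Directory-backed portal field: {unknown}")
    enabled = [e for e in entries if is_enabled(e)]
    return {field: sorted(e["sAMAccountName"][0] for e in enabled
                          if not has_value(e, PORTAL_AD_ATTRIBUTES[field]))
            for field in portal_fields}


def auto_create_blockers(entries):
    """Enabled accounts that automatic user creation cannot create: this page requires First Name
    and Last Name to come from Active Directory, so both attributes must be populated."""
    report = readiness_report(entries, ["First Name", "Last Name"])
    return sorted(set(report["First Name"]) | set(report["Last Name"]))


if __name__ == "__main__":
    users = parse_ldif(SAMPLE_LDIF)
    for field, missing in readiness_report(users, list(SYSTEM_FIELDS) + ["Job Title"]).items():
        print(f"{field} ({PORTAL_AD_ATTRIBUTES[field]}): "
              + (", ".join(missing) if missing else "all enabled users have a value"))
    print("cannot be auto-created:", auto_create_blockers(users))
```

Run against a real export, an empty list for First Name, Last Name and E-mail Address is the condition to meet before switching those system fields; the Job Title line in the sample shows what switching an unpopulated attribute looks like (every enabled user listed).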
Enabling Automatic User Creation
(Note: This is enabled by default as of Framework 6.0+)
Enabling automatic user creation means that any enabled user of your domain who does not yet have a portal account gets one created the first time they log in to the portal. If you enable this together with Windows Authentication, the account is created the moment the user browses to the portal URL, and they are signed in immediately as well. Because this applies to every enabled domain account that can reach the site, including service and shared accounts, decide who should be able to browse to the portal before turning it on.
This feature only creates a small amount of data for the user such as username, organization workgroup and alert preferences, so it is highly recommended that it is used in tandem with the Active Directory User Profile Provider which was detailed in the previous section.
In addition, because the portal account is tied to the user's Windows security identifier (SID) rather than to the login name, a login-name change (after a marriage, for example) is picked up automatically the next time the user logs into Windows and then into the portal.
NOTE: As of Framework 4.9, in order for users to be created automatically using this feature, the fields First Name and Last Name must be set up to be pulled from Active Directory in the User Profile Provider as above.
Who should enable Automatic User Creation?
You should enable automatic user creation if you would prefer to have your users created automatically instead of through the Create User tool within the portal. The Create User tool remains available even when automatic user creation is enabled.
Step 1 – LDAP Connection String
This connection string affects both the Active Directory Membership Provider and the Active Directory User Profile Provider (and therefore automatic user creation, which depends on the latter). The name of the element, “LDAP”, is how the connection string is referenced by both of these providers.
The first step to enabling the provider is to configure the LDAP (lightweight directory access protocol) Connection String. This connection string is the IP address or the domain of your Active Directory instance. You should find the element inside the <connectionStrings> element in the web.config. If it is not present, add it below the other connection string elements, as in the example below.
Example
<add name="LDAP" connectionString="LDAP://CABLE" />
It is very important to write the path like above using LDAP:// and not using a trailing slash after the IP address or computer name.
Step 2 – Enabling Automatic User Creation with Active Directory Membership Provider
Enabling auto creation is done by un-commenting two lines in the web.config, or adding the elements if they do not already exist. Start by finding the opening element “<httpModules>” inside the “<system.web>” element (this registration is used by the Classic pipeline). Further down the web.config, find the opening element “<modules>” under the parent element “<system.webServer>” (used by the IIS Integrated pipeline, which is why that entry carries preCondition="managedHandler"). In each place, uncomment the existing line if it is there; otherwise add the one shown below.
The two lines should appear as follows.
<httpModules>
<add name="AccountSynchronization" type="Passageways.Portal.Web.AccountSynchronizationModule, Passageways.Portal.Web" />
<modules>
<add name="AccountSynchronization" preCondition="managedHandler" type="Passageways.Portal.Web.AccountSynchronizationModule, Passageways.Portal.Web" />
Once these lines are uncommented, and the First Name and Last Name profile fields are set to use the Active Directory User Profile Provider, an account is created automatically the first time a user browses to the portal’s URL. New users are placed in the Employee role, have their alert preferences set immediately, and can create workgroups and My Pages.
Active Directory Membership Provider
(for Forms Authentication Only)
Enabling this provider replaces the default Portal Membership Provider. By enabling this provider, when a user attempts to authenticate against the portal using Forms Authentication, it will look at Active Directory to determine if the user should be allowed into the portal. If the user accessing the portal is valid and enabled in Active Directory, they will be granted access to the portal.
Who should enable Active Directory Membership Provider?
If your network uses Active Directory and you wish to use it to determine if a user is successfully authenticated within the portal by their AD account and you are not using Windows Authentication, then you should use the Active Directory Membership Provider.
You should not enable the Active Directory Membership Provider if you plan to integrate the portal with, or otherwise use, Windows Authentication at any point. The Active Directory Membership Provider is used exclusively by the Login Form as an alternative to the Portal Database Provider!
Enabling and Configuring Active Directory Membership Provider
Step 1 – LDAP Connection String
The Active Directory Membership Provider uses the same “LDAP” connection string as the Active Directory User Profile Provider and automatic user creation. If you have already configured it as described in the earlier Step 1 sections, nothing more is needed here. Otherwise, add the element inside <connectionStrings> in the web.config, giving the IP address or domain of your Active Directory instance.
Example
<add name="LDAP" connectionString="LDAP://CABLE" />
The value must start with the uppercase LDAP:// moniker and must not end with a trailing slash after the IP address or computer name. The ActiveDirectoryMembershipProvider also accepts a container after the server or domain (for example LDAP://CABLE/OU=Staff,DC=example,DC=com, an illustrative path); the provider then only looks for users in that container and below, which is a simple way to keep service and administrative accounts out of the portal login.
Step 2 – Configuring the Membership Provider
After setting up your LDAP Connection String, enable the Active Directory Membership Provider by finding it in the web.config and un-commenting it, or adding it if it does not already exist. Open the web.config and find the element “<membership defaultProvider="PortalMembership">”. Inside its <providers> element there is an <add> element named PortalMembership; the Active Directory element shown below should follow it, commented out. If it is there, uncomment it; otherwise add it now.
<!--<add
name="ActiveDirectoryMembership"
description="Users Stored in Active Directory"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="LDAP"
enableSearchMethods="true"
requiresUniqueEmail="false"
clientSearchTimeout="30"
serverSearchTimeout="30"
attributeMapEmail="mail"
attributeMapUsername="sAMAccountName"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="10"
passwordAnswerAttemptLockoutDuration="30"
minRequiredPasswordLength="7"
minRequiredNonalphanumericCharacters="1"
passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />-->
Uncomment this tag by removing the <!-- and --> from before and after the tag. Before going on to step three, here is a brief description of the properties above. Most of them can be left at the values shown, but it is good to understand them. Additional properties are documented at http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx.
· connectionStringName – the <connectionStrings> entry to use; this must be the “LDAP” element from Step 1.
· enableSearchMethods – allows the provider's search methods (FindUsersByName, FindUsersByEmail, GetAllUsers) to query the directory.
· requiresUniqueEmail – whether an e-mail address may belong to only one user.
· clientSearchTimeout / serverSearchTimeout – how long, in seconds, a directory search may run before it is abandoned.
· attributeMapEmail / attributeMapUsername – the Active Directory attributes used as the user's e-mail address and username. attributeMapUsername must be either sAMAccountName (as set here) or userPrincipalName (the provider's default).
· maxInvalidPasswordAttempts, passwordAttemptWindow, passwordAnswerAttemptLockoutDuration – lockout rules for failed password-question answers when password reset through the provider is enabled. They do not control lockout for failed logons; that is enforced by the account lockout policy of the Active Directory domain, so keep that policy in place.
· minRequiredPasswordLength, minRequiredNonalphanumericCharacters, passwordStrengthRegularExpression – enforced only when a password is created or changed through the provider; logons are validated against the password already held in Active Directory. Note that the regular expression above accepts six characters while minRequiredPasswordLength is seven; both rules are applied, so seven is the effective minimum. Make them agree if you adjust either.
Two properties not shown above matter for security. connectionProtection defaults to Secure, which makes the provider connect to the directory over SSL and, if that fails, fall back to signing and sealing the LDAP traffic; leave it at that default. connectionUsername and connectionPassword supply a directory account for the provider to bind with when the application pool identity cannot read the directory; if you need them, protect the membership section of the web.config with ASP.NET protected configuration (aspnet_regiis -pe) rather than leaving the password in clear text.
Step 3 – Setting Active Directory Membership Provider as default provider
To finish enabling the Active Directory Membership Provider, set it as the default membership provider. In the same <membership> element you found in Step 2, change defaultProvider so that the line reads as follows.
<membership defaultProvider="ActiveDirectoryMembership">
This fully implements the Active Directory Membership Provider and makes Active Directory the data store for deciding membership in your portal! Remember that with Forms Authentication the Login Form now carries the user's domain password to the portal, so the portal must be served over HTTPS.
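Since the same web.config edits are spread over three sections of this guide (the LDAP connection string in each Step 1, the AccountSynchronization module for automatic user creation, and the membership provider in Steps 2 and 3 above), a small pre-flight check catches the mistakes the guide warns about before the portal is restarted. The following Python script is an added example and not part of this article or of the portal: it parses a web.config and reports a trailing slash on the LDAP path, a defaultProvider that names no configured provider, an AccountSynchronization module present in only one of its two places, and a password regular expression that disagrees with minRequiredPasswordLength. The embedded web.config excerpt is constructed for the example with those mistakes planted in it, and its PortalMembership element is given without a type attribute because the guide does not show one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config excerpt (not a real portal file) with three planted mistakes:
# a trailing slash on the LDAP path, a password regex whose minimum length disagrees
# with minRequiredPasswordLength, and an AccountSynchronization module that is still
# commented out under <system.webServer>. The PortalMembership <add> has no type
# attribute because the guide does not show one.
SAMPLE_WEB_CONFIG = r"""<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="LDAP" connectionString="LDAP://CABLE/" />
  </connectionStrings>
  <system.web>
    <httpModules>
      <add name="AccountSynchronization" type="Passageways.Portal.Web.AccountSynchronizationModule, Passageways.Portal.Web" />
    </httpModules>
    <membership defaultProvider="ActiveDirectoryMembership">
      <providers>
        <add name="PortalMembership" />
        <add name="ActiveDirectoryMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="LDAP"
             attributeMapUsername="sAMAccountName"
             minRequiredPasswordLength="7"
             minRequiredNonalphanumericCharacters="1"
             passwordStrengthRegularExpression="(?=.{6,})(?=(.*\d){1,})(?=(.*\W){1,})" />
      </providers>
    </membership>
  </system.web>
  <system.webServer>
    <modules>
      <!--<add name="AccountSynchronization" preCondition="managedHandler" type="Passageways.Portal.Web.AccountSynchronizationModule, Passageways.Portal.Web" />-->
    </modules>
  </system.webServer>
</configuration>
"""


def check_ldap_connection_string(root):
    """Step 1: the LDAP entry must exist, start with LDAP:// and carry no trailing slash."""
    node = root.find("connectionStrings/add[@name='LDAP']")
    if node is None:
        return ['connectionStrings: no <add name="LDAP"> element']
    cs = node.get("connectionString", "")
    findings = []
    if not cs.startswith("LDAP://"):
        findings.append(f"LDAP connection string must start with LDAP:// (got {cs!r})")
    if cs.endswith("/"):
        findings.append(f"LDAP connection string has a trailing slash: {cs!r}")
    return findings


def check_membership(root):
    """Membership Steps 2 and 3, plus a consistency check on the password policy."""
    membership = root.find("system.web/membership")
    if membership is None:
        return ["system.web: no <membership> element"]
    providers = membership.find("providers")
    adds = providers.findall("add") if providers is not None else []
    names = [a.get("name") for a in adds]
    findings = []
    default = membership.get("defaultProvider")
    if default not in names:
        findings.append(f"membership defaultProvider={default!r} is not one of the configured providers {names}")
    ad = next((a for a in adds if a.get("name") == "ActiveDirectoryMembership"), None)
    if ad is None:
        return findings  # still on the portal database provider; nothing more to check
    if ad.get("connectionStringName") != "LDAP":
        findings.append("ActiveDirectoryMembership must reference the LDAP connection string")
    if ad.get("attributeMapUsername", "userPrincipalName") not in ("sAMAccountName", "userPrincipalName"):
        findings.append("attributeMapUsername must be sAMAccountName or userPrincipalName")
    # These settings only govern passwords set through the provider (logons are checked by
    # Active Directory itself), but the length in the regex should still agree with the minimum.
    min_len = int(ad.get("minRequiredPasswordLength", "7"))
    m = re.search(r"\(\?=\.\{(\d+),\}\)", ad.get("passwordStrengthRegularExpression", ""))
    if m and int(m.group(1)) != min_len:
        findings.append(f"passwordStrengthRegularExpression requires {m.group(1)} characters "
                        f"but minRequiredPasswordLength is {min_len}")
    return findings


def check_account_sync_module(root):
    """Auto user creation: the module must be registered in both pipelines. ElementTree drops
    XML comments, so an entry that is still commented out shows up here as missing."""
    findings = []
    for path in ("system.web/httpModules", "system.webServer/modules"):
        if root.find(f"{path}/add[@name='AccountSynchronization']") is None:
            findings.append(f"{path}: AccountSynchronization module missing or still commented out")
    return findings


def preflight(web_config_xml):
    """Return every finding, in the order this guide's steps introduce them."""
    root = ET.fromstring(web_config_xml)
    return (check_ldap_connection_string(root)
            + check_membership(root)
            + check_account_sync_module(root))


if __name__ == "__main__":
    for finding in preflight(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

To run it against a real portal, read the web.config into a string and pass it to preflight; an empty list means the three sections agree with each other and with the rules in this guide.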
Active Directory Portal Framework Settings
Within the portal there are two user-management options that also connect to Active Directory: delete, or disable, a portal user whose account has been deleted or disabled in Active Directory. Portal Admins can find and change these options at Portal Tools > Manage Portal Framework > Portal Framework Settings > System Policies section.
You can enable one or both options. The Synchronization Time field sets the time of day at which they are applied; a portal cache clear also runs them and can be done at any time. Because the delete option removes the portal account, consider starting with the disable option.
Definitions
Active Directory Membership Provider – Manages storage of membership information for an ASP.NET application in Active Directory and Active Directory Application Mode (ADAM) servers. In contrast to the Portal Membership Provider, the Active Directory Membership Provider has the portal check Active Directory to decide whether a user is considered a member of the portal.
To clarify on this point a bit, the way to think about the Active Directory Membership Provider is to assume that if a user is in Active Directory, their account is enabled, and they have the ability to navigate to the portal on the current domain, then they are also considered to be a member of not only the domain, but the portal as well.
Alternatively, when using Portal Membership Provider, this tells the portal to check the Portal Database for a record of the user accessing the portal. If a record does exist, the provided password matches and the record is activated, then the user is considered a member of the portal.
Active Directory User Profile Provider – In the most basic sense, the Active Directory User Profile Provider manages the storage of user profile information for an ASP.NET application in Active Directory. When Active Directory is selected as the provider for a particular field in the portal, the provider uses the properties given in the web.config to read that field's information from Active Directory for display throughout the portal.
Field Names – the Active Directory attribute and the portal field it populates:

AD attribute             | Portal field
co                       | Country
facsimileTelephoneNumber | Fax Number
givenName                | First Name
homePhone                | Home Telephone Number
initials                 | User Initials
l                        | City
mail                     | E-mail Address
manager                  | User’s Supervisor
mobile                   | Mobile Telephone Number
pager                    | Pager Telephone Number
postalCode               | Zip or Postal Code
sn                       | Last Name
st                       | State
streetAddress            | Street Address
telephoneNumber          | Work Telephone Number
title                    | Job Title
wWWHomePage              | Web Site Address
whenCreated              | Date of Entry Into Active Directory