Authentication Enhancement: Member and Console User Windows Authentication

Enabling Windows Authentication

Within the console, under Settings -> Preferences there is a new panel “Windows Authentication” which allows for Windows authentication to be enabled and to also specify the valid domain name.

(image 1)

Console user authentication

Requirements for Windows authentication of a console user:

- Windows authentication must be enabled via the preferences.

- Within the console, under Modules -> Members -> Manage Member Roles, edit or create the required role(s) to match the Windows groups that are to be allowed.

For example, image 2 shows a console user role “ConsoleRole1” which has the “Enable Windows Auth” checkbox selected and also has the “Windows Group Name” set to “WindowsGroup1”. This will allow console users within the “ConsoleRole1” role to be Windows authenticated if they are within the Windows group “WindowsGroup1”.

Note that multiple Windows group names can be included by separating the names with a comma.

- Console users are automatically authenticated when navigating to the console section of the site.

(image 2)

Member authentication

Requirements for Windows authentication of a front-end member:

- Windows authentication must be enabled via the preferences.

- Within the console, under Modules -> Members -> Manage Member Roles, edit or create the required role(s) to match the Windows groups that are to be allowed.

For example, image 3 shows a members role “MemberRole1” which has the “Enable Windows Auth” checkbox selected and also has the “Windows Group Name” set to “WindowsGroup2”. This will allow members within the “MemberRole1” role to be Windows authenticated if they are within the Windows group “WindowsGroup2”.

Note that multiple Windows group names can be included by separating the names with a comma.

- A new skintag [pbMemberWindowsAuth] is to be included on any page or layout template that requires the current user to be logged in as a member. This can be placed on a login landing page, or on each page that is required to be members only.

(image 3)

Web config and server settings

If the server has not yet been set up to allow overrideModeDefault for the anonymousAuthentication and windowsAuthentication sections of applicationHost.config, this will need to be done.

C:\Windows\System32\inetsrv\config\applicationHost.config

C:\Windows\SysWOW64\inetsrv\Config\applicationHost.config

<sectionGroup name="authentication">
  <section name="anonymousAuthentication" overrideModeDefault="Allow" />
  <section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>


I encountered an issue with the internal loopback on the server I was using and needed to apply the fix detailed here http://support.microsoft.com/kb/896861 to have the authentication work.

Within the web.config of the Pegboard application, the following changes are required.

The authentication node within the web.config needs to be replaced to enable Windows authentication.

Windows authentication only:

<authentication mode="Forms">
  <forms name="Pegboard5.ASPXAUTH"
         defaultUrl="~/cc/Default.aspx"
         loginUrl="~/cc/WindowsLogin.aspx"
         protection="All"
         timeout="30"
         slidingExpiration="true"
         path="/cc" />
</authentication>

Standard (Forms authentication only):

<authentication mode="Forms">
  <forms name="Pegboard5.ASPXAUTH"
         loginUrl="~/cc/Login.aspx"
         protection="All"
         timeout="30"
         slidingExpiration="true"
         path="/" />
</authentication>


The following location sections need to be added to the web.config. These can be added below the existing location sections.

<location path="cc/Login.aspx">
  <system.web>
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>

<location path="cc/WindowsLogin.aspx">
  <system.web>
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
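The two location sections above only work because the ASP.NET authorization rules and the IIS authentication switches agree with each other: the forms login page must be served anonymously, and the Windows login page must deny the anonymous user while IIS forces Windows authentication. The script below is an added consistency check (not part of this page or of the Pegboard product) that parses a web.config and flags the mismatches that would otherwise show up as a redirect loop or an unexpected IIS challenge; the sample XML is constructed from the sections on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real Pegboard web.config): the two <location> sections from this
# page under a minimal root, with the Windows-only <forms> element pointing at WindowsLogin.aspx.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web><authentication mode="Forms"><forms name="Pegboard5.ASPXAUTH"
    loginUrl="~/cc/WindowsLogin.aspx" path="/cc" /></authentication></system.web>
  <location path="cc/Login.aspx">
    <system.web><authorization><allow users="?" /></authorization></system.web>
    <system.webServer><security><authentication><anonymousAuthentication enabled="true" />
      <windowsAuthentication enabled="false" /></authentication></security></system.webServer>
  </location>
  <location path="cc/WindowsLogin.aspx">
    <system.web><authorization><deny users="?" /><allow users="*" /></authorization></system.web>
    <system.webServer><security><authentication><anonymousAuthentication enabled="false" />
      <windowsAuthentication enabled="true" /></authentication></security></system.webServer>
  </location>
</configuration>"""

def iis_enabled(location, tag):
    """True if the IIS authentication module <tag> is enabled="true" for this <location>."""
    el = location.find(f"system.webServer/security/authentication/{tag}")
    return el is not None and el.get("enabled", "false").lower() == "true"

def anonymous_rule(location):
    """First ASP.NET <authorization> rule naming the anonymous user '?': 'allow', 'deny' or None."""
    for rule in location.findall("system.web/authorization/*"):
        if rule.get("users") == "?":
            return rule.tag
    return None

def check_web_config(xml_text):
    """List wiring problems between <forms>, <authorization> and IIS auth; [] means consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    locations = {loc.get("path"): loc for loc in root.findall("location")}
    for path, loc in locations.items():
        anon, win = (iis_enabled(loc, t) for t in ("anonymousAuthentication", "windowsAuthentication"))
        rule = anonymous_rule(loc)
        # Enabled anonymous access wins in IIS, so the page never receives a Windows identity;
        # Forms then rejects '?' and redirects to loginUrl, a loop when this page is loginUrl.
        if rule == "deny" and (anon or not win):
            problems.append(f"{path}: denies '?' but IIS does not force Windows authentication")
        # A forms login page must be served anonymously, or IIS challenges before it runs.
        if rule == "allow" and not anon:
            problems.append(f"{path}: allows '?' but IIS anonymous authentication is disabled")
    forms = root.find("system.web/authentication/forms")
    login_url = forms.get("loginUrl", "").lstrip("~/") if forms is not None else ""
    if login_url and login_url not in locations:
        problems.append(f"forms loginUrl '{login_url}' has no matching <location> section")
    return problems
```

Run it against the real web.config by reading the file into check_web_config; an empty list means the login pages are wired the way the sections above intend.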