Enabling Windows Authentication
Within
the console, under Settings -> Preferences there is a new panel
“Windows Authentication” which allows for Windows authentication to be
enabled and to also specify the valid domain name.
(image 1)
Console user authentication
Windows authenticate of a console user requirements:
- Windows authentication to be enabled via the preferences
- Within
the console, Modules -> Members -> Manage Member Roles, edit or
create the required role/s to match up with the Windows groups that are
to be allowed.
For example, image 2 shows a console user role
“ConsoleRole1” which has the “Enable Windows Auth” checkbox selected and
also has the “Windows Group Name” set to “WindowsGroup1”. This will
allow console users within the “ConsoleRole1” role to be Windows
authenticated if they are within the Windows group “WindowsGroup1”.
Note that multiple Windows group names can be included by separating the names with a comma.
- Console users are automatically authenticated when navigating to the console section of the site.
(image 2)
Member authentication
Windows authenticate of a front-end member requirements:
- Windows authentication to be enabled via the preferences
- Within
the console, Modules -> Members -> Manage Member Roles, edit or
create the required role/s to match up with the Windows groups that are
to be allowed.
For example, image 3 shows a members role
“MemberRole1” which has the “Enable Windows Auth” checkbox selected and
also has the “Windows Group Name” set to “WindowsGroup2”. This will
allow members within the “MemberRole1” role to be Windows authenticated
if they are within the Windows group “WindowsGroup2”.
Note that multiple Windows group names can be included by separating the names with a comma.
- A
new skintag [pbMemberWindowsAuth] is to be included on any page or
layout template that requires the current user to be logged in as a
member. This can be placed on a login landing page, or on each page that
is required to be members only.
(image 3)
Web config and server settings
If
the server has not yet been setup to allow overrideModeDefault for the
anonymousAuthentication and windowsAuthentication sections of the
applicationHost.config, this will need to be done.
C:\Windows\System32\inetsrv\config\applicationHost.config
C:\Windows\SysWOW64\inetsrv\Config\applicationHost.config
<sectionGroup name="authentication">
<section name="anonymousAuthentication" overrideModeDefault="Allow" />
<section name="windowsAuthentication" overrideModeDefault="Allow" />
</sectionGroup>
I encountered an issue with the internal loopback on the server I was using and needed to apply the fix detailed here http://support.microsoft.com/kb/896861 to have the authentication work.
, the following changes are required.
The authentication node within the web.config of the Pegboard application needs to be replaced to enable Windows authentication.
Windows authentication only
<authentication mode="Forms">
<forms name="Pegboard5.ASPXAUTH"
defaultUrl="~/cc/Default.aspx"
loginUrl="~/cc/WindowsLogin.aspx"
protection="All"
timeout="30"
slidingExpiration="true"
path="/cc" />
</authentication>
Standard (Forms authentication only)
<authentication mode="Forms">
<forms name="Pegboard5.ASPXAUTH"
loginUrl="~/cc/Login.aspx"
protection="All"
timeout="30"
slidingExpiration="true" path="/" />
</authentication>
The following location sections need to be added to the web.config. These can be added below the existing location sections.
<location path="cc/Login.aspx">
<system.web>
<authorization>
<allow users="?" />
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="true" />
<windowsAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
<location path="cc/WindowsLogin.aspx">
<system.web>
<authorization>
<deny users="?" />
<allow users="*" />
</authorization>
</system.web>
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
</location>