I want to use mixed mode authentication in my application.
I want Windows AD Authentication for intranet users and Forms authentication for internet users.
How can I configure this?
Check out the Kentico documentation for Mixed Mode Authentication.
Essentially you will:
determine if you want to import AD roles or not (web.config key)
Add an LDAP connection string to your web.config
Modify the membership and roleManager elements under the configuration/system.web section in your web.config to use the AD connection string and provider
map the username field
It's not a hard setup really and much easier if you don't have users already in the Kentico system. If the username already exists in Kentico, the user will NOT be imported into Kentico from AD.
I registered one existing .NET application in Azure AD enterprise application for SSO. When I access this application using the external URL, it prompts me for Microsoft Sign-in. Is there a way to avoid the Microsoft Sign-in page? In a few online articles, I found that you can pass "domain_hint" in the sign-in URL. Let me know if there is a way to set up a domain hint in the sign-in URL while registering the enterprise app.
You can enable true single sign-on through the process highlighted in this Microsoft document (published one week ago). You can use a domain-joined device so that the users can sign on silently and do not need to enter a username and password. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
Please see the quick start guide as well. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-quick-start
The way you make use of Domain_Hint will depend on a few details about your application -
What protocol you use to talk to your Azure AD?
Depending on the protocol, you'll need to pass the domain hint in the sign in URL for your application as shown below:
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
Whether your application is single-tenant or multi-tenant?
If it's single tenant, then it's simple - pass the domain hint for domain of one tenant that uses this application.
If it's multi-tenant, then it needs to be conditional and you need to know the tenant beforehand so you can pass the hint correctly to the sign-in URL. For example, if the URL hit by each tenant is different, then that could help you. Look at this part in the Microsoft documentation:
For example, the application "largeapp.com" might enable their customers to access the application at a custom URL "contoso.largeapp.com." The app might also include a domain hint to contoso.com in the authentication request.
Here are the 2 best Microsoft documentation Links on this topic that I came across:
Domain Hints
Using Azure AD to land users on their custom login page from within your app
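An added example, not part of the original answer: a Python sketch of the multi-tenant case described above, where the request host (such as contoso.largeapp.com) selects the hint and the protocol selects the parameter name. The host-to-domain table, the function names and the sample sign-in URL are assumptions made for illustration; the host is looked up in a fixed table rather than copied into the URL.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hint parameter per protocol, as listed in the answer above.
HINT_PARAM = {"wsfed": "whr", "saml": "whr", "oidc": "domain_hint"}

# Constructed allowlist: application host name -> that customer's domain.
TENANT_DOMAINS = {
    "contoso.largeapp.com": "contoso.com",
    "fabrikam.largeapp.com": "fabrikam.com",
}


def domain_for_host(host):
    """Return the tenant domain for a request host, or None if unknown."""
    name = host.strip().lower()
    if ":" in name:                      # drop an explicit port
        name = name.rsplit(":", 1)[0]
    # Look the name up instead of echoing the Host header into the URL.
    return TENANT_DOMAINS.get(name.rstrip("."))


def add_domain_hint(sign_in_url, protocol, host):
    """Return sign_in_url with the protocol's hint set for this host."""
    param = HINT_PARAM[protocol]         # KeyError for an unknown protocol
    domain = domain_for_host(host)
    parts = urlsplit(sign_in_url)
    # Remove any hint already in the URL so only the mapped value is sent.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in ("whr", "domain_hint")]
    if domain is not None:
        query.append((param, domain))
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sign-in URL; client_id is a placeholder.
    base = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
            "?client_id=PLACEHOLDER&response_type=code")
    print(add_domain_hint(base, "oidc", "contoso.largeapp.com"))
    print(add_domain_hint(base, "oidc", "unknown.largeapp.com"))
```

An unknown host gets no hint at all, so the user falls back to the normal sign-in page.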
I have a SharePoint 2010 application that has a default zone and an extended internet zone. The application uses classic mode authentication. I want to convert the application to use claims based authentication. I followed this article http://bit.ly/9StUpd and http://technet.microsoft.com/en-us/library/gg251985.aspx to create a sample application and it works fine.
I have configured default zone to use windows auth and the extended zone to use Forms based authentication. I have only modified the web.config of extended application to use the connection string and membership provider settings as mentioned in the article.
Now my question is: do I need to configure the web.config of the Default zone to use the asp.net membership provider settings?
I'm not able to search asp.net membership provider users in the people picker. The reason is I want to assign a user in asp.net sql membership provider database as site collection administrator so that they have access to all the site menu items.
I have a web application using windows authentication. I also want to authenticate non-domain users against AD. Can I have domain members enter the site directly, and non-members enter their domain username and password?
How can I do this?
It is possible to do this but you probably want to have 2 distinct web applications running accessing a similar set of application code.
Web application 1 is configured to use Windows authentication.
Web application 2 is configured to use Forms authentication. You need to have some additional code in this application which allows a user to authenticate themselves using LDAP against the active directory. This code is placed in an authentication provider if you use ASP.NET.
Assuming you're using ASP.NET, you can write a custom provider that first auths against your AD, then a non AD store.
Or you can use multiple providers, ActiveDirectoryMembershipProvider and then for example SqlMembershipProvider.
I've imported a bunch of users into my Active Directory with some custom fields. Then I did a profile import from Active Directory to SharePoint with all the custom fields and regular fields. After this, I needed each user to be in a site collection with a MySite set up for them. I did that by writing some code that ensured the user existed and then checked the profile attribute "personalspace" to see if a MySite had been created. Everything worked great until some of the users needed to log in from outside the network.
I'd like to get rid of the windows authentication pop-up that a user would get if they hit from outside the network (or haven't added the site to their trusted zone in IE). I've extended my web application to create an internet zone. Then I edited the web.config of the internet site to do active directory forms authentication, along with editing the Central Administrator's web.config so that it can see the data source. This is all well and good, the user can log in through a nice interface. The only problem is that now the user is detached from their user profile. Essentially SharePoint views a windows authentication user and a forms authenticated user as two separate users.
Is there a way to link the profiles? Do I have to write a custom membership provider to log a user in and then link them up to their windows account? Is there a way to log a user in from the internet web app and then spoof their windows credentials and pass it to the intranet? Do I need to recreate all the user profiles based on the forms authentication data source?
Is this what you are looking for? http://grounding.co.za/blogs/brett/archive/2008/01/09/setting-up-dual-authentication-on-windows-sharepoint-services-3-0-forms-and-ntlm.aspx
See ya
I've been trying to accomplish the same thing, with exactly the same problem - the "forms-authenticated-me" is not the same as the "windows-authenticated-me" to SharePoint, and I can't see how to map the two.
After a lot of frustrating efforts, I think I've finally realized it's not possible. In retrospect, this isn't too surprising.
Here's an excerpt from http://msdn.microsoft.com/en-us/library/bb975136.aspx (my emphasis added)...
Deciding to Use Forms Authentication
Some organizations want to use Windows users and groups in SharePoint Products and Technologies, but enter credentials via forms authentication. Before using forms authentication, determine why to use forms authentication in the first place: What is the business driver? If user accounts are stored in a location other than an Active Directory domain controller, or if Active Directory is not available in a particular environment, using forms authentication with a membership provider is a good choice. But if you want to force logon only via forms authentication, but still use Windows and all of the integrated features it provides, you should consider an alternative such as publishing the SharePoint site with Microsoft Internet Security and Acceleration (ISA) Server 2006. ISA Server 2006 allows users to log on by using a forms authentication Web form, but treats them like Windows users after authentication. This implementation provides a more consistent and compelling experience for end users.
You can set up the Forms Authentication to use the Active Directory Forms Authentication provider. You'll get the best of both worlds.
The login prompt will be the Forms Authentication prompt that you want, but the profile and login info will come from Active Directory.
Follow these instructions to configure the provider:
How To: Use Forms Authentication with Active Directory
I have created an authentication provider and went to central administration >> Authentication Providers and changed the authentication settings to Forms and filled in Membership provider and Role manager details.
Now, when I go to create a site collection under the above mentioned web application, the people picker in the create site collection page still refers to the active directory (central admin has windows authentication).
Can anyone explain this behaviour?
I actually expected the People picker in the Create site collection page to refer to the Forms database rather than active directory.
Thanks
In the web.config for your web app, you need to change the value in the <PeoplePickerWildcards> node. Change the key to your membership provider.
You need to add the configuration information for the membership provider to the web.config file for Central Administration. This will allow Central Admin to find from both AD and your own membership. There are examples on Technet for a SQL Server and an LDAP membership provider. Note how it mentions that the membership provider info needs to be added to both the web app's web.config and to Central Admin's. If you're using a Role Manager though, don't put that info in the Central Admin web.config, or at least not unless you really know what you're doing and why. :)
Once you do this the people picker should be able to find people from your FBA solution's membership provider. One little caveat if you happen to be using the same AD store (or some kind of replica) for both Windows auth and LDAP auth. You'll need to use the "prefix" of your membership provider name when specifying the user, otherwise the people picker will always look up the native AD version of that user. For example, looking up "jdoe" will always find "domain\jdoe" first. If you want jdoe from an LDAP provider pointing at that AD, you'll have to explicitly put in "ldap:jdoe" (substituting whatever you called your membership provider in the web.config for "ldap").