Orchard CMS with windows auth? - iis

Can Orchard work with AD and Windows authentication?
I need to allow only specific AD groups access to a blog. The rest of the site should be accessible to any valid domain user. The admin dashboard should only be accessible by another specific AD group.
[ update ]
At the suggestion of ViRuSTriNiTy, I tried the following:
- install the windowsauth module
http://gallery.orchardproject.net/Packages/Orchard.Module.AlexZh.WindowsAuthentication
- in the admin settings, I added a user for myself as "my-domain\my-user-name", where the domain name and user are mine.
- added a role to match a AD role that I am a member of and gave this role access to everything.
- switched the iis settings over to use windows auth, and turned off anonymous
- updated the web.config to use windows auth and specify the role that I setup previous
However,I cant get to the admin panel now. What could I be missing?
[ update 2 ]
After noticing the documentation link he provided (duh), I saw that I needed to enable windows auth for the modules. So I enabled IIS anonymous again (so I could log in), and updated the settings for the modules, but I see no option under Settings\Users for to enable windows auth. Did it move?
Im using v1.10.2

You can use the module AlexZh.WindowsAuthentication.
Documentation: http://orchardwinauth.codeplex.com/documentation
First you need to change the Orchard.Web project properties (in Visual Studio, click on project + F4) to ...
Anonymous Authentication: Disabled
Windows Authentication: Enabled
... and then you need to change the Orchard.Web\Web.configto something like this
<authentication mode="Windows">
<forms loginUrl="~/Users/Account/AccessDenied" timeout="2880" />
</authentication>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
<authorization>
<allow roles="YourDomain\Domain Users" />
<deny users="?" />
</authorization>
The permissions can be configured as usual based on Orchard roles.
I've been using this module since 2 years now and i'm pretty happy with it but be aware that the module has several bugs:
it might cause a deadlock, see https://github.com/OrchardCMS/Orchard/issues/7688
it creates a new user when the logged in domain user cannot be found in the Orchard DB, you might want to alter the class CustomAuthenticationService to avoid this (i can provide some code if you need it)

Related

ASP.Net MVC 5 Windows Authentication

I know that this has been asked before here, but I couldn't find a way to fix this. I'm using VS 2022/MVC 5/IISExpress and these are my configs:
web.config:
<authentication mode="Windows" />
<authorization>
<deny users="?" />
</authorization>
And these lines in my vbproj file:
<IISExpressAnonymousAuthentication>disabled</IISExpressAnonymousAuthentication>
<IISExpressWindowsAuthentication>enabled</IISExpressWindowsAuthentication>
According to the approved solution in this post the above should work, but doesn't. I am logged in to Windows using my domain account and have been added to local administrators group (Of course I'm not a domain admin, just a standard user). I can login to my web app using my own domain account, but not with other domain accounts (I have tried two different accounts). Any credentials other than mine is rejected by application. How can I fix it?

IIS Authorization Rule Issue for AD Group

I want to configure the IIS to accept only the request from users who belong to a particular AD Group. This configuration is required at Default Website level. So on Default Website I enabled Windows Authentication, went to Authorization rules option,choose Add Allow Rule and put the AD group in "Specified roles or user groups:".
This does not work with any AD group (for which I am a member). This work well when I put the AD user in the next option "Sepcified User" https://i.stack.imgur.com/hbqhK.png .
Can some one please help on what I am missing. As stated above I want to do it at Default Website level on IIS so there is no Web.config invovled.
Cheers.
Real old thread, but in case anyone Googling this issues comes across the same problem:
I could only get this to work with AD groups that are have their Group Type set to "Global" in AD. Ones set to "Security" wouldn't work for me.
In IIS this is specified under the "Roles" section on the IIS Authorization rules.
I have only Windows Authentication selected as an authentication method. Strange IIS bug?
Here is the web.config for reference
<configuration>
<system.webServer>
<security>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="" roles="DOMAIN\TestGroup" />
</authorization>
</security>
</system.webServer>
</configuration>

Unable to disable forms authentication in one of the sub folders in IIS 7.0

I have a website that is deployed on IIS 7.0 . The requirement i am looking for is very simple . The authentication at root level has form authentication enabled . But i need to disable forms authentication end enable windows authentication in one of the sub folders . But i am unable to do this ! I have tried differnt forums but nothing seems to work . Please help on this !
Problem is that with forms authentication enabled at the root level i am unable to disable forms authentication in one of the sub folders for which windows authentication needs to be enabled !
Please help!
This solution works for me, I have used it with ASP.NET applications with Forms Authentication to disable authentication:
<configuration>
...
<location path="subfolder/images">
<system.web>
<authorization>
<allow users="*" />
</authorization>
</system.web>
</location>
...
</configuration>
However, as I far as I know you can't have 2 authentication methods inside the same application. In this scenario your described you need to create a "Virtual Directory" in IIS for the subfolder instead of making it a "Sub Folder".
The Virtual Directory will allow you to declare a new web.config where you set the new authentication method in this case Windows.
For a full walkthrough on how you can perform this please refer to this site:
http://msdn.microsoft.com/en-us/library/vstudio/bb763173(v=vs.100).aspx

Authenticate with SharePoint's authenticate.asxm web service

I am trying to authenticate with the sharepoint authenticate web service in an account I have.
I get an error saying NotInFormsAuthenticationMode.
How do I change it from forms to none or windows?
I tried with:
myReference.Authentication auth = new myReference.Authentication();
myReference.AuthenticationMode = myReference.AuthenticationMode.None;
but it says myReference.AuthenticationMode is a type. which is not valid in the given context.
Suggestions?
Any help is appreciated.
Your sharepoint server needs to be modified...
See steps 5, 6 and 7 here:
simple-talk.com/dotnet/windows-forms/configuring-forms-authentication-in-sharepoint-2007/
This is all done in central administration.
Normally in other asp.net applications you would do this through the web.config to look something like this:
<!-- Web.config file -->
<system.web>
<authentication mode="Forms">
<forms forms="401kApp" loginUrl="/login.aspx" />
</authentication>
</system.web>
Edit:
Alright, if you cant change windows authentication then you need to change the way you're authenticating. If impersonate is enabled in the authentication of the sharepoint site than you can programatically impersonate a user.
See http://msdn.microsoft.com/en-us/library/ms998351.aspx ("Impersonating by using LogonUser")

SharePoint and <identity impersonate="false" />

I would like to use integrated authentication to access a SQL database from a web part. It should use the IIS Application pool identity.
By default you will get the error:
System.Data.SqlClient.SqlException: Login failed for user 'SERVER\IUSR_VIRTUALMACHINE'.
Because in web.config impersonation is set to true:
<identity impersonate="true" />
I can set this to false and the database code will work. Anonymously accessed sites will also work. Any SharePoint site that uses authentication will fail however so this is not really a solution..
To solve this would I have to encapsulate all my database access code to run with elevated priviliges, is that how SharePoint does it internally? Somehow that doesn't seem like the most performant solution.
Is that still the way to go, just use SQL security to access databases from SharePoint custom web parts?
The <identity /> and <authentication /> elements in the web.config file will together determine the account that is used in to connect to SQL Server when using integrated authentication.
When <authentication mode="Windows" /> is configured, you're deferring to IIS to authenticate users. I'm guessing that your your web.config contains:
<authentication mode="Windows" />
<identity impersonate="true" />
and that IIS is configured to allow anonymous users. Setting <identity impersonate="true" /> causes IIS to pass the identity of the IIS anonymous access account to SQL Server.
As Lars point out, using SPSecurity.RunWithElevatedPrivileges will achieve what you want. I don't believe you'll see any noticeable impact on performance but that's something you can test :-)
Use SPSecurity.RunWithElevatedPrivileges to run your code in the context of the app pool identity.
This is incorrect. Because <identity impersonate="true" /> is set to true ASP.NET / IIS will run the thread as the user that is currently logged in (so not the app pool account but the actual user logged into the website).
Something else is going on here. Could you post your connection string for the custom database? (minus the private data off course)

Resources