Windows Authentication - Add Users

3/2/2012 9:18:02 AM

Windows Authentication - Add Users

We have an Active Directory forest with one parent domain and two child domains.  I am using Windows authentication for our staff intranet with the latest version of mojoPortal running on SQL/IIS.

The problem that I am experiencing is that I don't want users to be automatically added to the mp_Users.  In particular users from the child domains should absolutely not be getting added to the database.  Here is the authorization section of web.config:

<authentication mode="Windows" />

<authorization>
  <allow roles="parentdomain\domain users" />
  <deny roles="childdomain1\domain users" />
  <deny roles="childdomain2\domain users" />
  <deny users="?" />
</authorization>

I'm finding that if users from the child domain are logged onto a computer within our network and try and access the mojo site they get added to the database automatically.  If they try and access the site through a browser on a computer outside of our domain (e.g. from home) they don't get added to the database.

I don't really even want to allow parent domain users to be automatically added.

Any ideas as to what is wrong with my setup?

Thanks, Rob

3/2/2012 9:50:50 AM

Re: Windows Authentication - Add Users

Hi Rob,

Sorry, but internally mojoPortal uses its own siteUser object, which must be reflected in the mp_Users database. Any authenticated user must have a corresponding row in this table no matter what kind of authentication is used; therefore we create one automatically upon successful authentication when using Windows auth or LDAP/AD over forms authentication.

Windows authentication only works on local networks and using IE; it cannot be used on the internet. LDAP/AD over forms auth is the only way to use existing Windows accounts over the internet. For people to use Windows Auth from home they would have to be connected to your LAN over a VPN.

But again in all cases mojoPortal needs a row in mp_Sites for each authenticated user.

Best,

Joe

3/2/2012 9:57:27 AM

Re: Windows Authentication - Add Users

Hi Joe,

We published our website a week ago using this authentication method and it is no problem logging on from outside our network (not LAN or VPN).  The box "Use LDAP Authentication" is clearly unchecked.

I have developed a SQL script to load users from our Active Directory into mp_Users.

Thanks,

Rob

3/2/2012 10:08:42 AM

Re: Windows Authentication - Add Users

Hi Rob,

I have been under the impression for a long time that Windows Auth was a local network thing only, but a quick Google found this article which indicates it does apparently work over the internet, at least for IE, but in that case IIS prompts for domain credentials, whereas on a local network the negotiation between IE and IIS would happen automatically without any prompt from IIS. According to the article I "guess" that is safe and OK if the only users who will log in will use IE.

Still, mojoPortal needs a row in mp_Users for each authenticated user.

Best,

Joe

3/2/2012 10:34:12 AM

Re: Windows Authentication - Add Users

In my testing this scenario works with all major browsers. From outside our network Chrome, Firefox and IE prompt for credentials and users can successfully log in. From inside the network IE passes credentials right in. So it is perfect for our staff intranet.

I understand that each user needs an entry in mp_Users which is why I was doing it through a SQL load.  I would like to know how to prevent the automatic entry in the Windows Authentication scenario.  The major problem is that our child domain users are not allowed access to the website, but are considered Authenticated Users on our network.  The LDAP security model has the option to uncheck "Automatically Add LDAP users on first login?".  I was hoping for the same thing with Windows.  Could this be an enhancement request?

I thought I could change the <deny users="?" /> to <deny users="*" /> and that if users weren't in the allowed roles entries it would deny them. I've done this on other ASP.NET apps. But when I use the asterisk instead of the question mark on mojoPortal it kills all access.

Just to be clear.  The child domain users are getting denied entry to the site, but are getting inserted into the database.

Thanks again,

Rob
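The behaviour Rob is reasoning about above is ASP.NET URL authorization: the rules in the <authorization> section are checked in document order, the first rule that matches the caller decides, and if no rule matches, the machine-level default <allow users="*" /> applies. The following is an added example modelling those documented semantics (my code, not mojoPortal's and not anything IIS runs) so the two variants of the last rule can be compared side by side. The principal names and group memberships are constructed for illustration; only the four rules are taken from the thread.

```python
"""Model of ASP.NET <authorization> rule evaluation.

Added example, not mojoPortal code.  Semantics implemented:
  * rules are evaluated in document order, first match wins
  * users="*" matches everyone, users="?" matches anonymous callers only
  * a rule with roles= matches if the caller holds any listed role
  * no match at all -> the inherited machine.config default, allow
Names and group memberships below are constructed, not real accounts.
"""
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str                                   # "" for an anonymous caller
    roles: set = field(default_factory=set)     # Windows group names as ASP.NET sees them

    @property
    def is_authenticated(self) -> bool:
        return bool(self.name)


@dataclass
class Rule:
    action: str                                 # "allow" or "deny"
    users: set = field(default_factory=set)     # "*", "?" or account names
    roles: set = field(default_factory=set)     # group names

    def matches(self, p: Principal) -> bool:
        if "*" in self.users:
            return True
        if "?" in self.users and not p.is_authenticated:
            return True
        if p.is_authenticated and p.name.lower() in {u.lower() for u in self.users}:
            return True
        # Windows group names are compared case-insensitively
        return bool({r.lower() for r in self.roles} & {r.lower() for r in p.roles})


def authorize(rules, principal: Principal) -> str:
    """Return the action of the first matching rule, or the implicit default."""
    for rule in rules:
        if rule.matches(principal):
            return rule.action
    return "allow"   # implicit <allow users="*" /> inherited from machine.config


# The four rules from Rob's web.config, in order.
ROB_RULES = [
    Rule("allow", roles={r"parentdomain\domain users"}),
    Rule("deny", roles={r"childdomain1\domain users"}),
    Rule("deny", roles={r"childdomain2\domain users"}),
    Rule("deny", users={"?"}),
]

# Same list with the last rule swapped for <deny users="*" />.
STAR_RULES = ROB_RULES[:-1] + [Rule("deny", users={"*"})]

# Constructed callers (hypothetical accounts and groups).
ANON = Principal("")
PARENT = Principal(r"parentdomain\rob",
                   {r"parentdomain\domain users", r"parentdomain\staff"})
CHILD = Principal(r"childdomain1\alice", {r"childdomain1\domain users"})
# Authenticated, but in none of the three groups the rules name.
OTHER = Principal(r"otherdomain\bob", {r"otherdomain\domain users"})


def decisions(rules):
    """Map each constructed caller to the decision the rule list produces."""
    return {label: authorize(rules, p)
            for label, p in (("anon", ANON), ("parent", PARENT),
                             ("child", CHILD), ("other", OTHER))}


if __name__ == "__main__":
    print("deny ?:", decisions(ROB_RULES))
    print("deny *:", decisions(STAR_RULES))
```

Two things the model makes visible. With <deny users="?" /> as the last rule, an authenticated caller who is in none of the listed groups falls through to the implicit allow, so the rule set only closes the door to anonymous callers and the two named child-domain groups; anyone authenticated from a domain or group not listed is let in. With <deny users="*" /> the fall-through becomes a deny for everyone not matched earlier, including unauthenticated callers. If the application has to serve some paths (a login page, stylesheets, scripts) to anonymous callers, that is one reason the asterisk variant can appear to "kill all access"; the thread does not say whether that is the cause in mojoPortal's case, so treat it as an assumption to check, for example by scoping the asterisk rule with a <location> element rather than applying it site-wide.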

3/2/2012 12:35:27 PM

Re: Windows Authentication - Add Users

The user is only created in the mp_Sites table if an existing user is not found in that table.

If we did not do this errors would happen because the siteUser object would be null.

LDAP is different because it uses forms authentication, so we can prevent the user from being authenticated if auto creation of the user is disabled and he does not already exist. But we have no control over that with Windows auth; the user is going to appear as authenticated no matter what we do, and if we don't automatically create a siteUser he's going to get lots of null reference exceptions, because a siteUser is expected when a user is authenticated.

Best,

Joe
