How can I enable authentication via Windows / Active Directory (AD)?

For internal communities that need to sync members with Active Directory, Windows authentication can be enabled using this guide.

[toc]

Configure Telligent Community for Windows Authentication

The Windows SSO Module is configured through the communityserver.config file. As an alternative to directly editing this file (because applying a future upgrade to Telligent Community will wipe out changes), we can make our changes through an external communityserver_override.config file. (Note: Out of the box, Telligent Community does not include a communityserver_override.config file. 

Enable the Windows Authentication Module

To enable the Windows Authentication module, we'll set the extensionModules's enabled attribute to true by adding an Override entry into the communityserver_override.config file: 

<Override xpath="/CommunityServer/Core/extensionModules"
    mode = "change"
    name="enabled"
    value="true" />

Configure the Windows Authentication Module

The following options may be configured. To configure a particular option, add the provided override into your communityserver_override.config file. If you want to use a different value for the option than used in the example, replace the highlighted section of the overrides with your own value. Copy your changed communityserver_override.config file into your Telligent Job Service directory, overwriting the pre-packaged override file if one exists. The default path for this file is C:\Program Files\Telligent\Job Service.

1. allowAutoUserRegistration (Default: true)
   Determines whether you want Telligent Community to automatically create new accounts if an authenticated user who doesn't already have an account accesses Telligent Community. To turn this setting off, use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="allowAutoUserRegistration"
       value="false" />

2. adminWindowsGroupIsSystemAdministrator (Default: true)
   Controls whether members of the Administrators group are automatically treated as administrators by Telligent Community. To turn this setting off, use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="adminWindowsGroupIsSystemAdministrator"
       value="false" />

3. adminwindowsGroup (Default Administrators)
   If adminWindowsGroupIsSystemAdministrator is set to true, this specifies the role which will be automatically added as an administrator in Telligent Community. To change this role to MyAdministrativeGroup, use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="adminWindowsGroup"
       value="MyAdministrativeGroup" />

4. stripDomainName (Default: true)
   Windows usernames are normally in the form DOMAIN\UserNameNAME. By default, Telligent Community strips the domain name from a user's username when creating the user. If you do not want to strip the domain name, use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="stripDomainName"
       value="false" />

5. emailDomain (Default: @TempURI.org)
   Specifies the domain name that is appended to a user's username when creating the user in Telligent Community. To change this to Telligent.com, use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="emailDomain"
       value="@Telligent.com" />

6. profileRefreshInterval (Default: 7)
   Specifies the interval (in days) after which Telligent Community will refresh users. To change this value to occurring every day (every 24 hours), use the following override:

   <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
       mode="change"
       name="profileRefreshInterval"
       value="1" />

Validate the Username Pattern

By default, Telligent Community only allows the most common characters to be used in a user name. Usernames are limited to:

• Alphanumeric characters (A-z, 0-9)
• Underscores (_)
• Hyphens (-)
• Periods (.)
• At signs (@)
• Spaces

If the user names in your Active Directory include characters other than these, you must explicitly configure Telligent Community to allow nonstandard characters in user names in Administration > Authentication > Authentication Options.

Change the Authentication Mode to Windows

Open up the web.config file and find the line which looks like:

<authentication mode="Forms">

and change it to 

<authentication mode="Windows">

Configure IIS

Internet Information Services (IIS), by default, allows anonymous users to access your community without being required to log in. Disable anonymous authentication within IIS on every web server in your environment, preventing users who aren't already logged into the network from being recognized. You also need to configure IIS to accept Windows credentials:

1. Open IIS Manager.
2. Browse to your Telligent Community website in the Connections pane.
3. In the IIS section of the right pane, in Features View, double-click Authentication.
4. Disable all authentication types except Windows Authentication, leaving Windows Authentication as the only enabled authentication type.

At this point you can now authenticate against Active Directory.  

It's important to test it from another computer or virtual machine. Occasionally Microsoft IIS can get into an infinite loop when you try to view a Windows Auth protected site from the same computer that is hosting that site. If you encounter authentication errors when using Windows Authentication against localhost, refer to Microsoft's KB 896861.

Setup the Role and Profile Synchronization Job

Telligent Community supports the use of LDAP for syncing Role and Profile information between your community and Active Directory. While this setup is not neccessary to simply authenticate against Active Directory, setting up the synchronization job enables the user profile and user roles to be synchronized.

Install the LDAP Package

All steps must be followed before LDAP will work on your community.

1. Open the Packages.config file in both community's web directory, and Job Server (by default).

   Out of the box, you should have the following in your packages.config file. However, if you do not see this section, add it verbatim:

   <?xml version="1.0" encoding="utf-8"?>
   <!-- This file determines which packages have been added to Telligent Community -->
   <Packages>
      <Package Name="Evolution" Version="1.0" DateInstalled="2009-03-09" Id="12994783-22B4-47fe-822A-B71B6F1B6C83" />
   </Packages>

   The package is required and should not be removed.

2. To configure LDAP authentication, you will need to add (not substitute) the following line between the “<Packages>” tags in the XML:

   <Package Name="Ldap" Version="1.0" DateInstalled="2009-03-09" Id="4BF1091D-376C-42b2-B375-E2FE9480E845" />

   This file is case-sensitive, so if you use "name" instead of "Name" then you will have issues with your configuration. Also, the "Id" must be a unique number across all of the package entries.

Configuring LDAP Connection Details

1. Update the LDAP.config file with your the mappings of Telligent to AD profile fields. See How do I control which Active Directory (AD) fields are synchronized and editable on member profiles? for details on configuring the LDAP.config file.

2. Supply your LDAP connection details to Telligent Community by doing the following:

   1. Open both the web.config file in your web directory, and Telligent.Jobs.Server.exe.config in your Job Server directory.

   2. Locate the line that says <configSections>. In this top section, add the following line:
      <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
      This section does not go in any of the existing section groups. Place the line right before the closing tag of <configSections>as in the following example:

       <configSections>
             <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
       </configSections>

   3. Add the section below right after the closing tag of </configSections> (so that it's between </configSections> and <appSettings>).

      <LdapConnection>
         <add key="Server" value="LDAP://" />
         <add key="Port" value="389" />
         <add key="Authentication" value="Secure" />
      </LdapConnection>

      The attributes of an LDAP connection provide the following elements:

      Attribute Name	Attribute Description
      Server	The address where the LDAP server can be found.  If configured with "LDAP:\\" or "GC:\\", then the directory servers are auto detected based on teh current machine's Active Directory domain memberhsip.
      Port	The port number where the LDAP server is listening for requests.
      BaseDN	The base Distinguished Name.
      UserDN	The Distinguished Name for the user that will be used by Community Server to connect to the LDAP server.  If not specified, will connect as your Application Pool Identity.
      Password	The password that will be used by Community Server to connect to the LDAP server.  If not specified, will connect as your Application Pool Identity.
      Authentication	The authentication type that will be used on the connection. Default is Secure. A value of Secure will result in NTLM authentication being used. A value of SecureSocketsLayer will result in an SSL- encrypted authentication being used. More values can be found in the "Members" table here.

       

   4.  Save the web.config file.

3. You should now be able to sync LDAP roles to Telligent Community as well as the profile fields configured in ldap.config

Considerations for a Multi-Domain Environment

To configure LDAP to work in a multi-domain environment, you need to point Telligent Community to the top-level domain's Global Catalog server. To do this, you need to change the server and port settings in the LdapConnection section of your web.config. You should change the Server to use GC:// instead of LDAP://. When using just LDAP://, Telligent Community will only be able to look up users within that specific domain. By using the Global Catalog, it is able to look up users and groups in any child domains as well. Use port 3268 instead of port 389.

<LdapConnection>
   <add key="Server" value="GC://mycompany.com" />
   <add key="Port" value="3268" />
   <add key="Authentication" value="Secure" />
</LdapConnection>

The server setting is case-sensitive. Be sure that the server in the GC://mycompany.com setting is the name of the root domain in the forest.

Currently when using a multi-domain environment, Telligent Community won't be able to allow profile updates. The Global Catalog is read-only, and Telligent Community doesn't support issuing updates to the individual domain controllers within the environment. To avoid any issues, it is recommended to edit the ldap.config and change the AccessLevel settings to "ReadOnly" for all Attribute entries.

With a multi-domain environment, take special care about potential naming conflicts across domains. If there are two users with the username "jdoe" across two domains, Telligent Community may have issues knowing which user to retrieve from LDAP.