For internal communities that need to sync members with Active Directory, Windows authentication can be enabled using this guide.
The Windows SSO module is configured through the communityserver.config file. Rather than editing that file directly (a future Telligent Community upgrade will overwrite it and wipe out your changes), make the changes through an external communityserver_override.config file. (Note: out of the box, Telligent Community does not ship a communityserver_override.config file; you create it yourself.)
To enable the Windows Authentication module, we'll set the extensionModules's enabled attribute to true by adding an Override entry into the communityserver_override.config file:
<Override xpath="/CommunityServer/Core/extensionModules" mode="change" name="enabled" value="true" />
The following options may be configured. To configure a particular option, add the corresponding override to your communityserver_override.config file. To use a value other than the one in the example, replace the value attribute of the override with your own. The same override file must be present for the Job Service: copy your changed communityserver_override.config into the Telligent Job Service directory, overwriting the pre-packaged override file if one exists. The default path for this directory is C:\Program Files\Telligent\Job Service.
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="allowAutoUserRegistration" value="false" />
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="adminWindowsGroupIsSystemAdministrator" value="false" />
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="adminWindowsGroup" value="MyAdministrativeGroup" />
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="stripDomainName" value="false" />
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="emailDomain" value="@Telligent.com" />
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']" mode="change" name="profileRefreshInterval" value="1" />
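Because every entry above is applied by XPath at runtime, a typo in the xpath or in the attribute name silently does nothing. The following PowerShell script is an added example (it is not Telligent's code and is not part of the original page): it loads communityserver.config, replays each mode="change" Override from communityserver_override.config exactly as described (set attribute name to value on the node matched by xpath), prints each change, and then warns about the two settings that decide who gets an account and who becomes an administrator. The file paths are assumptions; only mode="change" is simulated because it is the only mode this page uses, and the meaning attached to allowAutoUserRegistration in the warning is inferred from the option's name.

```powershell
# Added example (not Telligent's code): dry-run communityserver_override.config against communityserver.config.
# Paths are assumptions; adjust to your web root. Nothing is written unless -OutFile is given.
param(
    [string]$BaseConfig     = 'C:\inetpub\community\communityserver.config',
    [string]$OverrideConfig = 'C:\inetpub\community\communityserver_override.config',
    [string]$OutFile                       # optional: where to save the merged preview
)

[xml]$base     = Get-Content -LiteralPath $BaseConfig -Raw
[xml]$override = Get-Content -LiteralPath $OverrideConfig -Raw

# Match <Override> anywhere so the root element name of the override file does not matter.
foreach ($o in $override.SelectNodes('//Override')) {
    $xpath = $o.GetAttribute('xpath')
    $mode  = $o.GetAttribute('mode')
    $name  = $o.GetAttribute('name')
    $value = $o.GetAttribute('value')

    $targets = $base.SelectNodes($xpath)
    if ($targets.Count -eq 0) {
        Write-Warning "No node in $BaseConfig matches xpath '$xpath' (XPath and @name values are case-sensitive)"
        continue
    }
    if ($mode -ne 'change') {
        Write-Warning "mode='$mode' is not simulated here; this page only uses mode='change'"
        continue
    }
    foreach ($t in $targets) {
        $before = if ($t.HasAttribute($name)) { $t.GetAttribute($name) } else { '<absent>' }
        $t.SetAttribute($name, $value)
        '{0}@{1}: {2} -> {3}' -f $xpath, $name, $before, $value
    }
}

# Review the merged result for the two security-relevant switches.
$wa = $base.SelectSingleNode("/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']")
if ($wa) {
    if ($wa.GetAttribute('allowAutoUserRegistration') -eq 'true') {
        # Inferred from the option name: accounts are created for any authenticated Windows user.
        Write-Warning 'allowAutoUserRegistration=true: community accounts will be created automatically for Windows users'
    }
    if ($wa.GetAttribute('adminWindowsGroupIsSystemAdministrator') -eq 'true' -and -not $wa.GetAttribute('adminWindowsGroup')) {
        Write-Warning 'adminWindowsGroupIsSystemAdministrator=true but adminWindowsGroup is empty'
    }
}

if ($OutFile) {
    $base.Save($ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($OutFile))
}
```

Run it once against the web directory's copy and once against the Job Service copy; the two override files should produce identical output.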
By default, Telligent Community only allows the most common characters to be used in a user name. Usernames are limited to:
If the user names in your Active Directory include characters other than these, you must explicitly configure Telligent Community to allow nonstandard characters in user names in Administration > Authentication > Authentication Options.
Open up the web.config file and find the line which looks like:
and change it to
Internet Information Services (IIS), by default, allows anonymous users to reach your community without logging in. Disable anonymous authentication within IIS on every web server in your environment so that every request must carry Windows credentials; users who are not logged into the domain are then challenged instead of being treated as anonymous visitors. You also need to configure IIS to accept Windows credentials:
At this point you can now authenticate against Active Directory.
It's important to test it from another computer or virtual machine. Occasionally Microsoft IIS can get into an infinite loop when you try to view a Windows Auth protected site from the same computer that is hosting that site. If you encounter authentication errors when using Windows Authentication against localhost, refer to Microsoft's KB 896861.
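The web.config, IIS and loopback steps above, collected into one PowerShell script as an added example (not Telligent's code and not part of the original page). Assumptions: the site name and physical path are placeholders, the script runs from an elevated prompt with the WebAdministration module and the IIS Windows Authentication role service installed, and the web.config line this page elides is taken to be ASP.NET's standard <system.web><authentication mode="..."> switch.

```powershell
# Added example (not Telligent's code): switch one IIS site to Windows authentication end to end.
# Assumed: site name, web root, elevated prompt, WebAdministration module, IIS Windows Authentication feature installed.
param(
    [string]$SiteName = 'Default Web Site',
    [string]$WebRoot  = 'C:\inetpub\community'
)
Import-Module WebAdministration

# 1. web.config: ASP.NET must accept the identity IIS negotiates instead of running its own login.
#    (Assumption: this is the web.config change the page refers to.)
$webConfig = Join-Path $WebRoot 'web.config'
[xml]$cfg = Get-Content -LiteralPath $webConfig -Raw
$auth = $cfg.SelectSingleNode('/configuration/system.web/authentication')
if (-not $auth) { throw "No <system.web><authentication> element in $webConfig" }
"web.config authentication mode: '{0}' -> 'Windows'" -f $auth.GetAttribute('mode')
$auth.SetAttribute('mode', 'Windows')
$cfg.Save((Resolve-Path -LiteralPath $webConfig).ProviderPath)

# 2. IIS: anonymous off, Windows on. These sections are locked at server level by default, so they are
#    written with -Location into applicationHost.config rather than into the site's own web.config.
$iis = @{ PSPath = 'IIS:\'; Location = $SiteName }
Set-WebConfigurationProperty @iis -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty @iis -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled -Value $true

# 3. Verify; repeat the script on every web server in the farm.
$anon = Get-WebConfigurationProperty @iis -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
$win  = Get-WebConfigurationProperty @iis -Filter 'system.webServer/security/authentication/windowsAuthentication'   -Name enabled
'anonymousAuthentication={0} windowsAuthentication={1}' -f $anon.Value, $win.Value

# 4. Only if you must test from the server itself (KB 896861): register the site's host name so the
#    loopback check accepts it. Prefer this over DisableLoopbackCheck, which disables the check for every name.
# $hostNames = @('community.mycompany.com')   # assumed host header(s) of the site
# New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -Name BackConnectionHostNames `
#     -PropertyType MultiString -Value $hostNames -Force
```

Step 4 stays commented out on purpose: the loopback check exists to block reflection attacks against the server's own credentials, and testing from a second machine, as the text recommends, avoids touching it at all.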
Telligent Community supports the use of LDAP for syncing role and profile information between your community and Active Directory. This setup is not necessary simply to authenticate against Active Directory, but setting up the synchronization job lets user profiles and user roles be synchronized.
All steps must be followed before LDAP will work on your community.
Open the Packages.config file in both the community's web directory and the Job Server directory (by default C:\Program Files\Telligent\Job Service).
Out of the box, your packages.config file should contain the following. If you do not see this section, add it verbatim:
<?xml version="1.0" encoding="utf-8"?>
<!-- This file determines which packages have been added to Telligent Community -->
<Packages>
  <Package Name="Evolution" Version="1.0" DateInstalled="2009-03-09" Id="12994783-22B4-47fe-822A-B71B6F1B6C83" />
</Packages>
The package is required and should not be removed.
To enable the LDAP package, add (do not substitute) the following line between the <Packages> tags in both files:
<Package Name="Ldap" Version="1.0" DateInstalled="2009-03-09" Id="4BF1091D-376C-42b2-B375-E2FE9480E845" />
This file is case-sensitive: if you write "name" instead of "Name", the package will not be recognized and your configuration will fail. The "Id" is a GUID and must be unique across all of the Package entries.
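The two mistakes just described, a mis-cased attribute and a duplicated Id, are easy to make by hand and produce no helpful error. The following PowerShell script is an added example (not Telligent's code and not part of the original page): it validates Packages.config for exact attribute casing, GUID-shaped and unique Ids and the presence of the required Evolution package, and only then appends the Ldap package entry from the text. The path is a placeholder; run it once per copy of the file.

```powershell
# Added example (not Telligent's code): validate Packages.config and register the Ldap package.
# Run once for the web directory and once for the Job Server directory (assumed paths); both copies must match.
param(
    [Parameter(Mandatory)][string]$PackagesConfig   # e.g. C:\inetpub\community\Packages.config
)

[xml]$doc = Get-Content -LiteralPath $PackagesConfig -Raw
$root     = $doc.DocumentElement                    # <Packages>
$required = 'Name', 'Version', 'DateInstalled', 'Id'
$problems = @()

foreach ($p in $root.SelectNodes('Package')) {
    $label = $p.GetAttribute('Name')
    # Attribute names are case-sensitive: "name" is not "Name". -cnotin compares case-sensitively.
    foreach ($attr in $p.Attributes) {
        if ($attr.Name -cnotin $required) { $problems += "Unexpected attribute '$($attr.Name)' on Package '$label' (check case)" }
    }
    foreach ($r in $required) {
        if (-not $p.HasAttribute($r)) { $problems += "Package '$label' is missing attribute '$r'" }
    }
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($p.GetAttribute('Id'), [ref]$guid)) { $problems += "Package '$label' has a non-GUID Id" }
}

# Ids must be unique across all Package entries; compare upper-cased so letter case cannot hide a duplicate.
$dupes = $root.SelectNodes('Package') |
    Group-Object { $_.GetAttribute('Id').ToUpperInvariant() } |
    Where-Object Count -gt 1
foreach ($d in $dupes) { $problems += "Duplicate Id $($d.Name) used by $($d.Count) packages" }

# The Evolution package is required and must never be removed.
if (-not $root.SelectSingleNode("Package[@Name='Evolution']")) { $problems += 'Required Evolution package is missing' }

if ($problems) {
    $problems | Write-Warning
    throw "Fix $PackagesConfig before enabling LDAP"
}

# Add (never substitute) the Ldap package with the Id given on this page.
if (-not $root.SelectSingleNode("Package[@Name='Ldap']")) {
    $ldap = $doc.CreateElement('Package')
    $ldap.SetAttribute('Name',          'Ldap')
    $ldap.SetAttribute('Version',       '1.0')
    $ldap.SetAttribute('DateInstalled', '2009-03-09')
    $ldap.SetAttribute('Id',            '4BF1091D-376C-42b2-B375-E2FE9480E845')
    [void]$root.AppendChild($ldap)
    $doc.Save((Resolve-Path -LiteralPath $PackagesConfig).ProviderPath)
    "Added Ldap package to $PackagesConfig"
} else {
    "Ldap package already present in $PackagesConfig"
}
```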
Update the LDAP.config file with your mappings of Telligent profile fields to AD attributes. See "How do I control which Active Directory (AD) fields are synchronized and editable on member profiles?" for details on configuring the LDAP.config file.
Supply your LDAP connection details to Telligent Community by doing the following:
Open both the web.config file in your web directory, and Telligent.Jobs.Server.exe.config in your Job Server directory.
In the <configSections> element at the top of each file, register the LdapConnection section handler:
<configSections>
  <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
</configSections>
Then add the section below immediately after the closing </configSections> tag (so that it sits between </configSections> and <appSettings>), appending your own domain controller or domain name after LDAP://:
<LdapConnection>
  <add key="Server" value="LDAP://" />
  <add key="Port" value="389" />
  <add key="Authentication" value="Secure" />
</LdapConnection>
The attributes of an LDAP connection provide the following elements:
Save both files.
You should now be able to sync LDAP roles to Telligent Community, as well as the profile fields configured in ldap.config.
To make LDAP work in a multi-domain environment, point Telligent Community at the Global Catalog server of the forest root domain. To do this, change the Server and Port settings in the LdapConnection section of your web.config (and of Telligent.Jobs.Server.exe.config): use GC:// instead of LDAP:// for the Server, and port 3268 instead of 389. With a plain LDAP:// connection, Telligent Community can only look up users within that one domain; through the Global Catalog it can look up users and groups in the child domains as well.
<LdapConnection>
  <add key="Server" value="GC://mycompany.com" />
  <add key="Port" value="3268" />
  <add key="Authentication" value="Secure" />
</LdapConnection>
The server setting is case-sensitive. Be sure that the server in the GC://mycompany.com setting is the name of the root domain in the forest.
Currently, in a multi-domain environment Telligent Community cannot write profile updates back to Active Directory: the Global Catalog is read-only, and Telligent Community does not support issuing updates to the individual domain controllers. To avoid errors, edit ldap.config and set the AccessLevel of every Attribute entry to "ReadOnly".
In a multi-domain environment, also take special care with naming conflicts across domains. If two domains each contain a user named "jdoe", Telligent Community cannot reliably determine which of the two to retrieve from LDAP.
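The LdapConnection edits described for web.config and Telligent.Jobs.Server.exe.config, and the Global Catalog variant with its read-only ldap.config follow-up, as one PowerShell script. This is an added example, not Telligent's code and not part of the original page. It registers the section handler, writes the three keys, refuses a Server value that does not start with LDAP:// or GC:// (case-sensitive, as the text notes) and warns when the port does not match the scheme. File paths and host names are placeholders; the exact nesting of Attribute entries in ldap.config is not shown on this page and is assumed to be reachable with the XPath //Attribute[@AccessLevel].

```powershell
# Added example (not Telligent's code): register and fill the LdapConnection section in web.config and
# Telligent.Jobs.Server.exe.config. Both share the .NET <configuration> layout, so one function serves both.
function Set-LdapConnection {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$Server,       # 'LDAP://dc01.mycompany.com' or 'GC://mycompany.com'
        [int]$Port = 389
    )
    # Scheme and port go together: plain LDAP on 389, the forest Global Catalog on 3268.
    # The Server value is case-sensitive, so the comparison is case-sensitive too (-clike).
    $expected = if ($Server -clike 'GC://*') { 3268 } elseif ($Server -clike 'LDAP://*') { 389 } else { $null }
    if ($null -eq $expected) { throw "Server must start with LDAP:// or GC:// (case-sensitive): '$Server'" }
    if ($Port -ne $expected) { Write-Warning "Port $Port does not match $Server; the documented port is $expected" }

    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $root = $cfg.DocumentElement                     # <configuration>

    # 1. Declare the section handler. .NET requires <configSections> to be the first child of <configuration>.
    $sections = $root.SelectSingleNode('configSections')
    if (-not $sections) { $sections = $root.PrependChild($cfg.CreateElement('configSections')) }
    if (-not $sections.SelectSingleNode("section[@name='LdapConnection']")) {
        $s = $cfg.CreateElement('section')
        $s.SetAttribute('name', 'LdapConnection')
        $s.SetAttribute('type', 'System.Configuration.NameValueSectionHandler')
        [void]$sections.AppendChild($s)
    }

    # 2. Write <LdapConnection> directly after </configSections>, replacing any keys already there.
    $conn = $root.SelectSingleNode('LdapConnection')
    if (-not $conn) { $conn = $root.InsertAfter($cfg.CreateElement('LdapConnection'), $sections) }
    $conn.RemoveAll()
    $keys = [ordered]@{ Server = $Server; Port = "$Port"; Authentication = 'Secure' }
    foreach ($k in $keys.Keys) {
        $add = $cfg.CreateElement('add')
        $add.SetAttribute('key',   $k)
        $add.SetAttribute('value', $keys[$k])
        [void]$conn.AppendChild($add)
    }
    $cfg.Save((Resolve-Path -LiteralPath $ConfigPath).ProviderPath)
}

# The Global Catalog is read-only, so in a multi-domain setup mark every mapped attribute ReadOnly in ldap.config.
# Assumption: ldap.config holds <Attribute ... AccessLevel="..."> entries as the text describes; nesting not shown.
function Set-LdapConfigReadOnly {
    param([Parameter(Mandatory)][string]$LdapConfigPath)
    [xml]$ldap = Get-Content -LiteralPath $LdapConfigPath -Raw
    $changed = 0
    foreach ($a in $ldap.SelectNodes('//Attribute[@AccessLevel]')) {
        if ($a.GetAttribute('AccessLevel') -cne 'ReadOnly') { $a.SetAttribute('AccessLevel', 'ReadOnly'); $changed++ }
    }
    $ldap.Save((Resolve-Path -LiteralPath $LdapConfigPath).ProviderPath)
    "$changed Attribute entries set to ReadOnly in $LdapConfigPath"
}

# Usage (assumed paths and names). Single domain, both files:
#   Set-LdapConnection -ConfigPath 'C:\inetpub\community\web.config' -Server 'LDAP://dc01.mycompany.com' -Port 389
#   Set-LdapConnection -ConfigPath 'C:\Program Files\Telligent\Job Service\Telligent.Jobs.Server.exe.config' `
#       -Server 'LDAP://dc01.mycompany.com' -Port 389
# Forest with child domains: point both files at the root domain's Global Catalog, then lock profile sync to read-only:
#   Set-LdapConnection -ConfigPath 'C:\inetpub\community\web.config' -Server 'GC://mycompany.com' -Port 3268
#   Set-LdapConfigReadOnly -LdapConfigPath 'C:\inetpub\community\ldap.config'
```

Keep Authentication at "Secure" as the page shows; the scheme check exists because a Server of "ldap://" in lower case or "GC://" on port 389 fails only at sync time, with no hint that the connection string was the cause.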