Telligent Community 10.x

How can I enable authentication via Windows / Active Directory (AD)?

If you want to authenticate to an external Active Directory, we recommend using SAML with ADFS instead of Windows / Active Directory authentication as outlined in this document. 

For internal communities that need to sync members with Active Directory, Windows authentication can be enabled using this guide.


Configure Telligent Community for Windows Authentication

The Windows SSO Module is configured through the communityserver.config file. Because applying a future upgrade to Telligent Community will wipe out changes made directly to this file, we can instead make our changes through an external communityserver_override.config file. (Note: Out of the box, Telligent Community does not include a communityserver_override.config file.)

Enable the Windows Authentication Module

To enable the Windows Authentication module, we'll set the enabled attribute of extensionModules to true by adding an Override entry to the communityserver_override.config file:

<Override xpath="/CommunityServer/Core/extensionModules"
mode="change"
name="enabled"
value="true" />

Configure the Windows Authentication Module

The following options may be configured. To configure a particular option, add the provided override into your communityserver_override.config file. If you want to use a different value for the option than used in the example, replace the highlighted section of the overrides with your own value. Copy your changed communityserver_override.config file into your Telligent Job Service directory, overwriting the pre-packaged override file if one exists. The default path for this file is C:\Program Files\Telligent\Job Service.

  1. allowAutoUserRegistration (Default: true)
    Determines whether you want Telligent Community to automatically create new accounts if an authenticated user who doesn't already have an account accesses Telligent Community. To turn this setting off, use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="allowAutoUserRegistration"
    value="false" />
  2. adminWindowsGroupIsSystemAdministrator (Default: true)
    Controls whether members of the Administrators group are automatically treated as administrators by Telligent Community. To turn this setting off, use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="adminWindowsGroupIsSystemAdministrator"
    value="false" />
  3. adminWindowsGroup (Default: Administrators)
    If adminWindowsGroupIsSystemAdministrator is set to true, this specifies the role which will be automatically added as an administrator in Telligent Community. To change this role to MyAdministrativeGroup, use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="adminWindowsGroup"
    value="MyAdministrativeGroup" />
  4. stripDomainName (Default: true)
    Windows usernames are normally in the form DOMAIN\UserName. By default, Telligent Community strips the domain name from a user's username when creating the user. If you do not want to strip the domain name, use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="stripDomainName"
    value="false" />
  5. emailDomain (Default: @TempURI.org)
    Specifies the domain name that is appended to a user's username when creating the user in Telligent Community. To change this to Telligent.com, use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="emailDomain"
    value="@Telligent.com" />
  6. profileRefreshInterval (Default: 7)
    Specifies the interval (in days) after which Telligent Community will refresh users. To refresh users every day (every 24 hours), use the following override:
    <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
    mode="change"
    name="profileRefreshInterval"
    value="1" />

Validate the Username Pattern

By default, Telligent Community only allows the most common characters to be used in a user name. Usernames are limited to:

  • Alphanumeric characters (A-z, 0-9)
  • Underscores (_)
  • Hyphens (-)
  • Periods (.)
  • At signs (@)
  • Spaces

If the user names in your Active Directory include characters other than these, you must explicitly configure Telligent Community to allow nonstandard characters in user names in Administration > Authentication > Authentication Options.
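
The following pre-flight check is an added example, not part of the original documentation or of Telligent Community. It applies the stripDomainName behaviour and the character list above to a constructed list of Windows logins and reports names that fall outside the default set or that collide once the domain is stripped. The regular expression is an approximation built from the list above, and comparing names case-insensitively is an assumption.

```python
import re
from collections import defaultdict

# Character set taken from the list above (assumption: the product's real
# validation pattern may differ in detail).
ALLOWED = re.compile(r"[A-Za-z0-9_\-.@ ]+")


def community_username(login, strip_domain_name=True):
    """Map a Windows login (DOMAIN\\user) to the name the community would store."""
    if strip_domain_name and "\\" in login:
        return login.split("\\", 1)[1]
    return login


def preflight(logins, strip_domain_name=True):
    """Return (rejected, collisions) for a list of Windows logins."""
    rejected = []
    seen = defaultdict(list)
    for login in logins:
        name = community_username(login, strip_domain_name)
        if not ALLOWED.fullmatch(name):
            rejected.append(login)
        # Assumption: two names differing only in case count as the same user name.
        seen[name.lower()].append(login)
    collisions = {name: who for name, who in seen.items() if len(who) > 1}
    return rejected, collisions


# Constructed sample data, not taken from any real directory.
SAMPLE_LOGINS = [
    r"CORP\jdoe",
    r"EMEA\jdoe",
    r"CORP\anna.smith",
    r"CORP\o'brien",
    r"EMEA\svc_backup$",
]

if __name__ == "__main__":
    for strip in (True, False):
        rejected, collisions = preflight(SAMPLE_LOGINS, strip)
        print(f"stripDomainName={strip}")
        print("  outside the default character set:", rejected)
        print("  colliding user names:", collisions)
```

With stripDomainName left at true, the two jdoe accounts collapse into one name; with it set to false, every name contains a backslash, which is not in the default character list.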

Change the Authentication Mode to Windows

Open up the web.config file and find the line which looks like:

<authentication mode="Forms">

and change it to 

<authentication mode="Windows">

Configure IIS

Internet Information Services (IIS), by default, allows anonymous users to access your community without being required to log in. Disable anonymous authentication within IIS on every web server in your environment, preventing users who aren't already logged into the network from being recognized. You also need to configure IIS to accept Windows credentials:

  1. Open IIS Manager.
  2. Browse to your Telligent Community website in the Connections pane.
  3. In the IIS section of the right pane, in Features View, double-click Authentication.
  4. Disable all authentication types except Windows Authentication, leaving Windows Authentication as the only enabled authentication type.

At this point you can now authenticate against Active Directory.  

It's important to test it from another computer or virtual machine. Occasionally Microsoft IIS can get into an infinite loop when you try to view a Windows Auth protected site from the same computer that is hosting that site. If you encounter authentication errors when using Windows Authentication against localhost, refer to Microsoft's KB 896861.

Set Up the Role and Profile Synchronization Job

Telligent Community supports the use of LDAP for syncing Role and Profile information between your community and Active Directory. While this setup is not necessary to simply authenticate against Active Directory, setting up the synchronization job enables the user profile and user roles to be synchronized.

Install the LDAP Package

All steps must be followed before LDAP will work on your community.

  1. Open the Packages.config file in both the community's web directory and the Job Server (by default).

    Out of the box, you should have the following in your packages.config file. However, if you do not see this section, add it verbatim:

    <?xml version="1.0" encoding="utf-8"?>
    <!-- This file determines which packages have been added to Telligent Community -->
    <Packages>
       <Package Name="Evolution" Version="1.0" DateInstalled="2009-03-09" Id="12994783-22B4-47fe-822A-B71B6F1B6C83" />
    </Packages>

    The package is required and should not be removed.

  2. To configure LDAP authentication, you will need to add (not substitute) the following line between the “<Packages>” tags in the XML:

    <Package Name="Ldap" Version="1.0" DateInstalled="2009-03-09" Id="4BF1091D-376C-42b2-B375-E2FE9480E845" />

    This file is case-sensitive, so if you use "name" instead of "Name" then you will have issues with your configuration. Also, the "Id" must be a unique number across all of the package entries.

Configuring LDAP Connection Details

  1. Update the LDAP.config file with the mappings of Telligent to AD profile fields. See How do I control which Active Directory (AD) fields are synchronized and editable on member profiles? for details on configuring the LDAP.config file.

  2. Supply your LDAP connection details to Telligent Community by doing the following:

    1. Open both the web.config file in your web directory, and Telligent.Jobs.Server.exe.config in your Job Server directory.

    2. Locate the line that says <configSections>. In this top section, add the following line:
      <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
      This section does not go in any of the existing section groups. Place the line right before the closing tag of <configSections> as in the following example:
       <configSections>
             <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
       </configSections>
    3. Add the section below right after the closing tag of </configSections> (so that it's between </configSections> and <appSettings>).

      <LdapConnection>
         <add key="Server" value="LDAP://" />
         <add key="Port" value="389" />
         <add key="Authentication" value="Secure" />
      </LdapConnection>

      The attributes of an LDAP connection provide the following elements:

      • Server: The address where the LDAP server can be found. If configured with "LDAP://" or "GC://", then the directory servers are auto-detected based on the current machine's Active Directory domain membership.
      • Port: The port number where the LDAP server is listening for requests.
      • BaseDN: The base Distinguished Name.
      • UserDN: The Distinguished Name for the user that will be used by Community Server to connect to the LDAP server. If not specified, will connect as your Application Pool Identity.
      • Password: The password that will be used by Community Server to connect to the LDAP server. If not specified, will connect as your Application Pool Identity.
      • Authentication: The authentication type that will be used on the connection. Default is Secure. A value of Secure will result in NTLM authentication being used. A value of SecureSocketsLayer will result in an SSL-encrypted authentication being used. More values can be found in the "Members" table here.

       

    4. Save the web.config file.

  3. You should now be able to sync LDAP roles to Telligent Community as well as the profile fields configured in ldap.config.

Considerations for a Multi-Domain Environment

To configure LDAP to work in a multi-domain environment, you need to point Telligent Community to the top-level domain's Global Catalog server. To do this, you need to change the server and port settings in the LdapConnection section of your web.config. You should change the Server to use GC:// instead of LDAP://. When using just LDAP://, Telligent Community will only be able to look up users within that specific domain. By using the Global Catalog, it is able to look up users and groups in any child domains as well. Use port 3268 instead of port 389.

<LdapConnection>
   <add key="Server" value="GC://mycompany.com" />
   <add key="Port" value="3268" />
   <add key="Authentication" value="Secure" />
</LdapConnection>

The server setting is case-sensitive. Be sure that the server in the GC://mycompany.com setting is the name of the root domain in the forest.

Currently when using a multi-domain environment, Telligent Community won't be able to allow profile updates. The Global Catalog is read-only, and Telligent Community doesn't support issuing updates to the individual domain controllers within the environment. To avoid any issues, it is recommended to edit the ldap.config and change the AccessLevel settings to "ReadOnly" for all Attribute entries.

With a multi-domain environment, take special care about potential naming conflicts across domains. If there are two users with the username "jdoe" across two domains, Telligent Community may have issues knowing which user to retrieve from LDAP.
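
The LdapConnection and packages.config steps above are easy to get subtly wrong, so the following linter is provided as an added example; it is not part of the original documentation or of Telligent Community. It checks that the section is declared directly under configSections, that the Server scheme and Port match the pairs given on this page, that no bind password sits in the file, and that the package entries use the exact attribute names and unique Ids. The sample inputs are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Scheme/port pairs as given on this page (plain LDAP and Global Catalog).
PAGE_PORTS = {"LDAP://": "389", "GC://": "3268"}
PACKAGE_ATTRS = {"Name", "Version", "DateInstalled", "Id"}


def check_ldap_connection(config_xml):
    """Findings for the LdapConnection setup in web.config or the job server config."""
    findings = []
    root = ET.fromstring(config_xml)
    # Must be a direct child of <configSections>, not inside a <sectionGroup>.
    declared = [s.get("name") for s in root.findall("configSections/section")]
    if "LdapConnection" not in declared:
        findings.append("LdapConnection not declared directly under configSections")
    conn = root.find("LdapConnection")
    if conn is None:
        return findings + ["no LdapConnection element under the root element"]
    cfg = {a.get("key"): a.get("value", "") for a in conn.findall("add")}
    server = cfg.get("Server", "")
    scheme = next((s for s in PAGE_PORTS if server.startswith(s)), None)
    if scheme is None:
        findings.append(f"Server {server!r} must start with LDAP:// or GC:// (case-sensitive)")
    elif cfg.get("Authentication", "Secure") == "Secure" and cfg.get("Port") != PAGE_PORTS[scheme]:
        # Ports for other Authentication values are not given on the page, so not checked.
        findings.append(f"{scheme} with port {cfg.get('Port')}; the page pairs it with {PAGE_PORTS[scheme]}")
    if cfg.get("Password"):
        findings.append("bind Password is stored in clear text in this file")
    return findings


def check_packages(packages_xml):
    """Findings for packages.config: attribute case, required packages, unique Ids."""
    findings = []
    packages = ET.fromstring(packages_xml).findall("Package")
    for pkg in packages:
        for attr in sorted(set(pkg.attrib) - PACKAGE_ATTRS):
            findings.append(f"attribute {attr!r} is not one of {sorted(PACKAGE_ATTRS)}")
    names = [p.get("Name") for p in packages]
    for required in ("Evolution", "Ldap"):
        if required not in names:
            findings.append(f"package {required!r} not found")
    ids = [(p.get("Id") or "").lower() for p in packages]  # GUIDs compared case-insensitively
    if len(set(ids)) != len(ids):
        findings.append("package Id values are not unique")
    return findings


# Constructed samples with deliberate mistakes; not real configuration files.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <sectionGroup name="example">
      <section name="LdapConnection" type="System.Configuration.NameValueSectionHandler" />
    </sectionGroup>
  </configSections>
  <LdapConnection>
    <add key="Server" value="GC://mycompany.com" />
    <add key="Port" value="389" />
    <add key="Authentication" value="Secure" />
  </LdapConnection>
</configuration>"""
SAMPLE_PACKAGES = """<Packages>
  <Package Name="Evolution" Version="1.0" DateInstalled="2009-03-09" Id="12994783-22B4-47fe-822A-B71B6F1B6C83" />
  <Package name="Ldap" Version="1.0" DateInstalled="2009-03-09" Id="12994783-22b4-47fe-822a-b71b6f1b6c83" />
</Packages>"""

if __name__ == "__main__":
    for finding in check_ldap_connection(SAMPLE_WEB_CONFIG) + check_packages(SAMPLE_PACKAGES):
        print("-", finding)
```

Run it against both the web.config and the Telligent.Jobs.Server.exe.config, since the page requires the same section in each.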

Copyright 2022 Verint, Inc.