We recommend using Windows Authentication if you are configuring Telligent Community within an internal Active Directory. If you need to authenticate against an external Active Directory, we recommend using SAML with ADFS instead. Your members can then access Telligent Community with the same credentials they use to log in to Windows (and in many cases will be seamlessly logged in).
- Alphanumeric characters (A-z, 0-9)
- Underscores (_)
- Hyphens (-)
- Periods (.)
- At signs (@)
- Spaces
Configure Telligent Community for Windows Authentication
The Windows SSO Module is configured through the communityserver.config file. As an alternative to directly editing this file (because applying a future upgrade to Telligent Community will wipe out changes), we can make our changes through an external communityserver_override.config file. (Note: Out of the box, Telligent Community does not include a communityserver_override.config file. You need to create and modify this file yourself. A sample is located here.)
Enable the Windows Authentication Module
To enable the Windows Authentication module, we'll set the extensionModules element's enabled attribute to true by adding an Override entry into the communityserver_override.config file:
<Override xpath="/CommunityServer/Core/extensionModules"
mode = "change"
name="enabled"
value="true" />
Configure the Windows Authentication Module
The following options may be configured. To configure a particular option, add the provided override into your communityserver_override.config file. If you want to use a different value for the option than used in the example, replace the highlighted section of the overrides with your own value. Copy your changed communityserver_override.config file into your Telligent Job Service directory, overwriting the pre-packaged override file if one exists. The default path for this file is C:\Program Files\Telligent\Job Service.
- allowAutoUserRegistration (Default: true)
Determines whether you want Telligent Community to automatically create new accounts if an authenticated user who doesn't already have an account accesses Telligent Community. To turn this setting off, use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="allowAutoUserRegistration"
value="false" />
- adminWindowsGroupIsSystemAdministrator (Default: true)
Controls whether members of the Administrators group are automatically treated as administrators by Telligent Community. To turn this setting off, use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="adminWindowsGroupIsSystemAdministrator"
value="false" />
- adminWindowsGroup (Default: Administrators)
If adminWindowsGroupIsSystemAdministrator is set to true, this specifies the role which will be automatically added as an administrator in Telligent Community. To change this role to MyAdministrativeGroup, use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="adminWindowsGroup"
value="MyAdministrativeGroup" />
- stripDomainName (Default: true)
Windows usernames are normally in the form DOMAIN\UserName. By default, Telligent Community strips the domain name from a user's username when creating the user. If you do not want to strip the domain name, use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="stripDomainName"
value="false" />
- emailDomain (Default: @TempURI.org)
Specifies the domain name that is appended to a user's username when creating the user in Telligent Community. To change this to Telligent.com, use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="emailDomain"
value="@Telligent.com" />
- profileRefreshInterval (Default: 7)
Specifies the interval (in days) after which Telligent Community will refresh users. To refresh users every day (every 24 hours), use the following override:
<Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
mode="change"
name="profileRefreshInterval"
value="1" />
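To review which of these options an override file actually changes, the following PowerShell sketch (an added example, not Telligent's own tooling) reads the file and prints each documented option with its default and effective value. It assumes the file sits at the default Job Service path given above, that the Override elements use no XML namespace, and that the xpath attribute is written exactly as in the overrides above.

```powershell
# Added example, not Telligent's code. Defaults are the ones documented in the list above.
$overridePath = 'C:\Program Files\Telligent\Job Service\communityserver_override.config'
$moduleXPath  = "/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
$defaults = [ordered]@{
    allowAutoUserRegistration              = 'true'
    adminWindowsGroupIsSystemAdministrator = 'true'
    adminWindowsGroup                      = 'Administrators'
    stripDomainName                        = 'true'
    emailDomain                            = '@TempURI.org'
    profileRefreshInterval                 = '7'
}

[xml]$doc = Get-Content -LiteralPath $overridePath -Raw

# Collect mode="change" overrides that target the WindowsAuthentication module,
# and note whether the extensionModules element itself has been enabled.
$overrides = @{}
$moduleEnabled = $false
foreach ($o in $doc.SelectNodes('//Override')) {
    if ($o.GetAttribute('mode') -ne 'change') { continue }
    $xpath = $o.GetAttribute('xpath')
    $name  = $o.GetAttribute('name')
    $value = $o.GetAttribute('value')
    if ($xpath -eq $moduleXPath) { $overrides[$name] = $value }
    elseif ($xpath -eq '/CommunityServer/Core/extensionModules' -and $name -eq 'enabled') {
        $moduleEnabled = ($value -eq 'true')
    }
}

"extensionModules enabled by override: $moduleEnabled"
$(foreach ($name in $defaults.Keys) {
    [pscustomobject]@{
        Option     = $name
        Default    = $defaults[$name]
        Effective  = if ($overrides.ContainsKey($name)) { $overrides[$name] } else { $defaults[$name] }
        Overridden = $overrides.ContainsKey($name)
    }
}) | Format-Table -AutoSize

# Flag override names that are not in the documented option list (for example a misspelling).
$overrides.Keys | Where-Object { -not $defaults.Contains($_) } |
    ForEach-Object { Write-Warning "Override '$_' is not one of the documented options" }
```

Point $overridePath at whichever copy of the file you want to review; the two options that grant access (allowAutoUserRegistration and adminWindowsGroupIsSystemAdministrator) are the rows to read first.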
Mapping Active Directory groups to Telligent Community roles
If you want to map Active Directory groups to Telligent Community roles, you'll need to configure Active Directory group mappings.
Change the Authentication Mode to Windows
Open up the web.config file and find the line which looks like:
<authentication mode="Forms">
and change it to:
<authentication mode="Windows">
Configure IIS
Internet Information Services (IIS), by default, allows anonymous users to access your community without being required to log in. Disable anonymous authentication within IIS on every web server in your environment, preventing users who aren't already logged into the network from being recognized. You also need to configure IIS to accept Windows credentials:
- Open IIS Manager.
- Browse to your Telligent Community website in the Connections pane.
- In the IIS section of the right pane, in Features View, double-click Authentication.
- Disable all authentication types except Windows Authentication, leaving Windows Authentication as the only enabled authentication type.
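The same IIS configuration can be applied and verified from PowerShell on each web server. This is an added example, not part of the original documentation; it assumes the WebAdministration module that ships with IIS, an elevated session, a web.config without an XML namespace on its root element, and a hypothetical site name that you replace with your own.

```powershell
# Added example, not from the original page. Run elevated on each web server.
Import-Module WebAdministration

$siteName = 'Telligent Community'   # assumption: replace with your IIS site name
$apphost  = 'MACHINE/WEBROOT/APPHOST'
$base     = '/system.webServer/security/authentication'

# Desired state from the steps above: Windows Authentication only.
$desired = [ordered]@{
    anonymousAuthentication = $false
    basicAuthentication     = $false
    digestAuthentication    = $false
    windowsAuthentication   = $true
}

foreach ($section in $desired.Keys) {
    Set-WebConfigurationProperty -PSPath $apphost -Location $siteName `
        -Filter "$base/$section" -Name enabled -Value $desired[$section]
}

# Read the settings back rather than trusting the writes.
$report = foreach ($section in $desired.Keys) {
    $actual = (Get-WebConfigurationProperty -PSPath $apphost -Location $siteName `
        -Filter "$base/$section" -Name enabled).Value
    [pscustomobject]@{ Setting = $section; Expected = $desired[$section]; Actual = $actual }
}

# web.config must also use <authentication mode="Windows">.
$root = [Environment]::ExpandEnvironmentVariables((Get-Item "IIS:\Sites\$siteName").physicalPath)
[xml]$cfg = Get-Content -LiteralPath (Join-Path $root 'web.config') -Raw
$node = $cfg.SelectSingleNode('/configuration/system.web/authentication')
$mode = if ($node) { $node.GetAttribute('mode') } else { '(not set)' }
$report += [pscustomobject]@{ Setting = 'web.config authentication mode'; Expected = 'Windows'; Actual = $mode }

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { "$($_.Actual)" -ne "$($_.Expected)" })
if ($bad.Count) { throw "$($bad.Count) setting(s) differ from the documented configuration" }
```

Running it again later works as a drift check: any server where anonymous authentication has been re-enabled, or where web.config has reverted to Forms, makes the script throw.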