help.axcms.netAxinom Logo
Home
User Guide
Basic Concepts
Installation & Configuration
Quick Start
System Requirements
Installation
Configuration
Files & Permissions
IIS (Internet Information Server)
SQL Server
Application Configuration
AxCMS.Service
WebDAV
Exception Management
Active Directory
Licensing
Scaling
Maintenance
Security
Upgrade
Developer Guide
Template Projects
Modules
Knowledge base
FAQs
White Papers
Forum
Blog
Twitter
Save Save Chapter Send Feedback

Active Directory

The integration and configuration of Active Directory with AxCMS.net

The Concept

If the users of your Management System are managed with Active Directory, you can reduce the management efforts by integrating AxCMS.net with Active Directory (AD). Using the integration you can manage user accounts and their authorization information in Active Directory and AxCMS.net will automatically take advantage of this information.

 

To setup up AD integration:

  • Import the AD groups you want to synchronize with into AxCMS.net
  • Import users from these groups
  • Setup the necessary roles and rights for the groups in AxCMS.net
  • (optionally) Setup automatic synchronization with AD, so the changes in AD are visible in AxCMS.net

While using Active Directory it makes sense to switch to Windows Authentication so the users can profit from the Single Sign On. Read more about it under Securing AxCMS.net.

Active Directory Integration

Configuring Active Directory Integration

First of all you turn on Active Directory integration. It will allow you to import AD-groups into MS:

<!-- 0 is OFF, 1 is ON -->
<add key="ActiveDirectory" value="1" />

To access Active Directory you need to supply AxCMS.net with an user account which can access Active Directory. This user needs no special permissions - just to access AD. You config this user in MS web.config like this:

<add key="ActiveDirectoryUserName" value="MyDomain\UserName" />
<add key="ActiveDirectoryUserPassword" value="password" />

Example:

<add key="ActiveDirectoryUserName" value="axinom\someemployee" />
<add key="ActiveDirectoryUserPassword" value="eeyolpmeemos" />

To take over the profiles of the Users from the AD to the AxCMS.net, you need to set ADProfile=1. If set to "0" user account is synchronized with AxCMS.net but it's profile is not taken over. It allows you to manage user profiles in AxCMS.net independent from Active Directory.

<add key="ADProfile" value ="1" />

To enable the automatical synchronization of AD users, profiles and group membership there are two possible ways: on demand or scheduled.

On demand will start a synchronization each time a user logs in into MS (for this particular user). If authenticated user is not known in MS yet, a new user profile is created in MS. If user's groups in AD changed, this changes are updated in MS. If the user was removed from every synchonized AD-group, its profile is locked in MS. To activate on demand synchronization, add this key to the web.config:

<add key=“ADSyncMembershipOnLogin“ value=“1“ />

A disadvantage of the on demand approach is a small delay on login. To avoid it you can turn of on demand synchronization:

<add key=“ADSyncMembershipOnLogin“ value=“0“ />

And synchronize all user accounts as a scheduled task. For this schedule a task Axinom.AECMS.UserManagement.ImportAxUsersFromADTask to run inside AxCMS.Service at least nightly. Read AxCMS.Service to learn how how to schedule tasks with AxCMS.Service. Basically you add a record to AxServiceTask table.

Profile Fields Mapping

Here is a mapping of the fields in the AD Profile and AxCMS.net User Profile:

  • Domain + "\" + SAMAccountName : Username
  • givenName : FirstName
  • sn : Name
  • c : CountryCode
  • l : City
  • postalCode : Zip
  • company : Company
  • streetAddress : Street
  • mail : EMail
  • homePhone : Phone
  • mobile : Mobile
  • facsimileTelephoneNumber : Fax
  • description : Comment

 

Setting Up Synchronized Groups in Management System

In MS go to Admin / User Groups. In the left column you will see a list of groups in AD. Select a group you want to synchronize and click Add. A new user group is created in MS. It stores the AD-GUID for synchronization purpose.

Now you can give necessary roles and rights to the group. In group properties click on "Manage permissions" and give the roles and rights as usual. All users in this group will inherit these permissions. The users will be  imported from AD.

You can import users from selected groups ad hoc by clicking the "Import Users" button on the User Groups overview page. Every user is imported only once, even it belongs to multiple groups. Passwords from AD are obviously not taken over. For a user to log in into MS use Windows Authentication as described above. (Alternatively you can setup a password manually and login via Forms Authentication.) You can user this "Import Users" button for manual AD-synchronization, but we recommend setting up automaticall synchronization either on demand or scheduled as described above.

Active Directory Integration in Live System

Out-of-the box Active Directory integration is implemented only in Management System. Technically there is no problem to implement AD integration also in Live System.

 

See Also
Copyright © 2001-2012 Axinom GmbH. All rights reserved. Powered by AxCMS.net 9.2.0.25715.
Axinom International | AxCMS.net | Imprint