Hexagon Geospatial
WebGIS

Portal - forms login with AD authentication example

An example. I have limited domain knowledge and have only tested against one organisation. Hopefully it will help someone else set up faster.

Geospatial Portal can be configured with a forms login requiring users to authenticate to access the portal.

The forms login can use various membership providers to authenticate against.

This example uses the ActiveDirectory membership provider.

Once a user is authenticated, the site runs under the anonymous user (the application pool user).

Note: when using forms authentication, ensure the site is using an https binding and that SSL Settings has 'Require SSL' checked.

Passing authentication typically involves a clear-text username/password or a token that an unfriendly user could compromise. Using https/SSL ensures the password and tokens are secure in transit.
Once Require SSL is set, you will likely find you can't configure the portal site via AdminConsole unless Require SSL is turned off again.

Example config:

  1. IIS, choose the portal site
    1. Authentication
      1. Anonymous Authentication and Forms Authentication should be enabled.
      2. All others should be disabled
        (normally the default for most portal sites)
  2. Edit the portal site web.config
    1. Open C:\Program Files\Common Files\Hexagon\Services\Instances\TestGSPortal_BasicAuth2\web.config in Notepad++
    2. Find <connectionStrings>
    3. Replace with the LDAP connection for your AD. Examples:

  <connectionStrings>
    <add name="ADService" connectionString="LDAP://domain.com/OU=Area Name,DC=domain,DC=com" />
  </connectionStrings>

Or

  <connectionStrings>
    <add name="ADService" connectionString="LDAP://domain.com/CN=Users,DC=domain,DC=com" />
  </connectionStrings>

Note: normally the default is to use CN=Users rather than OU=Area Name. Whether to use CN=Users or OU=Something depends on the organisation's AD configuration.

Note: the full LDAP connection string to the primary AD server is ADServername.domain.com. Normally LDAP://domain.com should resolve fine. Only add the primary domain server name if the base name does not resolve.

  3. Set up the authentication section

    • Locate the 'out of the box' authentication section, something like:

    <authentication mode="Forms" />

    <membership defaultProvider="Disk" hashAlgorithmType="SHA1">
      <providers>
        <add name="Disk" type="Intergraph.WebSolutions.Core.WebClient.Platform.Security.DiskMemberhipProvider" />
      </providers>
    </membership>

    • Replace with ActiveDirectory authentication:

    <authentication mode="Forms">
      <forms loginUrl="~/LoginForm.aspx" timeout="20" />
    </authentication>

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName"
             connectionUsername="serviceAccount"
             connectionPassword="******"
             applicationName="TestGSPortal_BasicAuth2"
             description="Geospatial Portal auth testing" />
      </providers>
    </membership>

  4. Test

    • Launch the site; it should show the portal login form.
    • Enter credentials, with the username without the domain name,
      e.g. myname rather than domain\myname or myname@domain.com

Determining values to use.

  1. Connection string.

    The connection string is specific to the organisation's AD configuration:

    connectionString="LDAP://domain.com/OU=Area Name,DC=domain,DC=com"

Resource: http://aspalliance.com/1658_Using_Forms_Authentication_with_Membership_Providers_in_ASPNET_20.2, listing one


A method for determining the LDAP connection string:

  1. For Windows Server 2008 R2 or 2012, install the feature 'Remote Server Administration Tools' > 'Role Administration Tools' > 'AD DS and AD LDS Tools'
  2. From a command prompt, launch ADSIEDIT.MSC
  3. Action > Connect To, and enter the details (they should be filled in by default).
    The LDAP Path should be shown; copy that to put in the connection string.
    Note: you can normally remove the actual AD server name from the start of the path, e.g. LDAP://domain.com rather than LDAP://ADServername.domain.com
  4. Expand the connection; you should see DC=xxxx,DC=yyyy,DC=zzzz
    That is the last part of the connection string.
  5. Expand the node and find where the user accounts are held.
    The example uses OU=Area Name.
    The default location is normally CN=Users.
    It depends on how the AD is set up for the organisation.
  6. Combine the above to form the LDAP connection string:
    connectionString="LDAP://domain.com/OU=Area Name,DC=domain,DC=com"

  2. Provider setting options.
    1. Refer to https://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider(v=vs.... for the full list of options
    2. connectionStringName must match the name of the LDAP connection in <connectionStrings>
    3. enableSearchMethods: I just set it to true; I have not played with it.
    4. attributeMapUsername: either sAMAccountName or userPrincipalName
      1. userPrincipalName is the default.
        When the user logs in, they type the username as username@domain.com
      2. sAMAccountName means the simple username, so they can type in just the username
    5. connectionUsername is the username that can connect to AD.
      connectionPassword is the password for that account (must be populated if connectionUsername is provided).
      Alternatively, set up the Portal application pool to run under a domain service account that can log in to the AD. (By default the portal application pool is an IUSR account that probably can't connect to the domain and access AD.)
    6. applicationName and description are optional; they give administrators an idea of who is hitting the AD

Note: do not add an authorisation rule that denies anonymous users; otherwise a message similar to '401 - Unauthorized: Access is denied due to invalid credentials.' will be shown.

  3. <forms loginUrl="~/LoginForm.aspx" timeout="20" />
    1. The timeout should probably match the site timeout for best security (see MSDN for details).
    2. MSDN recommends that requireSSL be set to true.
      It also recommends that if requireSSL is false then slidingExpiration should be false.
      For me, setting requireSSL to either value caused authentication to fail; I have not determined why.
      I am assuming that since I have my site set to require SSL it should be OK.
      See https://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.requiressl(v=vs.110...
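As an added example (not part of the original post, and not Hexagon or Intergraph code), the script below audits a web.config of the shape shown above for the settings the post and the MSDN pages it cites call out: requireSSL on <forms>, slidingExpiration when requireSSL is off, a cleartext connectionPassword on the ActiveDirectoryMembershipProvider, a connectionProtection other than the default Secure, and a connectionStringName that does not resolve to an LDAP:// entry. The web.config text is a constructed sample (the post's AD fragment wrapped in a minimal <configuration>); the "/<site>" path in the aspnet_regiis hint is a placeholder, and harden_forms applies only the MSDN <forms> recommendations, leaving credentials for aspnet_regiis.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the post's 'replace with ActiveDirectory' fragment
# plus the ADService connection string, wrapped in a minimal <configuration>.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ADService" connectionString="LDAP://domain.com/CN=Users,DC=domain,DC=com" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/LoginForm.aspx" timeout="20" />
    </authentication>
    <membership defaultProvider="AspNetActiveDirectoryMembershipProvider" hashAlgorithmType="SHA1">
      <providers>
        <add name="AspNetActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ADService"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName"
             connectionUsername="serviceAccount"
             connectionPassword="******" />
      </providers>
    </membership>
  </system.web>
</configuration>
"""


def _child(elem, tag):
    """First direct child with this tag, or None. Plain iteration rather than
    XPath so the dotted 'system.web' tag name is matched literally."""
    return next((c for c in elem if c.tag == tag), None)


def _is_true(value, default):
    return (value if value is not None else default).strip().lower() == "true"


def audit_forms_auth(xml_text):
    """Return (code, message) findings: <forms> checks first, then AD providers."""
    root = ET.fromstring(xml_text)
    findings = []
    system_web = _child(root, "system.web")
    if system_web is None:
        return [("NO_SYSTEM_WEB", "no <system.web> section found")]
    auth = _child(system_web, "authentication")
    if auth is None or auth.get("mode") != "Forms":
        return [("NOT_FORMS", "authentication mode is not Forms; nothing to check")]

    # A missing <forms> element means the ASP.NET defaults apply:
    # requireSSL="false", slidingExpiration="true".
    forms = _child(auth, "forms")
    require_ssl = _is_true(forms.get("requireSSL") if forms is not None else None, "false")
    sliding = _is_true(forms.get("slidingExpiration") if forms is not None else None, "true")
    if not require_ssl:
        findings.append(("FORMS_REQUIRE_SSL",
                         "<forms requireSSL> is not true: the forms-auth cookie is not flagged Secure, "
                         "so it will be sent over any plain-HTTP binding the site still has"))
        if sliding:
            findings.append(("FORMS_SLIDING_EXPIRATION",
                             "slidingExpiration is on while requireSSL is off; MSDN says set it to false "
                             "so a captured ticket stops working at the fixed timeout"))

    # Map connection string names so the provider's connectionStringName can be resolved.
    conn_strings = {}
    cs_section = _child(root, "connectionStrings")
    for add in (cs_section if cs_section is not None else []):
        if add.tag == "add" and add.get("name"):
            conn_strings[add.get("name")] = add.get("connectionString", "")

    membership = _child(system_web, "membership")
    providers = _child(membership, "providers") if membership is not None else None
    for add in (providers if providers is not None else []):
        if add.tag != "add" or "ActiveDirectoryMembershipProvider" not in add.get("type", ""):
            continue
        name = add.get("name", "?")
        cs_value = conn_strings.get(add.get("connectionStringName"))
        if cs_value is None:
            findings.append(("CONN_STRING_MISSING", f"provider {name}: connectionStringName has no <connectionStrings> entry"))
        elif not cs_value.upper().startswith("LDAP://"):
            findings.append(("CONN_STRING_NOT_LDAP", f"provider {name}: connection string does not start with LDAP://"))
        if add.get("connectionPassword") is not None:
            findings.append(("AD_CLEARTEXT_PASSWORD",
                             f"provider {name}: connectionPassword is cleartext in web.config; encrypt the section with "
                             "aspnet_regiis -pe \"system.web/membership\" -app \"/<site>\" (placeholder path), or run the "
                             "app pool as the domain service account and drop the connectionUsername/Password attributes"))
        if add.get("connectionProtection", "Secure") != "Secure":  # provider default is Secure (SSL or sign+seal)
            findings.append(("AD_CONNECTION_PROTECTION", f"provider {name}: connectionProtection is not Secure; the DC bind is unprotected"))
    return findings


def harden_forms(xml_text):
    """Apply the MSDN <forms> recommendations (requireSSL=true, slidingExpiration=false)
    and return the rewritten config. Credentials are deliberately left for aspnet_regiis."""
    root = ET.fromstring(xml_text)
    auth = _child(_child(root, "system.web"), "authentication")
    forms = _child(auth, "forms")
    if forms is None:
        forms = ET.SubElement(auth, "forms", loginUrl="~/LoginForm.aspx")
    forms.set("requireSSL", "true")
    forms.set("slidingExpiration", "false")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for code, msg in audit_forms_auth(SAMPLE_WEB_CONFIG):
        print(f"[{code}] {msg}")
    print("--- after harden_forms ---")
    for code, msg in audit_forms_auth(harden_forms(SAMPLE_WEB_CONFIG)):
        print(f"[{code}] {msg}")
```

On a real site, pass the file contents instead of the sample (audit_forms_auth(open(path).read())). requireSSL="true" is what the MSDN page above recommends; as the post notes, the poster saw authentication fail with it set, so test harden_forms output against the https binding before rolling it out, and treat AD_CLEARTEXT_PASSWORD as the one finding a text edit cannot clear.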

 

 

 
