Logging into a System that Uses AD Integration

Because AD usernames and passwords are stored by domain, the AD sign-on procedure requires the user to select a domain. When AD integration is enabled the sign-on screen includes a domain drop-down list. For more information about logging in, see Logging In and Out.

Single sign on

Single Sign On

The Single Sign On feature retrieves a user’s login information from Active Directory to authenticate access to Ektron. The user does not need to enter a password. After clicking Login, he is immediately logged in.

Single Sign On uses a variable called User.Identity.Name. This maintains the user's account and domain in Active Directory, and has the format [domain]\[username]. For example, EKTRON1\ssmith. The variable's value is set when a user authenticates against a Windows server.

When a user clicks the Login server control, if the variable passes successfully and Active Directory is enabled, the server control opens the autologin.aspx page. Next, the opening window refreshes just like a normal login, except the user is not prompted for a username, password, and domain.

However, if the user‘s computer is not on a domain, not on the same domain as Ektron, or does not include the Ektron server as a trusted site, the following login screen appears.

If Active Directory is not enabled, the normal login.aspx page appears.

Single Sign On uses the autologin.aspx file in the workarea/SSO directory. When set up, user authentication is enabled from any domain that this server can reach. For example, if Ektron is located in a third level domain, users from third, second, and first level domains can authenticate.

See Also: Enabling NTLM Authentication (Automatic logon) (http://dev.ektron.com/kb_article.aspx?id=22100).

Use the setup instructions that correspond to the IIS version running on your server:

  • IIS6
  • IIS7 or IIS7.5

After completing these procedures, enable Active Directory within Ektron (if it isn’t already enabled). See Also: Setting Up Active Directory

You should enable the automatic addition of users and groups. See Also: Setting Up Active Directory

Setting up single sign on using IIS6

Setting up Single Sign On Using IIS6

Setting up Single Sign On with IIS 6 involves modifying the web.config file, editing security settings, and adjusting settings for the Login sever control.

Modifying Web.config for single sign on

Modifying Web.config for Single Sign On

  1. Open your site root folder.
  2. Open the Web.config file.
  3. Find the ek_AUTH_protocol element.
  4. Change its value to LDAP. For example:
    <add key="ek_AUTH_Protocol" value="LDAP" />
  5. Find the authentication element.
  6. Change the value of authentication mode to Windows.
  7. Change the value of impersonate to False. It should look like this:
    <authentication mode="Windows" /> 
    <identity impersonate="false" userName="" password=""/>
Adjusting security settings for the site root folder

Adjusting Security Settings for the Site Root Folder

  1. Go to Windows Control Panel > Administrative Tools > Internet Information Services.
  2. Within IIS, go to Web Sites and select your Ektron site.
  3. Right click your Ektron site folder and select Properties.

  4. Click the File/Directory Security tab then the top Edit button.
  5. Uncheck everything except Enable anonymous access and Integrated Windows authentication. The anonymous access account should be a domain account, preferably the root of the Active Directory tree.

Adjusting security settings for autologin.aspx

Adjusting Security Settings for autologin.aspx

  1. Go to Sites > your site root folder > Workarea > SSO > autologin.aspx.
  2. Right click autologin.aspx and select Properties.
  3. Click the File security tab and the top Edit button.

  4. Under Authenticated Access, uncheck all except Integrated Windows authentication. As a result of these settings, autologin.aspx passes credentials from the logged-in user's desktop.

Adjusting the login server control

Adjusting the Login Server Control

In Visual Studio.NET, open the Login server control and set the AutoLogin property to True. See Also: Login Server Control

Setting up single sign on using IIS7 or IIS7.5

Setting up Single Sign On Using IIS7 or IIS7.5

Setting up Single Sign On with IIS 7 or IIS7.5 involves modifying the web.config file and editing security settings.

Modifying Web.config for single sign on

Modifying Web.config for Single Sign On

  1. Open site root/Web.config.
  2. Find the ek_AUTH_protocol element and change its value to LDAP:
    <add key="ek_AUTH_Protocol" value="LDAP" />
  3. Find the authentication element and change the value of authentication mode to Windows.
  4. Change the value of impersonate to False:
    <authentication mode="Windows" /> 
    <identity impersonate="false" userName="" password=""/>
  5. Comment out the MyDigestAuthenticationModule only.
    <modules>
<!--add name="MyDigestAuthenticationModule"
  type="Ektron.ASM.EkHttpDavHandler.Security.DigestAuthenticationModule,
  Ektron.ASM.EkHttpDavHandler" /-->
<add name="ScriptModule" type="System.Web.Handlers.ScriptModule, 
  System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, 
  PublicKeyToken=31bf3856ad364e35" preCondition="integratedMode" />
<add name="EkUrlAliasModule" type="UrlAliasingModule" preCondition="integratedMode" />
</modules>
Adjusting security settings for the site root folder

Adjusting Security Settings for the Site Root Folder

  1. Go to Start menu > Administrative Tools > Internet Information Services.
  2. Within IIS, go to Sites and select your Ektron site.
  3. From the right panel, select Authentication.

  4. On the Authentication screen, enable Anonymous Authentication.

Adjusting security settings for autologin.aspx

Adjusting Security Settings for autologin.aspx

  1. Make sure that Windows Authentication is installed on this server. To do this:
    1. Open Start menu > Administrative Tools > Server Manager.
    2. Click Roles > WebServer (IIS) Role Services > Security > Windows Authentication.

    3. If the status of Windows Authentication is Installed, proceed to Step 2.

      If the status of Windows Authentication is Not Installed, click Add Role Services.

    4. The Add Role Services screen appears.

    5. Check Windows Authentication.
    6. Click Next and follow the prompts to install Windows Authentication.
    7. Close Server Manager.
  2. Open IIS Manager.
  3. Go to Sites > your Web site’s root folder > Workarea > SSO and right click Switch to Content View.

  4. In the center panel, right click autologin.aspx and select Switch to Features View.

  5. In the center panel, click Authentication.
  6. From the center panel, check the status of Windows Authentication. If it is disabled, enable it by selecting it, right clicking, and choosing Enable from the menu.

  7. From the center panel, check the status of Anonymous Authentication. If it is enabled, disable it by selecting it, right clicking, and choosing Disable from the menu. As a result of this procedure, autologin.aspx passes credentials from the logged-in user's desktop.