Active Directory lets you retrieve user and user group information from the Microsoft Windows Active Directory (AD) into Ektron. As a result, you can administer user information from 1 place, and users need to remember only 1 username/password combination to sign on to the network and Ektron.
IMPORTANT: Ektron strongly recommends configuring SSL (Secure Sockets Layer, https), especially if you are using Active Directory Integration. SSL encrypts passwords that are otherwise sent as clear text to the Ektron server. See also: Updating web.config to Use SSL.
You can set up Active Directory in the following ways:
web.config file and entering information in the Workarea. Use this method if:
web.config. Use this method if you are using auto discovery.
web.config file to the following values:
<add key="ek_ADEnabled" value="true"/>
<add key="ek_ADAdvancedconfig" value="true"/>
<add key="ek_AUTH_Protocol" value="LDAP"/>
NOTE: When using the Advanced Domains Method, the domains screen's credentials are used.
To access that utility, go to the Windows Start menu > All Programs > Ektron > current release > Utilities > Encrypt Email Password.
If you're using Windows 8 or 2012, press the Windows key + Q, then enter Encrypt Email Password.
ek_ADEnabled element to true. It should look like this:
<add key="ek_ADEnabled" value="true"/>
ek_ADAdvancedconfig element is set to False. (This is the default value.)
ek_AUTH_Protocol element to GC. It should look like this:
<add key="ek_AUTH_Protocol" value="GC"/>
<add key="ek_ADUsername" value="[username]@domain" />
<add key="ek_ADPassword" value="YourPasswordHere" />
authentication element, change the value of the impersonate attribute to False. It should look like this:
<identity impersonate="false" userName="" password=""/>
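The two web.config methods above (Advanced Domains with LDAP, and the GC method with ek_ADUsername/ek_ADPassword and impersonation switched off) are easy to mix up. The following read-only lint is an added example, not Ektron's own code: it parses a constructed web.config fragment, reports which method the settings select, and lists settings that contradict that method. Only the key names on this page are used; the check wording, the sample values and the placeholder-password test are ours.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real deployment): a GC-method configuration
# with two defects, a placeholder ek_ADPassword and impersonation left on.
SAMPLE_GC_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_ADAdvancedconfig" value="false"/>
    <add key="ek_AUTH_Protocol" value="GC"/>
    <add key="ek_ADUsername" value="svc_ektron@example.com"/>
    <add key="ek_ADPassword" value="YourPasswordHere"/>
  </appSettings>
  <system.web>
    <identity impersonate="true" userName="" password=""/>
  </system.web>
</configuration>
"""

# Constructed sample: a consistent Advanced Domains configuration.
SAMPLE_ADVANCED_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_ADAdvancedconfig" value="true"/>
    <add key="ek_AUTH_Protocol" value="LDAP"/>
  </appSettings>
  <system.web>
    <identity impersonate="false" userName="" password=""/>
  </system.web>
</configuration>
"""


def app_settings(config_xml):
    """Return <appSettings> as a dict; a repeated key keeps its last value, as .NET does."""
    root = ET.fromstring(config_xml)
    return {e.get("key"): e.get("value", "") for e in root.iterfind(".//appSettings/add")}


def impersonate_value(config_xml):
    """Lower-cased value of <identity impersonate=...>, or None when the element is absent."""
    ident = ET.fromstring(config_xml).find(".//identity")
    return None if ident is None else ident.get("impersonate", "").lower()


def lint_ad_config(config_xml):
    """Classify the setup method and return (method, findings); no findings means consistent."""
    settings = app_settings(config_xml)
    findings = []
    if settings.get("ek_ADEnabled", "false").lower() != "true":
        return "AD disabled", findings
    protocol = settings.get("ek_AUTH_Protocol", "")
    if settings.get("ek_ADAdvancedconfig", "false").lower() == "true":
        method = "Advanced Domains"
        if protocol != "LDAP":
            findings.append("ek_AUTH_Protocol must be LDAP for the Advanced Domains method")
        if settings.get("ek_ADPassword"):
            findings.append("ek_ADPassword is set but unused: this method takes credentials from the domains screen")
    else:
        method = "GC"
        if protocol != "GC":
            findings.append("ek_AUTH_Protocol must be GC when ek_ADAdvancedconfig is false")
        if "@" not in settings.get("ek_ADUsername", ""):
            findings.append("ek_ADUsername must be in [username]@domain form")
        if settings.get("ek_ADPassword", "") in ("", "YourPasswordHere"):
            findings.append("ek_ADPassword is empty or still the documentation placeholder")
        if impersonate_value(config_xml) != "false":
            findings.append('<identity impersonate="false"> is required for the GC method')
    return method, findings


if __name__ == "__main__":
    for label, cfg in (("GC sample", SAMPLE_GC_CONFIG), ("Advanced sample", SAMPLE_ADVANCED_CONFIG)):
        method, findings = lint_ad_config(cfg)
        print(f"{label}: method={method}, findings={findings or 'none'}")
```

Run it against a copy of the site's web.config by passing the file contents to lint_ad_config; the GC sample above produces two findings (placeholder password, impersonation still on) and the Advanced Domains sample produces none.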
You can implement Active Directory in 1 of 2 modes.
Active Directory Integration maintains consistent user and user group information between AD and Ektron. First, user information is imported from AD into Ektron. When this is complete, user group information is imported.
Ektron does not write to Active Directory; it only reads from it. This changes the way Ektron manages user and user group information.
Integration requires Read Membership Group Permissions within Active Directory.
When using Integration, you must select an Administrator group. (There can only be one admin group per Ektron site.) Click the search option and select Domain users or an admin group created in AD specifically for Ektron.
Ektron imports the following AD user information.
Corresponding Ektron Field
User logon name (pre-Windows 2000)
Domain and Username
NOTE: Users and user groups can share a name in different domains, for example, firstname.lastname@example.org and email@example.com. Otherwise, user names must be unique.
The following diagram illustrates the Active Directory feature's components.
The Active Directory feature uses multiple Ektron screens to edit domains, set up Active Directory, display AD status, and view and search for users and user groups.
Use the Edit Domains screen to identify each network domain you will use with Ektron's Active Directory Integration. The screen lets you add new domains, modify existing ones, or delete obsolete ones. Use this screen to define domains, as opposed to using auto discovery to find them.
While signing on, users must select a domain in addition to username and password. Domains are also referenced when defining AD users and user groups that map to the Ektron users and groups.
web.config as explained in Setting Up Active Directory via the Advanced Domains Method.
- Your NetBIOS name setting, if it is different from your domain name. Contact your server administrator for this information.
- Your domain’s DNS. Contact your server administrator for this information.
To add a new domain:
The Active Directory Setup screen lets you enable or disable AD and manage other AD settings, such as whether users and groups are automatically updated.
To enable AD and manage settings:
Active Directory Installed
User Property Association
The default AD property is givenName, but you can change it to any AD property.
The default AD property is sn, but you can change it to any AD property.
For more information on user properties, see MSDN Library
User Object User Interface Mapping (Windows).
Ektron Administrator Group Association
Also, if any Ektron user or group names include a domain (for example, firstname.lastname@example.org) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain.
Active Directory Authentication is Enabled and Requires More Configuration—Some Ektron users are not associated with AD users. Also, if you are using full active directory integration mode, user groups and/or user group relationships may not be associated.
Active Directory Authentication is disabled, but needs further configuration—Some Ektron users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, 2 users or groups can no longer share a name—each must be unique.
Use the Active Directory Status screen to identify and resolve discrepancies between Ektron and AD.
Any combination of messages may appear, depending on which issues require resolution. The following procedure provides steps to resolve all 3 issues.
If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.
The screen also displays the following buttons.
If you cannot easily find users on the View Users screen, use the search function.
The View User Groups Screen displays all AD user groups that have been imported to Ektron.
This section explains importing AD user information when integration is first enabled and on an ongoing basis.
AD user information is initially imported to Ektron in different ways depending on whether:
For a populated Ektron database:
Eng.Example.com and JDoe in Mkt.Example.com) and that username (JDoe) also exists in Ektron, the Active Directory Setup and Active Directory Status screens indicate this discrepancy via this message: CMS users need to be associated with Active Directory users.
For an Ektron database with only a few users, go to the Search Active Directory for Users screen and select AD users that will use Ektron. You can only select AD users that do not exist in Ektron. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain. When you add a user, AD information is imported to Ektron. See also: Viewing and Searching for Users.
You can also manually add AD users to Ektron:
When AD integration has been established, new AD user information is imported to Ektron when either of these events occurs:
Maintenance tasks include:
If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. For more information, see Editing the Builtin Username and Password.
This section explains how a user’s group membership is imported from AD to Ektron after integration is enabled. When assigned to a group, the user automatically receives all Ektron permissions and
NOTE: Active Directory has 2 kinds of user groups: security and distribution. Ektron does not distinguish between them. As long as a user is a member of either kind of group, group information can be imported to Ektron.
NOTE: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.
Users' membership in AD groups is imported to Ektron in different ways depending on the state of existing Ektron user groups.
In the case of a discrepancy between AD and Ektron user groups:
Alternatively, if Enable automatic addition of user to groups field is unchecked, you can add the user to (or remove the user from) groups independently of AD group memberships.
On the Active Directory Setup screen, you identify the AD group that maps to the Ektron Administrator group using a syntax of AD group name@AD domain. Members of this group receive administrator privileges. See also: Administrator Role Privileges.
If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.
Note that only one AD group can be mapped to the Ektron Administrator group. You cannot have an AD administrator group within each AD domain.
NOTE: Unlike other Ektron user groups, whose names are imported from AD, the Ektron Administrator and Everyone group names cannot be changed.
Maintenance tasks include:
When you disable AD integration, domain names are dropped, which may cause user and user group names to not be unique. For example, 2 users are named JJackson@example.com. When AD is enabled, domain names make the users and user groups unique. However, when AD is disabled and domain names are dropped, the names are now identical. You need to make the users and user groups unique.
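The Active Directory Setup and Status screens report two kinds of discrepancy described on this page: Ektron users that cannot be associated with exactly one AD user (no match, or the same logon name in several domains, as with JDoe above), and names that stop being unique once AD is disabled and the domain part is dropped. The following is an added example, not Ektron's own code, that reproduces both checks over constructed sample data; the name formats ("user" or "user@domain") and case-insensitive matching of logon names are assumptions made for the illustration.

```python
# Constructed sample data (not from a real directory). AD users are
# (logon name, domain); Ektron users are "name" or "name@domain".
ACTIVE_DIRECTORY_USERS = [
    ("JDoe", "Eng.Example.com"),
    ("JDoe", "Mkt.Example.com"),
    ("ASmith", "Eng.Example.com"),
    ("JJackson", "Example.com"),
]

EKTRON_USERS = [
    "JDoe",                      # logon name exists in two AD domains: must be associated by hand
    "ASmith@Eng.Example.com",    # matches exactly one AD user
    "JJackson@Example.com",      # matches exactly one AD user
    "JJackson@Eng.Example.com",  # no such AD user; also collides with the line above once domains are dropped
    "BLee",                      # no AD user at all
]


def split_user(name):
    """Split 'user@domain' into (user, domain); domain is None when absent.
    Domains are lower-cased because DNS names are case-insensitive (assumption)."""
    user, sep, domain = name.partition("@")
    return user, (domain.lower() if sep else None)


def needs_association(ektron_users, ad_users):
    """Map each Ektron user that cannot be tied to exactly one AD user to the reason."""
    domains_by_logon = {}
    for logon, domain in ad_users:
        domains_by_logon.setdefault(logon.lower(), set()).add(domain.lower())
    flagged = {}
    for name in ektron_users:
        user, domain = split_user(name)
        domains = domains_by_logon.get(user.lower(), set())
        if domain is not None:
            if domain not in domains:
                flagged[name] = "no AD user"
        elif not domains:
            flagged[name] = "no AD user"
        elif len(domains) > 1:
            flagged[name] = "ambiguous: logon name exists in " + ", ".join(sorted(domains))
    return flagged


def non_unique_after_disable(ektron_users):
    """Names that collide when AD is disabled and the domain part is dropped."""
    groups = {}
    for name in ektron_users:
        user, _ = split_user(name)
        groups.setdefault(user.lower(), []).append(name)
    return {logon: names for logon, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for name, reason in needs_association(EKTRON_USERS, ACTIVE_DIRECTORY_USERS).items():
        print(f"associate: {name} ({reason})")
    for logon, names in non_unique_after_disable(EKTRON_USERS).items():
        print(f"not unique without domains: {logon} -> {names}")
```

Run the second check before disabling AD integration: every entry it returns is a user (or, with the same logic, a group) you must rename first, because the disabled-mode message on the Status screen refers to exactly these collisions.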
To disable AD authentication or integration:
In user authentication mode, AD is used only to authenticate users logging in to Ektron. User groups are managed within Ektron, not AD.
Ektron does not write to AD; it only reads from it. This changes how usernames, domains, and passwords are handled in Ektron.
Ektron refers to the following AD authentication information during sign-in: password, user logon name, and domain. Ektron does not store the password; Ektron only refers to it during sign-in.
Adding user information in user authentication mode is the same as in AD integration mode.
If a user’s logon name changes in AD, it no longer matches the Ektron logon name. This discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. Go to the Associate CMS Users to Active Directory Users screen, where you can update the user information.
Alternatively, you could:
See also: Maintaining AD User Information.
Ektron does not write to AD. This means that you can only change the Username and Domain fields from AD. You can edit the following fields on the Ektron Edit User screen:
IMPORTANT: If you replace a user in user authentication-only mode, the user’s first name, last name, and email address are not overwritten with information in AD.
Because the scope of user authentication mode is limited to authentication, only some fields on AD Integration screens are used:
The Single Sign On feature retrieves a user’s Active Directory login information to authenticate access to Ektron. The user does not need to enter a password. Upon clicking Login, the user is immediately logged in.
Single Sign On uses a variable called User.Identity.Name. This maintains the user's account and domain in Active Directory and has the format [domain]\[username]. For example, EKTRON1\ssmith. The variable's value is set when a user authenticates against a Windows server.
When a user clicks the Login server control (a server control uses API language to interact with the CMS and Framework UI to display the output; a server control can be dragged and dropped onto a Web form and then modified), if the variable passes successfully and Active Directory is enabled, the server control opens the autologin.aspx page. Next, the opening window refreshes like a normal login, except the user is not prompted for a username, password, and domain.
However, if the user‘s computer is not on a domain, not on the same domain as Ektron, or does not include the Ektron server as a trusted site, a login screen appears.
If Active Directory is not enabled, the normal login.aspx page appears.
Single Sign On also uses the autologin.aspx page in the workarea/SSO directory. When set up, user authentication is enabled from any domain that this server can reach. For example, if Ektron is located in a third-level domain, users from third, second, and first level domains can authenticate.
NOTE: Single Sign On may not work directly on servers, due to security settings on the server and its browser. Try a different machine and make sure it works elsewhere before troubleshooting further.
After completing the procedures in this section, enable Active Directory within Ektron (if it isn’t already enabled). See also: Setting Up Active Directory. Within that, enable the automatic addition of users and groups.
To allow membership users to use Single Sign On, see Authenticating Membership Users with AD or LDAP. When enabling this functionality, create one login page for Ektron users and another for membership users. For example, use the membership user login as the front-facing login, and then secure a
/cmslogin.aspx for Ektron users. Next, secure the login with IIS security because Windows authentication only allows the Ektron administrators group in AD to read permissions on the
Follow these procedures to set up Single Sign On.
ek_AUTH_Protocol element and change its value to LDAP.
<add key="ek_AUTH_Protocol" value="LDAP" />
authentication element and change the value of authentication mode to Windows.
<authentication mode="Windows" />
<identity impersonate="false" userName="" password=""/>
If the status of Windows Authentication is Not Installed, click Add Role Services. The Add Role Services screen appears.
This sample shows how to modify the Login server control (a server control uses API language to interact with the CMS and Framework UI to display the output; it can be dragged and dropped onto a Web form and then modified) to accommodate Single Sign On.
<cms:login runat="server" AutoLogin="True" AutoAddType="Author" id="cmslogin" />
If you want to use Active Directory in a multi-site environment, set the value of the
true. When this setting is enabled, a user can log into one site then immediately access other sites without having to log in again.
If subdomains are deeply nested (for example, uk.store.mycompany.com), Ektron may be unable to identify the parent domain. In this case, users cannot use single sign on to access subdomains.
If that happens, use the ek_UseDomain key to explicitly specify the parent domain. Precede the parent domain value with a period (.). For example, <add key="ek_UseDomain" value=".mycompany.com" />.
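The Single Sign On settings from this section (ek_AUTH_Protocol set to LDAP, Windows authentication, impersonation off, and an ek_UseDomain value that starts with a period), the [domain]\[username] format of User.Identity.Name, and the choice between autologin.aspx and login.aspx can all be exercised offline. The following is an added example, not Ektron's own code: the two web.config fragments are constructed, and the page-selection function models only the behaviour described above (identity present and AD enabled opens autologin.aspx; otherwise the login screen appears).

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real deployment): the settings this section
# asks for, plus ek_UseDomain for a site on a nested subdomain.
SAMPLE_SSO_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_AUTH_Protocol" value="LDAP"/>
    <add key="ek_UseDomain" value=".mycompany.com"/>
  </appSettings>
  <system.web>
    <authentication mode="Windows"/>
    <identity impersonate="false" userName="" password=""/>
  </system.web>
</configuration>
"""

# Constructed sample with three defects: Forms authentication, protocol GC,
# and an ek_UseDomain value without the leading period.
SAMPLE_BROKEN_SSO_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_ADEnabled" value="true"/>
    <add key="ek_AUTH_Protocol" value="GC"/>
    <add key="ek_UseDomain" value="mycompany.com"/>
  </appSettings>
  <system.web>
    <authentication mode="Forms"/>
    <identity impersonate="false" userName="" password=""/>
  </system.web>
</configuration>
"""


def parse_identity_name(identity_name):
    """Split a User.Identity.Name such as 'EKTRON1\\ssmith' into (domain, username).
    Returns (None, None) when the value is empty or not in [domain]\\[username] form,
    which is what a workstation outside the domain produces."""
    if not identity_name or "\\" not in identity_name:
        return None, None
    domain, _, user = identity_name.partition("\\")
    return (domain, user) if domain and user else (None, None)


def sso_login_page(identity_name, ad_enabled):
    """Page the Login control opens: autologin.aspx only when Windows supplied an
    identity and Active Directory is enabled; otherwise the normal login.aspx."""
    _, user = parse_identity_name(identity_name)
    return "autologin.aspx" if (ad_enabled and user) else "login.aspx"


def lint_sso_config(config_xml):
    """Return the list of web.config settings that would stop Single Sign On working."""
    root = ET.fromstring(config_xml)
    settings = {e.get("key"): e.get("value", "") for e in root.iterfind(".//appSettings/add")}
    findings = []
    if settings.get("ek_ADEnabled", "false").lower() != "true":
        findings.append("ek_ADEnabled must be true")
    if settings.get("ek_AUTH_Protocol") != "LDAP":
        findings.append("ek_AUTH_Protocol must be LDAP for Single Sign On")
    auth = root.find(".//authentication")
    if auth is None or auth.get("mode") != "Windows":
        findings.append('<authentication mode="Windows"/> is required')
    ident = root.find(".//identity")
    if ident is None or ident.get("impersonate", "").lower() != "false":
        findings.append('<identity impersonate="false"> is required')
    use_domain = settings.get("ek_UseDomain")
    if use_domain is not None and not use_domain.startswith("."):
        findings.append("ek_UseDomain must start with a period, for example .mycompany.com")
    return findings


if __name__ == "__main__":
    print(parse_identity_name("EKTRON1\\ssmith"))
    print(sso_login_page("EKTRON1\\ssmith", ad_enabled=True))
    print(sso_login_page("", ad_enabled=True))
    print(lint_sso_config(SAMPLE_BROKEN_SSO_CONFIG))
```

When a user reports that the login form appears instead of automatic sign-in, check the identity first (the LOGON_USER code-behind in the troubleshooting note gives the same value from the server side) and only then the configuration: an empty identity points at the workstation or browser trust settings, a lint finding points at web.config.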
When troubleshooting user login with Single Sign On, use the following code-behind. If this .NET code cannot get the user login, then Ektron cannot either.
Response.Write("UserName:" & Request.ServerVariables("LOGON_USER"))
An Active Directory configuration does not get synchronized.
In an eSync environment, add all users to one environment. Then, sync the users if multiple servers are using AD login.