
DNN-Connect Blogs

Integrating Active Directory with DNN

Ever wondered what Microsoft Active Directory (AD) is? Or why it matters to DNN? The goal of this post is to give you an overview of what AD is and how it can integrate with your DNN website or intranet to make managing your site users and security easier.


This blog entry is intended for:

  • DNN Platform admins

  • Active Directory admins

Overview

Microsoft Active Directory (AD) is the leading identity management platform for companies. AD has powerful identity management processes that help you manage your users, groups and resources in a centralised, secure corporate directory. Active Directory integrated with DNN gives you powerful, seamless capabilities to control real-time access to your DNN site directly from Active Directory.


The standard approach for managing users in DNN is to use the native, isolated user store that is maintained within the confines of the DNN application. This is what comes out of the box. But if your employees already use AD accounts to access your company network you might want to avoid having two completely disconnected user directories.


When an employee joins, leaves or changes roles within the organization, their accounts and access to applications must be added, removed or modified. When this does not occur in a timely manner, the organization is exposed to the risk of accidental or intentional behaviors that can lead to security breaches or the disclosure of sensitive information. So you really want to control access to all your company websites with a single login controlled by Active Directory as the single point of truth for user identity. This allows for the automatic provisioning, updating and deleting of user accounts in your DNN site whenever the user logs in, without the need for administrators to make manual changes in your DNN or Evoq site.

Concept

Below is a simple illustration showing how DNN Platform can integrate with Active Directory. In this solution we are relying on LDAP (Lightweight Directory Access Protocol) to consume information from Active Directory.


  • The Active Directory server exposes the AD user data store over the LDAP protocol.

  • DNN Platform is hosted on an IIS server that is a member of the Active Directory domain.

  • Corporate users (employees) are automatically signed in to DNN Platform.

  • Clients connecting over the Internet can still view the DNN website as a Guest or as a Registered User (if they sign in to DNN manually).

Advantages

  • Leverage investments in the Active Directory and DNN.

  • One source of authority and group information, which is Active Directory.

  • One password for DNN and Active Directory account means reduced IT workload and increased security. Passwords are not stored in DNN.

  • Self Service Password Reset - when the Active Directory password is expiring, let your users update their own passwords.

  • Centralized audit trail – all sign-in tasks are stored in one place which is Active Directory logs, which simplifies compliance and enables cross-application analysis.

  • The approach leverages Microsoft’s Integrated Windows Authentication to authenticate users to DNN when they are logged in to their office computer. When employees are on the corporate network and signed in with their Windows credentials, they can use desktop single sign-on to auto-login (from a PC or Mac) and get one-click access to their web applications. There’s no need for additional usernames or passwords, just like with on-premises apps.

  • Increased security and greater peace of mind.

Implementation

All the features mentioned above can be easily implemented in your DNN with one of the following modules:

  • Paid “AD-Pro Authentication” module.

  • Free “Auth: Active Directory” module.


“AD-Pro Authentication” is an option for customers that have more unique needs.

Corporate Users Need AD-Pro

Below are a few of the benefits that “AD-Pro Authentication” can provide for your users:

  • New Active Directory users can immediately sign into DNN and start work.

  • When employees or contractors leave the company, the corresponding Active Directory user accounts are disabled; “AD-Pro Authentication” then blocks access for those users immediately, preventing unauthorized access and data loss.

  • Active Directory profile fields such as username, email address, first name and profile picture are pushed to DNN during sign-in. You can also easily configure which fields need to be synced, including custom Active Directory profile fields.

  • You can specify which Active Directory groups should be imported into DNN. This is done via the “Role Manager”, which allows you to create advanced mappings between AD groups and DNN roles. For example: if an AD user belongs to the group “Sales”, assign them to the DNN roles “Employee” and “Sales”.

  • “Role Manager” allows you to define “Authorization group(s)”. Only AD users who belong to one of the “Authorization Groups” will be able to log in to DNN.

  • "AD-Pro Authentication" supports Integrated Windows Authentication (IWA) also known as Single Sign On (SSO).

  • "AD-Pro Authentication" lets one DNN installation serve multiple platforms and companies, because the module can work with multiple Active Directory domains.

  • When an Active Directory user with an expired password tries to sign in to DNN, they are prompted to enter the existing password and a new password. Once the user enters a valid new password, they are signed in to DNN.

  • The complexity of a new password is defined by the AD security policies, which define attributes such as the minimum password length, whether the password must contain digits or special characters, how often the password expires and how long reuse of old passwords is prevented.


Note: Active Directory user passwords are never saved in DNN. You can be sure that passwords are not stored anywhere outside the Active Directory.
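The access decisions listed above (disabled AD account, authorization group membership, group-to-role mapping, forced password change) can be sketched as one policy function over the attributes an LDAP lookup returns. This is an added illustration, not code from the AD-Pro module or DNN; the group names, role mappings and user records are constructed, and the `userAccountControl`/`pwdLastSet` semantics are standard AD attribute meanings.

```python
# Added example (not the AD-Pro module's own code): a simulated sign-in decision
# over the AD attributes an LDAP lookup returns. Group names, mappings and users
# below are constructed for illustration.
ACCOUNTDISABLE = 0x0002  # userAccountControl bit that marks a disabled AD account

# Hypothetical "Role Manager" mapping: AD group CN -> DNN roles to assign
GROUP_TO_ROLES = {
    "Sales": ["Employee", "Sales"],
    "Engineering": ["Employee", "Engineering"],
}
# Only members of at least one of these AD groups may sign in at all
AUTHORIZATION_GROUPS = {"Sales", "Engineering"}

def group_cn(dn):
    """CN of a group DN, e.g. 'CN=Sales,OU=Groups,DC=corp,DC=example' -> 'Sales'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if first.upper().startswith("CN=") else first

def evaluate_sign_in(user):
    """Return (allowed, reason, dnn_roles, profile) for one AD user record."""
    # Disabled in AD -> blocked at once, regardless of what the group mapping says
    if user["userAccountControl"] & ACCOUNTDISABLE:
        return False, "account disabled in AD", [], {}
    groups = {group_cn(dn) for dn in user.get("memberOf", [])}
    if not groups & AUTHORIZATION_GROUPS:
        return False, "not a member of any authorization group", [], {}
    # pwdLastSet == 0 is AD's "must change password at next logon": sign-in
    # completes only after the user supplies a new password meeting AD policy
    if user.get("pwdLastSet", 1) == 0:
        return False, "password change required before sign-in", [], {}
    roles = sorted({r for g in groups for r in GROUP_TO_ROLES.get(g, [])})
    profile = {"username": user["sAMAccountName"], "email": user["mail"],
               "first_name": user["givenName"], "last_name": user["sn"]}
    return True, "ok", roles, profile

def ad_user(name, first, last, uac, groups, pwd_last_set=1):
    """Constructed AD-style record (pwdLastSet is a FILETIME; 0 = must change)."""
    return {"sAMAccountName": name, "mail": f"{name}@corp.example", "givenName": first,
            "sn": last, "userAccountControl": uac, "pwdLastSet": pwd_last_set,
            "memberOf": [f"CN={g},OU=Groups,DC=corp,DC=example" for g in groups]}

SAMPLE_USERS = {
    "jdoe": ad_user("jdoe", "Jane", "Doe", 0x200, ["Sales"]),           # normal account
    "bleft": ad_user("bleft", "Bob", "Left", 0x202, ["Sales"]),         # disabled (0x2 set)
    "ctemp": ad_user("ctemp", "Cy", "Temp", 0x200, ["Marketing"]),      # no authorization group
    "nnew": ad_user("nnew", "Nia", "New", 0x200, ["Engineering"], 0),   # must change password
}
```

Note that the password itself never enters this logic: the bind against AD verifies it, and DNN only receives the attributes and the resulting roles.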

Summary

Integrating your DNN site with Microsoft Active Directory helps you with:

  • Authenticating users.

  • Creating and deleting user accounts.

  • Storing user accounts and passwords in Active Directory rather than in DNN.

  • Calling enterprise directories to look up user identity details.

  • Integrating with identity systems from other platforms or companies.


Reference

Auth: Active Directory free DNN plugin

AD-Pro Authentication paid DNN plugin

User Guide with more info about the “AD-Pro Authentication” plugin

For more information on the full suite of modules, visit http://modules.glanton.com/Active-Directory

Automatic Sign On (SSO) https://en.wikipedia.org/wiki/Integrated_Windows_Authentication

Info about LDAP protocol https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol


