Saturday, October 5, 2013
Configuring Active Directory Membership

Code On Time web application generator allows using Microsoft Active Directory for authentication and role membership.

Configuring Active Directory Authentication

Create a new Web Site Factory application. When configuring the Authentication and Membership screen, click the checkbox next to “Enable Active Directory authentication…”. The Active Directory Configuration textbox will be displayed below the checkbox with a sample configuration.

Enabling Active Directory authentication and role provider and specifying the configuration properties.

Replace the highlighted values in the picture above with the address of the server and login details of the administrative account that will be used for interaction with the Active Directory.

An example of an actual Active Directory configuration.

Specify the type of store to which the principal belongs (ApplicationDirectory, Domain, or Machine) by adding a “Context Type = [Type]” line. If it is not specified, the context type Machine is assumed.

Additional Active Directory Membership Provider configuration properties may also be specified in the format “Property Name = Value”.

Continue to generate the web application. You may now log in using your AD credentials. Note that the first login may take some time to complete. A dynamic wait indicator will be displayed as the request is being processed.

Logging into the web app using AD credentials.

User Roles

Interactions with the Active Directory may be time-consuming. The application will cache roles obtained from the Active Directory for 10 minutes by default.

You can also specify a custom blacklist and whitelist to limit the roles that are recognized by the application.

The following configuration properties control role management.

Enable Role Cache
Description: Enables or disables caching of user roles.
Default value: True

Role Cache Time In Minutes
Description: Specifies the number of minutes after which cached user roles expire.
Default value: 10

Role Blacklist
Description: Specifies an optional list of roles that will not be recognized by the application.
Default value: (empty)

Role Whitelist
Description: Specifies an optional list of roles. If this list is not empty, the application will recognize only the roles listed in the whitelist.
Default value: (empty)

The properties can be specified in the Active Directory configuration as shown in the picture below:

Example of role configuration properties.

The following Active Directory roles assigned to user accounts are blacklisted by default. The Role Blacklist property extends this default list of exceptions.

Domain Guests
Domain Computers
Group Policy Creator Owners
Guests
Domain Users
Pre-Windows 2000 Compatible Access
Exchange Domain Servers
Schema Admins
Enterprise Admins
Domain Admins
Cert Publishers
Backup Operators
WINS Users
DnsAdmins
DnsUpdateProxy
DHCP Users
DHCP Administrators
Exchange Services
Exchange Enterprise Servers
Remote Desktop Users
Network Configuration Operators
Incoming Forest Trust Builders
Performance Monitor Users
Performance Log Users
Windows Authorization Access Group
Terminal Server License Servers
Distributed COM Users
MTS Impersonators
Everyone
LOCAL
Authenticated Users
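The following Python model is an added example, not code from Code On Time or the generated application. It ties together the pieces described above: parsing the “Property Name = Value” configuration text, extending the default blacklist with Role Blacklist, applying Role Whitelist when it is not empty, and caching roles per user for Role Cache Time In Minutes. The Server, User Name and Password property names and the example.local values are constructed assumptions, as is the rule that a whitelisted role must also not be blacklisted; the page states only that the whitelist limits recognition when present.

```python
import time
from typing import Callable, Dict, List, Optional

# Constructed configuration text in the "Property Name = Value" format.
# "Server", "User Name" and "Password" are assumed key names (not documented on the page);
# "Context Type" and the role properties are the names the page gives.
SAMPLE_CONFIG = """
Server = dc01.example.local
User Name = svc-webapp
Password = <placeholder-secret>
Context Type = Domain
Enable Role Cache = True
Role Cache Time In Minutes = 10
Role Blacklist = Print Operators, Account Operators
Role Whitelist =
"""

# Roles the page lists as blacklisted by default.
DEFAULT_BLACKLIST = [
    "Domain Guests", "Domain Computers", "Group Policy Creator Owners", "Guests",
    "Domain Users", "Pre-Windows 2000 Compatible Access", "Exchange Domain Servers",
    "Schema Admins", "Enterprise Admins", "Domain Admins", "Cert Publishers",
    "Backup Operators", "WINS Users", "DnsAdmins", "DnsUpdateProxy", "DHCP Users",
    "DHCP Administrators", "Exchange Services", "Exchange Enterprise Servers",
    "Remote Desktop Users", "Network Configuration Operators",
    "Incoming Forest Trust Builders", "Performance Monitor Users",
    "Performance Log Users", "Windows Authorization Access Group",
    "Terminal Server License Servers", "Distributed COM Users", "MTS Impersonators",
    "Everyone", "LOCAL", "Authenticated Users",
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Property Name = Value' lines into a dict keyed by lower-cased name."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"malformed configuration line: {raw!r}")
        name, value = line.split("=", 1)  # split on the first '=' only; values may contain '='
        props[name.strip().lower()] = value.strip()
    return props


def parse_list(value: Optional[str]) -> List[str]:
    """Comma-separated role list; an empty or missing value yields an empty list."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def filter_roles(ad_roles: List[str], props: Dict[str, str]) -> List[str]:
    """Drop default and configured blacklist roles; if a whitelist is set, keep only those."""
    blacklist = {r.casefold() for r in DEFAULT_BLACKLIST}
    blacklist |= {r.casefold() for r in parse_list(props.get("role blacklist"))}
    whitelist = {r.casefold() for r in parse_list(props.get("role whitelist"))}
    kept = []
    for role in ad_roles:
        key = role.casefold()  # AD group names are case-insensitive
        if key in blacklist:
            continue
        if whitelist and key not in whitelist:
            continue
        kept.append(role)
    return kept


class RoleCache:
    """Per-user role cache honouring Enable Role Cache and Role Cache Time In Minutes."""

    def __init__(self, props: Dict[str, str], now: Callable[[], float] = time.monotonic):
        self.enabled = props.get("enable role cache", "True").casefold() == "true"
        self.ttl_seconds = 60 * int(props.get("role cache time in minutes", "10"))
        self._now = now
        self._entries: Dict[str, tuple] = {}

    def get(self, user: str) -> Optional[List[str]]:
        entry = self._entries.get(user) if self.enabled else None
        if entry is None:
            return None
        roles, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[user]  # expired: force a fresh directory lookup
            return None
        return list(roles)

    def put(self, user: str, roles: List[str]) -> None:
        if self.enabled:
            self._entries[user] = (list(roles), self._now() + self.ttl_seconds)


def resolve_roles(user: str, lookup_ad: Callable[[str], List[str]],
                  cache: RoleCache, props: Dict[str, str]) -> List[str]:
    """Return the recognised roles for a user, consulting the directory only on a cache miss."""
    cached = cache.get(user)
    if cached is not None:
        return cached
    roles = filter_roles(lookup_ad(user), props)
    cache.put(user, roles)
    return roles
```

The caching behaviour has a defender-side consequence worth checking in any deployment: a user removed from an AD group keeps that role in the application until the cached entry expires, so the cache time is the upper bound on how long a revoked group membership remains effective.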