
Active Directory Integration

March 6, 2019

Applies to: Carousel 7.0.+

Note: This article is intended for server administrators as it involves changing connection strings and working with Active Directory settings and configuration. We will not explain concepts of LDAP or Active Directory in this article. Tightrope Support is unable to provide direct support of this process, only direction. We do offer a paid Active Directory assistance package if you wish for a guided setup with a member of our team, contact your dealer or sales contact.

Integration Explanation

FrontDoor by default creates users locally using the TrmsMembershipProvider, which stores all users in the local SQL database. For ease of user management in large or corporate environments there is an option to connect to an existing Active Directory by using the ADMembershipProvider and creating specific groups. You can switch membership providers at any time, but you will be unable to use the accounts of the provider that is not in use. For example, if you switched to ADMembershipProvider, any local accounts made in TrmsMembershipProvider, including the default admin account, would not be able to log in. We use ASP.NET forms-based authentication with custom Active Directory authentication in the background, instead of IIS's built-in NT Integrated Authentication. We do this because IIS Integrated Authentication only works if you are using Internet Explorer on a Windows machine. With forms-based authentication we can still use the domain to authenticate users, while remaining compatible with all web browsers and platforms. Since forms-based authentication sends the password to the web server in cleartext, you should install a TLS/SSL certificate on the web server and run HTTPS to protect it in transit.

Active Directory Settings

To connect to Active Directory we first need to create a service account that can query the domain controller and be used to run the IIS application pools. For this article I will use an account called CarouselSA as an example, but it can be named anything. This service account does not need to be part of any groups and should not be a domain admin. If you would like for the service account to run all aspects of Carousel on the server see this article on "How to run Carousel under a Service Account."


Next, create the following AD groups (note that these are hard-coded and are case sensitive):

TRMS_Users

TRMS_Admins


Make any users that should have access to log into Carousel members of TRMS_Users. For any users that need to have full administrator rights make them members of both TRMS_Users and TRMS_Admins.
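The service account and group setup described above can also be scripted. The following is an added example, not part of the original article or Tightrope's own tooling; it uses the ActiveDirectory PowerShell module (RSAT) and must be run by an account allowed to create users and groups. The OU paths, the UPN suffix and the sample user names are constructed for this example; the account and group names are the article's.

```powershell
# Added example: create the CarouselSA service account and the two hard-coded groups,
# add members, and check the two constraints the article states.
Import-Module ActiveDirectory

$ServiceAccountOU = 'OU=Service Accounts,DC=ad,DC=example,DC=com'   # assumed OU
$GroupsOU         = 'OU=Groups,DC=ad,DC=example,DC=com'             # assumed OU

# 1. Service account: a plain user with no group memberships beyond Domain Users.
#    It only queries the domain and runs the IIS application pools.
$pw = Read-Host -AsSecureString -Prompt 'Password for CarouselSA'
New-ADUser -Name 'CarouselSA' -SamAccountName 'CarouselSA' `
    -UserPrincipalName 'CarouselSA@ad.example.com' -Path $ServiceAccountOU `
    -AccountPassword $pw -Enabled $true -PasswordNeverExpires $true `
    -CannotChangePassword $true -Description 'Carousel/FrontDoor IIS service account'

# 2. The group names are hard-coded in FrontDoor and case sensitive, so create them exactly.
foreach ($g in 'TRMS_Users', 'TRMS_Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global `
            -GroupCategory Security -Path $GroupsOU
    }
}

# 3. Membership: every FrontDoor user goes in TRMS_Users; administrators also in TRMS_Admins.
#    bob.johnson and alice.smith are constructed sample users.
Add-ADGroupMember -Identity 'TRMS_Users'  -Members 'bob.johnson', 'alice.smith'
Add-ADGroupMember -Identity 'TRMS_Admins' -Members 'alice.smith'

# 4. Checks: the service account must not be a domain admin, and every TRMS_Admins
#    member must also be in TRMS_Users or they cannot log in at all.
$saGroups = (Get-ADPrincipalGroupMembership -Identity 'CarouselSA').Name
if ($saGroups -contains 'Domain Admins' -or $saGroups -contains 'Administrators') {
    Write-Warning 'CarouselSA is a member of a privileged group; remove it before continuing.'
}
$users  = (Get-ADGroupMember -Identity 'TRMS_Users').SamAccountName
$admins = (Get-ADGroupMember -Identity 'TRMS_Admins').SamAccountName
foreach ($a in $admins) {
    if ($users -notcontains $a) {
        Write-Warning "$a is in TRMS_Admins but not in TRMS_Users and will not be able to log in."
    }
}
```

The script reads only direct group members; the article does not say whether FrontDoor expands nested groups, so keep users as direct members of both groups.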

Carousel Server Settings

1. Join the Carousel Server to your Domain.

2. Run the IIS ApplicationPools for all sites as the CarouselSA service account.

      Open "Internet Information Services (IIS) Manager" (or Run inetmgr).

      Expand the server under the connection pane on the left and click ApplicationPools.

      Find any ApplicationPools that are running Applications as indicated by the "Applications" column.

      Right-click the first ApplicationPool that's running an application and select "Advanced Settings."

      Scroll down to the "Process Model" section, click "Identity" and press the [...] icon.

      Change the Application Pool Identity to Custom Account and press set.

      The User Name will be your domain\account, so for this example TRMS\CarouselSA. Enter the account's AD password twice, then press OK until all dialog boxes are closed.

      Repeat for any remaining ApplicationPools that are running Applications as indicated by the "Applications" column.

      Restart IIS by clicking the server name in the connection pane on the left then click Restart under the actions pane on the right.
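The same change can be made from an elevated PowerShell prompt on the Carousel server. This is an added example, not from the article; it uses the WebAdministration module that ships with IIS and the article's example domain TRMS. The password is requested interactively rather than stored in the script.

```powershell
# Added example: run every application pool that hosts a site or application as the
# CarouselSA service account, restart IIS, and verify the result.
Import-Module WebAdministration

$cred = Get-Credential -UserName 'TRMS\CarouselSA' -Message 'Service account password'
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

# Pools "running applications" are those referenced by a site root or a nested application.
$inUse = (@((Get-Website).applicationPool) + @((Get-WebApplication).applicationPool)) |
    Where-Object { $_ } | Sort-Object -Unique

foreach ($pool in $inUse) {
    # identityType 3 = SpecificUser, the same as "Custom account" in IIS Manager.
    Set-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel -Value @{
        userName     = $user
        password     = $pass
        identityType = 3
    }
    Write-Host "$pool -> $user"
}

# Same effect as the Restart action in IIS Manager.
Restart-Service -Name W3SVC -Force

# Verify: every in-use pool should report SpecificUser with the expected user name.
foreach ($pool in $inUse) {
    $pm = Get-ItemProperty -Path "IIS:\AppPools\$pool" -Name processModel
    '{0,-30} {1,-15} {2}' -f $pool, $pm.identityType, $pm.userName
}
```

Pools that host no site or application are left alone, matching the manual procedure.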

3. Modify the C:\TRMS\Configuration\connectionStrings.config file with the correct LDAP server.

      Specifically, change ad.example.com in this line: <add name="ADConnectionString" connectionString="LDAP://ad.example.com" providerName="System.Data.SqlClient" />

      If you need to use LDAPS, add port 636 to the connection string, like so: "LDAP://ad.example.com:636"

      If your users are not located in the default Users location in AD, you'll need to modify your connection string with the correct location. Base changes off this example:

<add name="ADConnectionString" connectionString="LDAP://ad.corp.example.com/OU=Users,DC=AD,DC=Corp,DC=Example,DC=com" providerName="System.Data.SqlClient" />

      Please review online resources for additional AD connection string requirements.

4. Modify the C:\TRMS\Configuration\membership.config file to switch membership providers.

      Change <membership defaultProvider="TrmsMembershipProvider"> to <membership defaultProvider="ADMembershipProvider">

      Remove the following lines:

                  <!-- Sample Active Directory Membership Config

                   connectionUsername="test@trms.com"

                   connectionPassword="trms140"

                   -->

      The connectionUsername and connectionPassword are used only if you do not run the ApplicationPools as your service account. Putting the username and password in membership.config does work, but the credentials would be stored in plaintext on disk, so it is not advised.

5. Save your changes to connectionStrings.config and membership.config if you haven't already, then attempt to log into FrontDoor using the format username@domain.com.

Additional settings and options

By default, users log into FrontDoor using their UserPrincipalName, such as “bob.johnson@mydomain.com”. If you would prefer, you can set FrontDoor to use the SAMAccountName. To enable this, add attributeMapUsername="sAMAccountName" to the ADMembershipProvider section of the membership.config file.

If your setup requires it, add the following two lines to the membership.config file in the ADMembershipProvider section:

minRequiredPasswordLength="8"

minRequiredNonAlphanumericCharacters="0"
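Steps 3 and 4 and the optional settings above can be applied with PowerShell's XML support instead of a text editor. This is an added example, not from the article or Tightrope; the file paths are the article's, but the layout of the provider entry (a <providers><add name="ADMembershipProvider" .../> element) is the standard ASP.NET membership layout and is an assumption about membership.config, as are the sample server and OU values. The script backs up both files, rewrites ADConnectionString, switches the default provider, and strips any connectionUsername/connectionPassword attributes so no domain credentials remain on disk.

```powershell
# Added example: apply the connectionStrings.config and membership.config changes.
param(
    [string]$LdapServer = 'ad.corp.example.com',                      # constructed
    [string]$SearchBase = 'OU=Users,DC=AD,DC=Corp,DC=Example,DC=com',  # constructed; '' = default Users location
    [switch]$UseLdaps,            # append :636 for LDAPS
    [switch]$UseSamAccountName    # log in with sAMAccountName instead of UPN
)
$csPath = 'C:\TRMS\Configuration\connectionStrings.config'
$mbPath = 'C:\TRMS\Configuration\membership.config'
Copy-Item -Path $csPath -Destination "$csPath.bak" -Force
Copy-Item -Path $mbPath -Destination "$mbPath.bak" -Force

# --- connectionStrings.config: point ADConnectionString at the right server and OU ---
[xml]$cs = Get-Content -Path $csPath -Raw
$server = if ($UseLdaps) { "${LdapServer}:636" } else { $LdapServer }
$conn = $cs.connectionStrings.add | Where-Object { $_.name -eq 'ADConnectionString' }
if (-not $conn) { throw 'ADConnectionString not found in connectionStrings.config' }
$conn.connectionString = if ($SearchBase) { "LDAP://$server/$SearchBase" } else { "LDAP://$server" }
$cs.Save($csPath)

# --- membership.config: switch provider and make sure no credentials are embedded ---
[xml]$mb = Get-Content -Path $mbPath -Raw
$mb.membership.defaultProvider = 'ADMembershipProvider'
$ad = $mb.membership.providers.add | Where-Object { $_.name -eq 'ADMembershipProvider' }
if (-not $ad) { throw 'ADMembershipProvider element not found in membership.config' }

# With the application pools running as the service account these attributes are
# unnecessary; if present they are plaintext domain credentials on disk, so remove them.
foreach ($attr in 'connectionUsername', 'connectionPassword') {
    if ($ad.HasAttribute($attr)) {
        Write-Warning "Removing plaintext $attr from membership.config"
        $ad.RemoveAttribute($attr)
    }
}

# Optional settings from the article.
if ($UseSamAccountName) { $ad.SetAttribute('attributeMapUsername', 'sAMAccountName') }
$ad.SetAttribute('minRequiredPasswordLength', '8')
$ad.SetAttribute('minRequiredNonAlphanumericCharacters', '0')
$mb.Save($mbPath)

"Updated $csPath and $mbPath; backups written with .bak suffix."
```

The commented "Sample Active Directory Membership Config" block is an XML comment and is harmless to leave in place; only live attributes are removed. Saving through the XML parser normalises whitespace, which is why the backups are taken first.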

Additional Information / Troubleshooting

When FrontDoor authenticates using Active Directory it enumerates all the users in the TRMS_Users and TRMS_Admins groups. There are several fields that FrontDoor requires to be set on all of the users. If you experience problems with Active Directory integration, ensure that all the users have the fields below populated:

  • DistinguishedName
  • UserPrincipalName
  • GivenName
  • SN

FrontDoor pulls the user's First name and Last name from Active Directory using the givenName and sn fields. All users in TRMS_Users and TRMS_Admins (Active Directory User Groups) must have the First and Last Name (givenName and sn) populated.
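A quick way to find members that would break the enumeration is to check the four fields for every member of both groups before users start reporting login failures. This is an added example, not from the article; it uses the ActiveDirectory module and reads direct group members, since the article does not say whether FrontDoor expands nested groups.

```powershell
# Added example: report members of TRMS_Users and TRMS_Admins with any required field empty.
Import-Module ActiveDirectory

# Get-ADUser property names; Surname is the AD "sn" attribute the article refers to.
$required = 'DistinguishedName', 'UserPrincipalName', 'GivenName', 'Surname'

$members = foreach ($g in 'TRMS_Users', 'TRMS_Admins') {
    Get-ADGroupMember -Identity $g |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Sam = $_.SamAccountName } }
}

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.Sam -Properties GivenName, Surname, UserPrincipalName
    $missing = $required | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
    if ($missing) {
        [pscustomobject]@{
            Group   = $m.Group
            User    = $m.Sam
            Missing = ($missing -join ', ')
        }
    }
}

if ($report) {
    $report | Sort-Object User | Format-Table -AutoSize
} else {
    'All members of TRMS_Users and TRMS_Admins have the required fields populated.'
}
```

Non-user objects in the groups (computers, contacts) are skipped, since FrontDoor only reads user accounts.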


If you make a mistake, you can edit and save connectionStrings.config and membership.config again and retry the login; there is no need to restart IIS or the services, because the changes take effect immediately.
