
Configuring Carousel to Work With Multiple Active Directory Domains

May 7, 2019

Applies to

  • Carousel 7.5.1+
  • Does not apply to Carousel Cloud

Description

Carousel has always supported Active Directory (AD) as a means to authenticate users. However, prior to 7.5.1 it allowed only a single AD connection string to be specified.

Starting with 7.5.1 Carousel allows multiple AD connection strings to be specified, which enables user authentication across multiple domains.

How to configure Carousel

Note: The following assumes you installed Carousel Server in the C:\TRMS folder. Please substitute the folder's path as appropriate.

connectionStrings.config file

Edit the c:\trms\configuration\connectionStrings.config file. Add one entry per AD domain under the <connectionStrings> section.

  1. The name attribute is referenced by the membership.config file to associate the connection string with a membership provider.
  2. The connectionString attribute must be an LDAP or LDAPS connection string. Global Catalog (GC) connection strings are not supported as a means to authenticate.
  3. You may specify additional parameters in your LDAP string as needed.

connectionStrings.config example:

membership.config file

Edit the c:\trms\configuration\membership.config file.

  1. Add one provider per connection string. Match each provider's connectionStringName to the name as found in connectionStrings.config above.
  2. Specify valid credentials for each domain, so that Carousel may successfully bind to AD.
  3. You may also omit credentials at this time, and instead ensure your Carousel application pool runs under an identity that has access to ALL specified AD domains.
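The following PowerShell script is an added example, not Carousel's own code. It cross-checks the two files described in the connectionStrings.config and membership.config sections above: every membership provider must reference a connection string name that is actually defined, and every connection string must be LDAP or LDAPS rather than GC. It assumes (the article does not say) that membership.config has the usual <membership><providers><add .../></providers></membership> shape and that per-domain credentials use the ASP.NET attribute names connectionUsername and connectionPassword; adjust the XPath and attribute names if your file differs. The two sample files it writes are constructed for illustration and deliberately contain a plain-LDAP string, a provider without credentials, and a provider that points at an undefined connection string name.

```powershell
# Added example (not Carousel's code): validate connectionStrings.config
# against membership.config as the article describes them.
# Assumed, not from the article: membership.config root is <membership>,
# and credentials use the attributes connectionUsername/connectionPassword.
function Test-CarouselAdConfig {
    param(
        [Parameter(Mandatory)] [string] $ConnectionStringsPath,
        [Parameter(Mandatory)] [string] $MembershipPath
    )
    [xml]$cs = Get-Content -Raw -Path $ConnectionStringsPath
    [xml]$ms = Get-Content -Raw -Path $MembershipPath

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $defined  = @{}   # name -> connectionString, as declared in connectionStrings.config

    foreach ($add in $cs.SelectNodes('//connectionStrings/add')) {
        $name  = $add.GetAttribute('name')
        $value = $add.GetAttribute('connectionString')
        $defined[$name] = $value
        # -match is case-insensitive in PowerShell, so ldap:// and LDAP:// both match.
        if ($value -match '^GC://') {
            $findings.Add("ERROR [$name]: GC:// is not supported for authentication; use LDAP:// or LDAPS://.")
        } elseif ($value -notmatch '^LDAPS?://') {
            $findings.Add("ERROR [$name]: not an LDAP/LDAPS connection string: $value")
        } elseif ($value -match '^LDAP://') {
            $findings.Add("WARN  [$name]: plain LDAP bind; prefer LDAPS so bind credentials are encrypted in transit.")
        }
    }

    foreach ($p in $ms.SelectNodes('//membership/providers/add')) {
        $pname = $p.GetAttribute('name')
        $ref   = $p.GetAttribute('connectionStringName')
        if (-not $defined.ContainsKey($ref)) {
            $findings.Add("ERROR [$pname]: connectionStringName '$ref' is not defined in connectionStrings.config.")
        }
        # Per the article, credentials may be omitted only if the Carousel
        # application pool identity can bind to ALL specified domains.
        if (-not ($p.HasAttribute('connectionUsername') -and $p.HasAttribute('connectionPassword'))) {
            $findings.Add("INFO  [$pname]: no credentials; the application pool identity must be able to bind to this domain.")
        }
    }
    return $findings
}

# Constructed sample files, written to a temp folder so the check runs offline.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'carousel-ad-check'
New-Item -ItemType Directory -Force -Path $tmp | Out-Null

@'
<connectionStrings>
  <add name="ADConnectionUS" connectionString="LDAPS://dc01.us.mycorp.com:636/DC=us,DC=mycorp,DC=com" />
  <add name="ADConnectionEU" connectionString="LDAP://dc01.eu.mycorp.com/DC=eu,DC=mycorp,DC=com" />
</connectionStrings>
'@ | Set-Content -Path (Join-Path $tmp 'connectionStrings.config')

@'
<membership defaultProvider="ADMembershipUS">
  <providers>
    <add name="ADMembershipUS"   connectionStringName="ADConnectionUS"
         connectionUsername="US\svc-carousel" connectionPassword="PLACEHOLDER-PASSWORD" />
    <add name="ADMembershipEU"   connectionStringName="ADConnectionEU" />
    <add name="ADMembershipAPAC" connectionStringName="ADConnectionAPAC" />
  </providers>
</membership>
'@ | Set-Content -Path (Join-Path $tmp 'membership.config')

Test-CarouselAdConfig -ConnectionStringsPath (Join-Path $tmp 'connectionStrings.config') `
                      -MembershipPath (Join-Path $tmp 'membership.config')
```

Run it against the real files in c:\trms\configuration after each edit; an ERROR line means a provider that will never authenticate anyone. Because membership.config holds bind credentials in clear text when you specify them, keep its NTFS permissions limited to administrators and the Carousel application pool identity.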

membership.config example:

Creating Carousel users in AD

On each AD domain, create two Domain Local groups named TRMS_Admins and TRMS_Users. Add any user who needs access to Carousel to the appropriate group.

Carousel does not expand nested groups. Users must be added to the TRMS_ groups above individually.

Logging in

Specify the user's principal name (UPN) when logging in to Carousel, e.g. joe@us.mycorp.com

Troubleshooting

  • From your Carousel server, use ldp.exe to query the AD domain(s) for available users. Confirm you see all users as expected.
  • Download it from https://support.microsoft.com/en-ca/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems.
  • In the Connections menu, select Connect. Type in your domain (e.g. mycorp.com). Press OK. You'll see data from the Root in the output window.
  • In the Connections menu, select Bind. Enter the same credentials used by Carousel (either from the membership.config file, or from the Carousel application pool).
  • In the Browse menu, select Search, and type in the following search (use your own domain context). The output should contain the TRMS_Admins and TRMS_Users groups. Carousel looks in those groups to populate its list of admins and users.
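The following script is an added example, not Carousel's own code or part of the original article. It performs the same check as the ldp.exe steps above programmatically: it binds with the connection string and credentials Carousel uses, finds TRMS_Admins and TRMS_Users, and lists their direct members, flagging any nested group because Carousel does not expand them. It needs network access to the domain; the connection string and account shown in the usage comments are placeholders.

```powershell
# Added example (not Carousel's code): list direct members of the TRMS_ groups
# over the same LDAP/LDAPS bind Carousel uses, flagging nested groups.
Add-Type -AssemblyName System.DirectoryServices

function Get-CarouselGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $ConnectionString,  # LDAP:// or LDAPS:// string from connectionStrings.config
        [pscredential] $Credential                           # omit to bind as the current identity (e.g. the app pool account)
    )
    # Bind helper so the group search and each member lookup use the same identity.
    function Open-Entry([string] $Path) {
        if ($Credential) {
            New-Object System.DirectoryServices.DirectoryEntry($Path, $Credential.UserName, $Credential.GetNetworkCredential().Password)
        } else {
            New-Object System.DirectoryServices.DirectoryEntry($Path)
        }
    }
    # Keep the scheme and host (e.g. LDAPS://dc01.us.mycorp.com:636) to rebind to member DNs.
    $serverPrefix = [regex]::Match($ConnectionString, '^(LDAPS?://[^/]+)', 'IgnoreCase').Groups[1].Value
    $root = Open-Entry $ConnectionString

    foreach ($groupName in 'TRMS_Admins', 'TRMS_Users') {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=group)(cn=$groupName))"
        [void]$searcher.PropertiesToLoad.Add('member')
        $group = $searcher.FindOne()
        if (-not $group) {
            Write-Warning "$groupName not found under $ConnectionString"
            continue
        }
        foreach ($memberDn in $group.Properties['member']) {
            $member = Open-Entry "$serverPrefix/$memberDn"
            $class  = $member.SchemaClassName      # 'user', 'group', 'computer', ...
            $upn    = ''
            $note   = ''
            if ($class -eq 'user') {
                $upn = [string]$member.Properties['userPrincipalName'].Value
            } elseif ($class -eq 'group') {
                $note = 'Nested group: Carousel will not expand it; add its users directly.'
            }
            [pscustomobject]@{
                Group  = $groupName
                Member = $memberDn
                Class  = $class
                UPN    = $upn
                Note   = $note
            }
        }
    }
}

# Usage (placeholders; run from the Carousel server with the same credentials Carousel binds with):
# $cred = Get-Credential 'US\svc-carousel'
# Get-CarouselGroupMembers -ConnectionString 'LDAPS://dc01.us.mycorp.com:636/DC=us,DC=mycorp,DC=com' -Credential $cred | Format-Table
```

Run it once per domain you configured. Any row whose Class is group is a member Carousel will silently ignore, and any user without a UPN will not be able to log in with the UPN form the article requires. For groups with more than 1500 members AD returns the member attribute in ranges, which this simple search does not page.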
