ADSI not quite working
I have set up the AD connection to the DC. All AD groups are available AD permissions in DW page properties.
One thing I can't figure out from Appendix A and the thread created by Kevin is the checkbox for extended user management. I can't find this possibility in my solution, so maybe I'm missing a module.
How should I solve this?
Replies
In management center, System, System setup apply the FQDN of the domain controller.
In GlobalSettings.aspx, make sure that in the <Users> section the setting looks like this:
<UseExtendedComponent>False</UseExtendedComponent>
On a page's properties, on the advanced tab in the ribbon, you should find a button called "AD permissions". There you can set rights for that page in frontend.
UseExtendedComponent is set to false
The AD permissions button is available on the ribbon bar, but still it does not work.
Is this something we can get support on?
<ADSI-Domain>msdemo.local</ADSI-Domain>
If I remember it correctly the standard node looks like this
<ADSI-Domain>
</ADSI-Domain>
Try to eliminate all whitespace inside the node, and run an iisrestart.
(We have just set this up on an IIS 7.5 Win2k8 R2 with version 19.1.0.5)
<ActiveDirectory>
<ADSI-Domain>heimdalur.shey-nam.lan</ADSI-Domain>
<UserName></UserName>
<Password></Password>
<ADSI-Domain2></ADSI-Domain2>
</ActiveDirectory>
<ADSI-Domain>shey-nam.lan</ADSI-Domain>
The issue with this is usually a permission problem.
The webserver you have installed Dynamicweb on is of course member of the domain controller you are trying to query?
Also - the w3wp.exe runs under a user - that user needs read access to the DC. If the webserver is member of a tree node in the DC, you probably run into a security issue.
From the webserver in a command window, try querying the domain using the same user as w3wp.exe is running as. See http://technet.microsoft.com/en-us/library/cc757170(WS.10).aspx.
Also note that IIS (w3wp.exe) under 2008 R2 runs with a different user than on earlier versions of Windows - security has been tightened, so you probably need to get hold of the AD administrator to make sure that the user has read access to the domain.
How is your authentication set up in IIS?
But that has only something to do with how the user logs into the website. To get the list of security groups from the domain, the authentication has no impact.
After enabling Windows authentication, the users entering the website will be prompted for a username and password to the domain (or logged in automatically). You can add &ShowAD=True to the querystring and view source - then you can see what user has been logged in and which groups the user is member of.
My AD user magnih (pwd 12345, is only a temporary user) is a member of shey-nam/Brúkarar/Næmingar/Stud2010. Stud2010 is also a member of shey-nam.lan
http://dw.shey.fo/Default.aspx?ID=77
The w3wp.exe service uses the built-in user ApplicationPoolIdentity as its user. Should I choose another one? This user is not available in mmc.
I got the administrator user, so I can make the changes in AD.
What user should I set read access for?
Would it be easier if I reported this case to the DW service desk?
The key issue is that ApplicationPoolIdentity user does not have access to query the DC for information - that is my best guess. It can be a policy, a setting, permissions on the user, domain trust rules, something else... The administrator of the DC would be able to help you on this.
The rule is that the user under which w3wp.exe runs needs read access to the DC - how to set that up is very different depending on the environment. It works 'out of the box' with normal MS setup - so I'm quite sure the DC admin knows what to touch.
Otherwise create a new domain user and have the worker process run as that user.
BR Nicolai
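Added example, not part of the original thread and not Dynamicweb code: a PowerShell check that combines the two suggestions above, stray whitespace in the <ADSI-Domain> node and read access to the DC for the worker process account. The $SettingsPath parameter and the assumption that GlobalSettings.aspx parses as XML are hypothetical; run it on the web server in a session started as the account w3wp.exe runs as.

```powershell
# Added diagnostic, not Dynamicweb code. Run on the web server, in a session
# started as the account the w3wp.exe worker process runs as.
param(
    # Assumed parameter: full path to the site's GlobalSettings.aspx
    [Parameter(Mandatory = $true)][string]$SettingsPath
)

# Assumption: the file parses as XML. Whitespace is preserved so that a node
# holding only spaces or line breaks can be told apart from a clean value.
$settings = New-Object System.Xml.XmlDocument
$settings.PreserveWhitespace = $true
$settings.Load((Resolve-Path -LiteralPath $SettingsPath).ProviderPath)

$node = $settings.SelectSingleNode('//ActiveDirectory/ADSI-Domain')
if ($null -eq $node) { throw 'No <ActiveDirectory>/<ADSI-Domain> node found.' }

$domain = $node.InnerText.Trim()
if ($node.InnerText -ne $domain) {
    Write-Warning '<ADSI-Domain> contains whitespace or line breaks around its value.'
}
if ($domain -eq '') { throw '<ADSI-Domain> is empty.' }

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Output "Querying $domain as $identity"

# Read a handful of group names: the kind of read the thread says the
# worker process account needs on the DC.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectCategory=group)')
$searcher.SizeLimit = 5
[void]$searcher.PropertiesToLoad.Add('cn')

try {
    $results = $searcher.FindAll()
    Write-Output 'Read access OK. Sample groups:'
    foreach ($r in $results) { Write-Output ('  ' + $r.Properties['cn'][0]) }
    $results.Dispose()
}
catch {
    Write-Error "$identity could not read from ${domain}: $($_.Exception.Message)"
}
finally {
    $searcher.Dispose()
    $root.Dispose()
}
```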
Later this month I will make our custom module marketplace page on sendistovan.fo, where this AD login is to be found. I can send you this link later if you want.