Configure Authentication in Ingeniux CMS

Description

Ingeniux CMS uses three files to configure authentication:

• local-appsettings.config
• local-connection-strings.config
• local-membership.config

In these files, it's possible to configure the CMS to authenticate against a number of sources:

• Active Directory (single Windows domain)
• LDAP
• Secure LDAP
• ASP.NET SQL
• Local login

Purpose

This article explains the different configuration options and the differences in configuration between CMS 8.0 and CMS 9.0.

Requirements

It's recommended that CMS administrators consult the appropriate domain, LDAP, or SQL administrators to gather the correct connection string information before beginning. Note that the name and provider types used in the local-connectionstrings.config and local-membership.config files must match. Before making any modifications, CMS administrators should make backups of the .config files in case it's necessary to undo changes.

Note: All instructions below assume that an opening bracket:

<

and a closing bracket:

/>

will be placed around each entry. Thus, the first example below:

add key="userdomain" value="ingeniux"

should appear as such:

Due to formatting concerns, they will not appear in this document.

Step-by-Step

For reference, you may consult generic copies of CMS 8.0 Configuration Files and CMS 9.0 Configuration Files.

I. local-appsettings.config

The primary purpose of this file is to name the domain used for authentication. You will find the following sample:

add key="userdomain" value="ingeniux"

Replace "ingeniux" with the appropriate information for your environment--if no domain is in use, then this option should remain blank. It is not recommended that the remaining options be changed, but their purpose is as follows:

A. V8 and V9

1. add key="tempImageTimeOut" value="30"

This option controls cleanup, in minutes, of the temporary location used for image manipulations such as resizing.

2. add key="redirectToHttpAboutLogin" value="true"

This setting forces a redirect back to HTTP for login if set to true.

3. add key="includeErrorStackTrace" value="false"

If web.config has custom errors set to RemoteOnly or Off, this option causes a stack trace to be shown on error when set to true.

B. V9 only:

4. add key="webpages:Version" value="3.0.0.0"

This sets the version of MVC to use.

5. add key="PreserveLoginUrl" value="true"

This forces the login behavior specified in web.config if set to true.

6. add key="ClientValidationEnabled" value="true"

This allows the browser to validate that appropriate data is entered into fields before submitting requests to the server if set to true.

7. add key="UnobtrusiveJavaScriptEnabled" value="true"

This allows some Javascript to run server-side rather than client-side if set to true.

II. local-connectionstrings.config

Upon opening the file for the first time, the following sample entry will be found:

add name="IGXADConnectionString"
connectionString="LDAP://pdc.ingeniux.com/DC=ingeniux,DC=com"

We will use this as the base for configuring different types of authentication. Remove the sample entry, and choose the correct string from below. Note that these instructions apply to both CMS V8 and V9.

A. LDAP:

For standard LDAP, we will use a string such as the following:

add name="IGXLDAPConnectionString"
connectionString="LDAP://[ServerPathToLDAPServer]/[LDAPSearchBase]"

Consult with your LDAP administrator and replace [ServerPathToLDAPServer] and [LDAPSearchBase] with entries appropriate to your organization.

B. Secure LDAP:

add name="IGXLDAPConnectionString"
connectionString="LDAP://[ServerPathToLDAPServer]:[Port]/[LDAPSearchBase]"

Consult with your LDAP administrator and replace [ServerPathToLDAPServer], [Port], and [LDAPSearchBase] with entries appropriate to your organization.

C. AD:

For AD, we will use a string such as the following:

add name="IGXADConnectionString"
connectionString="LDAP://[ServerPathToADServer]/[ADSearchBase]"

Consult with your LDAP administrator and replace [ServerPathToLDAPServer] and [LDAPSearchBase] with entries appropriate to your organization.

D. ASP.NET SQL:

For SQL authenticaiton, we will use a string such as the following:

add name="[DatabaseName]"
connectionString="Data Source=[DatabaseLocation]; Initial Catalog=[DatabaseObject]; User Id=[userID]; Password=[userPassword];"

Consult with your database administrator and replace [DatabaseName], [DatabaseLocation], [DatabaseObject], [userID], and [userPassword] as appropriate.

III. local-membership.config

As the configuration for V8 and V9 differ, configuration options will be
presented in two sections. Note that the following appears in the second line
of the file:

membership defaultProvider="[providerType]"

You may replace [providerType] with the desired type from below to make it the
default choice at login. In this way, multiple provider types may be
configured simultaneously if necessary.

A. V8:

A default entry will be seen in the generic configuration:

add name="IGXLocalAccountsProvider"
type="IGX.LocalAccountsProvider"

This option is required for using a local login (see Additional Information
below), but may be removed if desired when another authenticaiton method is
enabled.

You will note a sample entry, which will be used as our configuration
base:

add name="GenericADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
attributeMapUsername="sAMAccountName"

1. Active Directory

add name="IGXADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, version=2.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="IGXADConnectionString"
attributeMapUsername="sAMAccountName"

2. Secure LDAP (Note: If using CMS 8 SR6 or earlier, refer to article in Additional Information below):

add name="IGXLDAPMembershipProvider"
type="IGX.LDAPMembershipProvider"
connectionStringName="IGXLDAPConnectionString"
bindUsername="ldapAccount"
bindPassword="ldapAccountPassword"
ldapFilter="(objectClass=*)"
ldapUserAttribute="uid"
connectionSecurity="Anonymous"

3. LDAP (without credentials):

add connectionStringName="IGXLDAPConnectionString"
connectionSecurity="anonymous"
ldapFilter="(objectClass=person)"
name="MyAnonLDAPMembershipProvider"
type="IGX.LDAPMembershipProvider"

4. LDAP (with credentials):

add connectionStringName="IGXLDAPConnectionString"
bindUsername="[bindUserAccount]"
bindPassword="[bindPassword]"
ldapFilter="(objectClass=person)"
ldapUserAttribute="uid"
name="MyLDAPMembershipProvider"
type="IGX.LDAPMembershipProvider"

Consult with your LDAP administrator and replace [bindUserAccount] and [bindPassword] with the appropriate entries.

5. ASP.NET SQL:

machineKey decryption="AES"
decryptionKey="[machineKey]"

and

add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
applicationName="MyCMS"
connectionStringName="SQLMembershipTest"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
minRequiredNonalphanumericCharacters="0"
minRequiredPasswordLength="6"
passwordFormat="Encrypted"

Reference the system.web section of the web.config file and replace [machineKey] with the appropriate entry.

6. Anonymous LDAP:

add name="IGXAnonLDAPMembershipProvider"
type="IGX.LDAPMembershipProvider"
connectionStringName="IGXTestLDAPConnection"
connectionSecurity="anonymous"
ldapFilter="(objectClass=person)"

B. V9:

A default entry will be seen in the generic configuration:

add name="IGXLocalAccountsProvider" type="Ingeniux.CMS.Models.LocalAccountsProvider"

This option is required for using a local login (see Additional Information
below), but may be removed if desired when another authenticaiton method is
enabled.

You will also note a sample entry, which will be used as our configuration
base:

add name="IGXADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, version=4.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="IGXADConnectionString"
attributeMapUsername="sAMAccountName"

Note: An entry for the RavenDB will be found at the end of the file, and
should not be edited.

1. Active Directory:

add name="IGXADMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, version=4.0.0.0,Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="IGXADConnectionString"
attributeMapUsername="sAMAccountName"

2. Secure LDAP:

add name="IGXLDAPMembershipProvider"
type="Ingeniux.CMS.Models.LDAPMembershipProvider"
connectionStringName="IGXTestLDAPConnection"
connectionType="Secure"
bindUsername="cn=reader,dc=ingeniux,dc=com"
bindPassword="reader"
ldapFilter="(objectClass=person)"
ldapUserAttribute="uid"

3. LDAP:

add name="IGXLDAPMembershipProvider"
type="Ingeniux.CMS.Models.LDAPMembershipProvider"
connectionStringName="IGXTestLDAPConnection"
bindUsername="cn=reader,dc=ingeniux,dc=com"
bindPassword="reader"
ldapFilter="(objectClass=person)"
ldapUserAttribute="uid"

4. Anonymous LDAP:

add name="IGXAnonLDAPMembershipProvider"
type="Ingeniux.CMS.Models.LDAPMembershipProvider"
connectionStringName="IGXTestLDAPConnection"
connectionSecurity="anonymous"
ldapFilter="(objectClass=person)"

5. ASP.NET SQL:

add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
applicationName="MyCMS"
connectionStringName="SQLMembershipTest"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
requiresUniqueEmail="false"
minRequiredNonalphanumericCharacters="0"
minRequiredPasswordLength="6"
passwordFormat="Encrypted"

Additional Information

• When a .config file is changed, the CMS application pool recycles. Configuration changes should be scheduled when interrupting services won't cause problems.
• For configuration of secure LDAP in versions of the CMS prior to CMS 8.0 SR7, refer to this knowledge base article:
  • Authenticate to the CMS using Secure LDAP
• For information on how to configure a local login, refer to this knowledge base article:
  • Create Local Accounts for CMS Authentication