OTP Server IIS Integration Module
Nordic Edge AD Membership Provider for Microsoft ASP.NET (EPiServer)
Version 2.0, rev. 1
Nordic Edge, 2010-10-12
Summary: Installation guide for an EPiServer CMS Web Site
Content
1 Overview
1.1 Integration Overview
1.1.1 Nordic Edge™ AD Membership Provider for ASP.NET - Components
2 Requirements
2.1 Minimum Requirements
2.1.1 Windows Server
2.1.2 Nordic Edge One Time Password Server
3 Installing the Integration Module
3.1 Copy Files to the EPiServer Web Site
3.2 Installing DLL Files in the Global Assembly Cache
4 Configuration – EPiServer CMS Site
4.1.2 Edit the connectionStrings.config File
4.1.3 Edit the Web.config File
5 Restarting the IIS Web Server
5.1 Restarting IIS
6 User and Group Permissions
6.1 Granting Permissions to Users and Groups (Roles)
6.1.1 The Membership Seeder Tool
7 Testing the Web Application
7.1 Running the EPiServer with the Nordic Edge AD Membership Provider
8 Appendix
8.1 Troubleshooting
8.1.1 Troubleshooting & Support
9 Appendix B
9.1 Document History
About Nordic Edge™
Nordic Edge is a leading provider of trusted Identity and Access Management (IAM) solutions that enable organisations to secure and manage their digital identities. With Nordic Edge's solutions, organisations can improve business processes and meet regulatory compliance requirements. The offering includes two-factor authentication, role-based delegated user administration, synchronization and provisioning. More than 10 million identities are administered by Nordic Edge's solutions, and over 1 million users securely log in with Nordic Edge's products each month. Nordic Edge was founded in 2001 in Sweden and has customers in more than 25 countries.
1 Overview
Nordic Edge One Time Password Server™ adds an extra security layer to protect your applications. When the user ID and password have been successfully verified, a "One-Time Password" is sent to the user's mailbox or mobile phone via SMS (Short Message Service). Only after this "One-Time Password" has been verified is the user authenticated to the application.
1.1 Integration Overview
ASP.NET lets you create a custom membership provider, which you might do to connect ASP.NET membership to your own authentication data source. Once you have a custom membership provider, you configure your application to use it in the same way you would configure a built-in ASP.NET provider. The Membership class then automatically invokes your custom provider to communicate with your authentication data source.
1.1.1 Nordic Edge™ AD Membership Provider for ASP.NET - Components
Two custom aspx pages are required to use the Nordic Edge AD Membership Provider. The pages are called CustomLogin.aspx and OTPLogin.aspx and are accessed and handled by the Nordic Edge AD Membership Provider. The provider itself consists of three DLL files, which reside on the server. Apart from the Nordic Edge AD Membership Provider, this package also includes a Role Provider supporting Microsoft Active Directory.
2 Requirements
2.1 Minimum Requirements
This section describes the requirements for installing the Nordic Edge AD Membership Provider for ASP.NET.
2.1.1 Windows Server
● Windows 2003 Server or later
2.1.2 Nordic Edge One Time Password Server
● OTP Server 1.6 (Build 2471) or later
The OTP Server must be configured before the integration module can be used. See the OTP Server Administration Manual for details on how to configure it.
3 Installing the Integration Module
This chapter describes what is needed for the installation. These are the steps you have to go through:
1. Copy files to the web site
2. Register the DLL files in the Global Assembly Cache
3. Edit the connectionStrings.config file
4. Configure the Nordic Edge Membership Provider in the web.config file
5. Restart IIS
6. Grant permissions to an administrator
3.1 Copy Files to the EPiServer Web Site
● Unzip the file Install_(EPiServer)_NE_ASP.NET_ADMembershipProvider_x.x.zip to an appropriate temporary location.
● Copy the contents from MySite folder into your Web site.
Installation files for an EPiServer web site:

Folder      Files
Site root   CustomLogin.aspx, OTPLogin.aspx, EPiServer_sections_to web.config, EPiServerSample_web.config
\bin        NordicEdge.ActiveDirectoryRoleProvider.dll, NordicEdge.OTP.ADMembershipProvider.dll, NordicEdge.OTP.ASPAuthentication.dll, NordicEdgeOTP.dll
\css        opacus.css
\images     A couple of image files
Figure: EPiServer site file structure
3.2 Installing DLL Files in the Global Assembly Cache
The DLL files are signed with strong names, so they have to be added to the GAC (.NET Global Assembly Cache).
Install the following DLL files in the GAC:
● NordicEdge.ActiveDirectoryRoleProvider.dll
● NordicEdge.OTP.ADMembershipProvider.dll
● NordicEdge.OTP.ASPAuthentication.dll
● NordicEdgeOTP.dll
This may be done in Explorer by dragging and dropping the DLL files into the assembly folder, c:\%Windir%\assembly (below)
Figure: The GAC assembly
OR use gacutil.exe (resides in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin)
Example: gacutil -i NordicEdgeOTP.dll
Figure: Gacutil.exe
4 Configuration – EPiServer CMS Site
4.1 Installation and Integration
NOTE: When you are done with this chapter, go to the chapter "Restarting the IIS Web Server".
This section describes how to configure a Web Site that uses the Nordic Edge AD Membership Provider.
4.1.2 Edit the connectionStrings.config File
Add the following row to connectionStrings.config, which is found in the EPiServer root directory. This setting is used by the Role Provider.

   <add name="ActiveDirectoryProviderConnection" connectionString="LDAP://ad.NordicEdge.se/dc=ad,dc=nordicedge,dc=se" />

Example:

   <connectionStrings>
     <clear />
     <add name="EPiServerDB"
          connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=dbExampleEPiServerSite;Integrated Security=False;User ID=dbUserExampleEPiServerSite;Password=connected;Connect Timeout=10"
          providerName="System.Data.SqlClient" />
     <add name="ActiveDirectoryProviderConnection"
          connectionString="LDAP://ad.NordicEdge.se/dc=ad,dc=nordicedge,dc=se" />
   </connectionStrings>
4.1.3 Edit the Web.config File
The web.config file has to be configured before you can use the Nordic Edge AD Membership Provider.
In the first step you must configure the forms authentication mode. After you have configured the authentication mode you have to configure the membership provider for the application by adding the <membership> section to your web.config file.
Before you make any changes:
● Make a copy of the current web.config file
NOTE: There is a file called ~\EPiServer_sections_to web.config from which you can copy and paste the desired settings into your web.config file.
In the same folder you will find a configured web.config sample file called EPiServerSample_web.config that might be useful as an example.
   <?xml version="1.0"?>
   <configuration>
     <system.web>
       <!-- The <authentication> section enables configuration of the security authentication
            mode used by ASP.NET to identify an incoming user. -->
       <authentication mode="Forms">
         <forms loginUrl="CustomLogin.aspx" />
       </authentication>
       <!-- The <membership> section enables the Nordic Edge ASP.NET Membership Provider. -->
Please modify the values for:
● connectionStringName
● ldapSearchBase
● ldapRoleSearchBase
● ldapUserSearchBase

Key:
Keep = Keep the given value
Modify = Modify the value to suit your environment
Keep/modify = The value may be edited, though the default value is recommended
Learn more about the Role Provider here.
Membership Provider

Action       Variable                  Value                                   Note
Keep         applicationName           "/"                                     Default value
Modify       connectionStringName      "127.0.0.1:3100"                        Your OTP Server IP address:Port
Keep/modify  name                      "NordicEdgeRoleProvider"                If you change this name, you also have to change defaultProvider="new name"
Keep         type                      "NordicEdge.OTP.Provider.ADMember..."
Modify       ldapSearchBase            "cn=users,dc=ad..."                     Where to find the users in the AD directory, i.e. the users' context
Keep         ldapEmailAttribute        "mail"
Keep         ldapUsernameAttribute     "sAMAccountName"                        To be modified if you use userPrincipalName as the user name attribute. The OTP Server must then search for userPrincipalName.
Keep/modify  ldapDisplayNameAttribute  "displayName"
Keep/modify  ldapSearchScope           "SUB"                                   BASE, ONE or SUB
Keep/modify  ldapProxyUsername         ""                                      Built-in privileges are used by default. If you want to use your own proxy user, insert values for a user account with appropriate privileges.
Keep/modify  ldapProxyPassword         ""                                      See above
Role Provider

Action       Variable                  Value                                   Note
Keep         enabled                   "true"
Keep/modify  defaultProvider           "EPiServerADRoleProvider"
Keep/modify  cacheRolesInCookie        "true"                                  If you do not want roles to be cached in a cookie, set the value to false
Keep/modify  cookieName                ".ASPXROLES"
Keep/modify  cookiePath                "/"
Keep/modify  cookieTimeout             "30"                                    Minutes
Keep/modify  cookieRequireSSL          "false"
Keep/modify  cookieSlidingExpiration   "true"
Keep/modify  createPersistentCookie    "false"
Keep/modify  cookieProtection          "All"
Keep         applicationName           "/"
Keep/modify  attributeMapUsername      "sAMAccountName"                        If you want to authenticate with the User Principal Name instead, add the attribute attributeMapUsername="userPrincipalName" to the provider configuration.
Keep/modify  connectionStringName      "ActiveDirectoryProviderConnection"
Modify       connectionUsername        "administrator"                         ... or "DOMAIN\administrator"
Modify       connectionPassword        "admPassword"
Keep/modify  name                      "EPiServerADRoleProvider"               If you change this name, you also have to change defaultProvider="new name"
Keep/modify  type                      "EPiServer.Security.ActiveDirectoryRole..."
       <membership defaultProvider="NordicEdgeADMembershipProvider">
         <providers>
           <clear />
           <add name="MultiplexingMembershipProvider"
                type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
                provider1="NordicEdgeADMembershipProvider" provider2="AspNetActiveDirectoryMembershipProvider" />
           <add applicationName="/" connectionStringName="127.0.0.1:3100" name="NordicEdgeADMembershipProvider"
                type="NordicEdge.Web.Provider.ADMembershipProvider, NordicEdgeADMembershipProvider, Version=2.0.0.0, Culture=neutral, PublicKeyToken=a27fc70f1b8f276c"
                ldapSearchBase="cn=users,dc=ad,dc=nordicedge,dc=se" ldapObjectClass="user"
                ldapEmailAttribute="mail" ldapUsernameAttribute="sAMAccountName" ldapDisplayNameAttribute="displayName"
                ldapSearchScope="SUB" ldapProxyUsername="" ldapProxyPassword="" />
           <!-- The ActiveDirectoryMembershipProvider below is added to the configuration only as an example
                of how to use the EPiServer MultiplexingMembershipProvider. Remove it if you are not going
                to use it, and also remove provider2="AspNetActiveDirectoryMembershipProvider" from the
                MultiplexingMembershipProvider entry above. -->
           <add attributeMapUsername="sAMAccountName" name="AspNetActiveDirectoryMembershipProvider"
                type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                connectionStringName="ActiveDirectoryProviderConnection"
                connectionUsername="ad.NordicEdge.se\administrator" connectionPassword="connected"
                enableSearchMethods="true" />
         </providers>
       </membership>
       <roleManager enabled="true" defaultProvider="EPiServerADRoleProvider"
                    cacheRolesInCookie="true" cookieName=".ASPXROLES" cookiePath="/" cookieTimeout="30"
                    cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="false"
                    cookieProtection="All">
         <providers>
           <clear />
           <add applicationName="/" attributeMapUsername="sAMAccountName"
                connectionStringName="ActiveDirectoryProviderConnection"
                connectionUsername="administrator" connectionPassword="connected"
                name="EPiServerADRoleProvider"
                type="EPiServer.Security.ActiveDirectoryRoleProvider, NordicEdge.ActiveDirectoryRoleProvider, Version=1.0.1.0, Culture=neutral, PublicKeyToken=a27fc70f1b8f276c" />
         </providers>
       </roleManager>
     </system.web>
     <!-- appSettings in the <configuration> section -->
     <appSettings>
       <add key="loginFailure" value="The user name or the password is incorrect. Please try again." />
       <add key="otpFailure" value="The OTP was incorrect. Please reenter your user name and password." />
       <add key="otpError" value="There is no connection with the OTP Server. Please contact your system administrator." />
       <add key="loginText" value="Sign In" />
       <add key="changeADPasswordURL" value="" />
       <add key="cachedAuthCookie" value="true" />
     </appSettings>
   </configuration>
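The tables in this chapter state a few rules that are easy to break while editing: a renamed provider must also be the defaultProvider of its section, the membership provider's connectionStringName is the OTP Server host:port, and the role provider's connectionStringName must be a name defined in connectionStrings.config. The checker below is an added example, not part of the Nordic Edge package; it runs over constructed, trimmed copies of this chapter's snippets and additionally flags the guide's sample passwords and cookieRequireSSL="false" so they are not left in on a production site.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs: trimmed copies of the guide's own web.config and
# connectionStrings.config snippets, with the guide's sample password left in.
WEB_CONFIG = """<configuration><system.web>
 <membership defaultProvider="NordicEdgeADMembershipProvider"><providers><clear/>
  <add name="NordicEdgeADMembershipProvider" connectionStringName="127.0.0.1:3100"
   ldapSearchBase="cn=users,dc=ad,dc=nordicedge,dc=se" ldapUsernameAttribute="sAMAccountName"/>
 </providers></membership>
 <roleManager enabled="true" defaultProvider="EPiServerADRoleProvider"
  cookieRequireSSL="false" cookieProtection="All"><providers><clear/>
  <add name="EPiServerADRoleProvider" connectionStringName="ActiveDirectoryProviderConnection"
   connectionUsername="administrator" connectionPassword="connected"/>
 </providers></roleManager>
</system.web></configuration>"""
CONNECTION_STRINGS = """<connectionStrings><clear/>
 <add name="ActiveDirectoryProviderConnection"
  connectionString="LDAP://ad.NordicEdge.se/dc=ad,dc=nordicedge,dc=se"/>
</connectionStrings>"""
SAMPLE_SECRETS = {"connected", "admPassword"}  # placeholder passwords used in the guide

def check_config(web_config_xml, connection_strings_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    web = ET.fromstring(web_config_xml)
    conn_names = {a.get("name") for a in ET.fromstring(connection_strings_xml).findall("add")}
    for section in ("membership", "roleManager"):
        sec = web.find("system.web/" + section)
        providers = {a.get("name"): a for a in sec.findall("providers/add")}
        default = sec.get("defaultProvider")
        prov = providers.get(default)
        if prov is None:  # guide: renaming a provider means updating defaultProvider too
            findings.append(f"{section}: defaultProvider '{default}' has no matching <add name=...>")
            continue
        csn = prov.get("connectionStringName", "")
        if section == "membership":
            # The OTP membership provider takes the OTP Server as host:port, not a named string.
            host, sep, port = csn.rpartition(":")
            if not (sep and host and port.isdigit()):
                findings.append(f"membership: connectionStringName '{csn}' is not host:port")
        else:
            # The role provider refers to a name that must exist in connectionStrings.config.
            if csn not in conn_names:
                findings.append(f"roleManager: connectionStringName '{csn}' not in connectionStrings.config")
            if prov.get("connectionPassword") in SAMPLE_SECRETS:
                findings.append("roleManager: connectionPassword still holds the guide's sample value")
            if sec.get("cookieRequireSSL", "false").lower() != "true":
                findings.append("roleManager: cookieRequireSSL is false, so the role cookie may be sent over plain HTTP")
    return findings
```

Run check_config over the real files (read with open()) before the iisreset in chapter 5; on the samples above it reports the leftover sample password and the cookieRequireSSL setting and nothing else.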
5 Restarting the IIS Web Server
5.1 Restarting IIS
Before you can use the Membership Provider, you have to restart IIS.
● Open a command prompt and type iisreset to restart Internet Information Services (IIS).
Figure: Restarting IIS
6 User and Group Permissions
6.1 Granting Permissions to Users and Groups (Roles)
Before you can use EPiServer together with the Nordic Edge Membership Provider, you also have to grant permissions to a user or a group in EPiServer.
EPiServer ships with some standard defined groups, for instance the group WebAdmins. A member of the WebAdmins group will get administrative rights to administer the EPiServer site.
Example:
● Create the group WebAdmins in the user database and add a user to the group.
● Log in with the user (see chapter 7, Testing the Web Application)
[Optional] If you lack an administrative tool to achieve this, you can use the simple "MembershipSeeder" tool found in the installation package.
6.1.1 The Membership Seeder Tool
Figure: The MembershipSeeder tool
Configuration:
● Open MembershipSeeder.exe.config with an editor (Notepad.exe)
● Configure the connectionStrings section for your environment:

   <connectionStrings>
     <add name="EPiServerDB"
          connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=dbExampleEPiServerSite;Integrated Security=False;User ID=dbUserExampleEPiServerSite;Password=connected;Connect Timeout=10"
          providerName="System.Data.SqlClient" />
   </connectionStrings>

● Make the MembershipUser a member of the Administrators group (or another group with administration privileges)
For additional information about the MembershipSeeder, read the article from Microsoft written by Steve Peschka:http://msdn.microsoft.com/en-us/library/bb975136.aspx
This article discusses Forms Authentication for SharePoint and includes a section about user/group permissions in a SQL database. Search for "Managing Users and Roles" to find the section.
7 Testing the Web Application
7.1 Running the EPiServer with the Nordic Edge AD Membership Provider
To test the web application in your browser, type the required URL such as: http://EPiServer.domain:portnr/UI/admin
Figure: Login page
Figure: OTP page
Figure: Logged in to the EPiServer system
8 Appendix
8.1 Troubleshooting
8.1.1 Troubleshooting & Support
For troubleshooting and support, please go to http://www.nordicedge.se or send an email to [email protected]
9 Appendix B
9.1 Document History
Version 2.0.0 October 2010
Version 0.8.1 Beta August 2010 -
Version 0.8.0 Beta January 2010 - Initial version