Before configuring Single Sign On, it may be useful to review the Easysite Installation guide to ensure that hosting and configuration requirements are met.
To allow users to automatically sign in to Easysite via Single Sign On, the following functions should be enabled and configured:
1. File Permissions in IIS
These can be configured on a file by file basis from within IIS:
1. From within IIS change authentication for the autosignin.aspx file.
2. Select the Easysite web folder and click Content View.
3. Highlight Autosignin.aspx, right click and select Switch to Features View.
4. Select the AutoSignIn.aspx file in the left hand pane and open the authentication module.
5. Uncheck the Enable Anonymous Access option.
6. Check the Integrated Windows Authentication option.
Once IIS settings have been applied the authentication connector can be configured within Easysite.
2. Authentication Provider
Easysite supports Active Directory as an authentication provider by default; for other external providers please contact the Service Desk or your Account Manager.
To enable Active Directory go to Administration -> People -> Authentication Connectors.
1. Click Create an External Provider Instance. The following view will be presented:
2. Configure the following options:
Force Auto Sign On
Check to only allow sign on via external provider.
Repeat Auto-Sign On After Logout
Check if required.
Restrict Auto Sign On
If required, enter IP address(es) or ranges to restrict sign on to users coming from these addresses. Note: IP addresses can be added as single addresses, Masks or Ranges:
Single IP Address
Allows a single IP address to be specified, for example: 192.168.1.1.
Masks (/)
Allows an IP mask to be specified, for example: 10.1.1.1/255.255.0.0. This would add a range from 10.1.0.0 to 10.1.255.255.
Range (-)
Allows a range of IP Addresses to be specified, for example: 10.0.0.5-10.0.0.20. This adds 10.0.0.5 through 10.0.0.20 inclusive.
Combining the above
Any combination of Single Addresses, Masks and Ranges can be specified by separating each one with a semi colon (;). For example: 192.168.1.1;192.168.10.11;10.0.0.5-10.0.0.20.
The above example shows 2 single IP Addresses and a range.
Interim Login Page
If required, enter the URL of a page anonymous users will be redirected to when attempting to access restricted content.
Default Account Management Page
Enter the URL of a default 'My Account' page.
Force new user session on login
Check if required.
4. Troubleshooting Single Sign On
If users are not automatically signed in after the Authentication Provider and Single Sign On options are enabled, the following diagnostic steps may be helpful.
Can users log in interactively?
Go to Administration -> System -> Configuration. Remove all settings under Automatic Sign On, and uncheck Enable Auto Sign On.
1. Attempt to log in to the site manually by entering your network login credentials via a login page.
If the login is unsuccessful this indicates that Easysite is not able to communicate with the Active Directory authentication provider. Please review the Active Directory help article.
If the login is successful, this indicates that Easysite can communicate with the Active Directory authentication provider and the issue relates specifically to single sign on.
2. Go to Administration -> System -> Configuration. Check Enable Auto Sign On, but do NOT check Force Auto Sign On.
3. Go to People -> Authentication Providers, and check that the external provider is marked as active and Enable Auto Sign On is selected in this interface. If not, check this option.
Is an IP restriction in place?
An IP Restriction can be placed on the Auto Sign in process, meaning that only a defined range of clients will go through the Challenge / Response cycle.
This restriction can be configured in 2 places:
1. In the System Settings -> System Configuration screen. This restriction is system wide across all providers and controls the range of clients that are issued a challenge response.
2. In the People -> External Providers interface. This restriction determines whether the provider should attempt to process the result of the Challenge Responses issued in accordance with the restriction in the previous point. This is only really useful where multiple providers are configured against the same security domain.
If an IP restriction is in place, confirm that ranges or masks have been entered correctly. Also confirm that you are accessing the site from an appropriate IP address.
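The Restrict Auto Sign On format described under the provider options (single addresses, address/mask, low-high ranges, joined with semicolons) and the troubleshooting check above ("confirm that ranges or masks have been entered correctly") both come down to parsing that string and testing a client address against it. The following is an added example, not code from Easysite or its documentation; it uses Python's standard ipaddress module, expands each entry to the first and last address it covers so a typo is easy to spot, and then tests whether a given client IP would fall inside the restriction. The sample restriction string is constructed from the formats the guide describes, and the rule that an empty restriction means "no restriction" is an assumption, not something the page states.

```python
import ipaddress

# Constructed sample built from the entry formats the guide describes (not a real deployment).
SAMPLE_RESTRICTION = "192.168.1.1;192.168.10.11;10.0.0.5-10.0.0.20;10.1.1.1/255.255.0.0"


def parse_restriction(spec):
    """Parse a Restrict Auto Sign On string into inclusive (low, high) integer pairs.

    Entries are separated by ';' and may be a single address, an address/mask
    (dotted mask as on the page, or a CIDR prefix length) or a low-high range.
    """
    entries = []
    for raw in spec.split(";"):
        item = raw.strip()
        if not item:
            continue  # tolerate a trailing or doubled semicolon
        if "/" in item:
            # strict=False so a host address such as 10.1.1.1/255.255.0.0 is accepted
            # and widened to its network, 10.1.0.0 - 10.1.255.255, as the guide states.
            net = ipaddress.IPv4Network(item, strict=False)
            entries.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:
            low_s, high_s = (part.strip() for part in item.split("-", 1))
            low = int(ipaddress.IPv4Address(low_s))
            high = int(ipaddress.IPv4Address(high_s))
            if low > high:
                raise ValueError(f"range is reversed: {item}")
            entries.append((low, high))
        else:
            addr = int(ipaddress.IPv4Address(item))  # raises ValueError on a typo
            entries.append((addr, addr))
    return entries


def describe_restriction(spec):
    """Return each parsed entry as a (first, last) pair of dotted strings.

    Reading the expanded ranges is the quickest way to confirm that a mask or
    range was typed correctly, which is the troubleshooting check the guide asks for.
    """
    return [(str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi)))
            for lo, hi in parse_restriction(spec)]


def client_matches_restriction(spec, client_ip):
    """True if client_ip falls inside any entry of the restriction.

    Assumption (not stated on the page): an empty restriction means no
    restriction, so every client is offered auto sign on.
    """
    entries = parse_restriction(spec)
    if not entries:
        return True
    addr = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= addr <= hi for lo, hi in entries)


if __name__ == "__main__":
    for first, last in describe_restriction(SAMPLE_RESTRICTION):
        print(f"{first} - {last}")
    for ip in ("192.168.10.11", "10.0.0.21", "10.1.200.7"):
        state = "offered auto sign on" if client_matches_restriction(SAMPLE_RESTRICTION, ip) else "not offered"
        print(ip, state)
```

Run it with the restriction string copied from the System Configuration or External Provider screen, and compare the expanded ranges with the client address you are testing from; an address just outside a range (10.0.0.21 against 10.0.0.5-10.0.0.20) is the usual cause of a challenge never being issued.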
Is your site in your Trusted or Intranet Browser security zones?
A browser will not transmit your authentication details to any site that is not trusted. Ensure that the site has been added to your trusted sites list.
Note: in Internet Explorer go to Tools -> Internet Options -> Security.
Log out and close all browsers, and then try to access the site again. At this point you may be presented with a browser login. If so, enter your network login credentials.
If this login is successful, IIS is permitting access to the Easysite file that facilitates the automated sign in. However, the browser does not seem to be sending your authentication details automatically to the web server. Check your security zone settings in IE.
If this login attempt was unsuccessful, this means that the web server is unable to trust the data being provided from the web browser. The web server must have a trust with the same Security Domain used by the Active Directory, either by means of being a member of the security domain itself or some other trust (VPN tunnel). Please try the following test.
Can you access a non Easysite file in the web application?
Upload a simple HelloWorld.html file to the EasySiteWeb folder of your web application. Confirm that this can be accessed via http://yoursite/EasySiteWeb/HelloWorld.html .
Now change the settings on the helloworld.html file via IIS, and remove anonymous access and enable Windows Authentication. This will mean that only trusted windows users can access the file.
If the file can still be accessed, there is no reason why you’d get a different result for the Easysite file that performs this function. Try to access the Easysite file directly via http://yoursite/EasySiteWeb/autosignin.aspx and check the settings as above.
If the file cannot be accessed, this means that the web server is unable to trust the data being provided from the web browser. The web server must have a trust with the same Security Domain used by the Active Directory, either by means of being a member of the security domain itself or some other trust (VPN tunnel). Discuss this problem with your Network Support Team.
Turning off Single Sign On in SQL
If required S.S.O. can be turned off in SQL:
1. Open up SQL
2. Find the table “ESCore_config_SystemConfiguration”
3. Right click on the table and edit top 200 rows
4. Click the white square in the top left that says ‘SQL’
5. On a new line, type in “where ConfigurationKey like '%sign%'”
6. Execute (you don’t need to highlight anything when executing)
7. Find ‘AutoSignInEnabled’
8. Change the ‘1’ to a ‘0’
9. Click the row above to commit
10. Open IIS
11. Recycle the app pool