Ektron CMS400.Net Reference
For setup instructions for Active Directory, go to Setup Guidelines.
Ektron CMS400.NET does not write to Active Directory – it only reads from it. This results in the following changes to the way Ektron CMS400.NET manages user and user group information.
After you enable AD integration, many changes to user and user group information must be made in AD -- several fields on the Edit User and User Group screens become view-only.
When adding new users or groups, you can only select from users and groups in AD. If a user or group does not exist in AD, create it there, then import it to Ektron CMS400.NET.
Ektron CMS400.NET imports the following AD user information.
Authentication (user logon name and domain) for signing in to Ektron CMS400.NET.
Note: The AD password is not stored in Ektron CMS400.NET – CMS only refers to it during sign in.
User information, listed in the following table.
Field in AD | AD Attribute | Corresponding Field in Ektron CMS400.NET |
---|---|---|
User logon name (pre-Windows 2000) | sAMAccountName | Domain and Username. Note: Users can share a name in different domains. For example, [email protected] and [email protected]. Otherwise, user names must be unique. |
Last Name | sn | Lastname |
First Name | givenName | Firstname |
 | | email Address |
User group information, listed in the following table.
Field in AD | AD Attribute | Corresponding Field in Ektron CMS400.NET |
---|---|---|
Group Name (pre-Windows 2000) | cn | Domain and User group name. Note: User groups can share a name in different domains. For example, [email protected] and [email protected]. Otherwise, user group names must be unique. |
The following diagram illustrates the components of the Active Directory feature.
The Active Directory feature uses these Ektron CMS400.NET screens:
The Active Directory Setup Screen
The Active Directory Status Screen
This section explains each screen.
Use this screen to identify each network domain you will use with Ektron CMS400.NET’s Active Directory Integration. Use this to define domains, as opposed to using auto discovery to find them. This feature is described through these topics.
Enabling the Edit Domains Screen
Accessing the Edit Domains Screen
Fields of the Edit Domains Screen
See Also: Active Directory Feature
To have the Edit Domains screen appear, adjust web.config as explained in Setting Up Active Directory via the Advanced Domains Method.
Access the Edit Domains screen by going to Workarea > Settings > Configuration > Active Directory > Domains. Below is a sample of the screen.
The screen lets you add new domains, modify existing ones, or delete obsolete ones.
When defining a domain, enter the following information.
Field | Description |
---|---|
Domain DNS | Enter the domain’s DNS. Contact your server administrator for this information. For example, corp.example.com. |
NetBIOS | If your NetBIOS is the same as your domain name, leave the checkbox checked. Otherwise, uncheck the box and enter your NetBIOS setting. Contact your server administrator for this information. |
Username | Enter the name of the user with permission to sign on to the domain server. The name is in the format username@domainDNS. For example, [email protected]. |
Password | Enter the password of the user identified above. |
Domain Controller IP | Enter the IP address or DNS name of your domain controller. Note: If using Active Directory with LDAP across a firewall, the IP address should be that of the firewall. On the firewall, traffic on port 389 (LDAP) should be allowed. |
Domains are used during signon. In addition to username and password, users must select a domain.
Domains are referenced when defining the users and user group that map to the Ektron CMS400.NET users and groups. See Also: Active Directory Integration
For example, while defining a user group, first select a domain. Ektron CMS400.NET then provides a list of Active Directory user groups in that domain.
The Ektron CMS400.NET Active Directory Setup screen (illustrated below) lets you enable or disable AD and manage other AD issues, such as whether users and groups are automatically updated.
To access the screen, click Settings > Configuration > Active Directory > Setup.
The following table describes the fields on the screen.
See Also: Messages Near the Top of the Active Directory Setup Screen
Field | Description | For more information, see |
---|---|---|
Active Directory Installed | | |
Disable Active Directory and LDAP Authentication | Disables the use of Active Directory and LDAP Authentication. | |
Enable LDAP Authentication | If enabled, you must complete the following fields. | |
LDAP Server | Explained in LDAP Authentication chapter. | |
Port | Explained in LDAP Authentication chapter. | |
Organization | Explained in LDAP Authentication chapter. | |
Domain | Explained in LDAP Authentication chapter. | |
Attribute | Explained in LDAP Authentication chapter. | |
Use SSL | Explained in LDAP Authentication chapter. | |
Path | Explained in LDAP Authentication chapter. | |
Enable Active Directory Authentication | If enabled, user authentication is functional, and you can enable the following three fields. If you do not enable the following three fields, you are using User Authentication Only Mode. | For information on LDAP, see LDAP Authentication |
Enable Active Directory Integration | If enabled, the Active Directory Integration feature is functional. Note: Can only be enabled if Enable Active Directory Authentication is enabled. | |
Enable automatic addition of user from AD | If enabled, user information is imported from AD to Ektron CMS400.NET when that user logs in or when the user is added to Ektron CMS400.NET. Note: Can only be enabled if Enable Active Directory Authentication is enabled. | |
Enable automatic addition of user to groups | If enabled, a user’s group membership is first imported from AD when a user logs in or is added. Note: Can only be enabled if Enable Active Directory Authentication is enabled. | |
User Property Association | | |
EmailAddr1 | Enter the Active Directory property that maps to the user’s last name in Ektron CMS400.NET. By default, this is mail, but you can change it to any AD property. | same reference as FirstName (above) |
FirstName | Enter the Active Directory property that maps to the user’s first name in Ektron CMS400.NET. By default, this is givenName, but you can change it to any AD property. | MSDN Library http://msdn.microsoft.com/en-us/library/aa746433%28VS.85%29.aspx. |
LastName | Enter the Active Directory property that maps to the user’s last name in Ektron CMS400.NET. By default, this is sn, but you can change it to any AD property. | same reference as FirstName (above) |
CMS Administrator Group Association | | |
AD Group Name @ AD Domain | Enter the Active Directory user group and domain name that map to the Ektron CMS400.NET administrator group. If your AD does not have a user group that includes all Ektron CMS400.NET administrators, you should create one then enter it here. | |
Domain | If you want to restrict the search of new users and groups to one AD domain, select that domain. If you do, the Search Active Directory for Users and Search Active Directory for Groups screens let you search the selected domain only. Also, if any Ektron CMS400.NET user or group names include a domain (for example, [email protected]) that is excluded by your selection, those users/groups are flagged on the Active Directory Setup and Active Directory Status screens because the names include an invalid domain. | |

Message | Explanation |
---|---|
Active Directory Authentication is Enabled and Requires More Configuration. | Some Ektron CMS400.NET users are not associated with AD users. Also, if you are using full active directory integration mode, user groups and/or user group relationships may not be associated. |
Active Directory Authentication is disabled, but needs further configuration | Some Ektron CMS400.NET users and/or groups are no longer unique. This happens because, in AD, users and groups can share a logon name as long as their domains are different. But, if AD authentication is disabled, two Ektron CMS400.NET users or groups can no longer share a name -- each must be unique. |
If you see either message, click it. You proceed to the Active Directory Status screen, which helps you resolve the discrepancies. See Also: The Active Directory Status Screen
Use the Active Directory Status screen to resolve these discrepancies between Ektron CMS400.NET and AD.
Ektron CMS400.NET user needs to be associated with an AD user
Ektron CMS400.NET user group needs to be associated with an AD user group
Ektron CMS400.NET user’s group membership needs to be associated with the same AD user’s group membership
To access the screen from the Ektron CMS400.NET Workarea, click Settings > Configuration > Active Directory > Status.
There are several reasons why such discrepancies may occur. To learn more about why
an Ektron CMS400.NET user is not associated with an AD user, read Active Directory Integration.
an Ektron CMS400.NET user’s group membership is not associated with his AD group membership, read Importing a User’s AD Group Information into Ektron CMS400.NET
an Ektron CMS400.NET group is not associated with an AD group, read Resolving Discrepancies between Groups
If you click a link on the Active Directory Status screen, a new screen lets you resolve the discrepancy. For information on these screens, see the following topics.
Associating Ektron CMS400.NET Users with Active Directory Users
Associating User Group Membership with Active Directory Membership
Associating CMS Groups with Active Directory Groups
If you click CMS users need to be associated with Active Directory users on the Active Directory Status screen, the Associate Ektron CMS400.NET Users with Active Directory Users screen appears (illustrated below). Use this screen to associate Ektron CMS400.NET users with AD users.
If a user with the same username exists in AD, that name and domain appear in the AD Username and AD Domain fields. If the user exists in more than one AD domain, select a domain from the pull-down list.
If there is no default and you know the AD user name to associate with an Ektron CMS400.NET user, enter that in the AD Username and AD Domain fields. If you do not know the AD username, click Search to find the user in AD.
If you decide to change the username in AD to match the Ektron CMS400.NET username, make the change in AD. Then, click Refresh to update Ektron CMS400.NET and resolve the discrepancy.
Finally, if a user should not exist in Ektron CMS400.NET, click the Delete box.
After you complete the changes, click Save.
If you click CMS relationships need to be associated with Active Directory relationships on the Active Directory Status screen, the Associate Ektron CMS400.NET Relationships with Active Directory Relationships screen appears (illustrated below). Use this screen to coordinate Ektron CMS400.NET user group membership with AD user group membership.
The screen displays a user’s group membership that exists in Ektron CMS400.NET, but does not exist in AD.
See Also: Importing a User’s AD Group Information into Ektron CMS400.NET
After viewing the discrepancy, you have two choices:
To associate the user with the same user group in AD, go to AD and assign the user to the group. Then, return to this screen and click Refresh to update user group information in Ektron CMS400.NET.
To remove the user’s group membership in Ektron CMS400.NET, check the Delete box and click Save.
If you click CMS groups need to be associated with Active Directory groups on the Active Directory Status screen, the Associate Ektron CMS400.NET User Groups with Active Directory Groups screen appears (illustrated below). Use this screen to associate Ektron CMS400.NET groups with AD groups.
If there is no default and you know the AD group name to associate with an Ektron CMS400.NET group, enter that in the AD Group Name and AD Domain fields. If you do not know the AD group name, click Search to find the group in AD.
Finally, if this group should not exist in Ektron CMS400.NET, click the box under the Delete column to delete the group.
After you make all necessary changes, click Save.
The View Users screen (illustrated below) lists all users in Ektron CMS400.NET. To access the screen, click Settings > Users from the Ektron CMS400.NET Workarea. To view more information for a user, click that user to move to the View User Information screen.
If you are using user authentication mode, Username and Domain can only be edited in AD. You can edit all other fields on this screen.
If you are using full AD Integration mode, Username, Domain, First Name, Last Name, and email Address can only be edited in AD. You can edit all other fields on this screen.
The screen also displays the following buttons.
Button | Description |
---|---|
 | Edit information on screen |
 | Delete user. See Also: Deleting Users |
 | Retrieve latest information from AD into Ektron CMS400.NET. See Also: Active Directory Integration. Note: This toolbar button does not appear if you are using user authentication mode. |
 | Replace user. See Also: Active Directory Integration |
 | Return to previous screen |
The View Users screen has a toolbar button that lets you add AD users to Ektron CMS400.NET. When you click it, the Search Active Directory for Users screen appears.
Enter as many search criteria as you know to reduce the number of users that the search returns. For example, if you know the user’s last name is Jackson and he is in the planets domain, enter those criteria to get fewer results.
When the Active Directory Users screen appears, check the box next to users you want to add to Ektron CMS400.NET. Then, click Save.
The View User Groups Screen displays all AD user groups that have been imported to Ektron CMS400.NET. (See Importing AD User Groups to Ektron CMS400.NET)
To access the screen, click Settings > User groups from the Ektron CMS400.NET Workarea.
To view more information for a group, click it and you move to the View Users in Group screen. That screen provides a toolbar button that lets you add AD groups to Ektron CMS400.NET. When you click the button, the Search Active Directory for Groups screen appears.
The View Users in Group Screen displays, for each user in the group
username and domain
first and last name
language
The screen also displays these buttons.
Button | Description |
---|---|
 | Replace group. See Also: Replacing a User Group |
 | Return to previous screen |
Use this screen to add AD groups to Ektron CMS400.NET. Enter as many search criteria as you know to reduce the number of groups that the search returns.
Note: You can only select AD groups that do not exist in Ektron CMS400.NET. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for groups in that domain.
For example, if you know that a group begins with "S" and is in the planets domain, enter those criteria to get fewer results. After you click Search, a new screen lists all AD groups that satisfy the search criteria. Click the box next to groups you want to create in Ektron CMS400.NET. Then, click Save to import their information.
Active Directory Integration strives to maintain consistent user and user group information between AD and Ektron CMS400.NET. This section describes how to work with users and user groups in Active Directory Integration Mode.
Initial Import of AD User Information
Importing AD User Group Information to Ektron CMS400.NET
This section explains the import of AD user information when integration is first enabled and on an ongoing basis. This section covers the following topics.
Initial Import of AD User Information
Ongoing Import of User Information
Manually Adding AD Users to Ektron CMS400.NET
Editing User Information in Ektron CMS400.NET
This section explains how AD user information is imported to Ektron CMS400.NET. The subtopics describe how this is handled under these circumstances.
The Ektron CMS400.NET database has already been populated with users - see Ektron CMS400.NET Database Already Completed
The Ektron CMS400.NET database has not yet been populated with users - see Only a Few Users in Ektron CMS400.NET Database
If Enable automatic addition of user from AD is checked on the Active Directory Setup screen, user information is imported from AD to Ektron CMS400.NET when that user logs in or is added to Ektron CMS400.NET. See Also: The Active Directory Setup Screen
At that time, AD information overwrites all Ektron CMS400.NET information. To learn how information is updated from then on, see Active Directory Integration.
If two or more AD users have the same Ektron CMS400.NET user logon name but different domains (for example, JDoe in Eng.Example.com and JDoe in Mkt.Example.com) and that username (JDoe) also exists in Ektron CMS400.NET, the Active Directory Setup and Active Directory Status screens indicate this discrepancy via this message:
CMS users need to be associated with Active Directory users.
Click the message to proceed to the Associate Ektron CMS400.NET Users to Active Directory Users screen. From there, you can link an AD user to the Ektron CMS400.NET user. See Also: Associating Ektron CMS400.NET Users with Active Directory Users
Go to the Search Active Directory for Users screen and select AD users that will use Ektron CMS400.NET. When you add a user, his AD information is imported to Ektron CMS400.NET.
See Also: The Search Active Directory for Users Screen
Note: You can only select AD users that do not exist in Ektron CMS400.NET. Also, the Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search for users in that domain.
AD user information is imported to Ektron CMS400.NET when either of these events occurs:
the user logs in
someone clicks Refresh on the user’s View User Information screen
See Also: The View User Information Screen
Before using AD integration, add to Ektron CMS400.NET all AD users that will use your Web site. This can be done automatically, as explained in Initial Import of AD User Information.
If you want to manually add an AD user to Ektron CMS400.NET, follow these steps.
1. From the Workarea, click Settings > Users.
2. Click Add Users.
3. The Active Directory Users screen appears.
4. From the Domain pull-down list, select the domain from which you want to add a user.
5. Enter as much information as you know into the other fields.
6. Click Search.
7. A screen displays all users that satisfy the search criteria.
8. Check the box next to each user you want to add.
9. Click Save.
Because Ektron CMS400.NET does not write to AD, you can only change some fields on the Edit User screen. You must edit the read-only fields in AD.
If a user is deleted in AD, Ektron CMS400.NET does not delete him. However, his login fails because he cannot be authenticated.
The user remains in Ektron CMS400.NET. You can delete the user from Ektron CMS400.NET using the Delete User function. See Also: Deleting a User
Note: If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. For more information, see BuiltIn User.
If you associate the wrong AD user with an Ektron CMS400.NET user, you can replace the user. If you do, all Ektron CMS400.NET privileges and workflow responsibilities transfer from the old to the new user.
Follow these steps to associate an Ektron CMS400.NET user with a new AD user.
1. From the Workarea, click Settings > Users.
2. Click the user you want to replace.
3. Click Associate CMS User with Different AD User.
4. Select a user to replace the user you selected in Step 2.
5. Click Save.
When you complete this procedure, the first user is deleted from Ektron CMS400.NET.
This section explains how a user’s group membership is imported from AD to Ektron CMS400.NET after integration is enabled. Once assigned to a group, the user automatically receives all Ektron CMS400.NET privileges and workflow responsibilities associated with it.
Note: Active Directory has two kinds of user groups: security and distribution. Ektron CMS400.NET does not distinguish between them – as long as a user is a member of either kind of group, group information can be imported to Ektron CMS400.NET.
This section explains the following topics.
Importing AD User Groups to Ektron CMS400.NET
Importing a User’s AD Group Information into Ektron CMS400.NET
Resolving Discrepancies between Groups
Before using AD integration, import all AD groups you will use into Ektron CMS400.NET. To do that, follow these steps.
1. From the Ektron CMS400.NET Workarea, choose Settings > User Groups.
2. Click Add Groups.
3. The Search Active Directory for Groups screen appears.
4. From the Domain drop-down list, select the domain of the user group you want to add.
Note: The Active Directory Setup screen can restrict AD integration to one domain. If it does, you can only search within that domain.
5. Enter as much information as you know into the Active Directory Group field.
6. Click Search.
7. A screen displays all groups that satisfy the search criteria.
8. Check the box to the left of each group you want to import to Ektron CMS400.NET.
9. Click Save.
This section explains how users' membership in AD Groups is imported to Ektron CMS400.NET. The three subtopics describe how this process is handled under these circumstances.
Initially, if one or more Ektron CMS400.NET user groups have been created - see Ektron CMS400.NET User Groups Already Set up
Initially, if only default Ektron CMS400.NET user groups exist - see Only Default User Groups Exist
On an ongoing basis - see After AD Integration is Enabled
If Enable automatic addition of user to groups is checked on the Active Directory Setup screen, a user’s group membership is imported from AD to Ektron CMS400.NET when a user first logs in or is added. At this time, any AD group memberships overwrite Ektron CMS400.NET group memberships except the Everyone group, to which all users belong.
Note: The Everyone group, unlike other Ektron CMS400.NET groups, is not associated with an AD group. It is an all-encompassing group with no special permissions.
If a user belongs to an AD user group that does not exist in Ektron CMS400.NET, nothing happens. The AD Integration feature assumes that not all AD groups are meaningful in Ektron CMS400.NET.
If a user belongs to an Ektron CMS400.NET user group that does not exist in AD, the discrepancy is flagged on the Active Directory Setup and Active Directory Status screens. From these screens, you can import AD group information into Ektron CMS400.NET.
See Also: Associating User Group Membership with Active Directory Membership and Associating CMS Groups with Active Directory Groups
To learn how membership is updated from then on, see After AD Integration is Enabled.
Follow the procedure described in Importing AD User Groups to Ektron CMS400.NET to import AD user groups to Ektron CMS400.NET. Then, as users in those groups are added to Ektron CMS400.NET, their group memberships are applied.
A user’s group memberships in Ektron CMS400.NET are updated when all of the following are true:
The Enable automatic addition of user to groups field is checked on the Active Directory Setup screen
A user is added to Ektron CMS400.NET or his AD group membership changes
The user logs in or someone clicks Refresh on the user’s View User Information screen
On the other hand, if Enable automatic addition of user to groups field is unchecked, you can add the user to groups and remove him from groups independently of his AD group memberships.
On the Active Directory Setup screen, you identify the AD user group that maps to the Ektron CMS400.NET Administrator group. Members of this group receive administrator privileges. See Also: List of Administrator Privileges
If such a group does not exist in AD, create it, then assign it on the Active Directory Setup screen.
Note that only one AD group can be mapped to the Ektron CMS400.NET Administrator group -- you cannot have an AD administrator group within each AD domain.
Note: Unlike other Ektron CMS400.NET user groups, whose names are imported from AD, the Ektron CMS400.NET Administrator and Everyone group names cannot be changed.
See Also: The Active Directory Setup Screen
If a user is assigned to an AD user group that does not exist in Ektron CMS400.NET, nothing happens. The AD integration feature assumes that an Ektron CMS400.NET administrator only maintains user groups that are meaningful within Ektron CMS400.NET.
Note: If a user belongs to a user group that is given Membership permissions, but also to a group that has CMS permissions, the user only receives Membership permissions if logged into Ektron CMS400.NET.
If a user was a member of an Ektron CMS400.NET user group before integration was enabled, but does not belong to that group in AD, this discrepancy is flagged on the Active Directory Setup and Active Directory Status screens.
If the user should belong to the AD group, add the group membership within AD. Then, refresh the user on the View User Information screen to import AD group information into Ektron CMS400.NET.
See Also: Associating CMS Groups with Active Directory Groups
If you delete a user from an AD group, the user is removed from the associated Ektron CMS400.NET group the next time his information is updated.
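A dry run of the group rules described above, as an added example (not Ektron code): it sorts each user's groups into those backed by AD, AD groups that are ignored because they were never imported, and CMS memberships that would be flagged, listing administrator findings first. The `Administrators` label, the group names and the sample accounts are assumptions; the case where Enable automatic addition of user to groups is checked is the one modelled.

```python
EVERYONE = "Everyone"            # CMS group with no AD counterpart; all users belong to it
ADMIN_GROUP = "Administrators"   # label used in this example for the CMS administrator group


def classify_user(ad_groups, cms_memberships, imported_groups, admin_ad_group):
    """Sort one user's groups into the three outcomes the page describes.

    Returns (backed, ignored, flagged):
      backed  - CMS groups that the user's AD membership supports
      ignored - AD groups never imported into the CMS (nothing happens)
      flagged - CMS memberships with no matching AD membership
    """
    backed, ignored = {EVERYONE}, set()
    for group in ad_groups:
        if group == admin_ad_group:
            backed.add(ADMIN_GROUP)   # the one AD group mapped to CMS administrators
        elif group in imported_groups:
            backed.add(group)
        else:
            ignored.add(group)
    flagged = set(cms_memberships) - backed
    return backed, ignored, flagged


def status_report(directory, cms_users, imported_groups, admin_ad_group):
    """List (user, group) discrepancies, administrator findings first."""
    findings = []
    for user, memberships in cms_users.items():
        _, _, flagged = classify_user(directory.get(user, ()), memberships,
                                      imported_groups, admin_ad_group)
        findings.extend((user, group) for group in flagged)
    return sorted(findings, key=lambda f: (f[1] != ADMIN_GROUP, f))


# Constructed sample data; every name and domain below is a placeholder.
IMPORTED = {"Editors@example.com", "Authors@example.com"}
ADMIN_AD_GROUP = "CMS-Admins@example.com"
AD_MEMBERSHIPS = {
    "JDoe@eng.example.com": {"CMS-Admins@example.com", "Domain Users@example.com"},
    "asmith@example.com": {"Editors@example.com"},
    "bking@example.com": set(),
}
CMS_MEMBERSHIPS = {
    "JDoe@eng.example.com": {"Everyone", "Administrators"},
    # CMS administrator before integration, but not in the mapped AD group
    "asmith@example.com": {"Everyone", "Administrators", "Editors@example.com"},
    # member of a CMS group before integration, not a member of it in AD
    "bking@example.com": {"Everyone", "Authors@example.com"},
}

if __name__ == "__main__":
    for user, group in status_report(AD_MEMBERSHIPS, CMS_MEMBERSHIPS,
                                     IMPORTED, ADMIN_AD_GROUP):
        print(f"{user}: CMS membership in {group!r} has no AD counterpart")
```

Administrator memberships without backing in the mapped AD group are the findings to review first, since that group carries administrator privileges.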
If AD integration is enabled, you can only add user groups in AD. Once that is done, log on to Ektron CMS400.NET and use the Search Active Directory for Groups screen to import the AD user group to Ektron CMS400.NET. This procedure is described in Importing AD User Groups to Ektron CMS400.NET.
You cannot add a user to a user group within Ektron CMS400.NET - you must do so in Active Directory.
If you associated the wrong AD user group with an Ektron CMS400.NET user group, you can replace the user group. Follow these steps to do so.
1. From the Workarea, click Settings > User Groups.
2. Click the user group that you want to replace.
3. Click Associate Ektron CMS400.NET Group with Different AD Group.
4. Select a group to replace the group you selected in Step 2.
5. Click Save.
If you delete a user group in AD and users are assigned to the group within Ektron CMS400.NET, the group is not deleted in Ektron CMS400.NET. However, any Ektron CMS400.NET users who were members of the group are no longer members the next time their Ektron CMS400.NET information is updated. The discrepancy is flagged on the Active Directory Setup and Active Directory Status screens.
If you delete a user group in Ektron CMS400.NET and users are assigned to that group within AD, nothing happens. This is because AD Integration assumes that the Ektron CMS400.NET administrator only maintains user groups that are meaningful to Ektron CMS400.NET, and some AD groups are not meaningful to Ektron CMS400.NET.
To disable AD authentication or integration, edit the Active Directory Setup screen and check Disable Active Directory and LDAP Authentication. See Also: The Active Directory Setup Screen
If you do this, and any users or groups have the same name with different domains, the following message appears.
Active Directory Authentication is disabled, but needs further configuration
For example, two users are named [email protected] and [email protected]. When AD was enabled, the domain names made the users unique. However, when you disable integration, domain names are dropped, so the names are now identical. You need to make the users unique.
If you click the message (above) on the Active Directory Setup screen, you move to the Active Directory Status screen. The following messages may appear.
Click the message to proceed to the Make Ektron CMS400.NET Users Unique screen (illustrated below).
This screen lists users whose user names are not unique and suggests a new, unique username. The new name consists of the user name, underscore, at sign (@), underscore, domain name. So, for example, [email protected] becomes JJackson_@_example.net.
The same is true for user groups. For example, there were two groups named Account Operators, one in the example.com domain, and the other in the saturn.example.com domain. In this case, the Make Ektron CMS400.NET Groups Unique screen would look like this.
Ektron recommends that you accept the suggested new names. Click Save to do so.
One advantage of the suggested name format is that, if you later decide to re-enable AD integration, the software can automatically associate AD and Ektron CMS400.NET users or groups.
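The naming scheme above, as an added example (not Ektron code): it finds the accounts whose names collide once domains are dropped, builds the `user_@_domain` names, and reverses the format for re-association. Case-insensitive comparison, renaming every colliding account, the `configured_domains` check and the sample accounts are assumptions of this sketch.

```python
from collections import defaultdict

SEP = "_@_"  # user name + underscore + at sign + underscore + domain, as on the page


def split_principal(principal):
    """Split 'user@domain' at the last '@'; reject anything malformed."""
    user, at, domain = principal.rpartition("@")
    if not (at and user and domain):
        raise ValueError(f"not in user@domain form: {principal!r}")
    return user, domain


def suggest_unique_names(principals):
    """Map each colliding 'user@domain' to its suggested unique name.

    Accounts whose bare name stays unique after the domain is dropped are
    left out of the result. Names are compared case-insensitively (assumption).
    """
    by_name = defaultdict(list)
    for principal in principals:
        user, domain = split_principal(principal)
        by_name[user.casefold()].append((principal, user, domain))
    renames = {}
    for entries in by_name.values():
        if len(entries) > 1:
            for principal, user, domain in entries:
                renames[principal] = f"{user}{SEP}{domain}"
    return renames


def reassociate(cms_name, configured_domains):
    """Recover (user, domain) from a suggested name when AD is re-enabled.

    Returns None for plain names and for domains that are not configured,
    so a name that merely looks like the format is not linked automatically.
    """
    user, sep, domain = cms_name.rpartition(SEP)
    if not (sep and user and domain):
        return None
    if domain.casefold() not in {d.casefold() for d in configured_domains}:
        return None
    return user, domain


# Constructed sample accounts (the JDoe pair follows the page's own example).
SAMPLE = ["JDoe@Eng.Example.com", "JDoe@Mkt.Example.com", "asmith@Eng.Example.com"]
DOMAINS = ["eng.example.com", "mkt.example.com"]

if __name__ == "__main__":
    for old, new in suggest_unique_names(SAMPLE).items():
        print(f"{old} -> {new} -> {reassociate(new, DOMAINS)}")
```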