Friday, June 14, 2013

Using Active Directory with GSP 3.0

Some users have reported trouble integrating 3.0 with their Active Directory architecture. Over the last couple of days I had time to fire up my AD virtual machines and dig into this. I have good news and bad news. The good news is that integration is still possible. The bad news is that there are extra steps to make it happen.

I updated the 3.0 Quick Start Guide to include step-by-step instructions for integrating AD with your gallery. This information will eventually be in the full Admin Guide. When that is complete, the Quick Start Guide will be discontinued.

So what happened?

The additional difficulty in getting GSP 3.0 working with AD comes down to two issues outside of my control:

  • The new role provider is not compatible with Active Directory.
  • The .NET Users applet in IIS Manager does not work with .NET 4.0 or higher.

I came up with workarounds for both issues. It was a pain in the rear figuring out the steps and you’ll do a bit of grumbling implementing them, but in the end they work. To add insult to injury, when I tried to report the role provider incompatibility to Microsoft, I couldn’t find the right place to do it on MS Connect. I’ll have to look harder when I have some extra time – they need to know about it.

There is a silver lining. During my investigation I think I figured out a way to streamline the integration in the future. A lot of the extra work involves adding the first AD account to the System Administrator role so that you can log into the gallery’s admin functions. I can write a function that does this programmatically from code, so it may be possible to temporarily add some kind of trigger (e.g. app setting in web.config) that does this for you.

Also, I should be able to tweak the Manage Users page so that you can edit the role membership of users without requiring the application to have edit permission to AD. Look for these improvements in one of the next releases.

1 comment:

Scott Brickey said...

If this is something gaining attention, I'd also throw out the idea of using Azure Directory Services as an authentication option :)

Otherwise, keep up the good work.