Applies to: Carousel 7.5.5+
Note: This article is intended for server and security administrators, as it involves changing connection strings, changing SQL account permissions, and working with Active Directory settings and configuration. We will not explain LDAP or Active Directory concepts in this article. Carousel Support is unable to provide direct support for this process, only direction. We do offer a paid Active Directory assistance package; if you would like a guided setup with a member of our team, please contact sales.
Integration Explanation
Carousel 7's built-in (out-of-the-box) authentication creates users locally using the TrmsMembershipProvider, which stores all users in your SQL database. For ease of user management in large or corporate environments there is an option to connect Carousel to an existing Active Directory environment by using the ADMembershipProvider and creating and configuring specific groups. You can switch membership providers at any time, but you can't use both providers at the same time. Carousel 7 uses ASP.NET forms-based authentication with custom Active Directory authentication in the background instead of IIS's built-in Windows Integrated Authentication. We do this because Integrated Authentication only works reliably with Internet Explorer on a domain-joined Windows machine. With forms-based authentication we can still use the domain to authenticate users, and it works with all web browsers and operating systems. The trade-off is that forms-based authentication sends the username and password in the body of the login request, so they travel in cleartext unless the site is served over HTTPS. Install a certificate and require HTTPS for Frontdoor before enabling this; domain credentials are at stake, not just Carousel ones.
Active Directory Settings
To connect to Active Directory we first need to create a service account (in AD). This account must have permission to read Users and Groups and to read the userAccountControl attribute of other accounts in AD. This account also needs to be a database owner (db_owner) in SQL for your Carousel50 and Frontdoor50 databases, and to have read/write access to the entire TRMS folder tree on the Web Server. If you have a SQL admin, let them know after provisioning the AD account so they can make the permissions change on both databases. If you don't have a SQL admin and SQL is hosted on your Carousel Web Server (the default), you will have to open SQL Server Management Studio (ssms.exe) and grant these permissions yourself. Note that with db_owner on both databases and write access to the application files, this is a privileged account on the web server: give it a long password, do not use it for interactive logons, and do not reuse it for anything else.
Let's use an account called CarouselSA as an example; the account itself can be named anything to match your organizational naming conventions. If you would like the service account to run all aspects of Carousel on the Web Server (services, permissions, etc.), refer to this article: How to run Carousel under a Service Account
Next, create the following groups in Active Directory and make them Universal Security Groups (the group names are both hard-coded and case sensitive):
TRMS_Users
TRMS_Admins
Regular Carousel users should be direct members of TRMS_Users. Carousel administrators need to be direct members of both TRMS_Users and TRMS_Admins.
You cannot nest groups in these groups. For example, if you have a group already named Staff with several users in it, you can't add the group Staff to TRMS_Users to skip adding all the users individually. Also note the service account doesn't need to be in these groups, they are strictly for Carousel user and admin permissions. The service account just needs permission to get User and Group information from Active Directory to sync up.
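The following is an added example of the Active Directory, SQL and file-system setup described above. It is not from the Carousel article or Carousel's own tooling; it assumes an example domain "hut" (UPN suffix hut.example.com), SQL Server 2012 or later on the web server, the SqlServer PowerShell module for the database step, and two constructed sample users. Run it elevated on the web server with RSAT installed.

```powershell
# Added example (not Carousel's own tooling): provision the service account, grant it
# db_owner on both databases, give it Modify on the TRMS tree and create the two
# hard-coded groups. Assumptions: domain "hut" / hut.example.com, SQL on localhost,
# SQL Server 2012+ (ALTER ROLE ... ADD MEMBER), constructed sample user names.
#Requires -Modules ActiveDirectory, SqlServer

$Domain      = 'hut'
$SaName      = 'CarouselSA'            # any name that fits your naming conventions
$SaLogin     = "$Domain\$SaName"
$SqlInstance = 'localhost'
$Databases   = 'Carousel50', 'Frontdoor50'
$TrmsPath    = 'C:\TRMS'

# 1. Service account. The password is prompted for, so it is never written into a script.
$saParams = @{
    Name                 = $SaName
    SamAccountName       = $SaName
    UserPrincipalName    = "$SaName@hut.example.com"
    AccountPassword      = (Read-Host -AsSecureString "Password for $SaLogin")
    Enabled              = $true
    PasswordNeverExpires = $true      # service account: rotate deliberately, not by policy
    AccountNotDelegated  = $true      # nothing in this setup needs Kerberos delegation
    Description          = 'Carousel 7 IIS application pool and AD lookup account'
}
New-ADUser @saParams
# In a default domain any authenticated account can already read users, groups and
# userAccountControl; if your domain restricts reads, delegate Read on the user OUs to $SaLogin.

# 2. The group names are hard-coded and case sensitive, and must be Universal Security Groups.
foreach ($g in 'TRMS_Users', 'TRMS_Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Universal -GroupCategory Security
    }
}

# 3. Direct user members only (no nested groups). Admins belong to both groups.
$users  = 'bob.johnson', 'alice.smith'   # constructed sample sAMAccountNames
$admins = 'alice.smith'
Add-ADGroupMember -Identity 'TRMS_Users'  -Members $users
Add-ADGroupMember -Identity 'TRMS_Admins' -Members $admins

# 4. db_owner on both databases via a Windows login, so there is no SQL password to store.
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$SaLogin')
    CREATE LOGIN [$SaLogin] FROM WINDOWS;
"@
foreach ($db in $Databases) {
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $db -Query @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$SaLogin')
    CREATE USER [$SaLogin] FOR LOGIN [$SaLogin];
ALTER ROLE db_owner ADD MEMBER [$SaLogin];
"@
}

# 5. Read/write on the whole TRMS directory: Modify, inherited by subfolders and files.
icacls $TrmsPath /grant "$($SaLogin):(OI)(CI)M"
```

The SQL step uses a Windows login rather than a SQL login on purpose: the application pool identity then authenticates to SQL Server with its Kerberos/NTLM token, and there is no second password to protect. If your SQL admin prefers to run the T-SQL themselves, the two here-strings are exactly what they need.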
Carousel Web Server Steps
- Join the Carousel Server to your domain (if it's not already).
- Run the IIS application pools for all sites as the CarouselSA service account:
  - Open "Internet Information Services (IIS) Manager" (or run inetmgr).
  - Expand the server in the Connections pane on the left and click Application Pools.
  - Find any application pools that are running applications, as indicated by the "Applications" column.
  - Right-click the first application pool that's running an application and select "Advanced Settings."
  - Scroll down to the "Process Model" section, click "Identity" and press the [...] button.
  - Change the application pool identity to Custom account and press Set.
  - The user name is your domain\account, so for this example hut\CarouselSA; enter the password twice. Press OK until all dialog boxes are closed. IIS stores this password encrypted in applicationHost.config rather than in cleartext.
  - Repeat for any remaining application pools that are running applications.
  - Restart IIS by clicking the server name in the Connections pane on the left, then clicking Restart in the Actions pane on the right.
- Modify the C:\TRMS\Configuration\connectionStrings.config file with the correct LDAP server:
  - Specifically, change ad.example.com in this line: <add name="ADConnectionString" connectionString="LDAP://ad.example.com" providerName="System.Data.SqlClient" />
  - If you need LDAPS (and your domain controllers support it), add port 636 to the connection, like so: "LDAP://ad.example.com:636". Prefer 636 where it is available, but note that the web server must trust the certificate the domain controller presents (the issuing CA must be in the machine's Trusted Root Certification Authorities store); otherwise the bind fails and no one can log in.
- Modify the C:\TRMS\Configuration\membership.config file to switch membership providers:
  - Change <membership defaultProvider="TrmsMembershipProvider"> to <membership defaultProvider="ADMembershipProvider">
  - Remove the following lines:
    <!-- Sample Active Directory Membership Config
    connectionUsername="test@trms.com"
    connectionPassword="trms140"
    -->
  - The connectionUsername and connectionPassword attributes are only needed if you do not run the IIS application pools as your service account. Putting the credentials in membership.config does work, but the password then sits in plaintext in a file on disk, readable by anyone with access to the TRMS folder, and is not advised. IIS stores the application pool identity's password encrypted in applicationHost.config, which is the better place for it.
- Save your changes to connectionStrings.config and membership.config and attempt to log into Frontdoor using the userPrincipalName (username@domainname.com) of an account in your new TRMS groups.
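The application pool steps above, scripted as an added example (this is not Carousel's own tooling): every pool that hosts a site or sub-application is switched to the service account, pools with no applications are left alone and listed, and IIS is restarted. It assumes the example domain "hut" and the WebAdministration module that ships with IIS; run it elevated on the web server.

```powershell
# Added example (not Carousel's own tooling): run every application pool that hosts an
# application as the service account, then restart IIS. Assumption: domain "hut".
Import-Module WebAdministration

$ServiceAccount = 'hut\CarouselSA'
$cred  = Get-Credential -UserName $ServiceAccount -Message 'Service account password'
$plain = $cred.GetNetworkCredential().Password   # IIS encrypts this in applicationHost.config

# Pools that actually run something: each site's root application plus every sub-application.
$poolsInUse = @(Get-Website        | ForEach-Object { $_.applicationPool }) +
              @(Get-WebApplication | ForEach-Object { $_.applicationPool }) |
              Sort-Object -Unique

foreach ($pool in $poolsInUse) {
    # identityType 3 = SpecificUser, i.e. the "Custom account" radio button in the GUI
    Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel -Value @{
        identityType = 3
        userName     = $ServiceAccount
        password     = $plain
    }
    Write-Host "$pool -> $ServiceAccount"
}

# Pools with no applications keep their built-in identity; list them so nothing is forgotten.
Get-ChildItem IIS:\AppPools | Where-Object { $_.Name -notin $poolsInUse } |
    ForEach-Object { Write-Host "(unchanged, no applications) $($_.Name)" }

Remove-Variable plain, cred
iisreset
```

Prompting with Get-Credential keeps the password out of the script and out of your shell history; the only persistent copy is the encrypted one IIS writes to applicationHost.config.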
Additional settings and options
By default users log into Frontdoor using the account's userPrincipalName, such as "bob.johnson@mydomain.com". If you would prefer, you can configure Carousel to use the sAMAccountName (the pre-Windows 2000 logon name, "bob.johnson"). To enable this, add the following attribute to the ADMembershipProvider entry in membership.config:
attributeMapUsername="sAMAccountName"
The provider also validates passwords it is asked to set or change against its own complexity defaults (minimum length 7, at least one non-alphanumeric character). If your environment requires different values, add the following two attributes to the ADMembershipProvider entry in membership.config. They do not change the domain's password policy, which Active Directory still enforces:
minRequiredPasswordLength="8"
minRequiredNonAlphanumericCharacters="0"
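The configuration-file edits from the Web Server steps (LDAP server, LDAPS port, switching to ADMembershipProvider, removing the commented-out sample credentials) together with the optional attributes just described, as one added example. This is not Carousel's own tooling. It assumes the default C:\TRMS\Configuration path, a domain controller named ad.example.com, and that membership.config follows the standard ASP.NET layout of a <membership> element containing <providers><add name="ADMembershipProvider" .../>; if Carousel's shipped file differs, adjust the XPath. It also checks the LDAPS endpoint the way the provider will use it, so a certificate-trust problem is found before users hit a login failure.

```powershell
# Added example (not Carousel's own tooling): rewrite the two config files and verify LDAPS.
# Assumptions: C:\TRMS\Configuration, DC ad.example.com, standard ASP.NET membership XML.
$ConfigDir        = 'C:\TRMS\Configuration'
$LdapHost         = 'ad.example.com'
$UseLdaps         = $true     # port 636; the DC certificate must chain to a trusted root here
$UseSamAccount    = $true     # log in as "bob.johnson" instead of bob.johnson@mydomain.com
$SetPasswordRules = $false    # only if your environment needs the two min* attributes

# Keep a copy of both files before touching them.
foreach ($f in 'connectionStrings.config', 'membership.config') {
    $src = Join-Path $ConfigDir $f
    Copy-Item $src "$src.bak-$(Get-Date -Format yyyyMMddHHmmss)"
}

# --- connectionStrings.config: point ADConnectionString at the directory -----------------
$csPath = Join-Path $ConfigDir 'connectionStrings.config'
[xml]$cs = Get-Content -Raw $csPath
$ad = $cs.SelectSingleNode("//add[@name='ADConnectionString']")
if (-not $ad) { throw "ADConnectionString not found in $csPath" }
$ad.SetAttribute('connectionString', "LDAP://$LdapHost$(if ($UseLdaps) { ':636' })")
$cs.Save($csPath)

# --- membership.config: switch providers, drop the sample credentials, optional attributes
$msPath = Join-Path $ConfigDir 'membership.config'
[xml]$ms = Get-Content -Raw $msPath
$ms.SelectSingleNode('//membership').SetAttribute('defaultProvider', 'ADMembershipProvider')
# The "<!-- Sample Active Directory Membership Config ... -->" block carries a plaintext
# connectionPassword; the app pool identity supplies the credentials, so remove it.
$ms.SelectNodes('//comment()') |
    Where-Object { $_.Value -match 'connectionPassword' } |
    ForEach-Object { [void]$_.ParentNode.RemoveChild($_) }
$prov = $ms.SelectSingleNode("//membership/providers/add[@name='ADMembershipProvider']")
if (-not $prov) { throw "ADMembershipProvider entry not found in $msPath" }
if ($UseSamAccount) { $prov.SetAttribute('attributeMapUsername', 'sAMAccountName') }
if ($SetPasswordRules) {
    $prov.SetAttribute('minRequiredPasswordLength', '8')
    $prov.SetAttribute('minRequiredNonAlphanumericCharacters', '0')
}
$ms.Save($msPath)

# --- LDAPS sanity check: TCP reachable and the DC certificate chains to a trusted root ---
if ($UseLdaps) {
    $tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($LdapHost)   # throws if the chain or host name is not trusted
        Write-Host "LDAPS OK: $($ssl.RemoteCertificate.Subject), expires $($ssl.RemoteCertificate.GetExpirationDateString())"
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}
```

Run the LDAPS check on the web server itself rather than from an admin workstation: trust is decided by the machine certificate store of the host the application pool runs on, so a check that passes elsewhere proves nothing.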
Additional Information / Troubleshooting
When this is configured, Carousel enumerates all the users in the TRMS_Users and TRMS_Admins groups. If you experience problems with Active Directory integration, ensure that every user in those two groups has the attributes below populated:
- distinguishedName
- userPrincipalName
- givenName (first name)
- sn (last name / surname)
Frontdoor pulls the user's first and last name from Active Directory using the givenName and sn attributes. All users in TRMS_Users and TRMS_Admins (Active Directory Universal Security Groups) must have both populated, and must be direct members of the group rather than members of a nested group.
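An added audit script for the checks in this section (not Carousel's own tooling): it reads the two groups the way the provider does, without expanding nested groups, and reports nested groups, wrong group scope or category, admins missing from TRMS_Users, and users missing any of the four attributes. It assumes RSAT's ActiveDirectory module and that the groups already exist.

```powershell
# Added example (not Carousel's own tooling): audit TRMS_Users and TRMS_Admins.
# Assumption: the groups exist and RSAT's ActiveDirectory module is installed.
#Requires -Modules ActiveDirectory

# Get-ADUser returns these by default; Surname is the sn attribute, GivenName is givenName.
$Required = 'DistinguishedName', 'UserPrincipalName', 'GivenName', 'Surname'
$problems = @()
$members  = @{}

foreach ($g in 'TRMS_Users', 'TRMS_Admins') {
    $grp = Get-ADGroup -Identity $g
    if ($grp.GroupScope -ne 'Universal' -or $grp.GroupCategory -ne 'Security') {
        $problems += "$g is $($grp.GroupScope)/$($grp.GroupCategory); must be Universal/Security"
    }
    # Deliberately NOT -Recursive: Carousel only reads direct members.
    $members[$g] = @(Get-ADGroupMember -Identity $g)
    foreach ($m in $members[$g] | Where-Object { $_.objectClass -ne 'user' }) {
        $problems += "$g contains $($m.objectClass) '$($m.Name)'; nested groups are not expanded"
    }
}

# Every admin must also be a direct member of TRMS_Users.
$userSids = @($members['TRMS_Users'] | ForEach-Object { $_.SID.Value })
foreach ($a in $members['TRMS_Admins'] | Where-Object { $_.objectClass -eq 'user' }) {
    if ($a.SID.Value -notin $userSids) {
        $problems += "$($a.SamAccountName) is in TRMS_Admins but not in TRMS_Users"
    }
}

# Attributes Frontdoor reads for the login name and the first/last name.
$allUsers = $members.Values | ForEach-Object { $_ } |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Unique DistinguishedName
foreach ($u in $allUsers) {
    $full    = Get-ADUser -Identity $u.DistinguishedName
    $missing = $Required | Where-Object { [string]::IsNullOrWhiteSpace($full.$_) }
    if ($missing) { $problems += "$($u.SamAccountName) is missing: $($missing -join ', ')" }
    if ($full.Enabled -eq $false) { $problems += "$($u.SamAccountName) is disabled" }
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Host 'TRMS groups look consistent.' }
```

Run it as any domain user after changing group membership; it needs only read access to the directory, the same access the service account relies on.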