How the InstantKB Active Directory Module Works

This article explains at a high level how the InstantForum & InstantKB Active Directory module works once installed. The authentication process differs depending on how you configure and install the Active Directory module.

When installing the Active Directory module there are two ways it can be configured: with Integrated Windows Authentication or without Integrated Windows Authentication. You'll find further information on how authentication works with and without Integrated Windows Authentication enabled below.

Integrated Windows Authentication Enabled

If you enable Integrated Windows Authentication, users who are already authenticated on your Active Directory domain are seamlessly logged into InstantForum or InstantKB on their first visit and on every subsequent visit.

This is achieved by first checking whether the user is already authenticated within InstantForum or InstantKB using a standard ASP.NET forms authentication cookie. If the user is not authenticated they are automatically redirected to "WinLogin/WinLogin.aspx", which is provided as part of our Active Directory module download.

When the user lands on WinLogin/WinLogin.aspx we obtain their current Windows workstation username. WinLogin.aspx then queries your domain controller and tries to find a user with a matching Common Name (CN) or sAMAccountName. You can configure whether InstantForum or InstantKB uses the CN or the sAMAccountName for this lookup via the UseCommonName application setting in web.config.

Note: the WinLogin folder has anonymous access disabled, with forms and Windows authentication enabled, within IIS. This is what makes it possible to obtain the current Windows username. If anonymous access is left enabled on the WinLogin folder, InstantForum or InstantKB won't be able to determine your Windows username and authentication will fail.

WinLogin.aspx then connects to your domain controller using the query account defined in the InstantForum or InstantKB web.config settings to look up the user. If we find a matching CN or sAMAccountName on your domain controller, we next check whether a local InstantForum or InstantKB account already exists with a matching CN or sAMAccountName in the InstantASP_Users.LDAPUsername database field.

If WinLogin.aspx finds a match in the InstantASP_Users.LDAPUsername field for the current Windows username, an ASP.NET forms authentication cookie is created for the existing user; the user is then authenticated within InstantForum or InstantKB and returned to the originally requested page.

If no user exists within InstantForum or InstantKB with a matching CN or sAMAccountName in the InstantASP_Users.LDAPUsername field, but we did find a match on your domain controller, a new local account is created automatically within InstantForum or InstantKB and the LDAPUsername field in the InstantASP_Users table is populated with the user's CN or sAMAccountName for future authentication.

For every Active Directory account we create a local account within the InstantForum or InstantKB database. This local account is the account the user is actually authenticated as within our software once the Active Directory authentication checks succeed.

We simply use Active Directory for authentication but still manage local accounts in our database so you can take advantage of roles, permissions & other features within our software.

Local user accounts within InstantForum or InstantKB are paired (mapped) to a specific Active Directory account via the LDAPUsername field in the InstantASP_Users database table. Once you've installed the Active Directory module you can edit the LDAPUsername value for each user within the InstantForum or InstantKB Admin Control Panel.

Password: we never store the Active Directory password in our database. If you're using Active Directory for authentication, the user's password in the InstantASP_Users table for InstantForum or InstantKB will always be blank / empty. We have no need to store the password, as authentication is handled by Active Directory. A password may be present for local accounts - those accounts created outside your network or without Integrated Windows Authentication enabled.

Integrated Windows Authentication Not Enabled

If you don't have Integrated Windows Authentication enabled, users will need to manually register and log in via the InstantForum or InstantKB web interface. Accounts are created by registering within our software.

When the Active Directory module is installed, a number of additional options are displayed on the InstantForum & InstantKB Registration & Login pages.

You will first need to create a local account within InstantForum or InstantKB that is paired to your Active Directory account. To do this, simply visit the Register page for InstantForum or InstantKB.

With the Active Directory module installed you'll notice you can provide your Windows username and password during the registration process, as well as a username and password for a local InstantForum or InstantKB account.

Complete the registration form and ensure you provide valid credentials for your Windows account.

When you submit the registration form, InstantForum or InstantKB validates the Windows credentials you provide by trying to establish a connection with your domain controller using those credentials.

If a connection is established successfully with your domain controller using the supplied Windows credentials, a local account within InstantKB or InstantForum is created and the InstantASP_Users.LDAPUsername field for the local account is populated with the user's Active Directory CN or sAMAccountName (i.e. the username they use to log in to workstations).

Once the account has been created and paired with an Active Directory account, you can use either your local credentials or your Windows credentials to log in on future visits by checking or un-checking the LDAP Login check box shown on the InstantForum or InstantKB login page.

To log in using your Active Directory credentials, either inside or outside your network, visit the InstantForum or InstantKB login page, supply your Active Directory credentials and ensure the LDAP Login check box is ticked.

With this check box ticked, when the user attempts to log in InstantForum or InstantKB will attempt to connect to your domain controller using the user's username and password. If the credentials are accepted and the connection established successfully with your domain controller 
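As an added illustration (this is not InstantASP's code), the two paths described above, the automatic WinLogin.aspx pairing and the registration / LDAP Login path, modelled in Python against an in-memory directory and user table built from constructed sample data. The query account name svc_kbquery, the sample users and the escaping helper are assumptions; the attribute names, the LDAPUsername pairing and the blank password for provisioned accounts follow the article. Two checks a practitioner would want are built in: the account name taken from the workstation or the registration form is escaped before it goes into the LDAP filter, and a bind with an empty password is refused before it reaches the domain controller, since LDAP treats a name with an empty password as an unauthenticated bind that a server may accept. The model also treats a blank stored password as "no local login" for AD-provisioned accounts; confirm that your deployment behaves the same way rather than assuming it.

```python
"""Model of the InstantKB / InstantForum Active Directory module's two
login paths. Added illustration, not InstantASP's code: the directory and
the InstantASP_Users table are in-memory stand-ins built from constructed
sample data so the decision logic runs offline."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory keyed by sAMAccountName. A real module
# searches a domain controller over LDAP instead of this dict.
DIRECTORY = {
    "jdoe": {"cn": "John Doe", "password": "Winter2024!"},
    "asmith": {"cn": "Alice Smith", "password": "Correct-Horse"},
    "svc_kbquery": {"cn": "KB Query Account", "password": "q-pw"},  # assumed web.config query account
}


@dataclass
class LocalUser:
    username: str
    password: str        # blank for accounts provisioned by WinLogin.aspx
    ldap_username: str   # InstantASP_Users.LDAPUsername pairing


class LocalUsers:
    """Stand-in for the InstantASP_Users table."""

    def __init__(self) -> None:
        self.rows = []

    def by_username(self, value: str) -> Optional[LocalUser]:
        return next((u for u in self.rows if u.username.lower() == value.lower()), None)

    def by_ldap_username(self, value: str) -> Optional[LocalUser]:
        return next((u for u in self.rows if u.ldap_username.lower() == value.lower()), None)


def escape_ldap_filter(value: str) -> str:
    """RFC 4515 escaping: a workstation- or form-supplied name must not be
    able to add clauses to the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(account: str, use_common_name: bool) -> str:
    """The lookup filter, with the attribute chosen by the UseCommonName setting."""
    attr = "cn" if use_common_name else "sAMAccountName"
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_ldap_filter(account))


def strip_domain(identity: str) -> str:
    """IIS reports the Windows user as DOMAIN\\user; the directory is
    searched by the bare account name."""
    return identity.rsplit("\\", 1)[-1]


def directory_bind(username: str, password: str) -> bool:
    """Stand-in for connecting to the DC as a user. An empty password is
    refused up front: LDAP treats name + empty password as an unauthenticated
    bind, which a server may accept without proving anything."""
    entry = DIRECTORY.get(username.lower())
    return bool(password) and entry is not None and entry["password"] == password


def directory_find(account: str, use_common_name: bool,
                   query_user: str = "svc_kbquery", query_password: str = "q-pw") -> Optional[str]:
    """Search performed with the query account from web.config (see build_filter
    for the wire form). Returns the matched CN or sAMAccountName, i.e. the value
    stored in LDAPUsername, or None."""
    if not directory_bind(query_user, query_password):
        raise PermissionError("query account rejected by the domain controller")
    for sam, entry in DIRECTORY.items():
        key = entry["cn"] if use_common_name else sam
        if key.lower() == account.lower():
            return key
    return None


def win_login(identity: str, users: LocalUsers, use_common_name: bool = False) -> Optional[LocalUser]:
    """WinLogin.aspx path: pair with an existing local account or auto-provision
    one. No password is ever stored."""
    matched = directory_find(strip_domain(identity), use_common_name)
    if matched is None:
        return None  # not in the directory: authentication fails, nothing is created
    user = users.by_ldap_username(matched)
    if user is None:
        user = LocalUser(username=matched, password="", ldap_username=matched)
        users.rows.append(user)
    return user  # caller issues the forms authentication cookie for user.username


def register(users: LocalUsers, local_username: str, local_password: str,
             windows_username: str, windows_password: str) -> Optional[LocalUser]:
    """Registration page with the module installed: the Windows credentials are
    verified by binding as that user, then a paired local account is created."""
    if not directory_bind(windows_username, windows_password):
        return None
    if users.by_username(local_username) or users.by_ldap_username(windows_username):
        return None  # local name taken, or the AD account is already paired
    user = LocalUser(local_username, local_password, windows_username)
    users.rows.append(user)
    return user


def login(users: LocalUsers, username: str, password: str, ldap_login: bool) -> Optional[LocalUser]:
    """Login page: the LDAP Login check box selects which credentials are checked."""
    if ldap_login:
        return users.by_ldap_username(username) if directory_bind(username, password) else None
    user = users.by_username(username)
    # Blank stored password = no local login (AD-provisioned account).
    # Real code compares against a stored hash rather than plaintext.
    if user is None or not user.password or user.password != password:
        return None
    return user
```

The use_common_name switch mirrors the UseCommonName setting. A CN is only unique within its container, whereas a sAMAccountName is unique across the domain, so where both lookups would work the sAMAccountName lookup is the safer pairing key.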

General Notes

The Active Directory module can be configured to work in several different ways. For example, you can choose to allow logins from both local accounts and Active Directory accounts, or force users to always log in using their Active Directory credentials.

If you know users will always be accessing InstantForum or InstantKB whilst on your domain, we would certainly suggest enabling Integrated Windows Authentication to ensure users are logged into InstantForum or InstantKB automatically. This also allows you to disable the InstantForum or InstantKB registration & login pages.

If your users will be accessing InstantForum or InstantKB from both inside and outside the domain, we would suggest leaving the login page enabled so that users can log in whilst not on your domain using their Active Directory or local account credentials on the InstantForum or InstantKB login page.