OTP Server IIS Integration Module
Nordic Edge AD Membership Provider for Microsoft ASP.NET (EPiServer)
Version 2.0, rev. 1
Nordic Edge, 2010-10-12
Summary: Installation guide for an EPiServer CMS Web Site

Content

1 Overview
1.1 Integration Overview
1.1.1 Nordic Edge™ AD Membership Provider for ASP.NET - Components
2 Requirements
2.1 Minimum Requirements
2.1.1 Windows Server
2.1.2 Nordic Edge One Time Password Server
3 Installing the Integration Module
3.1 Copy Files to the EPiServer Web Site
3.2 Installing DLL Files in the Global Assembly Cache
4 Configuration – EPiServer CMS Site
4.1.2 Edit the connectionStrings.config File
4.1.3 Edit the Web.config File
5 Restarting the IIS Web Server
5.1 Restarting IIS
6 User and Group Permissions
6.1 Granting Permissions to Users and Groups (Roles)
6.1.1 The Membership Seeder Tool
7 Testing the Web Application
7.1 Running the EPiServer with the Nordic Edge AD Membership Provider
8 Appendix
8.1 Troubleshooting
8.1.1 Troubleshooting & Support
9 Appendix B
9.1 Document History

About Nordic Edge™

Nordic Edge is a leading provider of trusted Identity and Access Management (IAM) solutions that enable organisations to secure and manage their digital identities. With Nordic Edge's solutions, organisations can improve business processes and meet regulatory compliance requirements. The offering includes two-factor authentication, role-based delegated user administration, synchronization and provisioning. More than 10 million identities are administered by Nordic Edge's solutions and over 1 million users securely log in with Nordic Edge's products each month. Nordic Edge was founded in 2001 in Sweden and has customers in more than 25 countries.

1 Overview

Nordic Edge One Time Password Server™ adds an extra security layer to protect your applications. When the user id and password are successfully verified, a "One-Time Password" is sent to the user's mailbox or mobile phone through SMS (Short Message Service). This "One-Time Password" is then verified, and only then is the user authenticated to the application.

1.1 Integration Overview

ASP.NET offers the opportunity to create a custom membership provider, which you might do to link ASP.NET to an existing membership system. Once you have a custom membership provider, you can configure your application to use that provider in the same way that you configure the application to use an ASP.NET provider. The Membership class will automatically invoke your custom provider to communicate with your authentication data source.

1.1.1 Nordic Edge™ AD Membership Provider for ASP.NET - Components

Two custom aspx pages are required to use the Nordic Edge AD Membership Provider. The pages are called CustomLogin.aspx and OTPLogin.aspx and are accessed and handled by the Nordic Edge AD Membership Provider. The provider itself consists of three dll files which remain on the server. In addition to the Nordic Edge AD Membership Provider, this package also includes a Role Provider supporting Microsoft Active Directory.

2 Requirements

2.1 Minimum Requirements

This section describes the requirements for installing the Nordic Edge AD Membership Provider for ASP.NET.

2.1.1 Windows Server

● Windows 2003 Server or later

2.1.2 Nordic Edge One Time Password Server

● OTP Server 1.6 (Build 2471) or later

The OTP Server must be configured before the integration module can be used. See the OTP Server Administration Manual for more information and how to configure this.

3 Installing the Integration Module

This chapter describes what's needed for the installation. These are the steps you have to go through:

1. Copy files to the web site
2. Register DLL files into the Global Assembly Cache
3. Edit the connectionStrings.config
4. Configure Nordic Edge Membership Provider in the web.config file
5. Restart the IIS
6. Grant permissions to an administrator

3.1 Copy Files to the EPiServer Web Site

● Unzip the file Install_(EPiServer)_NE_ASP.NET_ADMembershipProvider_x.x.zip to an appropriate temporary location.

● Copy the contents of the MySite folder into your Web site.

Installation files for an EPiServer web site:

| Folder | Files |
| --- | --- |
| Site root | CustomLogin.aspx, OTPLogin.aspx, EPiServer_sections_to web.config, EPiServerSample_web.config |
| \bin | NordicEdge.ActiveDirectoryRoleProvider.dll, NordicEdge.OTP.ADMembershipProvider.dll, NordicEdge.OTP.ASPAuthentication.dll, NordicEdgeOTP.dll |
| \css | opacus.css |
| \images | A couple of image files |

Figure: EPiServer site file structure

3.2 Installing DLL Files in the Global Assembly Cache

The DLL files are signed with Strong Names. You have to add these files to the GAC.

Install the dll files below in the GAC (.NET Global Assembly Cache):

● NordicEdge.ActiveDirectoryRoleProvider.dll
● NordicEdge.OTP.ADMembershipProvider.dll
● NordicEdge.OTP.ASPAuthentication.dll
● NordicEdgeOTP.dll

This may be done with Explorer by dragging and dropping the dll files onto the Assembly folder in c:\%Windir%\assembly (below).

Figure: The GAC assembly

OR use gacutil.exe (resides in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin)

Example: gacutil -i NordicEdgeOTP.dll

Figure: Gacutil.exe

4 Configuration – EPiServer CMS Site

4.1 Installation and Integration

NOTE: When you're done with this chapter, go to the chapter "Restart the Web Server".

This section describes how to configure a Web Site that uses Nordic Edge AD Membership Provider.

4.1.2 Edit the connectionStrings.config File

Add the following row to the connectionStrings.config. The file is found in the EPiServer root directory. This setting is used by the Role Provider.

    <add name="ActiveDirectoryProviderConnection"
         connectionString="LDAP://ad.NordicEdge.se/dc=ad,dc=nordicedge,dc=se" />

Example:

    <connectionStrings>
      <clear />
      <add name="EPiServerDB"
           connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=dbExampleEPiServerSite;Integrated Security=False;User ID=dbUserExampleEPiServerSite;Password=connected;Connect Timeout=10"
           providerName="System.Data.SqlClient" />
      <add name="ActiveDirectoryProviderConnection"
           connectionString="LDAP://ad.NordicEdge.se/dc=ad,dc=nordicedge,dc=se" />
    </connectionStrings>

4.1.3 Edit the Web.config File

The web.config file has to be configured before you can use Nordic Edge AD Membership Provider.

In the first step you must configure the forms authentication mode. After you have configured the authentication mode you have to configure the membership provider for the application by adding the <membership> section to your web.config file.

Before you make any changes:

● Make a copy of the current web.config file

NOTE: There is a file called ~\EPiServer_sections_to web.config from which you can copy and paste the desired settings into your web.config file.

In the same folder you will find a configured web.config sample file called EPiServerSample_web.config that might be useful as an example.

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <!-- The <authentication> section enables configuration of the security
             authentication mode used by ASP.NET to identify an incoming user. -->
        <authentication mode="Forms">
          <forms loginUrl="CustomLogin.aspx" />
        </authentication>

        <!-- The <membership> section enables the Nordic Edge ASP.NET Membership Provider. -->

Please modify the values for:
● connectionStringName
● ldapSearchBase
● ldapRoleSearchBase
● ldapUserSearchBase

Keep = Keep the given value
Modify = Modify the value to suit your environment
Keep/modify = The value may be edited, though the default value is recommended

Learn more about the Role Provider here.

Membership Provider

| Action | Variable | Value | Note |
| --- | --- | --- | --- |
| Keep | applicationName | "/" | Default value |
| Modify | connectionStringName | "127.0.0.1:3100" | Your OTP Server IP address:Port |
| Keep/modify | name | "NordicEdgeRoleProvider" | If you change this name, you also have to change defaultProvider="new name" |
| Keep | type | "NordicEdge.OTP.Provider.ADMember..." | |
| Modify | ldapSearchBase | "cn=users,dc=ad..." | Where to find the users in the AD directory, in other words the users context |
| Keep | ldapEmailAttribute | "mail" | |
| Keep | ldapUsernameAttribute | "sAMAccountName" | To be modified if you use userPrincipalName as user name attribute. The OTP Server must search for userPrincipalName in this case. |
| Keep/modify | ldapDisplayNameAttribute | "displayName" | |
| Keep/modify | ldapSearchScope | "SUB" | BASE, ONE or SUB |
| Keep/modify | ldapProxyUsername | "" | Built-in privileges are used by default. If you want to use your own proxy user, insert values for a user account with appropriate privileges. |
| Keep/modify | ldapProxyPassword | "" | See above |

Role Provider

| Action | Variable | Value | Note |
| --- | --- | --- | --- |
| Keep | enabled | "true" | |
| Keep/modify | defaultProvider | "EPiServerADRoleProvider" | |
| Keep/modify | cacheRolesInCookie | "true" | If you don't want roles to be cached in a cookie, set the value to "false" |
| Keep/modify | cookieName | ".ASPXROLES" | |
| Keep/modify | cookiePath | "/" | |
| Keep/modify | cookieTimeout | "30" | Minutes |
| Keep/modify | cookieRequireSSL | "false" | |
| Keep/modify | cookieSlidingExpiration | "true" | |
| Keep/modify | createPersistentCookie | "false" | |
| Keep/modify | cookieProtection | "All" | |
| Keep | applicationName | "/" | |
| Keep/modify | attributeMapUsername | "sAMAccountName" | If you want to authenticate with the User Principal Name instead, add the attribute attributeMapUsername="userPrincipalName" to the provider configuration. |
| Keep/modify | connectionStringName | "ActiveDirectoryProviderConnection" | |
| Modify | connectionUsername | "administrator" | ... or "DOMAIN\administrator" |
| Modify | connectionPassword | "admPassword" | |
| Keep/modify | name | "EPiServerADRoleProvider" | If you change this name, you also have to change defaultProvider="new name" |
| Keep/modify | type | "EPiServer.Security.ActiveDirectoryRole..." | |

        <membership defaultProvider="NordicEdgeADMembershipProvider">
          <providers>
            <clear />
            <add name="MultiplexingMembershipProvider"
                 type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
                 provider1="NordicEdgeADMembershipProvider"
                 provider2="AspNetActiveDirectoryMembershipProvider" />
            <add applicationName="/"
                 connectionStringName="127.0.0.1:3100"
                 name="NordicEdgeADMembershipProvider"
                 type="NordicEdge.Web.Provider.ADMembershipProvider, NordicEdgeADMembershipProvider, Version=2.0.0.0, Culture=neutral, PublicKeyToken=a27fc70f1b8f276c"
                 ldapSearchBase="cn=users,dc=ad,dc=nordicedge,dc=se"
                 ldapObjectClass="user"
                 ldapEmailAttribute="mail"
                 ldapUsernameAttribute="sAMAccountName"
                 ldapDisplayNameAttribute="displayName"
                 ldapSearchScope="SUB"
                 ldapProxyUsername=""
                 ldapProxyPassword="" />
            <!-- The ActiveDirectoryMembershipProvider below is just added to the configuration
                 as an example in order to demonstrate how to use the EPiServer
                 MultiplexingMembershipProvider. Remove the section if you're not going to use it.
                 Also remove the line provider2="AspNetActiveDirectoryMembershipProvider" from the
                 MultiplexingMembershipProvider section above. -->
            <add attributeMapUsername="sAMAccountName"
                 name="AspNetActiveDirectoryMembershipProvider"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="ActiveDirectoryProviderConnection"
                 connectionUsername="ad.NordicEdge.se\administrator"
                 connectionPassword="connected"
                 enableSearchMethods="true" />
          </providers>
        </membership>

        <roleManager enabled="true"
                     defaultProvider="EPiServerADRoleProvider"
                     cacheRolesInCookie="true"
                     cookieName=".ASPXROLES"
                     cookiePath="/"
                     cookieTimeout="30"
                     cookieRequireSSL="false"
                     cookieSlidingExpiration="true"
                     createPersistentCookie="false"
                     cookieProtection="All">
          <providers>
            <clear />
            <add applicationName="/"
                 attributeMapUsername="sAMAccountName"
                 connectionStringName="ActiveDirectoryProviderConnection"
                 connectionUsername="administrator"
                 connectionPassword="connected"
                 name="EPiServerADRoleProvider"
                 type="EPiServer.Security.ActiveDirectoryRoleProvider, NordicEdge.ActiveDirectoryRoleProvider, Version=1.0.1.0, Culture=neutral, PublicKeyToken=a27fc70f1b8f276c" />
          </providers>
        </roleManager>
      </system.web>

      <!-- Appsettings in the <configuration> section -->
      <appSettings>
        <add key="loginFailure" value="The user name or the password is incorrect. Please try again."/>
        <add key="otpFailure" value="The OTP was incorrect. Please reenter your user name and password."/>
        <add key="otpError" value="There is no connection with the OTP Server. Please contact your system administrator."/>
        <add key="loginText" value="Sign In"/>
        <add key="changeADPasswordURL" value=""/>
        <add key="cachedAuthCookie" value="true"/>
      </appSettings>
    </configuration>
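As an added check (example code written for this guide, not part of the Nordic Edge package): the notes above warn that a renamed provider must also be reflected in defaultProvider, and the sample leaves connectionPassword in clear text and cookieRequireSSL="false". The script below parses a web.config with Python's standard library and reports those conditions; the embedded web.config is a constructed, trimmed copy of the example.

```python
# Added example (not part of the Nordic Edge package): parse a web.config and flag
# provider names that match no <add name=...> entry (the mismatch the tables above
# warn about), plaintext passwords, and cached role cookies not limited to SSL.
import xml.etree.ElementTree as ET

PASSWORD_ATTRS = ("connectionPassword", "ldapProxyPassword")

# Constructed sample, trimmed from the page's example; values are illustrative.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <membership defaultProvider="NordicEdgeADMembershipProvider">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider"
             provider1="NordicEdgeADMembershipProvider"
             provider2="AspNetActiveDirectoryMembershipProvider" />
        <add name="NordicEdgeADMembershipProvider"
             connectionStringName="127.0.0.1:3100" ldapProxyPassword="" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="EPiServerADRoleProvider"
                 cacheRolesInCookie="true" cookieRequireSSL="false">
      <providers>
        <clear />
        <add name="EPiServerADRoleProvider"
             connectionUsername="administrator" connectionPassword="connected" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

def check_web_config(xml_text):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("membership", "roleManager"):
        section = root.find("system.web/" + tag)
        if section is None:
            continue
        adds = section.findall("providers/add")
        names = {a.get("name") for a in adds}
        default = section.get("defaultProvider")
        if default not in names:
            findings.append("<%s> defaultProvider '%s' matches no provider" % (tag, default))
        for a in adds:
            # A MultiplexingMembershipProvider must point at providers that exist.
            for ref in ("provider1", "provider2"):
                target = a.get(ref)
                if target is not None and target not in names:
                    findings.append("%s %s='%s' is not defined" % (a.get("name"), ref, target))
            # Secrets left in clear text: encrypt the section (aspnet_regiis -pe) instead.
            for attr in PASSWORD_ATTRS:
                if a.get(attr):
                    findings.append("%s has a plaintext %s" % (a.get("name"), attr))
        # Roles cached in a cookie travel over plain HTTP unless cookieRequireSSL is true.
        if tag == "roleManager" and section.get("cacheRolesInCookie") == "true" and section.get("cookieRequireSSL") != "true":
            findings.append("roleManager caches roles in a cookie without cookieRequireSSL=\"true\"")
    return findings
```

Run it against the real web.config after editing; the sample above yields three findings, and an empty list means the provider names line up and no clear-text password or unprotected role cookie was found.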


5 Restarting the IIS Web Server

5.1 Restarting IIS

Before you can use the Membership Provider, you have to restart IIS.

● Open a command prompt and type iisreset to restart the Internet Information Services.

Figure: Restarting IIS

6 User and Group Permissions

6.1 Granting Permissions to Users and Groups (Roles)

Before you can use the EPiServer together with the Nordic Edge Membership Provider you also have to grant permissions to a user or a group in EPiServer.

EPiServer ships with some standard defined groups, for instance the group WebAdmins. A member of the WebAdmins group will get administrative rights to administer the EPiServer site.

Example:

● Create the group WebAdmins in the user database and add a user to the group.

● Log in with the user (see chapter 7, Testing the Web Application).

[Optional] If you're missing an administrative tool to achieve this, you can use the simple tool "MembershipSeeder" that you'll find in the installation package.

6.1.1 The Membership Seeder Tool

Figure: The MembershipSeeder tool

Configuration:

● Open MembershipSeeder.exe.config with an editor (Notepad.exe)

● Configure the connectionString.config for your environment

    <connectionStrings>
      <add name="EPiServerDB"
           connectionString="Data Source=(local)\SQLEXPRESS;Initial Catalog=dbExampleEPiServerSite;Integrated Security=False;User ID=dbUserExampleEPiServerSite;Password=connected;Connect Timeout=10"
           providerName="System.Data.SqlClient" />
    </connectionStrings>

● Make the MembershipUser a member of the Administrators group (or another group with administration privileges)

For additional information about the MembershipSeeder, read the article from Microsoft written by Steve Peschka: http://msdn.microsoft.com/en-us/library/bb975136.aspx

This article discusses Forms Authentication to SharePoint and includes a section about user/group permissions in a SQL database. Search for "Managing Users and Roles" and you'll find the section.

7 Testing the Web Application

7.1 Running the EPiServer with the Nordic Edge AD Membership Provider

To test the web application in your browser, type the required URL such as: http://EPiServer.domain:portnr/UI/admin

Figure: Login page

Figure: OTP page

Figure: Logged in to the EPiServer system

8 Appendix

8.1 Troubleshooting

8.1.1 Troubleshooting & Support

For troubleshooting and support, please go to http://www.nordicedge.se or contact Nordic Edge support by email.

9 Appendix B

9.1 Document History

Version 2.0.0 - October 2010

Version 0.8.1 Beta - August 2010

Version 0.8.0 Beta - January 2010 - Initial version