Out of the box Gallery Server uses a self-contained set of user accounts, exposing functionality for adding, editing, and removing them in a set of admin pages. This works great when you want to keep them separate or your gallery is primarily used by anonymous users. But in many cases you want to integrate with an existing set of users, whether they’re in a home-grown user table, a 3rd party membership system, or Active Directory.
All these scenarios are possible because Gallery Server uses the provider model for storing users and roles. Just drop in a DLL containing a membership-compatible class in the bin directory, update web.config to point to it, and you’re all set.
In this post we’ll focus on configuring a gallery to use Active Directory for membership. For other scenarios, check out the Membership Configuration section in the Administrator’s Guide. If you’re not familiar with the ASP.NET Membership Provider model, you may want to bone up on that as well.
Microsoft provides built-in support for Active Directory integration in System.Web.dll, which is installed with the .NET Framework. All we have to do is make sure the supporting tables are in the SQL Server database and then point the gallery to it.
First let’s create the tables in the SQL Server database that is necessary to store the membership-related data and the roles. Fortunately, there’s a tool included in .NET that makes this easy. It’s called aspnet_regsql.exe and by default is stored at C:\Windows\Microsoft.NET\Framework\v4.0.30319. Fire it up and the first screen looks like this:
Go ahead and step through the wizard, selecting the same SQL Server database you store your gallery in. It can be a different database, but be sure you update the connection string associated with the roles provider in web.config if you do. When you’re done you have a set of new tables that begin with aspnet_:
Now you can tweak the web.config file in the root of your Gallery Server web application to use the Active Directory membership provider. Open web.config in a text editor and replace the <membership> and <roleManager> sections with this:
<membership defaultProvider="AspNetActiveDirectoryMembershipProvider"> <providers> <clear /> <add name="AspNetActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConnection" enableSearchMethods="true" attributeMapUsername="sAMAccountName" applicationName="Gallery Server" /> </providers> </membership> <roleManager enabled="true" cacheRolesInCookie="true" cookieProtection="Validation" defaultProvider="SqlRoleProvider"> <providers> <clear /> <add name="SqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="GalleryDb" applicationName="Gallery Server" /> </providers> </roleManager>
You also need to add a connection string to your Active Directory, so in the <connectionStrings> section add something like this:
<add name="ADConnection" connectionString="LDAP://192.168.1.1/CN=users,DC=mydomain,DC=techinfosystems,DC=com"/>
Of course, your connection string will be different. If you have trouble getting the syntax right, google/bing it and you’ll find a lot of help.
Almost done! Don’t actually do this, but if you navigate to your gallery now, you should be able to log in as an Active Directory user but you’ll get a message about how you don’t have permission to view any media objects. So before you do that, choose one of your AD accounts to be the administrator of your gallery. Then open install.txt in the App_Data directory of your gallery (create an empty text file if there isn’t one) and give it one line of text containing the username:
NOW you can use your browser to navigate to the gallery and log in as an Active Directory user. Because we specified attributeMapUsername=”sAMAccountName” in web.config, you don’t need to specify the domain name when you log in. That is, the username from the above example is GalleryAdmin instead of mydomain\GalleryAdmin.
If you still get the message about not being able to see any objects, try recycling the application pool and trying again. You’ll know Gallery Server processed the install.txt file when it disappears from the App_Data directory.
A few final notes:
- The current version of Gallery Server does not support auto-logon of Active Directory accounts, but it will be supported in version 4. That is, web.config must have authentication mode=”Forms”; authentication mode=”Windows” is not supported.
- The application pool identity must have read access to AD. If necessary, change the identity of the application pool in IIS Manager to an account with AD read permission.
- More details about Active Directory are in the Administrator’s Guide.