|
Home > Archive > Microsoft Content Management Server > October 2006 > Requiring authentication on some parts of an MCMS site
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Requiring authentication on some parts of an MCMS site
|
|
| Jay Noffsinger 2006-08-25, 7:21 pm |
| We're in the process of having our site redesigned by a third party who
recommended MCMS for maintiaining the new site. MCMS 2.0 SP2 is in place and
drafts of our site have been uploaded by the designer and imported by us.
As is the case on our current site, we will need to protect some parts of
our site by requiring authentication, for our Intranet, for instance. This
is easy enough to do with a regular FrontPage-generated site by using IIS
Manager (Properties/Directory Security/Authentication and access control).
However, with the new MCMS site the tree structure normally found in IIS
Manager isn't there (as you all probably know).
So, the question is: How do you turn off anonymous access to sections of
the MCMS site, requiring authentication from our domain users as we do on our
current site? Most searches today on this have only turned up advice on
setting MCMS author/editor permissions, not Web site access solutions.
Thank you!
Jay
| |
| Becky VanBruggen 2006-08-25, 7:21 pm |
| Jay,
There are several steps to this configuration.
1.) Open up IIS, right click on your web site application, and click on the
"Security" tab. Check the Windows authentication box and uncheck all the
other boxes. This means only Windows-authenticated users can get to your site.
2.) You web solution should have a file called a web.config file in it.
Inside the web.config file you'll see a node called <authenticationtion />.
You need to change it so it looks like this: <authentication mode="Windows"
/> (and remove any nodes inside that node.)
3.) Last but not least, to grant access to the virtual pages and folders
stored in CMS (the folders we call "Channels" and the pages we call
"Postings" in CMS lingo), you need to open up the desktop client for CMS
called Site Manager. Click on the button for User Roles. The "Subscriber"
role is a essentially a "read only" role, for just looking at the web site,
and not authoring or modifying it in any way. You'll create a new Subscribers
group, and then add the Windows or Active Directory users or groups to this
Subscriber group. The last thing to do is to grant this Subscriber group
access to all the channels or postings you want them to be able to see.
"Jay Noffsinger" wrote:
> We're in the process of having our site redesigned by a third party who
> recommended MCMS for maintiaining the new site. MCMS 2.0 SP2 is in place and
> drafts of our site have been uploaded by the designer and imported by us.
>
> As is the case on our current site, we will need to protect some parts of
> our site by requiring authentication, for our Intranet, for instance. This
> is easy enough to do with a regular FrontPage-generated site by using IIS
> Manager (Properties/Directory Security/Authentication and access control).
>
> However, with the new MCMS site the tree structure normally found in IIS
> Manager isn't there (as you all probably know).
>
> So, the question is: How do you turn off anonymous access to sections of
> the MCMS site, requiring authentication from our domain users as we do on our
> current site? Most searches today on this have only turned up advice on
> setting MCMS author/editor permissions, not Web site access solutions.
>
> Thank you!
> Jay
| |
| Becky VanBruggen 2006-08-25, 7:21 pm |
| I failed to mention when you open up the web site in IIS, you have to select
"Properties" from the menu, *then* select the Security tab.
Also, if you want everyone to have access to the site who is authenticated
with Windows or AD, you can add the AUTHENTICATED USERS group to the
subscriber role.
"Jay Noffsinger" wrote:
> We're in the process of having our site redesigned by a third party who
> recommended MCMS for maintiaining the new site. MCMS 2.0 SP2 is in place and
> drafts of our site have been uploaded by the designer and imported by us.
>
> As is the case on our current site, we will need to protect some parts of
> our site by requiring authentication, for our Intranet, for instance. This
> is easy enough to do with a regular FrontPage-generated site by using IIS
> Manager (Properties/Directory Security/Authentication and access control).
>
> However, with the new MCMS site the tree structure normally found in IIS
> Manager isn't there (as you all probably know).
>
> So, the question is: How do you turn off anonymous access to sections of
> the MCMS site, requiring authentication from our domain users as we do on our
> current site? Most searches today on this have only turned up advice on
> setting MCMS author/editor permissions, not Web site access solutions.
>
> Thank you!
> Jay
| |
| Jay Noffsinger 2006-08-25, 7:21 pm |
| Becky,
Thanks for the detailed response! I am, however, still not clear on how
your solution will set required authentication on only PARTS of our site.
The main page and most of the subpages are public and need to remain that way.
So while http://www.mydomain.com/ should be public,
http://www.mydomain.com/IntranetA/ should be protected by user
authentication. How do I just protect /IntranetA with user authentication?
Before MCMS I would just find that subfolder in IIS Manager, right click it
and go through setting it up as not allowing anonymous access. I can't do
that now in IIS Manager because the 'tree' of our MCMS site is not shown in
IIS Manager.
Maybe I'm wrong, but your solution looked as though it was putting the whole
site behind authentication. But again I'm new to this so excuse me if I
misinterpreted your solution.
In case it matters, we've been using 'Basic Authentication' vice 'Integrated
Windows Authentication' on our current site. Not the most secure solution, I
know, but the Windows authentication has proven to be problematic for us for
whatever reason.
Thanks again!
Jay
As a side note
"Becky VanBruggen" wrote:
[vbcol=seagreen]
> Jay,
> There are several steps to this configuration.
>
> 1.) Open up IIS, right click on your web site application, and click on the
> "Security" tab. Check the Windows authentication box and uncheck all the
> other boxes. This means only Windows-authenticated users can get to your site.
>
> 2.) You web solution should have a file called a web.config file in it.
> Inside the web.config file you'll see a node called <authenticationtion />.
> You need to change it so it looks like this: <authentication mode="Windows"
> /> (and remove any nodes inside that node.)
>
> 3.) Last but not least, to grant access to the virtual pages and folders
> stored in CMS (the folders we call "Channels" and the pages we call
> "Postings" in CMS lingo), you need to open up the desktop client for CMS
> called Site Manager. Click on the button for User Roles. The "Subscriber"
> role is a essentially a "read only" role, for just looking at the web site,
> and not authoring or modifying it in any way. You'll create a new Subscribers
> group, and then add the Windows or Active Directory users or groups to this
> Subscriber group. The last thing to do is to grant this Subscriber group
> access to all the channels or postings you want them to be able to see.
>
> "Jay Noffsinger" wrote:
>
| |
| Jay Noffsinger 2006-08-25, 7:21 pm |
| Thanks again Becky. Did you see my last post?
Jay
"Becky VanBruggen" wrote:
[vbcol=seagreen]
> I failed to mention when you open up the web site in IIS, you have to select
> "Properties" from the menu, *then* select the Security tab.
>
> Also, if you want everyone to have access to the site who is authenticated
> with Windows or AD, you can add the AUTHENTICATED USERS group to the
> subscriber role.
>
> "Jay Noffsinger" wrote:
>
| |
| Stefan [MSFT] 2006-08-28, 7:24 am |
| Hi Jay,
this is done by removing the subscriber group with the guest account from
the desired channels that should not be guest enabled.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"Jay Noffsinger" <JayNoffsinger@discussions.microsoft.com> wrote in message
news:6A2CC577-BA2C-4778-9E10-D9CB5332ABA9@microsoft.com...[vbcol=seagreen]
> Becky,
>
> Thanks for the detailed response! I am, however, still not clear on how
> your solution will set required authentication on only PARTS of our site.
> The main page and most of the subpages are public and need to remain that
> way.
>
> So while http://www.mydomain.com/ should be public,
> http://www.mydomain.com/IntranetA/ should be protected by user
> authentication. How do I just protect /IntranetA with user
> authentication?
> Before MCMS I would just find that subfolder in IIS Manager, right click
> it
> and go through setting it up as not allowing anonymous access. I can't do
> that now in IIS Manager because the 'tree' of our MCMS site is not shown
> in
> IIS Manager.
>
> Maybe I'm wrong, but your solution looked as though it was putting the
> whole
> site behind authentication. But again I'm new to this so excuse me if I
> misinterpreted your solution.
>
> In case it matters, we've been using 'Basic Authentication' vice
> 'Integrated
> Windows Authentication' on our current site. Not the most secure
> solution, I
> know, but the Windows authentication has proven to be problematic for us
> for
> whatever reason.
>
> Thanks again!
> Jay
>
> As a side note
>
> "Becky VanBruggen" wrote:
>
| |
| Jay Noffsinger 2006-08-29, 1:27 pm |
| Stefan and Becky,
Thank you both for your help. We'll follow your guidance and will let you
know how things work out as we work towards a mid-September go-live date for
our site.
Regards, Jay
"Stefan [MSFT]" wrote:
> Hi Jay,
>
> this is done by removing the subscriber group with the guest account from
> the desired channels that should not be guest enabled.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Jay Noffsinger" <JayNoffsinger@discussions.microsoft.com> wrote in message
> news:6A2CC577-BA2C-4778-9E10-D9CB5332ABA9@microsoft.com...
>
>
>
| |
| Mike Buckingham 2006-10-20, 7:19 pm |
| Is there a way to do this using forms authentication?
"Becky VanBruggen" wrote:
[vbcol=seagreen]
> Jay,
> There are several steps to this configuration.
>
> 1.) Open up IIS, right click on your web site application, and click on the
> "Security" tab. Check the Windows authentication box and uncheck all the
> other boxes. This means only Windows-authenticated users can get to your site.
>
> 2.) You web solution should have a file called a web.config file in it.
> Inside the web.config file you'll see a node called <authenticationtion />.
> You need to change it so it looks like this: <authentication mode="Windows"
> /> (and remove any nodes inside that node.)
>
> 3.) Last but not least, to grant access to the virtual pages and folders
> stored in CMS (the folders we call "Channels" and the pages we call
> "Postings" in CMS lingo), you need to open up the desktop client for CMS
> called Site Manager. Click on the button for User Roles. The "Subscriber"
> role is a essentially a "read only" role, for just looking at the web site,
> and not authoring or modifying it in any way. You'll create a new Subscribers
> group, and then add the Windows or Active Directory users or groups to this
> Subscriber group. The last thing to do is to grant this Subscriber group
> access to all the channels or postings you want them to be able to see.
>
> "Jay Noffsinger" wrote:
>
| |
| Stefan [MSFT] 2006-10-23, 7:15 am |
| Yes.
But you would need a "login" link somewhere on your page if you also want to
allow guest users.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"Mike Buckingham" <MikeBuckingham@discussions.microsoft.com> wrote in
message news:8FC7DB05-B91C-4067-B977-A900E0D6D26E@microsoft.com...[vbcol=seagreen]
> Is there a way to do this using forms authentication?
>
> "Becky VanBruggen" wrote:
>
| |
| Mike Buckingham 2006-10-24, 1:15 pm |
| Thanks Stefan. I've got it working. I found this link to be very helpful
http://mcmsbook.packtpub.com/chapter18_preview.htm. Specifically the
following code which is what you need to make MCCMS work with forms
authentication.
try
{
username = txtUsername.Text;
domain = txtDomain.Text.ToUpper();
password = txtPassword.Text;
//string the domain and userName together to get the user's account
user = "winNt://" + domain + "/" + username;
//get a ticket
CmsAuthenticationTicket
ticket=CmsFormsAuthentication.AuthenticateAsUser
(user,password);
}
catch(Exception ex)
{
lblErrorMessage.Text = ex.Message;
}
if(ticket!=null)
{
if(Request.QueryString["ReturnUrl"]!=null)
{
CmsFormsAuthentication. RedirectFromLoginPage(ticket,true,false)
;
}
else
{
CmsFormsAuthentication.SetAuthCookie(ticket,true,false);
Channel root = CmsHttpContext.Current.Searches.GetByPath
("/Channels/TropicalGreen") as Channel;
if(root!=null)
{
Response.Redirect(root.Url);
}
}
}
"Stefan [MSFT]" wrote:
> Yes.
> But you would need a "login" link somewhere on your page if you also want to
> allow guest users.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Mike Buckingham" <MikeBuckingham@discussions.microsoft.com> wrote in
> message news:8FC7DB05-B91C-4067-B977-A900E0D6D26E@microsoft.com...
>
>
>
| |
| Stefan [MSFT] 2006-10-24, 1:15 pm |
| Correct.
Btw: I'm one of the authors of this book.
Cheers,
Stefan
--
This posting is provided "AS IS" with no warranties, and confers no rights
"Mike Buckingham" <MikeBuckingham@discussions.microsoft.com> wrote in
message news:D6EB52F9-EB46-4031-A943-0589A27BA009@microsoft.com...[vbcol=seagreen]
> Thanks Stefan. I've got it working. I found this link to be very helpful
> http://mcmsbook.packtpub.com/chapter18_preview.htm. Specifically the
> following code which is what you need to make MCCMS work with forms
> authentication.
>
> try
>
> {
>
> username = txtUsername.Text;
>
> domain = txtDomain.Text.ToUpper();
>
> password = txtPassword.Text;
>
>
>
> //string the domain and userName together to get the user's account
>
> user = "winNt://" + domain + "/" + username;
>
>
>
> //get a ticket
>
> CmsAuthenticationTicket
> ticket=CmsFormsAuthentication.AuthenticateAsUser
>
> (user,password);
>
> }
>
> catch(Exception ex)
>
> {
>
> lblErrorMessage.Text = ex.Message;
>
> }
>
> if(ticket!=null)
>
> {
>
> if(Request.QueryString["ReturnUrl"]!=null)
>
> {
>
> CmsFormsAuthentication. RedirectFromLoginPage(ticket,true,false)
;
>
> }
>
> else
>
> {
>
> CmsFormsAuthentication.SetAuthCookie(ticket,true,false);
>
> Channel root = CmsHttpContext.Current.Searches.GetByPath
>
> ("/Channels/TropicalGreen") as Channel;
>
> if(root!=null)
>
> {
>
> Response.Redirect(root.Url);
>
> }
>
> }
>
> }
>
>
>
> "Stefan [MSFT]" wrote:
>
| |
| Mike Buckingham 2006-10-24, 1:15 pm |
| No wonder it's so good. I'm ordering a copy now.
Mike
"Stefan [MSFT]" wrote:
> Correct.
> Btw: I'm one of the authors of this book.
>
> Cheers,
> Stefan
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "Mike Buckingham" <MikeBuckingham@discussions.microsoft.com> wrote in
> message news:D6EB52F9-EB46-4031-A943-0589A27BA009@microsoft.com...
>
>
>
|
|
|
|
|