Active Directory Authorization Module for Orchard
Orchard is a powerful, free, open source content management system (CMS) for the .NET platform. Orchard uses modules to provide reusable sets of components that can be enabled to give additional features to your CMS. These modules can be thought of as mini ASP.NET MVC projects that each provide a specific feature for the CMS. We have been using Orchard in a recent project and it is impressive how much can be done with it; I don't feel I have even begun to scratch the surface. We (Moov2) were using Orchard for an intranet that needed to use the users and roles of the client's Active Directory server to authorize whether a user should be able to access the administration area within Orchard. Unfortunately Orchard doesn't handle interaction with Active Directory out of the box, so we implemented our own module to handle authorization.
What is great about Orchard is that it is very community driven, and the community provides tonnes of modules that can easily be enabled on your instance of Orchard. As dealing with Active Directory isn't something Orchard does out of the box, the first thing I did was look for an existing module that does something similar to what I was after. After having no luck with the built-in module search, I was able to hunt down online a couple of modules that deal with Active Directory to some extent.
The first module, Active Directory for Orchard, was by Ventajou. My first attempt to install the module using the documentation provided was unsuccessful: nothing happened. I managed to solve this problem, which was probably caused by myself, by including the module in the modules solution (within the Orchard source) inside Visual Studio. Doing this I noticed that none of the files were included in the project. Once I included all the .cs files and Module.txt and added a couple of references, the project compiled successfully. In Orchard I could now see the features that Ventajou's module brought to the table; however, they weren't quite what we were after. The module provided the ability to specify a domain and users and to handle authentication. For our requirements, the user would already be set on the context and the authentication would already be done. What we needed was the ability to authorize.
I didn't even try the second module, Orchard LDAP Module. The lack of documentation, the number of downloads and the fact that it was created over a year and a half ago didn't inspire confidence that it was going to work. The beauty of Orchard is that if a feature is needed in your CMS, you can create a custom module that provides it. The other great thing about Orchard is that your module can override the default functionality provided by another module. What our module needed to do was override the authorization process so that it verified the user based on the currently logged-in user and their associated roles. If the user had a specific role in Active Directory then they would be granted access to the administration area.
With nothing out there that fit our needs, we decided to implement our own module to deal with the problem. This module is available from a repository on the Moov2 Github page. The module uses Windows authentication to retrieve the Active Directory username and roles of the currently logged-in user. Roles should be assigned to the Active Directory users in order to manage what features they can access on the CMS, if any at all. If you already have existing roles in Active Directory, these must be added to Orchard via the Users section in the admin area. It is important that the role names match up: the module still uses Orchard's default role authorization; only the means of obtaining the current user's roles is different.
Any user that has permission to access the admin area has an Orchard user created for them, viewable in the Users section of the admin area. This is so that the user can add content: content in Orchard expects an author, which is stored on the content as a numerical id. Instead of rewriting the core of Orchard, we took the approach that an Active Directory user who has permission to access the admin area will have an Orchard user with the same username, thus giving the user an id. It should be noted that even though the users appear in the Users section, their roles should still be managed via Active Directory and not the Orchard CMS.
1. Add any known roles from Active Directory that should define an admin user into Orchard. To do this go to the admin area of your Orchard install, then to the Users section, then click the Roles tab, where you will find an "add a role" button on the right hand side.
2. Download the latest .nupkg file from the downloads section of the project's Github repository. This file is a NuGet package that is used to install the module.
3. Install the module on your instance of Orchard. To do this go to the administration area of your Orchard install, open the Modules section and click the Installed tab. On this tab there is a button to install a module from your computer; click it and browse to where you saved the .nupkg file. This installs and enables the module.
4. Now that the module is installed, make sure the authentication settings in IIS are set so that the module can access what it needs. Open IIS on the machine hosting your Orchard install and navigate to the website responsible for the Orchard install. Select the "Authentication" option and make sure that only "Windows Authentication" is enabled; any other method that is currently enabled should be disabled.
5. Finally, update the authentication settings in the Web.config in the website's root. Replace the current Forms authentication settings with the authentication settings shown below. These settings confirm that Windows authentication will be used, and also allow access to the roles associated with the Active Directory user.

    <authentication mode="Windows" />
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
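Steps 4 and 5 applied and then checked from PowerShell rather than through IIS Manager and a text editor, as an added example that is not code from the Orchard module or the original post; the site name 'OrchardIntranet', an elevated session on the IIS host, and the WebAdministration module are assumptions.

```powershell
# Added example, not part of the Orchard module or the original post.
# Assumes an elevated PowerShell session on the IIS host with the
# WebAdministration module, and a site name of 'OrchardIntranet' (assumption).
Import-Module WebAdministration

$siteName = 'OrchardIntranet'
$sitePath = "IIS:\Sites\$siteName"
$iisAuth  = 'system.webServer/security/authentication'

# IIS authentication methods are locked at server level, so they are written
# as a <location> for this site (-PSPath IIS:\ -Location), not into Web.config.
$iisMethods = @{
    windowsAuthentication   = $true    # the only method that must stay on
    anonymousAuthentication = $false   # on by default; must be off
    basicAuthentication     = $false
    digestAuthentication    = $false
}
foreach ($m in $iisMethods.Keys) {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
        -Filter "$iisAuth/$m" -Name enabled -Value $iisMethods[$m]
}

# The same two Web.config settings the post shows, written to the site's
# Web.config through the IIS configuration API instead of by hand.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/authentication' `
    -Name mode -Value 'Windows'
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/roleManager' `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/roleManager' `
    -Name defaultProvider -Value 'AspNetWindowsTokenRoleProvider'

# Verify the result. With anonymous (or any non-Windows) authentication still
# enabled, a request can reach the module without a Windows token, leaving it
# no Active Directory roles to authorize against, so treat that as an error.
function Get-AttrValue($attr) { if ($null -ne $attr.Value) { $attr.Value } else { $attr } }
$problems = @()
foreach ($m in $iisMethods.Keys) {
    $actual = Get-AttrValue (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteName `
        -Filter "$iisAuth/$m" -Name enabled)
    if ([bool]$actual -ne $iisMethods[$m]) { $problems += "$m is $actual, expected $($iisMethods[$m])" }
}
$mode = Get-AttrValue (Get-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/authentication' -Name mode)
if ("$mode" -ne 'Windows') { $problems += "system.web/authentication mode is '$mode', expected Windows" }
$provider = Get-AttrValue (Get-WebConfigurationProperty -PSPath $sitePath -Filter 'system.web/roleManager' -Name defaultProvider)
if ("$provider" -ne 'AspNetWindowsTokenRoleProvider') { $problems += "roleManager defaultProvider is '$provider'" }

if ($problems) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
Write-Host "Authentication for '$siteName' is Windows-only with the Windows token role provider."
```

Setting the mode to Windows leaves any existing <forms> child element in place, which is harmless; remove it by hand if you want the Web.config to match the snippet above exactly.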
That's all! At the moment the module isn't hosted on Orchard's module gallery, but we plan to do this in the not so distant future; that will remove steps two and three, as downloading and installation will then be handled by Orchard.
The module was created to fit the needs of our client, so it may not fit your particular need. If this is the case please open an issue in the Github repository and tell us what you would like the module to do, as we are looking to expand it to fulfil others' requirements as well as our own. If you have any issues getting the module up and running, please open an issue on Github or send me an email at firstname.lastname@example.org.