If you are going to use Active Directory to authenticate your users, there are a few things you need to do to set up the environment.



Quick Start Steps

  • IIS Manager
    • Disable all authentication except Windows
    • Optionally set up other site with anonymous / forms authentication for non-AD processes (importers, exporters, etc.)
  • web.config 
    • authentication mode = "Windows"
  • Active Directory
    • Add AD Group named "DocMgt" and make sure all users who should auto-authenticate are in that group
    • Add AD Group named "dmAdmin" and make sure all ADMIN users are in that group
    • Add AD Group named "dmReporting" and make sure all REPORTING users are in that group
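
The Quick Start steps above as one PowerShell script. This is an added example, not part of the docMgt installer: it installs the IIS Windows Authentication module, leaves the application with Windows authentication only, switches the web.config mode and creates the three AD groups. The site name "Default Web Site", the application name "docMgt" and the account names are assumptions; run it elevated on the web server (Windows Server, with the WebAdministration and ActiveDirectory modules available).

```powershell
#Requires -RunAsAdministrator
# Added example (not docMgt's own tooling): automates the Quick Start steps.
# Assumed values: the IIS site/application names and the sample accounts below.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName = 'Default Web Site'
$AppName  = 'docMgt'
$Location = "$SiteName/$AppName"                 # applicationHost.config <location> path
$AppPath  = "IIS:\Sites\$SiteName\$AppName"     # IIS provider path to the application's web.config
$AuthBase = 'system.webServer/security/authentication'

# 1. Server Manager step: the Windows Authentication option only appears in IIS Manager
#    once this feature is installed.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Install-WindowsFeature -Name Web-Windows-Auth | Out-Null
}

# 2. IIS Manager step: disable every authentication method except Windows.
#    Methods whose IIS module is not installed have no config section, so those calls are skipped.
foreach ($method in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$AuthBase/$method" -Name enabled -Value $false -ErrorAction SilentlyContinue
}
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

# 3. web.config step: <authentication mode="Forms"> becomes mode="Windows".
Set-WebConfigurationProperty -PSPath $AppPath -Filter 'system.web/authentication' -Name mode -Value 'Windows'

# 4. Active Directory step: the groups the sync looks for. "DocMgt" is the LDAPGroup default;
#    dmAdmin and dmReporting are fixed names. Create them as security groups if they are missing.
foreach ($GroupName in 'DocMgt', 'dmAdmin', 'dmReporting') {
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    }
}
# Sample membership with constructed account names: every auto-authenticating user goes in DocMgt,
# administrators additionally in dmAdmin, reporting users in dmReporting. Replace with your accounts.
Add-ADGroupMember -Identity 'DocMgt'      -Members 'jdoe', 'asmith'
Add-ADGroupMember -Identity 'dmAdmin'     -Members 'asmith'
Add-ADGroupMember -Identity 'dmReporting' -Members 'jdoe'

# 5. Check: anonymous must be off and Windows on for the application, otherwise browsers
#    will not auto-authenticate and the AD sync never runs.
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value
'anonymous={0} windows={1}' -f $anon, $win
```

Because membership of dmAdmin is what makes a user an Admin in DocMgt on their next login, treat that group like any other privileged group: keep its membership small and audit changes to it.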






Full Instructions


Internet Information Services (IIS) Manager 

In the IIS Manager console, go to your web site, open the Authentication feature and disable every authentication method except Windows Authentication.


** NOTE: If you do not see the Windows Authentication option in your IIS Manager you will need to install it from your Server Manager. 



Edit the web.config file


Set Authentication Mode

Copy your C:\Inetpub\wwwroot\docMgt\web.config file to your desktop so you can edit and save it. Keep another copy as a clean backup in case you wish to revert to the installed version. Open the file with Notepad, Notepad++ or a similar text editor. Search for the <authentication mode="Forms"> node and change "Forms" to "Windows". 





Set Domain Options

In the web.config file there is a section named appSettings. In this section there are some settings that will need to be edited or added. The following settings should be configured.



LDAPServer

LDAPServer is the name of the server used for the AD integration. This is typically the name of one of the AD servers (domain controllers) in your domain. You can also try the domain name itself, but that is not always sufficient. If you are integrating at the Machine level instead of the Domain level, this is the name of the web server itself.


LDAPMode

Set this to "Machine" to authenticate using just the web server's local Users/Groups. 

Set this to "Domain" to authenticate using Active Directory. "Domain" is assumed if the setting does not exist or if the setting is blank.


LDAPGroupMode

Set this to "Simple" to synchronize only the immediate Security Groups for the users. "Simple" is assumed if the setting does not exist or if the setting is blank.

Set this to "Full" to synchronize all Security Groups for the user - even nested ones. This is slower but is sometimes required.


LDAPGroup

The AD sync will only allow users to authenticate when they are a member of a specific AD security group. This lets you immediately segment the users who can get into the system. Set LDAPGroup to the name of the group that is allowed to access the server. If this setting does not exist or is blank, "docMgt" is assumed. A group of this name must exist for users to be able to authenticate.


LDAPLog

To enable more logging information in the Windows Event Viewer, set the LDAPLog setting to "true". This will add more logging so only set this when you are troubleshooting.



Sample web.config settings
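
An added, constructed sample of the nodes described above, not the installer's own file: only the authentication mode and the appSettings entries are shown, and the server name is a placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the docMgt installer's web.config: only the nodes discussed above are shown. -->
<configuration>
  <appSettings>
    <!-- constructed placeholder: use one of your domain controllers -->
    <add key="LDAPServer" value="dc01.corp.example" />
    <!-- "Domain" (default when missing or blank) or "Machine" for the web server's local accounts -->
    <add key="LDAPMode" value="Domain" />
    <!-- "Simple" (default) syncs immediate groups only; "Full" also walks nested groups, more slowly -->
    <add key="LDAPGroupMode" value="Simple" />
    <!-- the AD security group whose members may log in; "docMgt" is assumed when missing -->
    <add key="LDAPGroup" value="DocMgt" />
    <!-- extra Event Viewer logging; leave "false" except while troubleshooting -->
    <add key="LDAPLog" value="false" />
  </appSettings>
  <system.web>
    <!-- changed from mode="Forms" -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
```

The same <add> lines can live in customweb.config next to web.config (root element <appSettings>), as the installation note below describes, so they survive an upgrade that replaces web.config; that docMgt loads that file through the standard .NET appSettings "file" attribute is an assumption here, not something this page states.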



Copy the Web.config file you have been editing back into the wwwroot\docMgt folder and then load the site in your browser.


REMEMBER! For the AD integration to work you need to ensure your IIS Manager settings are correct, your Web.config settings are correct and you have configured your AD Users and Groups with the settings above in mind.



INSTALLATION NOTE!

To make upgrades easier, you can place your custom appSettings entries into a new file named "customweb.config" and place it next to the web.config file in the root of the web site. This file will not be removed or replaced by the installer so your custom settings will not be lost on each upgrade.

More information from Microsoft: https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/appsettings/




Client Settings

In order to allow browsers to automatically authenticate users you will need to ensure your DocMgt site is in all users' Local Intranet sites lists. Here is a link to an article that explains how to do that. https://itkb.csulb.edu/display/help/Adding+Sites+to+Local+Intranet+in+Browser+Settings. This can also be done using GPO for mass updating as this article shows: https://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/



Security Details

Any user who authenticates via Active Directory will be secured as follows:

    • Only those users in the LDAPGroup (see above) will be authenticated. Anyone not in that group will be denied.
    • Anyone in the dmAdmin group in AD will be set as an Admin in DocMgt. Even if the user's Admin setting is later changed in the DocMgt interface, it will be reset from the AD group membership the next time the user authenticates.
    • Anyone in the dmReporting group in AD will be set as a Reporting User in DocMgt. Even if the user's Reporting User setting is later changed in the DocMgt interface, it will be reset from the AD group membership the next time the user authenticates.
    • The AD Security Groups that the user is in will be used to set them up in DocMgt Teams. The logic is as follows:
      • For each AD Group for that user see if there is a matching DocMgt Team. 
        • If no match then skip
        • If match then see if the user is in the Team
          • If yes then move on
          • If not then add the user to that Team
      • For each DocMgt Team for that user see if there is a matching AD Group. 
        • If no match then skip
        • If match then see if the user is in the AD Group
          • If yes then move on
          • If not then remove that user from that Team
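
The two passes above, modelled on constructed data as an added example (this is not docMgt's code; the user, group and team names are sample values). The point it makes visible is the asymmetry: a Team with no AD group of the same name is never touched, so manually assigned Teams survive the sync, while a Team whose AD group the user has left loses the user.

```powershell
# Added example: a model of the DocMgt team-sync rules on constructed data.
# Not docMgt's code; users, groups and teams below are sample values.

function Sync-DocMgtUser {
    param(
        [Parameter(Mandatory)] [string]    $User,
        [Parameter(Mandatory)] [string[]]  $UserAdGroups,   # AD security groups this user is in
        [Parameter(Mandatory)] [string[]]  $AllAdGroups,    # every security group that exists in AD
        [Parameter(Mandatory)] [hashtable] $Teams           # team name -> List[string] of members (updated in place)
    )
    $changes = [System.Collections.Generic.List[string]]::new()

    # Admin and Reporting flags come from the fixed group names and override the interface setting.
    $isAdmin     = $UserAdGroups -contains 'dmAdmin'
    $isReporting = $UserAdGroups -contains 'dmReporting'

    # Pass 1: AD Group -> Team. Only groups with a same-named Team matter.
    foreach ($group in $UserAdGroups) {
        if (-not $Teams.ContainsKey($group)) { continue }            # no matching Team: skip
        if ($Teams[$group] -contains $User) { continue }             # already in the Team: move on
        $Teams[$group].Add($User)
        $changes.Add("added to team '$group'")
    }

    # Pass 2: Team -> AD Group. A Team whose name matches no AD group is skipped;
    # a Team that matches an AD group the user is no longer in loses the user.
    foreach ($team in @($Teams.Keys)) {
        if ($Teams[$team] -notcontains $User) { continue }           # not one of the user's Teams
        if ($AllAdGroups -notcontains $team) { continue }            # no matching AD group: skip
        if ($UserAdGroups -contains $team) { continue }              # still in the AD group: move on
        [void]$Teams[$team].Remove($User)
        $changes.Add("removed from team '$team'")
    }

    [pscustomobject]@{ User = $User; IsAdmin = $isAdmin; IsReporting = $isReporting; Changes = $changes }
}

# Constructed sample state: jdoe is in dmAdmin, has just been added to the Accounting
# group and removed from the Sales group in AD, and was placed in the Legal team by hand.
$teams = @{
    Accounting = [System.Collections.Generic.List[string]]@('mlee')
    Sales      = [System.Collections.Generic.List[string]]@('jdoe', 'mlee')
    Legal      = [System.Collections.Generic.List[string]]@('jdoe')   # no AD group of this name
}
$result = Sync-DocMgtUser -User 'jdoe' `
    -UserAdGroups 'DocMgt', 'dmAdmin', 'Accounting', 'HR' `
    -AllAdGroups  'DocMgt', 'dmAdmin', 'dmReporting', 'Accounting', 'HR', 'Sales' `
    -Teams $teams
$result | Format-List
```

With this sample, jdoe is added to the Accounting team, removed from the Sales team, and left in the Legal team because no AD group named Legal exists; DocMgt, dmAdmin and HR have no matching Team and are skipped in the first pass, while IsAdmin is set from the dmAdmin membership regardless of what was configured in the interface.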




It is likely that you will need to add the URL of the server to your Intranet Sites list for IE users to automatically log in without a prompt. Here is one article that shows you how to do that. You can do it manually for each workstation although it is typically easier with a Group Policy:

http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/



If you still get a user/password prompt from the browser then check this article:

https://support.microsoft.com/en-us/help/303650/intranet-site-is-identified-as-an-internet-site-when-you-use-an-fqdn-o



Multi-Mode Logins

If you wish to authenticate some users via AD and some via normal logins (including Importer and Exporter), you can create a new web site or Web Application to authenticate the normal users. You would have to manually copy the wwwroot\docmgt folder and set its web.config settings back to normal. Then, in IIS Manager for that web site, enable Anonymous Authentication instead of Windows Authentication.


The non-AD users would use a different URL but they would be logging into the same server with the same data and documents.


Contact support if you wish to do this and need assistance.



Suggested Configuration

If you will be using multi-mode logins, we suggest using the main install directory (wwwroot\docmgt) for your NON-AD login URL. This will greatly simplify upgrades. Install as normal and make sure you can login without AD. Then copy that install folder to another folder. Set up the new folder with AD.
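
The Suggested Configuration as an added PowerShell example (not docMgt's tooling): the installer's folder keeps the normal login, and a copy of it becomes a second IIS application that takes AD logins. The site name, folder names and application name are assumptions; the Windows Authentication module is assumed to be installed already.

```powershell
#Requires -RunAsAdministrator
# Added example (not docMgt's tooling): multi-mode logins per the Suggested Configuration.
# The main install in wwwroot\docmgt stays non-AD; a copy becomes the AD-authenticated application.
# Assumed values: site name, folder paths and the application name.
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$Source   = 'C:\inetpub\wwwroot\docmgt'        # installer's folder: stays non-AD, so upgrades stay simple
$Target   = 'C:\inetpub\wwwroot\docmgt-ad'     # copy that will take AD logins
$AppName  = 'docmgt-ad'                        # AD users reach it at a second URL: /docmgt-ad
$AuthBase = 'system.webServer/security/authentication'

# 1. Copy the installed folder (web.config and any customweb.config come along with it).
Copy-Item -Path $Source -Destination $Target -Recurse

# 2. Publish the copy as a web application in its own application pool.
if (-not (Test-Path "IIS:\AppPools\$AppName")) { New-WebAppPool -Name $AppName | Out-Null }
New-WebApplication -Site $SiteName -Name $AppName -PhysicalPath $Target -ApplicationPool $AppName | Out-Null

# 3. The copy gets Windows authentication only. The original keeps Anonymous authentication,
#    so its Forms login, Importer and Exporter keep working against the same data.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$AppName" `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$SiteName/$AppName" `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

# 4. Only the copy's web.config switches to Windows mode; the original stays on Forms.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName\$AppName" `
    -Filter 'system.web/authentication' -Name mode -Value 'Windows'
```

Both applications serve the same documents, so the only thing that differs between the two URLs is how the user is identified; the LDAP* appSettings in the copy are what gate the AD side, and the original's non-AD URL still needs its own user accounts and passwords managed in DocMgt.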