Jake  
#1 Posted : Monday, August 29, 2011 12:59:54 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
NOT SUPPORTED ON LINUX/OSX/MONO. SORRY!

We've implemented simple LDAP membership and role providers. They're read-only, so your users and their role membership are configured elsewhere. It works as kind of a hybrid between our Windows and Forms providers. Only roles can be edited like our Windows auth, but users login through a Form like our forms auth.

Only works in 2.3.1885+

Here is how to configure it:

Code:

  <membership defaultProvider="Default">
   <providers>
    <clear />
    <add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider"
      server="ldap.elsitech.local:636"
      useSsl="true"
      serviceUser="CN=ServiceUser,OU=Users,DC=elsitech,DC=local"
      servicePassword="myPassword"
      userRootDN="OU=Users,DC=elsitech,DC=local"
      userNameAttribute="cn"
      roleRootDN="OU=Groups,DC=elsitech,DC=local"
      roleNameAttribute="cn"
      roleUserDNAttribute="member"
    />
    <add name="OldDefault" type="Elsinore.ScreenConnect.XmlMembershipProvider" virtualFilePath="~/App_Data/User.xml" />
   </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="Forms">
   <providers>
    <clear />
    <add name="Forms" type="Elsinore.ScreenConnect.LdapRoleProvider" />
    <add name="OldForms" type="Elsinore.ScreenConnect.XmlRoleProvider" />
    <add name="Windows" type="Elsinore.ScreenConnect.WindowsRoleProvider" />
   </providers>
  </roleManager>


Attributes:

Code:

server: fully qualified server name optionally including port.  389 is default port.  636 is standard SSL port, but must be specified even if useSsl is set to true.

useSsl: true or false depending on whether you want to use SSL.  Authentication is basic, so it's passed in clear text unless you use SSL.

serviceUser: DN of user account used to search the directory tree

servicePassword: password of user account used to search the directory tree

userRootDN: DN of root of where users are located.  This can be used to narrow the search scope for users

userNameAttribute: name of attribute that specifies the user name.  "cn" is Common Name and is usually what they consider their "user name".  sAMAccountName can be used for Active Directory if you want them to use what they use to login to windows.

userRoleNameAttribute: (optional, mutually exclusive with roleUserDNAttribute) name of multi-valued attribute on user entry that specifies role names for the user.  If these are DNs, your roles in ScreenConnect need to be full DNs also.

roleRootDN: (optional, mutually exclusive with userRoleNameAttribute) DN of root of where roles/groups are located.  This can be used to narrow the search scope for groups

roleNameAttribute: (optional, mutually exclusive with userRoleNameAttribute) name of attribute that specifies the name of the role.  Usually "cn".

roleUserDNAttribute: (optional, mutually exclusive with userRoleNameAttribute) name of multi-valued attribute on role/group that lists membership in the form of user DNs.  Typically "member".


Validation process using above settings with username "billy" password "testpass":

- We bind to ldap.elsitech.local:636 (server) with SSL with account "CN=ServiceUser,DC=elsitech,DC=local" (serviceUser) and password "myPassword" (servicePassword)
- We search the tree at root "OU=Users,DC=elsitech,DC=local" (userRootDN) for user entry with "cn" (userNameAttribute) equal to "billy"
- We find an entry at "cn=Billy,OU=Users,DC=elsitech,DC=local"
- We create a new connection and try to bind as "cn=Billy,OU=Users,DC=elsitech,DC=local" with password "testpass"
- We succeed or fail based on whether the bind was successful

Role lookup process using above settings with username "billy":

- We bind to ldap.elsitech.local:636 (server) with SSL with account "CN=ServiceUser,DC=elsitech,DC=local" (serviceUser) and password "myPassword" (servicePassword)
- We search the tree at root "OU=Users,DC=elsitech,DC=local" (userRootDN) for user entry with attribute "cn" (userNameAttribute) equal to "billy"
- We find an entry at "cn=Billy,OU=Users,DC=elsitech,DC=local"
- We search the tree at root "OU=Roles,DC=elsitech,DC=local" (roleRootDN) for group entry with attribute "member" (roleUserDNAttribute) equal to "cn=Billy,OU=Users,DC=elsitech,DC=local"
- We return the value of the "cn" (roleNameAttribute) attribute for each role we find


You define your roles in ScreenConnect the same way you do now. I suppose you should probably define the roles first before you apply these changes, or you'll be locked out.

Please reply on the forum with any issues you encounter. Our support department cannot support the usage of this authentication.

Added 2013-10-12 for 4.1

Added 3 new attributes: userEmailAttribute, userPasswordQuestionAttribute, and userCommentAttribute ... Most notable is userPasswordQuestionAttribute which can specify the name of an attribute that contains Two-Factor Authentication information:
http://forum.screenconne...ctor-Authentication.aspx

Edited by user Tuesday, December 10, 2013 5:08:33 PM(UTC)  | Reason: Not specified

ScreenConnect Team
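The validation and role-lookup steps described in the post above, as an added example that is not ScreenConnect's code: a service-account bind, a subtree search for the user entry, a second bind as the user's own DN, and a search of the group tree for entries whose roleUserDNAttribute lists that DN. Everything here is constructed for the example (the in-memory FakeDirectory, the minimal RFC 4515 filter evaluator, the LdapProvider class and the sample entries); only the setting names and DNs follow the post. It goes slightly beyond the post's walk-through in that the user-name attribute is switchable (cn or sAMAccountName), a userAdditionalFilter can be AND-ed in, and the user name is hex-escaped before it is placed in the filter, so a name containing filter metacharacters cannot change the query.

```python
"""Added example, not ScreenConnect's code: the post's LDAP validation and
role lookup run against a constructed in-memory directory (offline)."""
import re

# RFC 4515: characters that must be hex-escaped inside a filter value.
# Without this, a user name such as "billy)(cn=*" would rewrite the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value before it is placed inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value: turn \\xx hex escapes back into characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(name_attribute, user_name, additional_filter=""):
    """(<attr>=<escaped name>), AND-ed with userAdditionalFilter when one is set."""
    match = f"({name_attribute}={escape_filter_value(user_name)})"
    return f"(&{match}{additional_filter})" if additional_filter else match


def parse_filter(text):
    """Parse the RFC 4515 subset used here: (a=v), (a=*), (&...), (|...), (!...)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"filter must be parenthesised: {text!r}")
    body = text[1:-1]
    if body and body[0] in "&|!":
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):      # split the top-level sub-filters
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(body[start:i + 1]))
        return (body[0], parts)
    attribute, _, value = body.partition("=")     # the value may itself contain '='
    return ("=", attribute, value)


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's {lowercase attr: [values]}."""
    op = node[0]
    if op == "&":
        return all(matches(n, attrs) for n in node[1])
    if op == "|":
        return any(matches(n, attrs) for n in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attribute, value = node
    values = [v.lower() for v in attrs.get(attribute.lower(), [])]
    if value == "*":                               # presence test
        return bool(values)
    return unescape_filter_value(value).lower() in values   # case-insensitive equality


class FakeDirectory:
    """Constructed stand-in for an LDAP server: entries keyed by DN plus bind passwords."""

    def __init__(self, entries, passwords):
        self.entries = {dn: {a.lower(): v for a, v in attrs.items()}
                        for dn, attrs in entries.items()}
        self.passwords = passwords

    def bind(self, dn, password):
        """Simple bind: succeeds only if the DN exists and the password matches."""
        return dn in self.passwords and self.passwords[dn] == password

    def search(self, root_dn, filter_text):
        """Subtree search under root_dn; returns the DNs of matching entries."""
        node, root = parse_filter(filter_text), root_dn.lower()
        return [dn for dn, attrs in self.entries.items()
                if (dn.lower() == root or dn.lower().endswith("," + root)) and matches(node, attrs)]


class LdapProvider:
    """Read-only provider following the post's steps; settings use the post's attribute names."""

    def __init__(self, directory, **settings):
        self.directory, self.settings = directory, settings

    def _find_user_dn(self, user_name):
        s = self.settings
        if not self.directory.bind(s["serviceUser"], s["servicePassword"]):
            raise PermissionError("service account bind failed")
        flt = build_user_filter(s["userNameAttribute"], user_name, s.get("userAdditionalFilter", ""))
        hits = self.directory.search(s["userRootDN"], flt)
        return hits[0] if len(hits) == 1 else None   # missing or ambiguous: treat as no user

    def validate_user(self, user_name, password):
        """Second connection: bind as the user's own DN with the supplied password."""
        dn = self._find_user_dn(user_name)
        return dn is not None and self.directory.bind(dn, password)

    def get_roles_for_user(self, user_name):
        """Groups whose roleUserDNAttribute lists the user's DN, named by roleNameAttribute."""
        s, dn = self.settings, self._find_user_dn(user_name)
        if dn is None:
            return []
        flt = f"({s['roleUserDNAttribute']}={escape_filter_value(dn)})"
        name_attr = s["roleNameAttribute"].lower()
        return [name for role_dn in self.directory.search(s["roleRootDN"], flt)
                for name in self.directory.entries[role_dn].get(name_attr, [])]


# Constructed sample tree mirroring the DNs used in the post's walk-through.
DIRECTORY = FakeDirectory(
    entries={
        "CN=ServiceUser,OU=Users,DC=elsitech,DC=local": {"cn": ["ServiceUser"], "objectClass": ["user"]},
        "cn=Billy,OU=Users,DC=elsitech,DC=local": {"cn": ["Billy"], "sAMAccountName": ["billy"], "objectClass": ["user"]},
        "CN=Admins,OU=Groups,DC=elsitech,DC=local": {"cn": ["Admins"], "member": ["cn=Billy,OU=Users,DC=elsitech,DC=local"]},
        "CN=Hosts,OU=Groups,DC=elsitech,DC=local": {"cn": ["Hosts"], "member": ["cn=Billy,OU=Users,DC=elsitech,DC=local"]},
    },
    passwords={"CN=ServiceUser,OU=Users,DC=elsitech,DC=local": "myPassword",
               "cn=Billy,OU=Users,DC=elsitech,DC=local": "testpass"},
)


def make_provider(user_name_attribute="cn", user_additional_filter=""):
    """Provider wired to DIRECTORY with the post's settings; the name attribute is switchable."""
    return LdapProvider(DIRECTORY, serviceUser="CN=ServiceUser,OU=Users,DC=elsitech,DC=local",
                        servicePassword="myPassword", userRootDN="OU=Users,DC=elsitech,DC=local",
                        userNameAttribute=user_name_attribute, userAdditionalFilter=user_additional_filter,
                        roleRootDN="OU=Groups,DC=elsitech,DC=local", roleNameAttribute="cn",
                        roleUserDNAttribute="member")
```

Two design choices worth noting: a search that returns zero or more than one user entry is treated as "no such user" rather than picking the first hit (an assumption of this example, since the post does not say how the provider handles duplicates), and the user-supplied name is always passed through escape_filter_value, which is the check that keeps a login name from being interpreted as filter syntax. Switching make_provider("sAMAccountName") shows the behaviour the later replies ask about: the same entry is found by its Windows login name instead of its Common Name.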

Nimda_11  
#2 Posted : Tuesday, May 15, 2012 6:46:27 PM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
I am trialing SC and had a few questions regarding LDAP/Windows Auth.

1. Are Windows Auth and LDAP Auth 2 separate things in screen connect?
2. If using Windows Auth, can I assume that in order to work properly that the screenconnect server needs to be a domain member?
3. Can you post an example web.config file so that I can copy and paste the LDAP portions of the config? I'm lazy and prone to typos :)

So far SC is great!

Thanks,
- Sam
Jake  
#3 Posted : Thursday, May 17, 2012 3:11:45 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Yes, they are two different things. Windows and Forms auth are the two main auth modes. LDAP is configured as a provider for forms auth. Yes, the SC server needs to be a domain member.
ScreenConnect Team
Nimda_11  
#4 Posted : Saturday, May 19, 2012 6:06:48 AM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
Ahhhh, as soon as I pulled my head out of my butt and realized your example was txt and not a screenshot (for whatever reason it looked like a screenshot to me), I was able to get it running no problemo.

Using it against Active Directory (2008 R2 Schema), seems to be working great.

A few comments/questions (based on my own testing).
1. To use LDAP, the machine does NOT have to be in a domain, or can even be a member of a different domain than it is querying. If using windows auth, then it needs to be a member of the domain.
2. Is there any risk leaving the user.xml file in place? can/should it be deleted/moved once LDAP is up and running?
3. If I wanted to use SSL, will screen connect deal with certificate errors? (name mismatch)


In any case, thank you for the example, and the response.

- Sam
Jake  
#5 Posted : Thursday, January 31, 2013 11:51:42 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
NOT SUPPORTED ON LINUX/OSX/MONO. SORRY!
ScreenConnect Team
namrebyc  
#6 Posted : Friday, March 22, 2013 9:19:12 AM(UTC)
namrebyc


Rank: Newbie

Joined: 3/22/2013(UTC)
Posts: 2

I have attempted to use this code to authenticate using LDAP to a Server 2003 Active Directory.
When I make the changes for my server, I get the following error in the Event Log (this happens when the application restarts, before attempting to login):

Event Type: Warning
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1309
Date: 3/22/2013
Time: 8:59:00 AM
User: N/A
Computer: SERVER01
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/22/2013 8:59:00 AM
Event time (UTC): 3/22/2013 12:59:00 PM
Event ID: 94ed6e2e3812439aa28ac9eba2b66165
Event sequence: 2
Event occurrence: 1
Event detail code: 0

Application information:
Application domain: 1140319-20-130084307392900111
Trust level: Full
Application Virtual Path: /
Application Path: E:\Program Files\ScreenConnect\
Machine name: SERVER01

Process information:
Process ID: 1892
Process name: Elsinore.ScreenConnect.Service.exe
Account name: NT AUTHORITY\SYSTEM

Exception information:
Exception type: InvalidCastException
Exception message: Unable to cast object of type 'Elsinore.ScreenConnect.PermissionEntry[]' to type 'System.String[]'.

Request information:
Request URL: http://127.0.0.1/Administration.aspx
Request path: /Administration.aspx
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM

Thread information:
Thread ID: 2
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Elsinore.ScreenConnect.LdapMembershipProvider.GetRolesForUser(String userName)
at Elsinore.ScreenConnect.LdapRoleProvider.GetRolesForUser(String userName)
at Elsinore.ScreenConnect.Permissions.GetEntriesForUser()
at Elsinore.ScreenConnect.Permissions.AssertPermission(String permissionName, Boolean throwOrEnd)
at ASP.administration_aspx.OnInit(EventArgs e)
at System.Web.UI.Control.InitRecursive(Control namingContainer)
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)


Custom event details:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Jake  
#7 Posted : Friday, March 22, 2013 9:28:47 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
I'm not completely sure how that happened, but we just fixed that particular error for 3.2 next build.
ScreenConnect Team
namrebyc  
#8 Posted : Friday, March 22, 2013 10:06:48 AM(UTC)
namrebyc


Rank: Newbie

Joined: 3/22/2013(UTC)
Posts: 2

Jake wrote:
I'm not completely sure how that happened, but we just fixed that particular error for 3.2 next build.


Next build as in not published yet? Just tried the 3/20 release, still broke.

Also, when it works, do the LDAP Providers search just the RootDN, or does it do a recursive search?
I've got users in several different OUs. The SC groups are all under one though.

Thanks.
Jake  
#9 Posted : Friday, March 22, 2013 10:19:38 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
It will search the subtree. You've likely got something configured wrong, but you still shouldn't have received that particular error. New build will be posted today, probably.
ScreenConnect Team
Nimda_11  
#10 Posted : Wednesday, April 3, 2013 4:02:20 PM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
I’ve attached our Web.Config file (sanitized).

When I try to login using this web.config file I get a redirect loop error from the browser.

The end goal being that Screen Connect uses forms auth against my Windows Active Directory for both Users and Roles.

Currently running 3.1.4297.4812


Code:
<configuration>
 <system.web>
  <compilation defaultLanguage="c#" debug="false">
   <assemblies>
    <add assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add assembly="System.Xml.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <add assembly="System.Data.Linq, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    <add assembly="System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <add assembly="Elsinore.ScreenConnect.Web" />
   </assemblies>
  </compilation>
  <authentication>
   <forms loginUrl="~/Login" defaultUrl="~/Host" timeout="525600" cookieless="UseCookies" />
  </authentication>
  <machineKey />
  <membership defaultProvider="Default">
   <providers>
    <clear />
    <add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider"
      server="FIT-DC-03.formatech-it.local:389"	
      useSsl="false"
      serviceUser="CN=FIT LDAP Account1,OU=Special Users,OU=FormaTech,DC=formatech-it,DC=local"
      servicePassword="23fjs#s3"
      userRootDN="OU=Users,OU=FormaTech,DC=formatech-it,DC=local"
      userNameAttribute="sAMAccountName"
      roleRootDN="OU=ScreenConnect,OU=LOB Applications,OU=FormaTech,DC=formatech-it,DC=local"
      roleNameAttribute="cn"
      roleUserDNAttribute="member"
    />
	<add name="OldDefault" type="Elsinore.ScreenConnect.XmlMembershipProvider" virtualFilePath="~/App_Data/User.xml" />
   </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="Forms">
   <providers>
    <clear />
    <add name="Forms" type="Elsinore.ScreenConnect.LdapRoleProvider" />
	<add name="OldForms" type="Elsinore.ScreenConnect.XmlRoleProvider" />
    <add name="Windows" type="Elsinore.ScreenConnect.WindowsRoleProvider" />
   </providers>
  </roleManager>
  <pages enableSessionState="false" enableEventValidation="false" enableViewStateMac="false" theme="Plain" validateRequest="false" viewStateEncryptionMode="Never" pageBaseType="Elsinore.ScreenConnect.ThemeablePage, Elsinore.ScreenConnect.Web">
   <controls>
    <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions" />
    <add tagPrefix="asp" namespace="System.Web.UI.WebControls" assembly="System.Web.Extensions" />
    <add tagPrefix="asp" namespace="Elsinore.ScreenConnect" assembly="Elsinore.ScreenConnect.Web" />
   </controls>
   <namespaces>
    <add namespace="System.IO" />
    <add namespace="System.Collections.Generic" />
    <add namespace="System.Web.Configuration" />
    <add namespace="System.Net" />
    <add namespace="System.Net.Mail" />
    <add namespace="System.Net.Configuration" />
    <add namespace="System.Linq" />
    <add namespace="System.Drawing" />
    <add namespace="DR=Resources.Default" />
    <add namespace="Elsinore.ScreenConnect" />
   </namespaces>
  </pages>
  <httpModules>
   <remove name="UrlAuthorization" />
   <remove name="FileAuthorization" />
   <remove name="FormsAuthentication" />
   <add name="BasicMembershipFormsAuthenticationModule" type="Elsinore.ScreenConnect.BasicMembershipFormsAuthenticationModule, Elsinore.ScreenConnect.Web" />
   <add name="DisplayWindowsAuthenticationModule" type="Elsinore.ScreenConnect.DisplayWindowsAuthenticationModule, Elsinore.ScreenConnect.Web" />
   <add name="CacheBusterModule" type="Elsinore.ScreenConnect.CacheBusterModule, Elsinore.ScreenConnect.Web" />
   <add name="DemandAuthenticationModule" type="Elsinore.ScreenConnect.DemandAuthenticationModule, Elsinore.ScreenConnect.Web" />
   <add name="SetupModule" type="Elsinore.ScreenConnect.SetupModule, Elsinore.ScreenConnect.Web" />
   <add name="CompressionModule" type="Elsinore.ScreenConnect.CompressionModule, Elsinore.ScreenConnect.Web" />
  </httpModules>
  <httpHandlers>
   <remove verb="*" path="*.ashx" />
   <add verb="*" path="*.ashx" type="Elsinore.ScreenConnect.SingletonHandlerFactory, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
   
   
   <add verb="GET" path="MacInstaller.axd" type="Elsinore.ScreenConnect.MacInstallerHandler, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="ClickOnceBootstrapper.axd" type="Elsinore.ScreenConnect.ClickOnceBootstrapperHandler, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="WindowsInstaller.axd" type="Elsinore.ScreenConnect.WindowsInstallerHandler, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="CaptureTranscoder.axd" type="Elsinore.ScreenConnect.CaptureTranscoderHandler, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="Elsinore.ScreenConnect.WindowsClient.application" type="Elsinore.ScreenConnect.ClickOnceHandler, Elsinore.ScreenConnect.Web" />
   <add verb="GET" path="Elsinore.ScreenConnect.Client.jnlp" type="Elsinore.ScreenConnect.JavaWebStartHandler, Elsinore.ScreenConnect.Web" />
  </httpHandlers>
  <httpRuntime executionTimeout="600" enableVersionHeader="false" />
  <urlMappings enabled="true">
   <add url="~/Guest" mappedUrl="~/Guest.aspx" />
   <add url="~/Host" mappedUrl="~/Host.aspx" />
   <add url="~/Administration" mappedUrl="~/Administration.aspx" />
   <add url="~/Login" mappedUrl="~/Login.aspx" />
  </urlMappings>
  <hostingEnvironment shadowCopyBinAssemblies="false" />
 </system.web>
 <appSettings>
  <add key="AsymmetricKey" value="" />
  <add key="LicenseFilePath" value="App_Data/License.xml" />
  <add key="SessionGroupFilePath" value="App_Data/SessionGroup.xml" />
  <add key="SessionDirectoryPath" value="App_Data/Session" />
  <add key="RoleFilePath" value="App_Data/Role.xml" />
  <add key="ToolboxDirectoryPath" value="App_Data/Toolbox" />
  <add key="IsSetup" value="true" />
  <add key="AllowRemoteSetup" value="true" />
  <add key="SetupRedirectFilter" value="aspx" />
  <add key="SetupPage" value="~/SetupWizard.aspx" />
  <add key="AlreadySetupPage" value="~/Administration.aspx" />
  <add key="DefaultDocumentName" value="Guest.aspx" />
  <add key="AccessSessionExpireSeconds" value="86400" />
  <add key="HostEligibleExpireSeconds" value="86400" />
  <add key="AccessTokenExpireSeconds" value="86400" />
  <add key="SmtpEnableSsl" value="false" />
  <add key="WebServerListenUri" value="http://+:80/" />
  <add key="RelayListenUri" value="relay://0.0.0.0:443/" />
  <add key="DefaultScreenQualityLevel" value="Medium" />
  <add key="AuditLevel" value="Basic" />
  <add key="ClientConfigDirectoryPath" value="App_ClientConfig" />
 </appSettings>
 <system.net>
  <mailSettings>
   <smtp from="host@screenconnect.com">
    <network defaultCredentials="true" />
   </smtp>
  </mailSettings>
 </system.net>
 <system.codedom>
  <compilers>
   <compiler compilerOptions="/nowarn:1685" language="c#;cs;csharp" extension=".cs" warningLevel="4" type="Microsoft.CSharp.CSharpCodeProvider, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
    <providerOption name="CompilerVersion" value="v3.5" />
    <providerOption name="WarnAsError" value="false" />
   </compiler>
  </compilers>
 </system.codedom>
 <system.serviceModel>
  <client>
   <endpoint address="net.pipe://localhost/scsm" binding="customBinding" contract="Elsinore.ScreenConnect.ISessionManagerChannel" />
  </client>
  <services>
   <service name="Elsinore.ScreenConnect.SessionManager">
    <endpoint address="net.pipe://localhost/scsm" binding="customBinding" contract="Elsinore.ScreenConnect.ISessionManager" />
   </service>
  </services>
 </system.serviceModel>
</configuration>

Edited by moderator Wednesday, May 15, 2013 3:30:36 PM(UTC)  | Reason: Not specified

Nimda_11  
#11 Posted : Friday, April 5, 2013 5:16:14 PM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
giva ya a dollar for a clue :)
Jake  
#12 Posted : Thursday, April 18, 2013 5:20:14 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Did you figure it out? Are you sure your role names match what is the role name in active directory?
ScreenConnect Team
Nimda_11  
#13 Posted : Saturday, April 20, 2013 1:51:56 AM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
Nope. Been waiting for ya :)

The role names definitely match. Using Windows Auth currently. But LDAP is so much easier to use on the mobile (iOS) client.
Nimda_11  
#14 Posted : Monday, May 13, 2013 8:33:32 PM(UTC)
Nimda_11


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/15/2012(UTC)
Posts: 31
Location: Napa

Was thanked: 1 time(s) in 1 post(s)
Any ideas?
Jake  
#15 Posted : Wednesday, May 15, 2013 3:32:33 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
We'd probably use wireshark or network monitor to look at the ldap conversation. And we'd maybe need an ldap browser to make sure everything is setup at the DNs that you entered. It sounds like the username and password match, but you're not getting any roles that give you access.
ScreenConnect Team
mp1  
#16 Posted : Monday, August 5, 2013 1:57:02 AM(UTC)
mp1


Rank: Member

Joined: 8/5/2013(UTC)
Posts: 17

Hi,

We are just testing ScreenConnect with LDAP Authentication against our Active Directory and it's working fine, although we have to do all our Authentication against our "META-Directory" - it's an LDAP Directory like OpenLDAP.
Therefore we would need the possibility to configure an LDAP user filter.

Any chance to get this?

like:


Quote:
(&(objectClass=gvOrgPerson)(gvRights=cn=xxx1,gvApplId=xxx2,ou=Applications,dc=test,dc=com)(uid=*))


We would really like Screenconnect ;-)

Thanks and regards,

Martin
Jake  
#17 Posted : Monday, August 5, 2013 12:30:30 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Added two additional attributes: userAdditionalFilter and roleAdditionalFilter ... for 4.0
ScreenConnect Team
mp1  
#18 Posted : Tuesday, August 6, 2013 8:26:30 AM(UTC)
mp1


Rank: Member

Joined: 8/5/2013(UTC)
Posts: 17

Jake wrote:
Added two additional attributes: userAdditionalFilter and roleAdditionalFilter ... for 4.0


Thanks, great ... I saw, that it's already included in 4.0.5106 - Is there a download link available?

Regards,

Martin
mp1  
#19 Posted : Wednesday, August 7, 2013 10:40:09 AM(UTC)
mp1


Rank: Member

Joined: 8/5/2013(UTC)
Posts: 17

Hi,

I am just testing with the latest 4 Build, unfortunately when I add the new attributes, I can't start the service ->
Windows EventLog: An error occurred while parsing EntityName .... (Line, where userAdditionalFilter is configured)

What am I doing wrong?


Quote:
<membership defaultProvider="Default">
<providers>
<clear />
<add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider"
server="xxxx:636"
useSsl="true"
serviceUser="gvGid=AT:L7:ServiceFTP,ou=Service,dc=tirol+gvOuId=AT:L7:LVN:000001,dc=gv,dc=at"
servicePassword="xxxxx"
userRootDN="DC=GV,DC=AT"
userNameAttribute="uid"
roleRootDN="DC=GV,DC=AT"
roleNameAttribute="cn"
roleUserDNAttribute="member"
userAdditionalFilter="(&(objectClass=gvOrgPerson)(gvRights=cn=FTPS-InternBenutzer,gvApplId=FTPS,ou=Applications,ou=TLR-AD,dc=tirol+gvOuId=AT:L7:LVN:000001,dc=gv,dc=at)"
roleAdditionalFilter="(objectClass=gvApplicationRight)"
/>
<add name="OldDefault" type="Elsinore.ScreenConnect.XmlMembershipProvider" virtualFilePath="~/App_Data/User.xml" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="Forms">
<providers>
<clear />
<add name="Forms" type="Elsinore.ScreenConnect.LdapRoleProvider" />
<add name="OldForms" type="Elsinore.ScreenConnect.XmlRoleProvider" />
<add name="Windows" type="Elsinore.ScreenConnect.WindowsRoleProvider" />
</providers>
</roleManager>


Thanks

Martin
Jake  
#20 Posted : Wednesday, August 7, 2013 11:31:02 AM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
It's xml, so you have to escape your ampersand ... & == &amp; ... and maybe something else I missed. Try to open your web.config in a web browser. It should complain if it's not valid.
ScreenConnect Team
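The point made in the reply above (an LDAP filter containing `&` must be written as `&amp;` inside a web.config attribute, and the file should be checked for well-formedness), as an added example that is not ScreenConnect's code. The membership fragment is reduced to the one attribute that matters, the filter text follows the shape quoted earlier in the thread with placeholder RDN values, and `membership_fragment`, `is_well_formed` and `read_additional_filter` are helpers constructed for this example.

```python
"""Added example, not ScreenConnect's code: put an LDAP filter into a
web.config attribute correctly and verify the result still parses as XML."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed filter in the shape quoted in the thread; "xxx1"/"xxx2" are placeholders.
RAW_FILTER = "(&(objectClass=gvOrgPerson)(gvRights=cn=xxx1,gvApplId=xxx2,ou=Applications,dc=test,dc=com))"


def membership_fragment(user_additional_filter, escape=True):
    """Return a minimal <membership> element carrying userAdditionalFilter.

    With escape=True the value is passed through quoteattr(), which turns '&'
    into '&amp;' (and '<', '>' and quotes into their entities).  With
    escape=False the raw text is pasted in, which is what produced the
    'error occurred while parsing EntityName' failure reported in the thread.
    """
    attr = quoteattr(user_additional_filter) if escape else f'"{user_additional_filter}"'
    return (
        '<membership defaultProvider="Default"><providers><clear />'
        '<add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider" '
        f"userAdditionalFilter={attr} />"
        "</providers></membership>"
    )


def is_well_formed(xml_text):
    """The check the reply suggests doing in a browser: does the XML parse at all?"""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def read_additional_filter(xml_text):
    """Parse the fragment and return the filter string the provider would actually receive."""
    root = ET.fromstring(xml_text)
    add = root.find("providers/add[@name='Default']")
    return None if add is None else add.get("userAdditionalFilter")
```

The round trip is the useful part: after escaping, the parser hands back the original filter text unchanged, so the provider sees `(&(objectClass=...` exactly as intended. A filter with no `&`, such as the roleAdditionalFilter `(objectClass=gvApplicationRight)` in the quoted config, parses either way, which is why only the userAdditionalFilter line was reported in the event log.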
mp1  
#21 Posted : Thursday, August 8, 2013 3:27:51 AM(UTC)
mp1


Rank: Member

Joined: 8/5/2013(UTC)
Posts: 17

Quote:
It's xml, so you have to escape your ampersand ... & == &amp; ... and maybe something else I missed. Try to open your web.config in a web browser. It should complain if it's not valid.


Thanks, it looks good now :-)

Thanks and regards,

Martin

Edited by user Thursday, August 8, 2013 5:40:29 AM(UTC)  | Reason: Not specified

Kyle  
#22 Posted : Wednesday, August 28, 2013 1:55:56 PM(UTC)
Kyle


Rank: Newbie

Joined: 8/28/2013(UTC)
Posts: 3
Man

Thanks: 1 times
I'm having the exact same issues as Nimda_11 did. It looks like I have everything set correctly. Maybe I'm just blinded to how ScreenConnect works in this situation. I do get to the login page and I can put in my credentials, but I always get "Your login attempt was not successful. Please try again". When using LDAP how do I specify my groups? Do I still need to use mydomain\mygroup, or do I just specify the group name?


This webpage has a redirect loop

Edited by user Wednesday, August 28, 2013 4:55:37 PM(UTC)  | Reason: Not specified

Kyle  
#23 Posted : Thursday, August 29, 2013 7:42:40 PM(UTC)
Kyle


Rank: Newbie

Joined: 8/28/2013(UTC)
Posts: 3
Man

Thanks: 1 times
I'm not sure where I'm failing on this, I think I have all the correct settings for my environment. When I login with my credentials for a user in a group specified in both LDAP and ScreenConnect, IE enters a never-ending spin state, and Chrome gives me an error page with the text "This webpage has a redirect loop".

here is my sanitized web.config with the relevant info.


Code:

<membership defaultProvider="Default">
   <providers>
    <clear />

      <add name="Default" type="Elsinore.ScreenConnect.LdapMembershipProvider" 
      server="dc.ad.mydomain.com:389" 
      useSsl="false" 
      serviceUser="cn=ldapLookupUser,OU=Admin Users,DC=ad,DC=mydomain,DC=com" 
      servicePassword="*********************" 
      userRootDN="OU=People,OU=Org Users,DC=ad,DC=mydomain,DC=com" 
      userNameAttribute="sAMAccountName" 
      roleRootDN="OU=Groups,OU=Org Users,DC=ad,DC=mydomain,DC=com" 
      roleNameAttribute="cn" 
      roleUserDNAttribute="member" />


    <add name="oldDefault" type="Elsinore.ScreenConnect.XmlMembershipProvider" virtualFilePath="~/App_Data/User.xml" maxInvalidPasswordAttempts="20" />
   </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="Forms">
   <providers>
    <clear />
    <add name="Forms" type="Elsinore.ScreenConnect.LdapRoleProvider" />
    <add name="oldForms" type="Elsinore.ScreenConnect.XmlRoleProvider" />
    <add name="Windows" type="Elsinore.ScreenConnect.WindowsRoleProvider" />
   </providers>
  </roleManager>


Has anyone else seen this redirect loop? If so what did you do to fix it?

Thanks

Kyle
inevat  
#24 Posted : Saturday, September 7, 2013 9:34:25 PM(UTC)
inevat


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 9/7/2013(UTC)
Posts: 28
Location: Salt Lake City

Was thanked: 1 time(s) in 1 post(s)
Kyle,

I am not sure if you are having this issue, but where I had the problem was it is using CN so you need to use your CN (your full name) not the sAMAccountName (windows login) by default. This means for my users, instead of "userfirst.userlast" they use "UserFirst UserLast". This same rule applies to your service user. Wireshark and temporarily moving to port 389 and turning ssl off ended up being my friend here as I diagnosed. Just make sure to move back to port 636 and turn SSL back on when you get it running.

-Mike
thanks 1 user thanked inevat for this useful post.
Kyle on 9/18/2013(UTC)
Kyle  
#25 Posted : Wednesday, September 18, 2013 4:16:55 PM(UTC)
Kyle


Rank: Newbie

Joined: 8/28/2013(UTC)
Posts: 3
Man

Thanks: 1 times
inevat,
Sorry so late getting back to you, I had sort of given up checking this post after not hearing anything back for several days. That might be my problem, I will double check on my end and let you know. Although I would prefer that I could use our sAMAccountName as this is what everyone uses to login to the rest of the systems in our company, but if it is what it is, it is what it is.

Thank you
inevat  
#26 Posted : Wednesday, September 18, 2013 7:11:14 PM(UTC)
inevat


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 9/7/2013(UTC)
Posts: 28
Location: Salt Lake City

Was thanked: 1 time(s) in 1 post(s)
Kyle wrote:
inevat,
Sorry so late getting back to you, I had sort of given up checking this post after not hearing anything back for several days. That might be my problem, I will double check on my end and let you know. Although I would prefer that I could use our sAMAccountName as this is what everyone uses to login to the rest of the systems in our company, but if it is what it is, it is what it is.

Thank you



Kyle,

No worries. There is currently a feature request that allows a separate logon name and full name in the application. I have jumped on that request as well. May I suggest you adding your +1 to http://forum.screenconne...field-for-full-name.aspx with clarification that you want to be able to display CN but login using SAMAccountName.

-Mike
mp1  
#27 Posted : Wednesday, October 9, 2013 7:46:12 AM(UTC)
mp1


Rank: Member

Joined: 8/5/2013(UTC)
Posts: 17

Hi,

I have a problem connecting with LDAPS (636) against our LDAP Directory. ScreenConnect (latest 4 Build) is installed on a Windows Server 2012.
With LDAP (389) we have no problems.

Do you have any idea?
Is there no possibility to generate a logfile?

I already configured the SSL channel logging on the Server, although without success.

Thanks and regards,

Martin
Jake  
#28 Posted : Wednesday, October 9, 2013 3:13:28 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Wireshark and Microsoft Network Monitor are both awesome (and super easy) to debug this kind of thing. Debugging LDAP over SSL would be tough, but you should be able to debug the SSL handshake.
ScreenConnect Team
Jake  
#29 Posted : Tuesday, December 10, 2013 5:08:43 PM(UTC)
Jake


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/9/2010(UTC)
Posts: 2,061

Thanks: 1 times
Was thanked: 393 time(s) in 188 post(s)
Added 2013-10-12 for 4.1

Added 3 new attributes: userEmailAttribute, userPasswordQuestionAttribute, and userCommentAttribute ... Most notable is userPasswordQuestionAttribute which can specify the name of an attribute that contains Two-Factor Authentication information:
http://forum.screenconne...ctor-Authentication.aspx
ScreenConnect Team
ewellander  
#30 Posted : Saturday, January 4, 2014 5:37:37 PM(UTC)
ewellander


Rank: Newbie

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 1/4/2014(UTC)
Posts: 4
Man
Sweden

Was thanked: 1 time(s) in 1 post(s)
So LDAP is still not supported running ScreenConnect on a Linux server?

-Erik

Originally Posted by: Jake
NOT SUPPORTED ON LINUX/OSX/MONO. SORRY!

We've implemented simple LDAP membership and role providers. They're read-only, so your users and their role membership are configured elsewhere. It works as kind of a hybrid between our Windows and Forms providers. Only roles can be edited like our Windows auth, but users login through a Form like our forms auth.......
jwalker55  
#31 Posted : Sunday, January 19, 2014 4:27:45 AM(UTC)
jwalker55


Rank: Newbie

Joined: 12/9/2013(UTC)
Posts: 9

LDAP auth works great, but is it possible to filter unattended sessions based on the OU that the computer (or maybe even the user) is in?
Alexander  
#32 Posted : Friday, February 7, 2014 6:11:15 PM(UTC)
Alexander


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 7/23/2013(UTC)
Posts: 715
Man
Location: Raleigh, NC

Was thanked: 66 time(s) in 63 post(s)
No, not at the moment.
ScreenConnect Team
jwalker55  
#33 Posted : Wednesday, February 12, 2014 5:44:59 PM(UTC)
jwalker55


Rank: Newbie

Joined: 12/9/2013(UTC)
Posts: 9

Originally Posted by: Alexander
No, not at the moment.


Do you think this will be possible in the future?
Alexander  
#34 Posted : Monday, March 17, 2014 9:10:46 PM(UTC)
Alexander


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 7/23/2013(UTC)
Posts: 715
Man
Location: Raleigh, NC

Was thanked: 66 time(s) in 63 post(s)
Well, there are no plans for it, sorry.
ScreenConnect Team
mbisi  
#35 Posted : Tuesday, May 13, 2014 1:25:01 PM(UTC)
mbisi


Rank: Member

Joined: 11/14/2012(UTC)
Posts: 10
Location: Italy

Thanks: 1 times
Hello, I want to put my +1 in the queue for LDAP support on Linux server.

Thanks for your work, ScreenConnect is awesome, with LDAP it will be perfect.