We recommend using Windows Authentication if you are configuring Telligent Enterprise within an internal environment where members of the community are authenticated against Active Directory (also called Windows security groups). Your members can then access Telligent Enterprise without explicitly creating a registered account and logging in.

By default, Telligent Enterprise only allows the most common characters to be used in a user name. Usernames are limited to:
  • Alphanumeric characters (A-Z, a-z, 0-9)
  • Underscores (_)
  • Hyphens (-)
  • Periods (.)
  • At signs (@)
  • Spaces
If the user names in your Active Directory include characters other than these, you must explicitly configure Telligent Enterprise to allow nonstandard characters in user names.

Configure Telligent Enterprise for Windows Authentication

The Windows SSO Module is configured through the communityserver.config file. Because applying a future upgrade to Telligent Enterprise will wipe out changes made directly to this file, you can instead make your changes through an external communityserver_override.config file. (Note: Out of the box, Telligent Enterprise does not include a communityserver_override.config file. You need to create this yourself. For more details on how to create this file, read the documentation on override files.)

  1. Enable the Windows Authentication Module:
    1. Set the extensionModules enabled attribute to true (<extensionModules enabled="true">) in the communityserver.config file in your Web folder.
    2. Enable the Windows Authentication module. In the communityserver_override.config file, set the extensionModules enabled attribute to true:
      <Override xpath="/CommunityServer/Core/extensionModules"
                mode = "change"
                name="enabled"
                value="true" />

  2. Configure the Windows Authentication Module
    The following options may be configured. To configure a particular option, add the provided override into your communityserver_override.config file. If you want to use a different value for the option than used in the example, replace the highlighted section of the overrides with your own value.
    • allowAutoUserRegistration (default value: true):
      Determines whether you want Telligent Enterprise to automatically create new accounts if an authenticated user who doesn't already have an account accesses Telligent Enterprise. To turn this setting off, use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="allowAutoUserRegistration"
                value="false" />
    • adminWindowsGroupIsSystemAdministrator (default true):
      Controls whether members of the Administrators group are automatically treated as administrators by Telligent Enterprise. To turn this setting off, use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="adminWindowsGroupIsSystemAdministrator"
                value="false" />
    • adminWindowsGroup (default Administrators):
      If adminWindowsGroupIsSystemAdministrator is set to true, this specifies the role which will be automatically added as an administrator in Telligent Enterprise. To change this role to MyAdministrativeGroup, use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="adminWindowsGroup"
                value="MyAdministrativeGroup" />
    • stripDomainName (default true):
      Windows usernames are normally in the form DOMAIN\UserName. By default, Telligent Enterprise strips the domain name from a user's username when creating the user in Telligent Enterprise.

      NOTE: The default user name regex pattern denies user names that contain a backslash (that is, DOMAIN\UserName), so if you keep the domain name, modify the user name regex pattern to ^[a-zA-Z0-9\\_\- @\.]+$, which allows the backslash in the user name. See Registration experience for more details.

      If you do not want to strip the domain name, use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="stripDomainName"
                value="false" />
    • emailDomain (default: @TempURI.org):
      Specifies the domain name that is appended to a user's username when creating the user in Telligent Enterprise. To change this to Telligent.com, use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="emailDomain"
                value="@Telligent.com" />
    • profileRefreshInterval (default 7):
      Specifies the interval (in days) after which Telligent Enterprise will refresh users. To refresh users every day (every 24 hours), use the following override:
      <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
                mode = "change"
                name="profileRefreshInterval"
                value="1" />
    • Mapping Active Directory groups to Telligent Enterprise roles
      If you want to map Active Directory groups to Telligent Enterprise roles, configure Active Directory group mappings.

  3. Copy your changed communityserver_override.config file into your Telligent Job Scheduler directory (overwriting the pre-packaged override file if one exists there). The default path for this file is c:\program files\Telligent\Job Scheduler.
  4. Change the Authentication Mode to Windows
    Open up your web.config file, find the line which looks like:
    <authentication mode="Forms">

    and change it to

    <authentication mode="Windows">
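
An added example, not part of the original Telligent documentation: this Python sketch applies mode="change" overrides for the WindowsAuthentication module on top of the defaults listed above, then reports which Windows account names the user name pattern would refuse, with and without stripDomainName. The <Overrides> root element, the sample identities, and the default pattern (built from the allowed-character list at the top of this page) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Defaults as documented on this page for the WindowsAuthentication module.
DEFAULTS = {
    "allowAutoUserRegistration": "true",
    "adminWindowsGroupIsSystemAdministrator": "true",
    "adminWindowsGroup": "Administrators",
    "stripDomainName": "true",
    "emailDomain": "@TempURI.org",
    "profileRefreshInterval": "7",
}
MODULE_XPATH = "/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"

# DEFAULT_PATTERN is an assumption built from the page's allowed-character list;
# RELAXED_PATTERN is the page's pattern that also admits a backslash.
DEFAULT_PATTERN = r"^[a-zA-Z0-9_\- @\.]+$"
RELAXED_PATTERN = r"^[a-zA-Z0-9\\_\- @\.]+$"


def effective_settings(override_xml):
    """Apply mode="change" overrides for the module on top of the documented defaults."""
    settings = dict(DEFAULTS)
    for ov in ET.fromstring(override_xml).iter("Override"):
        if ov.get("xpath") == MODULE_XPATH and ov.get("mode") == "change":
            settings[ov.get("name")] = ov.get("value")
    return settings


def rejected_accounts(identities, settings, pattern=DEFAULT_PATTERN):
    """Return the user names, after optional domain stripping, that the pattern refuses."""
    strip = settings["stripDomainName"].lower() == "true"
    names = [i.split("\\", 1)[-1] if strip else i for i in identities]
    return [n for n in names if not re.fullmatch(pattern, n)]


# Constructed sample data; the <Overrides> root element is an assumption.
SAMPLE_OVERRIDE = """<Overrides>
  <Override xpath="/CommunityServer/Core/extensionModules/add[@name='WindowsAuthentication']"
            mode="change" name="stripDomainName" value="false" />
</Overrides>"""
SAMPLE_IDENTITIES = ["CORP\\jsmith", "CORP\\o'brien", "CORP\\svc_backup"]

if __name__ == "__main__":
    cfg = effective_settings(SAMPLE_OVERRIDE)
    print("default pattern rejects:", rejected_accounts(SAMPLE_IDENTITIES, cfg))
    print("relaxed pattern rejects:", rejected_accounts(SAMPLE_IDENTITIES, cfg, RELAXED_PATTERN))
```

Running the check against an export of your Active Directory account names before enabling the module shows which accounts need the nonstandard-character configuration.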

Configure IIS

  1. Internet Information Services (IIS), by default, allows anonymous users to access your community without being required to log in. Disable anonymous authentication within IIS on every Web server in your environment, preventing users who aren't already logged into the network from being recognized. You also need to configure IIS to accept Windows credentials:
    • In IIS6:
      1. Open Internet Information Service (IIS) Manager.
      2. Browse to your Telligent Enterprise Web site in the left pane.
      3. Right-click the Web site and select properties.
      4. Select the Directory Security tab, and under Authentication and access control click Edit.
      5. Deselect the Enable anonymous access check box and select the Integrated Windows Authentication check box.
    • In IIS7:
      1. Open IIS Manager.
      2. Browse to your Telligent Enterprise Web site in the left pane.
      3. In the IIS section of the right pane, double-click Authentication. (If you don't see this, ensure you're in Features View rather than Content View.)
      4. Disable all authentication types except Windows Authentication, leaving Windows Authentication as the only enabled authentication type. 
  2. Set the permissions on the \Web directory in each Web server for all groups and users who will be accessing your community:
    1. Remove Full Control rights.
    2. Grant Modify, Read & Execute, List Folder Contents, Read, and Write permissions.
If you encounter authentication errors when using Windows Authentication against localhost, refer to Microsoft's KB 896861.