- Carousel 7.5.1+
- Does not apply to Carousel Cloud
Carousel has always supported Active Directory (AD) as a means to authenticate users. However, prior to 7.5.1 it allowed only a single AD connection string to be specified.
Starting with 7.5.1, Carousel allows multiple AD connection strings to be specified, which enables user authentication across multiple domains.
How to configure Carousel
Note: The following assumes you installed Carousel Server in the C:\TRMS folder. Please substitute the folder's path as appropriate.
Edit the c:\trms\configuration\connectionStrings.config file. Add the additional entries under the <connectionStrings> section.
- The name attribute is referenced by the membership.config file to associate the connection string with a membership provider.
- The connectionString attribute has to be an LDAP or LDAPS connection string. We do not support GC (Global Catalog) as a means to authenticate.
- You may specify additional parameters in your LDAP string as needed.
<?xml version="1.0" encoding="utf-8"?>
<connectionStrings>
  <add name="UsADConnectionString" connectionString="LDAP://us.mycorp.com" />
  <add name="EuADConnectionString" connectionString="LDAP://eu.mycorp.com" />
  <add name="FrontDoorConnectionString" connectionString="data source=(local);Integrated Security=SSPI;initial catalog=FrontDoor50;" providerName="System.Data.SqlClient" />
  <add name="CarouselConnectionString" connectionString="data source=(local);Integrated Security=SSPI;MultipleActiveResultSets=true;initial catalog=Carousel50;" providerName="System.Data.SqlClient" />
</connectionStrings>
Edit the c:\trms\configuration\membership.config file.
- Add one provider per connection string. Match each provider's connectionStringName to the name attribute found in connectionStrings.config above.
- Specify valid credentials for each domain, so that Carousel can successfully bind to AD.
- You may also omit the credentials, and instead ensure your Carousel application pool runs under an identity that has access to ALL specified AD domains.
<membership defaultProvider="UsADMembershipProvider">
  <providers>
    <clear />
    <!-- Sample Active Directory Membership Config -->
    <add name="UsADMembershipProvider"
         connectionStringName="UsADConnectionString"
         applicationName="/FrontDoor"
         connectionUsername="email@example.com"
         connectionPassword="joespassword"
         connectionProtection="Secure"
         enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
    <add name="EuADMembershipProvider"
         connectionStringName="EuADConnectionString"
         applicationName="/FrontDoor"
         connectionUsername="firstname.lastname@example.org"
         connectionPassword="joespassword"
         connectionProtection="Secure"
         enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
  </providers>
</membership>
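The two files above must agree with each other, and a mismatch only shows up as a failed login. The following script is an added example (it is not part of Carousel or TRMS) that parses constructed copies of connectionStrings.config and membership.config, confirms every Active Directory provider's connectionStringName exists, rejects GC:// strings, and flags providers that weaken connectionProtection or keep a connectionPassword in the file. The sample XML, provider names and the "Old"/"Apac" entries are constructed for the demonstration; to check a real install, read the two files from c:\trms\configuration instead.

```python
"""Consistency check for Carousel's connectionStrings.config and membership.config.
Added example, not Carousel's own code: parses both files and reports
mismatches and weak settings before they surface as login failures."""
import xml.etree.ElementTree as ET

AD_PROVIDER_TYPE = "System.Web.Security.ActiveDirectoryMembershipProvider"

# Constructed sample files modelled on the two samples above.  The EU provider
# disables connectionProtection, the APAC entry uses GC://, and the "Old"
# provider references a connection string that does not exist.
CONNECTION_STRINGS_XML = """<connectionStrings>
  <add name="UsADConnectionString" connectionString="LDAPS://us.mycorp.com" />
  <add name="EuADConnectionString" connectionString="LDAP://eu.mycorp.com" />
  <add name="ApacADConnectionString" connectionString="GC://apac.mycorp.com" />
  <add name="CarouselConnectionString"
       connectionString="data source=(local);Integrated Security=SSPI;initial catalog=Carousel50;"
       providerName="System.Data.SqlClient" />
</connectionStrings>"""

MEMBERSHIP_XML = """<membership defaultProvider="UsADMembershipProvider">
  <providers>
    <clear />
    <add name="UsADMembershipProvider" connectionStringName="UsADConnectionString"
         applicationName="/FrontDoor" connectionProtection="Secure" enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
    <add name="EuADMembershipProvider" connectionStringName="EuADConnectionString"
         applicationName="/FrontDoor" connectionUsername="svc.carousel@eu.mycorp.com"
         connectionPassword="joespassword" connectionProtection="None" enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
    <add name="ApacADMembershipProvider" connectionStringName="ApacADConnectionString"
         applicationName="/FrontDoor" connectionProtection="Secure" enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
    <add name="OldADMembershipProvider" connectionStringName="MissingConnectionString"
         applicationName="/FrontDoor" connectionProtection="Secure" enableSearchMethods="true"
         type="System.Web.Security.ActiveDirectoryMembershipProvider" />
  </providers>
</membership>"""


def load_connection_strings(xml_text):
    """Return {name: connectionString} for every <add> under <connectionStrings>."""
    root = ET.fromstring(xml_text)
    return {add.get("name"): add.get("connectionString", "") for add in root.iter("add")}


def load_ad_providers(xml_text):
    """Return (defaultProvider, [attribute dicts of the AD membership providers])."""
    root = ET.fromstring(xml_text)
    providers = [dict(add.attrib) for add in root.iter("add")
                 if add.get("type") == AD_PROVIDER_TYPE]
    return root.get("defaultProvider"), providers


def scheme_of(connection_string):
    """'LDAP://us.mycorp.com' -> 'LDAP'; SQL-style strings have no scheme and give ''."""
    head, sep, _ = connection_string.partition("://")
    return head.upper() if sep else ""


def check_config(conn_xml, membership_xml):
    """Cross-check the two files and return a list of (subject, kind, message) findings."""
    conn = load_connection_strings(conn_xml)
    default, providers = load_ad_providers(membership_xml)
    findings = []
    if default not in {p.get("name") for p in providers}:
        findings.append((default, "default", "defaultProvider does not name a configured AD provider"))
    referenced = set()
    for p in providers:
        name, cs_name = p.get("name"), p.get("connectionStringName")
        referenced.add(cs_name)
        cs = conn.get(cs_name)
        if cs is None:
            findings.append((name, "missing", f"connectionStringName {cs_name!r} not in connectionStrings.config"))
            continue
        scheme = scheme_of(cs)
        if scheme == "GC":
            findings.append((name, "unsupported", "GC:// cannot be used for authentication; use LDAP:// or LDAPS://"))
        elif scheme not in ("LDAP", "LDAPS"):
            findings.append((name, "unsupported", f"{cs_name} is not an LDAP/LDAPS connection string"))
        # connectionProtection defaults to Secure (SSL, else sign-and-seal); anything else
        # sends the bind credentials and group searches over the network unprotected.
        if p.get("connectionProtection", "Secure") != "Secure":
            findings.append((name, "protection", "connectionProtection is not Secure"))
        if p.get("connectionPassword"):
            findings.append((name, "credential", "connectionPassword is stored in membership.config; "
                             "restrict the file's ACL or bind with the application pool identity instead"))
    # The page asks for one provider per AD connection string, so an unreferenced one is a gap.
    for cs_name, cs in conn.items():
        if scheme_of(cs) in ("LDAP", "LDAPS") and cs_name not in referenced:
            findings.append((cs_name, "unreferenced", "AD connection string has no membership provider"))
    return findings


if __name__ == "__main__":
    for subject, kind, message in check_config(CONNECTION_STRINGS_XML, MEMBERSHIP_XML):
        print(f"[{kind}] {subject}: {message}")
```

Run against the constructed samples it reports the EU provider twice (protection and credential), the APAC provider for GC://, and the Old provider for its missing connection string, while the US provider (LDAPS, Secure, app pool identity) passes clean. Swap the two string constants for the real files' contents to check a server before restarting the application pool.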
Creating Carousel users in AD
On each AD domain, create two Universal Security Groups named TRMS_Admins and TRMS_Users. Add any users that need to access Carousel to these groups.
Carousel does not resolve nested groups. Users need to be added directly to the above TRMS_ groups individually.
Specify the user's principal name (UPN) when logging in to Carousel, e.g. email@example.com.
- From your Carousel server, use ldp.exe to query the AD domain(s) for available users. Confirm you see all users as expected.
- Download it from https://support.microsoft.com/en-ca/help/2693643/remote-server-administration-tools-rsat-for-windows-operating-systems.
- In the Connections menu, select Connect. Type in your domain (ex: mycorp.com). Press OK. You'll see data from the Root in the output window.
- In the Connections menu, select Bind. Enter the same credentials used by Carousel (either from the membership.config file, or from the Carousel application pool).
- In the Browse menu, select Search, and type in the following search (use your own domain context). The output should contain the TRMS_Admins and TRMS_Users groups. Carousel looks in those groups to populate its list of admins and users.