Learn More





Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen

HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...How much can Active Directory do???How much can Active Directory do???
New Post
8/4/2016 2:38 PM

Hey Everyone!

I have an active directory related question that I am really hoping someone can help me with ill give a Tl;Dr; first then more details below please let me know anything you think might be helpful.


Can DNN articulate what user is trying to access a file on a network to the file system?

So rather than:

AD[ allows user access to portal ] -> user requests a file on the portal -> DNN grabs this through its AD permissions -> DNN determines if the file can be served to the user through its permissions

I would like:

 User is logged into portal through AD -> user requests a file on the portal -> the portal articulates to the file system "I am making this request on behalf of this AD user" -> file system can deny the request because the AD user does not have access to the file despite the fact that DNN as an AD user may have access.

Reasoning: certain files on our network NEED to be managed through the AD permissions for data privacy reasons but I would like for our portal to be able to allow access or deny access to certain confidential resources at the file system level so that even an administrator or someone cannot manipulate DNN to access files that they cannot access.

- Detailed Info --------

The way I understand AD to work is that AD manages groups and users within those groups and within the file system you can articulate what users/groups are allowed to access a resources through those group assignments. 

So "If I belong to a group that has access to a file/folder on a network -> I have access to that resource" (Kind of a truism).

I would like to setup some folders on our DNN servers that have the ability to have read/write access to them that is managed by the file system and not by DNN permissions. 

The way that I currently understand a request flow to work is:

1. AD determines if I [the user] have access to the DNN portal
2. When loading a page DNN requests files from the file server [through the "DNN User" (not my permissions but the sites permissions)]
3. DNN makes the determination if it will serve a file or not based on the permission I [the user] have been given within the DNN permission structure.

What I would like is:

1. AD determines if I [the end user] have access to the DNN portal
2. When loading a page DNN requests files from the file server but communicates to the file system that its requesting these on behalf of me [the end user]
3. If I [the end user] do NOT have access to a particular file even though DNN [the "user" in AD] would, it will deny DNN the file because I [the end user] am not permitted access to the file within the AD structure/file system.

I would like to be able to setup certain files/folders to which the site permission structure cannot grant ANYONE access to if it is denied to a user/group on the file system/AD level.

Please let me know if i can clarify any of this it's all a bit confusing and thank you ahead of time for any help I might receive!!!

New Post
8/6/2016 4:52 AM
Accepted Answer 

The way how I understood this scenario is:


  • we have DNN website,

  • we have AD user, let’s say username: ‘bob’, corresponding DNN user id: 11,

  • DNN website is configured with Active Directory,

  • users are automatically signed-in to DNN on behalf of their AD identity (aka SSO);

  • we have DNN page with a ‘Digital Asset Management’ module (aka File Explorer) that can list DNN folder/file structure, (this module will help us to determine the user file permissions),

  • ‘Digital Asset Management’ module is visible for all registered users,

  • we have a file ‘Denied.txt’ located in DNN user ‘bob’ home directory, which is: ‘\Portals\0\Users\011\11\11\Disallow.txt’

  • AD user ‘bob’ has set following attributes for that file: Read -> Deny

  • at the end of web.config file are following lines, this snippet instruct IIS to check file permissions before file will be displayed:

<location path="Portals/0/Users/011/11/11/Disallow.txt">

<!-- Disable Forms Authentication -->

<formsAuthenticationWrapper enabled="false" />




<anonymousAuthentication enabled="false" />

<windowsAuthentication enabled="true" useKernelMode="false" />





Test scenario

User “bob” is signed-in to DNN. He is able to see DNN files through “Digital Asset Management” module, even the \Portals\0\Users\011\11\11\Disallow.txt file. But when he want to see the content of this file he get a ‘Windows Security’ popup, then browser receive HTTP Error 401.3 - Unauthorized,

“You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server.”

This scenario I’m able to reproduce using “AD-Pro Authentication v3” module, I’m wasn’t tested the free plugin "DNN Auth".

New Post
8/6/2016 11:09 AM
Hey thank you very much for the reply! I would say you both understand my problem AND have offered a perfect solution! Thank you very much, now that I'm now this is possible we can (hopefully) move forward.


Thank you again!

HomeHomeUsing DNN Platf...Using DNN Platf...Administration ...Administration ...How much can Active Directory do???How much can Active Directory do???

These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
Try Evoq
For Free
Start Free Trial
a Demo
See Evoq Live
Need More Information?