I’m attempting to add authentication to my dashboards as well as adding/limiting access depending on AD group membership. I’ve followed the tutorials in the documentation, read forums for similar threads, etc. but I’m still having issues.
As of right now, PSU is able to authenticate against AD but it’s not able to determine if a user is a member of an AD group. Here’s what I did:
Created Application Pool and its running as the LocalSystem
Changed Windows Authentication to True in appsettings.json
Enabled Windows Authentication in IIS and disabled anonymous authentication
Created 2 groups PSU Admin and PSU Users. Added myself and supervisor to PSU Admins, everyone else to PSU Users.
Modified Security Settings to this using my own domain information. The adlogin.txt file does not get created at all.
Modified the Administrator Policy Script to match this using my own LDAP info. The adgroup.txt file does get created and it appends a timestamp and the name of the user logging in. Neither my supervisor nor I am shown as a member of the PSU Admin group.
After looking through the log I found errors that repeat themselves a lot.
Here is my crude method of using a couple of functions to authenticate the user and the AD group they belong to. This is in older UD, but I am sure you could just use these two functions to get the job done.
This allowed only certain folks to have Admin access. I then created a new policy for one of my dashboards, and basically used the same script as above, just altered the path to the group in A.D.
The biggest thing for me was it did not work until I set an explicit deny on all the other canned policies such as Reader, Operator, etc. Otherwise people were still able to get to pretty much anything. Since I am not yet using them, I set them all to the below:
I am using a Textbox on the dashboard to test the following variables:
$User always evaluates to “Admin”
$env:Username evaluates to the account that is running PowerShell Universal service
I need it to evaluate to the user who launched the dashboard so that I can complete the tasks you are all referring to in order to check the user’s AD groups.
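Putting the approach from the earlier reply together with the point that $env:Username is the service account, here is an added example of an Administrator role policy that checks AD group membership over LDAP; it is my illustration, not code from this thread or from PSU, and it assumes PSU passes the caller's ClaimsPrincipal as $User and that the LDAP root, group DN and log path placeholders are replaced with your own.

```powershell
# Added example (not from the thread): an Administrator role policy script for
# PowerShell Universal. PSU runs it with the authenticated ClaimsPrincipal in
# $User; $env:Username is the service account and must not be used here.
param($User)

# Placeholders: replace with your domain's LDAP root, the group's DN and a log path.
$SearchRoot   = 'LDAP://DC=example,DC=local'
$AdminGroupDn = 'CN=PSU Admins,OU=Groups,DC=example,DC=local'
$AuditLog     = 'C:\temp\adgroup.txt'

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 metacharacters so a logon name cannot reshape the filter.
    param([string]$Value)
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        if ($c -in @('\', '*', '(', ')', [char]0)) { [void]$sb.AppendFormat('\{0:x2}', [int]$c) }
        else { [void]$sb.Append($c) }
    }
    $sb.ToString()
}

function Test-AdGroupMember {
    # Returns $true if the account is a direct or nested member of the group.
    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN (transitive memberOf).
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$GroupDistinguishedName,
        [Parameter(Mandatory)][string]$Root
    )
    $u = ConvertTo-LdapFilterValue $SamAccountName
    $g = ConvertTo-LdapFilterValue $GroupDistinguishedName
    $searcher = [System.DirectoryServices.DirectorySearcher]::new(
        [System.DirectoryServices.DirectoryEntry]::new($Root))
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$u)(memberOf:1.2.840.113556.1.4.1941:=$g))"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    return ($null -ne $searcher.FindOne())
}

# Windows authentication yields DOMAIN\user; keep only the sAMAccountName.
$sam = $User.Identity.Name -replace '^.*\\', ''
$isAdmin = $false
try {
    $isAdmin = Test-AdGroupMember -SamAccountName $sam -GroupDistinguishedName $AdminGroupDn -Root $SearchRoot
} catch {
    # Fail closed: an LDAP error must never grant the role.
    Add-Content -Path $AuditLog -Value ("{0:o} {1} ERROR {2}" -f (Get-Date), $sam, $_.Exception.Message)
}
Add-Content -Path $AuditLog -Value ("{0:o} {1} admin={2}" -f (Get-Date), $sam, $isAdmin)
return $isAdmin
```

As the earlier reply notes, this only restricts access if the other built-in roles (Reader, Operator, etc.) are given an explicit deny policy as well.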