HTTP Commander AJS 5.x
Manual

Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!


Active Directory integration

This article describes details of HTTP Commander integration with Active Directory. It covers the following topics:

HTTP Commander supports two authentication modes that use Windows accounts: "Windows" and "Forms with Windows users". In both modes you authenticate to HTTP Commander with a Windows account; the application impersonates the logged-in user and processes every request on that user's behalf. The two modes differ only in how the authentication itself is performed. In "Windows" mode, authentication is handled by IIS, using either Integrated Windows authentication or Basic authentication, and the user enters their credentials in the dialog provided by the web browser. In "Forms with Windows users" mode, authentication is handled by the HTTP Commander application: the user enters their credentials in a web form identical to the one used in "Forms" authentication mode. From the user's point of view, the only difference from "Forms" mode is that Windows accounts are used for authentication instead of custom application accounts.

To authenticate to HTTP Commander, the account in question must be enabled and must not be locked out because of too many invalid login attempts. The account must also hold the "logon over Network" account right on the web server machine.

When HTTP Commander is installed on a standalone server that is not joined to a domain, only SAM accounts of the server machine can be used for authentication. When the web server machine is joined to a domain, either SAM accounts or domain accounts can be used. If there are several trusted domains, accounts from all of them can be used for authentication.

To specify an account in a particular domain, use a pre-Windows 2000 account name such as "DomainName\UserName" or a user principal name such as "UserName@DomainName" instead of an isolated name such as "UserName". For SAM accounts, replace "DomainName" with "MachineName".

In the "Forms with Windows users" authentication mode, you may modify the account name before it is passed to the HTTP Commander authentication engine; see the btnLogin_Click function in Default.aspx. For example, you may prepend the default domain name to the user name if the user did not specify one.

In "Windows" authentication mode with Basic authentication, you may configure the default domain in IIS.

Virtual folders may be assigned to Windows users and groups. HTTP Commander uses pre-Windows 2000 names of users and groups in the access control list: all user and group names are converted to the pre-Windows 2000 format internally, and their security identifiers are determined. Names that cannot be resolved are not discarded but saved as entered, so they may be resolved later. This allows you to specify users and groups in HTTP Commander before they physically exist in Active Directory or the SAM database. HTTP Commander distinguishes users that have the same isolated name but originate from different domains.

The Admin panel that you normally use to configure virtual folders provides a dropdown list of users and groups to help you select one. Note that these lists contain only users and groups of the current domain, that is, the domain of the user logged into HTTP Commander (or SAM users and groups if you logged into HTTP Commander with a SAM account). HTTP Commander does not restrict your choice to the users and groups in the list. You may enter any name in the text field, even the name of a user or group that does not exist yet and that you will create later.

Account names

HTTP Commander supports two formats of domain account names: pre-Windows 2000 name and @-name (user principal name).

In a pre-Windows 2000 name, the domain name is separated from the user or group name by a backslash character. The domain name comes first and the user or group name ends the name, for example Contoso\john or Contoso\Users. General form: Domain\User, Domain\Group. The domain part may be either the NetBIOS domain name or the Fully Qualified Domain Name of the domain. The user part of a user name may be either a simple user name (the part of the user principal name before the @ sign) or a SAM account name (stored in the sAMAccountName attribute of the user object in Active Directory). The group part of a group name may be either a simple group name (stored in the name attribute of the group object in Active Directory) or a SAM account name (stored in the sAMAccountName attribute of the group object in Active Directory).

In an @-name, the domain is separated from the user or group name by the @ character. The user or group name comes first and the domain name ends the name. The @-name of a user is called the user principal name; it is stored in the userPrincipalName attribute of the user object in Active Directory, for example john@contoso.com. The domain part of a user principal name is normally the Fully Qualified Domain Name of the domain, but, generally speaking, it may be an arbitrary string. The @-name of a group is supported for symmetry with the user principal name; it has no special name and is not stored as a separate attribute of the group object in Active Directory, for example users@contoso.com. The group part of a group name may be either a simple group name (stored in the name attribute of the group object in Active Directory) or a SAM account name (stored in the sAMAccountName attribute of the group object in Active Directory). The domain part may be either the NetBIOS domain name or the Fully Qualified Domain Name of the domain.

Domain users and groups may also be specified with unqualified names, that is, names without the domain part, for example john or users. In this case the DefaultDomain parameter applies: if specified, DefaultDomain is appended to the unqualified name before the resolution attempt.

The simple user name is usually identical to the SAM account name of the user, and likewise the simple group name is usually identical to the SAM account name of the group. The SAM account name has stricter rules on the allowed characters and length than a simple name, so the two differ when the simple name contains characters that are not allowed in a SAM account name or has an unsuitable length. A SAM account name may also differ from the simple name simply because the administrator set it so: the simple name and the SAM account name may be changed independently.

In other words, the following domain account names are allowed:

HTTP Commander supports one format of SAM account names: the pre-Windows 2000 name. The first part of the name must be the NetBIOS name of the machine that holds the SAM database, and the second part is the SAM account name of the user or group. You may also specify the SAM account name without the machine name; in this case the DefaultDomain parameter applies, and if specified, DefaultDomain is appended to the unqualified name before the resolution attempt.

In other words, the following names are allowed:
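The name-handling rules above (pre-Windows 2000 names, @-names, unqualified names with DefaultDomain, SAM names qualified by machine name, and the access control list's canonical pre-Windows 2000 form that keeps unresolvable names as entered) can be exercised together in one small normaliser. The following Python is an added example written for this page, not HTTP Commander's own code and not the logic of its btnLogin_Click handler; it stands in a simulated directory (the DIRECTORY list, with constructed CONTOSO, FABRIKAM and WEBSRV01 entries) for the Active Directory and SAM lookups the application actually performs, and the function names to_pre2000, qualify and same_principal are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory standing in for Active Directory plus the web
# server's SAM database (hypothetical names, not from the manual).
# fqdn is None for the machine-local SAM database.
DIRECTORY = [
    {"netbios": "CONTOSO",  "fqdn": "contoso.com",  "sam": "jsmith",   "simple": "john.smith"},
    {"netbios": "CONTOSO",  "fqdn": "contoso.com",  "sam": "Users",    "simple": "Users"},
    {"netbios": "FABRIKAM", "fqdn": "fabrikam.net", "sam": "jsmith",   "simple": "jsmith"},
    {"netbios": "WEBSRV01", "fqdn": None,           "sam": "svc_http", "simple": "svc_http"},
]


@dataclass(frozen=True)
class AccountName:
    raw: str                 # the name exactly as entered (kept for "saved as is")
    domain: Optional[str]    # NetBIOS name, FQDN or machine name; None if unqualified
    name: str                # simple name, sAMAccountName or UPN prefix
    form: str                # "pre2000", "upn" or "unqualified"


def parse_account_name(raw: str) -> AccountName:
    """Classify a name as Domain\\Name, Name@Domain or unqualified."""
    raw = raw.strip()
    if not raw:
        raise ValueError("empty account name")
    if "\\" in raw:
        domain, _, name = raw.partition("\\")
        if not domain or not name or "\\" in name:
            raise ValueError(f"malformed pre-Windows 2000 name: {raw!r}")
        return AccountName(raw, domain, name, "pre2000")
    if "@" in raw:
        # The domain part of a UPN may be an arbitrary string, so split on the last '@'.
        name, _, domain = raw.rpartition("@")
        if not name or not domain:
            raise ValueError(f"malformed @-name: {raw!r}")
        return AccountName(raw, domain, name, "upn")
    return AccountName(raw, None, raw, "unqualified")


def qualify(acct: AccountName, default_domain: Optional[str]) -> AccountName:
    """DefaultDomain rule: an unqualified name gets DefaultDomain before resolution
    (the same effect as prepending a default domain in a login handler)."""
    if acct.form == "unqualified" and default_domain:
        qualified = f"{default_domain}\\{acct.name}"
        return AccountName(qualified, default_domain, acct.name, "pre2000")
    return acct


def to_pre2000(raw: str, default_domain: Optional[str] = None,
               directory=DIRECTORY) -> str:
    """Canonical ACL form NETBIOS\\sAMAccountName, or the name as entered when it
    cannot be resolved (so it can be resolved once the account is created)."""
    acct = qualify(parse_account_name(raw), default_domain)
    if acct.domain is None:
        return acct.raw
    want_domain = acct.domain.lower()
    want_name = acct.name.lower()
    for entry in directory:
        domain_aliases = {entry["netbios"].lower()}
        if entry["fqdn"]:
            domain_aliases.add(entry["fqdn"].lower())
        names = {entry["sam"].lower(), entry["simple"].lower()}
        if want_domain in domain_aliases and want_name in names:
            return f'{entry["netbios"]}\\{entry["sam"]}'
    return acct.raw


def same_principal(a: str, b: str, default_domain: Optional[str] = None) -> bool:
    """True when two spellings denote the same user or group for ACL purposes."""
    return to_pre2000(a, default_domain).lower() == to_pre2000(b, default_domain).lower()


if __name__ == "__main__":
    for spelling in ["Contoso\\john.smith", "john.smith@contoso.com", "jsmith@CONTOSO",
                     "jsmith", "Fabrikam\\jsmith", "Users@contoso.com",
                     "WEBSRV01\\svc_http", "Contoso\\notyet"]:
        print(f"{spelling:28} -> {to_pre2000(spelling, default_domain='contoso.com')}")
```

Running the script shows the four spellings of the CONTOSO user collapsing to one canonical entry while FABRIKAM\jsmith stays a distinct principal, and Contoso\notyet being kept as entered because the simulated directory has no such account.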