
Group Authorization for PortalGuard Help Desk Access

Problem

You would like to allow access to the PortalGuard Help Desk Console using Active Directory Groups or OU Designations.

Solution

Modify the 'User Repository' Configuration in the PortalGuard Configuration Editor, as well as the web.config file for the Help Desk Utility.

Pre-Requisites

  • This is currently ONLY supported for the PortalGuard Help Desk Utility. This feature DOES NOT apply to PortalGuard Admin Dashboard Access.
  • To support nested group membership in Active Directory, you must set the 'Group Search Filter' on the LDAP Advanced tab of the User Repository to the following Microsoft-specific query:
    • (member:1.2.840.113556.1.4.1941:=%s)
  • If using SQL as a User Repository instead of AD (or some other LDAP), you must have a query defined in the 'User Roles Query' field on the Configuration -> SQL Roles tab in the User Repository Configuration.
  • If you have multiple User Repositories defined, this feature MUST be enabled on ALL user repositories or NONE.

Steps for Enabling Support for Active Directory Group and OU Designations for Help Desk Access

  1. On the PortalGuard Server, launch an Administrative text editor (we recommend Notepad++)
  2. Open the root web.config file for the PortalGuard website
    • i.e. C:\inetpub\PortalGuard\web.config
  3. Search for 'Security.GroupAuthz' to find the proper line in the <system.webServer><modules> section
  4. Uncomment the '<add name="GroupAuthz" type="Pistolstar.Security.GroupAuthz"...>' element by removing the <!-- text at the beginning of the line and the --> text at the end of the line.
    • Before: (screenshot: commented GroupAuthZ)
    • After: (screenshot: uncommented GroupAuthZ)
  5. Search for '<GroupRoleAuthZ>' and change the enabled attribute here from "false" to "true":
    • (screenshot: GroupRoleAuthZ enabled)
  6. Save the changes to the root web.config file.
  7. In the same text editor, open the following file:
    • C:\inetpub\PortalGuard\PG_HelpDesk\web.config
  8. Set the users value of the <deny...> element to "?" and the users value of the <allow...> element to "*". Your final result should look like the following screenshot:
    • (screenshot: Help Desk config change)
  9. Save the changes to this file and close the text editor.
  10. Open the PortalGuard Configuration Editor
  11. Navigate to the 'User Repositories' Tab and highlight the Repository that users should be able to manage
  12. Click the 'Edit' button on the right-hand side of the PortalGuard Configuration Editor
  13. Navigate to the 'Features' Tab
  14. Under the 'Help Desk' sub-tab, check the box labeled 'Support Group/Role Authorization?':
    • (screenshot: Group Auth checkbox)
  15. Click 'Save' to save these changes. 
  16. Click 'Apply to PortalGuard Server' and then click 'Sync' for these changes to take effect.
  17. Open a Command Prompt as Administrator and run iisreset for the changes to take effect. 
    • This is always required when custom PortalGuard settings are changed in web.config files.
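
An offline check of the three web.config edits from steps 4, 5 and 8, added here as an example and not PortalGuard's own tooling. The sample XML is constructed; the position of <GroupRoleAuthZ> in the file, the truncated type value, and the requirement that <deny> come before <allow> (ASP.NET applies the first matching rule) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Element and attribute names are the ones the article
# shows; the type value is truncated there ("...") and the position of
# <GroupRoleAuthZ> in the file is an assumption.
ROOT_OK = """<configuration>
  <system.webServer><modules>
    <add name="GroupAuthz" type="Pistolstar.Security.GroupAuthz" />
  </modules></system.webServer>
  <GroupRoleAuthZ enabled="true" />
</configuration>"""
# State before steps 4 and 5: module commented out, feature disabled.
ROOT_DEFAULT = (ROOT_OK.replace("<add name", "<!--<add name")
                .replace('GroupAuthz" />', 'GroupAuthz" />-->')
                .replace('enabled="true"', 'enabled="false"'))
HELPDESK_OK = """<configuration><system.web><authorization>
  <deny users="?" /><allow users="*" />
</authorization></system.web></configuration>"""


def audit(root_xml, helpdesk_xml):
    """Return findings for steps 4, 5 and 8; an empty list means all are set."""
    findings = []
    root = ET.fromstring(root_xml)  # the parser discards <!-- ... --> blocks
    active = any(a.get("name") == "GroupAuthz"
                 and a.get("type", "").startswith("Pistolstar.Security.GroupAuthz")
                 for m in root.iter("modules") for a in m.findall("add"))
    if not active:
        findings.append("step 4: GroupAuthz module missing or still commented out")
    role = next(root.iter("GroupRoleAuthZ"), None)
    if role is None or role.get("enabled", "").lower() != "true":
        findings.append('step 5: GroupRoleAuthZ enabled is not "true"')
    authz = next(ET.fromstring(helpdesk_xml).iter("authorization"), None)
    rules = [] if authz is None else [(r.tag, r.get("users")) for r in authz]
    # ASP.NET URL authorization applies the first matching rule, so
    # <deny users="?"> (anonymous) must come before <allow users="*"> (everyone).
    if rules != [("deny", "?"), ("allow", "*")]:
        findings.append('step 8: expected deny users="?" then allow users="*"')
    return findings


if __name__ == "__main__":
    for label, root_cfg in (("configured", ROOT_OK), ("default", ROOT_DEFAULT)):
        print(label, audit(root_cfg, HELPDESK_OK) or "OK")
```

To check a live server, pass the contents of the two files named in steps 2 and 7, read in binary mode, to audit().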

REV. 08/2018 | PortalGuard

  • 01-Aug-2018