Focusing on Question #2, I'm still having trouble with Windows Integrated Authentication (Kerberos) in BlogEngine 1.6.
Here's what I've done thus far:
1. Unzipped the source code onto my dev box.
2. Opened the solution in VS.Net 2010, and let it convert the solution for 2010, as well as let it convert the website to run on .Net 4.0 - this shouldn't cause problems, but I'm happy to eliminate this step and run it under a 2.0 app pool Classic style if
3. I compile and run the application without modification and it works locally as well as deployed to our dev web server box (using copy website in VS.Net)... but it is using Forms authentication tied to the XML role providers and membership providers.
4. I open up web.config at the root of the application and change Authentication Mode to Windows, enable Identity Impersonation, and then I set the authorization section to deny non-authenticated users, and allow Domain Users. Lastly under "appSettings" I change the BlogEngine.AdminRole to our web admin group, and the BlogEngine.EditorRole to our Domain Users group. -- Nothing else has been altered.
5. When I run the application locally now it "works" in that the pages come up and someone is logged in, but since it is using the XmlRoleProvider, I'm not sure where the mismatch is... Kerberos + Impersonation via Windows Auth would mean that the app pool running the site is working as me "domain\trey" but the AdminRole and EditorRole settings are AD Groups... the "roles.xml" file now looks like this:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
6. I am unable to post... should I be using the AspNetWindowsTokenRoleProvider here? If so, how do I set that properly? I tried simply commenting out the RoleManager tag in web.config and adding my own in <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" /> but that blows up machine.config somehow...
Any thoughts on what's going on and what is left to do?
The end result I am looking for is that
A) The site executes as the user logged into the domain - ex. the custom app pool identity (domain\attendentAccount) impersonates me (domain\trey)
B) Authorization is coordinated with AD users and groups - web.config
C) Blogs can be assigned to a single user, or to a group - ex. a user group can have a blog, and all its members can post to it (domain\someGroup)
Is this possible or am I nuts?
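The web.config sections the post describes, written out as an added example (this is not the poster's file and not BlogEngine.NET's shipped web.config). It assumes the .NET 4.0 conversion from step 2 and uses the placeholder group names `DOMAIN\WebAdmins` and `DOMAIN\Domain Users` for the groups named in step 4. The provider name `AspNetWindowsTokenRoleProvider` is the one machine.config already registers for `System.Web.Security.WindowsTokenRoleProvider`, so the fragment either references it by name only or clears the inherited list before adding it; adding a second entry with that name without a `<clear />` fails configuration loading with a duplicate-entry error.

```xml
<?xml version="1.0"?>
<!-- Added example fragment, not the original post's or BlogEngine.NET's own web.config.
     Assumptions: .NET 4.0 app pool; DOMAIN\WebAdmins and DOMAIN\Domain Users are
     placeholder group names for the groups mentioned in the post. -->
<configuration>
  <appSettings>
    <!-- BlogEngine checks these names with Roles.IsUserInRole; with the Windows
         token role provider they must be DOMAIN\Group strings, not XML role names. -->
    <add key="BlogEngine.AdminRole" value="DOMAIN\WebAdmins" />
    <add key="BlogEngine.EditorRole" value="DOMAIN\Domain Users" />
  </appSettings>

  <system.web>
    <!-- IIS performs the Kerberos/NTLM handshake; ASP.NET only sees the resulting token. -->
    <authentication mode="Windows" />

    <!-- Each request runs under the caller's token (domain\trey) instead of the
         app pool account; file writes under App_Data therefore happen as the caller. -->
    <identity impersonate="true" />

    <!-- Rules are evaluated top down and the first match wins: admit Domain Users,
         then deny everyone else (which also covers anonymous callers, "?"). -->
    <authorization>
      <allow roles="DOMAIN\Domain Users" />
      <deny users="*" />
    </authorization>

    <!-- Replace BlogEngine's XmlRoleProvider-based roleManager element entirely.
         <clear /> drops every inherited provider, including machine.config's own
         AspNetWindowsTokenRoleProvider entry, so re-adding it by name is then legal.
         Omitting the whole <providers> element and keeping only defaultProvider
         is the other valid form. -->
    <roleManager enabled="true"
                 defaultProvider="AspNetWindowsTokenRoleProvider"
                 cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             applicationName="/" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
```

Two caveats a practitioner would check before deploying this. First, `WindowsTokenRoleProvider` implements only the read-side role queries (`IsUserInRole`, `GetRolesForUser`); the management methods such as `CreateRole`, `AddUsersToRoles` and `GetAllRoles` throw `ProviderException`, so any BlogEngine admin page that manages roles will fail rather than silently do nothing. Second, with `impersonate="true"` the impersonated caller, not the app pool account, needs NTFS write access to the folders BlogEngine writes (App_Data for its XML storage); grant that to the editor group only, and keep read-only access for everyone else admitted by the authorization rules.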