Mixed Authentication and LDAP
Context
Mixed authentication is an advanced configuration allowing multiple login modes to coexist on the same Avanteam instance.
Prerequisites
- System administration rights
- Access to IIS server
- Service account with read rights on Active Directory
- Access to application's web.config file
Mixed Authentication Principle
Mixed authentication works according to the following principle:
- The application first tries to sign the user in with their Windows/AD token (SSO).
- If that fails (user outside the domain, external contractor, access from a mobile device), the system automatically displays the classic login page.
- Internal users get a seamless login while external users keep their access.
LDAP Connection (Network Mode)
The LDAP protocol is used to query the enterprise directory in real time.
How it works
- When a user enters their password on the login page, Avanteam does not store it; it asks your LDAP server to validate it, so no directory password is ever held in Avanteam.
- Security: if an account is disabled in your AD, its next login attempt is rejected without any manual intervention in Avanteam.
Mixed Authentication Configuration
To enable this mode, the following steps are necessary:
Web Server (IIS)
"Windows Authentication" and "Anonymous Authentication" modes must be enabled simultaneously on the Avanteam site.
Configuration file
The MixedAuthenticationModule module must be declared in the application's web.config file.
Avanteam Settings
In Settings > Authentication, enable Network Mode (LDAP) and enter your domain controller address to allow verification of manually entered passwords.
User Profile
For each user who must use their Windows account, ensure that the Connection Type is set to Network and that their Windows identifier is correctly entered.
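The IIS and web.config steps above, as an added example (PowerShell run as an administrator on the IIS server; this is not Avanteam's installer or code). The site name and the .NET type string of the module are assumptions: take the real type from your Avanteam installation. The script enables both authentication modes at site level, declares the module if it is missing, and then reports whether the site is actually in a mixed-capable state.

```powershell
# Added example, not part of the Avanteam documentation or product.
Import-Module WebAdministration

$SiteName   = 'Avanteam'                                              # ASSUMED IIS site name
$ModuleName = 'MixedAuthenticationModule'                             # name given on the page
$ModuleType = 'Avanteam.Web.MixedAuthenticationModule, Avanteam.Web'  # ASSUMED type, check yours
$AuthPath   = 'system.webServer/security/authentication'

# 1. Both modes on for the site. -Location writes a <location> block in
#    applicationHost.config, so a locked section does not get in the way.
foreach ($mode in 'windowsAuthentication', 'anonymousAuthentication') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter "$AuthPath/$mode" -Name enabled -Value $true
}

# 2. Declare the module in the site's web.config (system.webServer/modules)
#    only if it is not already there, so the script can be re-run safely.
$declared = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
    -Filter "system.webServer/modules/add[@name='$ModuleName']" -Name name
if (-not $declared) {
    Add-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" `
        -Filter 'system.webServer/modules' -Name '.' `
        -Value @{ name = $ModuleName; type = $ModuleType }
}

# 3. Verify. Mixed mode needs BOTH modes plus the module: Windows only means
#    no login page for external users, Anonymous only means no SSO at all.
function Test-MixedAuthConfig([string]$Site) {
    $win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
                -Filter "$AuthPath/windowsAuthentication"   -Name enabled).Value
    $anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
                -Filter "$AuthPath/anonymousAuthentication" -Name enabled).Value
    $mod  = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" `
                -Filter "system.webServer/modules/add[@name='$ModuleName']" -Name name
    [pscustomobject]@{
        WindowsAuth    = [bool]$win
        AnonymousAuth  = [bool]$anon
        ModuleDeclared = [bool]$mod
        MixedReady     = ([bool]$win -and [bool]$anon -and [bool]$mod)
    }
}

Test-MixedAuthConfig $SiteName
```

Run the check again after any IIS change: a later edit that switches one of the two modes off (a common side effect of "securing" the site) silently turns mixed authentication back into a single-mode setup.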
Detailed LDAP Configuration
LDAP Server Connection
- LDAP Path: Enter the LDAP path (ex: LDAP://DC=mycompany,DC=com)
- Service Account: Provide credentials for a service account with read rights on AD
- Connection Port: Default 389 (LDAP) or 636 (secure LDAPS)
Attribute Mapping
Map LDAP attributes to Avanteam fields:
- sAMAccountName → Login identifier
- mail → Email address
- displayName → Full name
- manager → Hierarchical manager
Security Filters
Define filters to restrict access:
- Example: (&(objectCategory=person)(objectClass=user)(memberOf=CN=Avanteam_Group,...)) allows only members of a specific group to be authorized
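The LDAP settings above (path, service account, LDAPS port, attribute mapping, security filter), exercised from the IIS server as an added example. This is PowerShell using the .NET System.DirectoryServices classes, written for this page; it is not Avanteam's own code and says nothing about how the product queries the directory internally. The host name dc01.mycompany.com, the service account, the full DN of Avanteam_Group and the test user are assumptions. It goes slightly beyond the page's filter in two ways a practitioner would want: the login typed on the login page is escaped before it is placed in the filter (otherwise a value such as `*` or `)(objectClass=*` rewrites the query), and the filter also excludes disabled accounts and resolves nested group membership.

```powershell
# Added example, not part of the Avanteam documentation or product.
Add-Type -AssemblyName System.DirectoryServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$LdapHost = 'dc01.mycompany.com'                                 # ASSUMED domain controller
$BaseDn   = 'DC=mycompany,DC=com'                                # LDAP path from the page
$GroupDn  = 'CN=Avanteam_Group,OU=Groups,DC=mycompany,DC=com'    # ASSUMED full DN of the group
$SvcCred  = Get-Credential -Message 'Service account with read rights on AD'

# Avanteam field -> AD attribute, as listed under "Attribute Mapping"
$Mapping = [ordered]@{ Login = 'sAMAccountName'; Email = 'mail'; FullName = 'displayName'; Manager = 'manager' }

# RFC 4515 escaping. Anything typed on the login page is attacker-controlled
# and must never be concatenated into a filter raw.
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = [System.Text.StringBuilder]::new()
    foreach ($c in $Value.ToCharArray()) {
        switch ($c) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($c) }
        }
    }
    $sb.ToString()
}

# Search with the service account over LDAPS (port 636 + SecureSocketsLayer;
# the DC certificate must chain to a CA this server trusts). Returns the
# mapped Avanteam fields, or $null if the user is not an enabled group member.
function Find-AvanteamUser([string]$Login) {
    $safe   = ConvertTo-LdapFilterValue $Login
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(sAMAccountName=$safe)" +
              "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)" +          # nested groups too
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"       # bit 2 = disabled
    $root = [System.DirectoryServices.DirectoryEntry]::new(
                "LDAP://${LdapHost}:636/${BaseDn}",
                $SvcCred.UserName, $SvcCred.GetNetworkCredential().Password,
                [System.DirectoryServices.AuthenticationTypes]::Secure -bor
                [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
    try {
        $searcher = [System.DirectoryServices.DirectorySearcher]::new($root, $filter)
        $searcher.PropertiesToLoad.AddRange([string[]]$Mapping.Values)
        $result = $searcher.FindOne()
        if ($null -eq $result) { return $null }
        $user = [ordered]@{}
        foreach ($field in $Mapping.Keys) {
            $attr = $Mapping[$field]
            $user[$field] = if ($result.Properties[$attr].Count -gt 0) { [string]$result.Properties[$attr][0] } else { $null }
        }
        [pscustomobject]$user
    } finally { $root.Dispose() }
}

# Password check: bind to the directory as the user. Nothing is stored locally;
# $false means the directory rejected the credentials.
function Test-AvanteamPassword([string]$Login, [string]$Password) {
    $ctx = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
               [System.DirectoryServices.AccountManagement.ContextType]::Domain, $LdapHost, $BaseDn)
    try { $ctx.ValidateCredentials($Login, $Password) } finally { $ctx.Dispose() }
}

$login = 'jdoe'                                                  # ASSUMED test user
$user  = Find-AvanteamUser $login
if ($null -eq $user) {
    "$login is not an enabled member of the group; the filter alone would refuse the login"
} else {
    $user
    $pw = (Get-Credential -UserName $login -Message "Password for $login").GetNetworkCredential().Password
    "Password accepted by the directory: $(Test-AvanteamPassword $login $pw)"
}
```

Two things to take from the run: the search and the bind are separate checks (a correct password for a user outside the group, or for a disabled user, must still be refused), and the plain `memberOf=` form on the page matches direct members only, so users who reach Avanteam_Group through a nested group need the matching-rule form shown here or an explicit list of groups.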
Mixed Authentication Benefits
- Flexibility: Allows both internal and external users to access the application
- Security: Centralizes password management on AD
- User Experience: Transparent SSO for internal users
- Service Continuity: access is maintained even if the domain controller is unavailable (degraded mode). A Network-mode user's password is checked by the directory, so degraded mode cannot validate those logins; keep at least one Application-mode administrator account for such outages.
Best Practices
- Test in development environment before deploying to production
- Document external accounts that use Application mode
- Monitor authentication logs to detect unauthorized access attempts
- Enable LDAPS (secure LDAP, port 636) to encrypt communications with the directory; the domain controller's certificate must chain to a CA trusted by the IIS server, otherwise the secure connection fails