Support Thread

Does Apg Vnext Support Windows Authentication Active Directory

Does Apg Vnext Support Windows Authentication Active Directory — APG vNext Guide

Does Apg Vnext Support Windows Authentication Active Directory — a configuration and setup topic from the APG vNext support community.

Key Configuration Points

  • IIS App Pool: .NET 4.0 Integrated Pipeline mode is required.
  • Connection String: Verify SQL Server name, database, and credentials in web.config.
  • File Permissions: App pool identity needs read/write on the upfiles folder.
  • URL Rewriting: Install IIS URL Rewrite 2.0 module for clean SEO-friendly URLs.
  • Full-Text Search: Enable SQL Server Full-Text Indexing for forum search.

More Help

Windows Authentication and Active Directory Support in APG vNext

Yes - APG vNext supports Windows Authentication (NTLM/Kerberos) and Active Directory integration. Windows Authentication enables a true zero-login experience for users on a corporate network: they open the forum and are automatically authenticated as their Windows domain user without entering credentials. Active Directory integration provides LDAP-based authentication and optional directory attribute synchronisation.

Enabling Windows Authentication

<!-- web.config -->
<system.web>
  <authentication mode="Windows" />
  <identity impersonate="false" />
</system.web>

<!-- Also in IIS: disable Anonymous Authentication, enable Windows Authentication -->
<add key="APG.Auth.Mode"            value="Windows" />
<add key="APG.Auth.WinAuth.Domain"  value="YOURDOMAIN" />
<add key="APG.Auth.AutoProvision"   value="true" />

Mixed Mode: Windows + Forms Auth

For communities with both internal (Windows) and external (password) users, use Mixed Mode:

<add key="APG.Auth.Mode" value="Mixed" />
<!-- Internal users are auto-authenticated via NTLM -->
<!-- External users see the standard login form -->

Kerberos vs NTLM

Kerberos is preferred over NTLM for security and performance on domain networks. Kerberos requires a Service Principal Name (SPN) registered for the IIS service account:

# Register SPN for the forum (run as domain admin):
setspn -A HTTP/forum.company.com DOMAIN\svc-apg
setspn -A HTTP/forum DOMAIN\svc-apg

Active Directory Attribute Synchronisation

Beyond authentication, APG vNext can synchronise member profile attributes from Active Directory on each login. This keeps the forum's member data in sync with the authoritative source without requiring members to update their forum profile separately:

<!-- web.config: AD attribute mapping -->
<add key="APG.AD.SyncAttributes"  value="true" />
<add key="APG.AD.Attr.Email"       value="mail" />
<add key="APG.AD.Attr.DisplayName" value="displayName" />
<add key="APG.AD.Attr.Department"  value="department" />
<add key="APG.AD.Attr.Title"       value="title" />
<!-- Department and Title mapped to custom member profile fields -->

Group-Based Forum Permissions from AD Groups

One of the most powerful benefits of Active Directory integration is automatic forum permission assignment based on AD security group membership. Members added to the AD group Forum-Moderators automatically gain moderator permissions in APG vNext; members added to Forum-Restricted automatically have posting restricted to read-only forums. This eliminates manual permission management in APG vNext's admin panel for organisations that already manage access through AD:

<!-- Map AD groups to APG vNext member groups -->
<add key="APG.AD.GroupMapping.Forum-Moderators" value="APG-Moderators" />
<add key="APG.AD.GroupMapping.Forum-Admins"     value="APG-Admins" />
<add key="APG.AD.GroupMapping.Forum-ReadOnly"   value="APG-ReadOnly" />
<!-- APG vNext re-evaluates group membership on each login -->

Troubleshooting Windows Authentication on IIS

The most common Windows Authentication issue is receiving a 401 Unauthorized or infinite login prompt loop. The cause is usually one of: Anonymous Authentication not disabled on the IIS site (must be disabled when using Windows Auth), a missing or incorrect SPN (required for Kerberos, but NTLM can work without it), or the application pool identity lacking access to the domain controller for Kerberos ticket validation. Check IIS authentication settings first, then verify the SPN registration using setspn -L DOMAIN\svc-account, and finally test with NTLM forced (by disabling Kerberos in IIS) to isolate whether the issue is Kerberos-specific.

Azure Active Directory (Entra ID) Integration

For organisations moving to cloud identity, APG vNext 5.x supports Azure Active Directory (now called Microsoft Entra ID) authentication in addition to on-premises AD. Azure AD authentication uses OpenID Connect (OIDC) rather than NTLM/Kerberos, making it suitable for internet-facing forums where members authenticate with their Microsoft 365 organisational accounts:

<!-- web.config: Azure AD OIDC configuration -->
<add key="APG.Auth.Mode"                value="AzureAD" />
<add key="APG.AzureAD.TenantID"         value="your-tenant-id" />
<add key="APG.AzureAD.ClientID"         value="your-app-registration-id" />
<add key="APG.AzureAD.ClientSecret"     value="your-client-secret" />
<add key="APG.AzureAD.CallbackPath"     value="/signin-azuread" />
<add key="APG.AzureAD.AutoProvision"    value="true" />

Azure AD authentication is ideal for corporate intranet forums and customer community portals where members already have Microsoft 365 accounts. The forum appears as a standard Microsoft enterprise application in the Azure AD app gallery, and IT administrators can control access through the same Azure AD conditional access policies used for other enterprise apps.

ADFS Integration for On-Premises Federation

Organisations running Active Directory Federation Services (ADFS) on-premises can use ADFS as a claims provider for APG vNext authentication. ADFS acts as a federation layer between APG vNext and the on-premises Active Directory, supporting both SAML 2.0 and WS-Federation protocols. This configuration is common in organisations that need SSO across multiple internal web applications where ADFS is already the established federation service. ADFS also enables federation with external identity providers (other organisations' AD, social login providers), allowing partner organisation members to log into your APG vNext forum using their own organisation's credentials without creating a separate APG vNext account.

Related Resources


Looking for more help? Browse the support forum or check the Knowledge Base.