Separate authenticataion for edit/admin

Vote:
 
Hi. Can anyone give me a quick hint/example as how to completely separate the authentication for edit/admin pages from the authentication used in the actual web site? If I set a custom section in web.config like I will get an error "it is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS." Ok, so if I configure edit and admin as applications, instead I get a "file not found" error in the httpmodules workflow section. (Since these subapplications look for the episerver dll.s in its own bin-directory.) Tried to copy the dll-s to edit\bin but ran into a new error "ClassFactory not initialized" I suppose there is a standard way to do this that I'm missing?
#13025
Mar 25, 2008 18:35
Vote:
 
The usual way to accomplish what you want is to have a separate Edit/Admin-site parallell to the web site (two EPiServer installation pointing to the same database). The edit/admin-site can then have another authentication mode than the public website (some also use another port number to make it a little more difficult for hackers). Regards Johan Olofsson
#15268
Mar 25, 2008 18:46
Vote:
 
I've created an EPiServer site with two different types of authentication + EPiServer authentication, without using more than one site. An ASP.NET site can only have one authentication and one loginURL. An unauthenticated user (trying to access a protected page) will always be redirected to the page specified in loginURL (for example MainLogin.aspx). In MainLogin.aspx you have to find out if the user wants log in to edit/admin, or is trying to access a page on your site. If trying to access a page on your site, redirect to your custom login page. Since I had two different types of authentication, I also had to find out what section of the site the user was trying to access, and redirect the user to one of the two custom login pages.
#15269
Mar 25, 2008 18:46
Vote:
 
Cool. But could you mix Windows with Forms authentication within the same site? /johan
#15270
Mar 25, 2008 18:46
Vote:
 
I didn't try that but I dont see that it should be a problem. I created two custom EPiServer authentication providers and added these to the authentication provider chain (as specified in http://www.episerver.com/downloads/Documents/TechNotes/EPiServer%204.61/All%20Technical%20Notes/Configurable%20Authentication%20Provider%20Chain.pdf). I removed the windows authentication provider from the chain since we don't need it, but I guess that if it was still there it would be possible to log in with a "windows login". When creating this solution I also solved an issue with the EPiServer authentication provider chain solution: If two different kind of users (using different kinds of authentication) are having the same username, you will get a problem. For example, use a default installation of EPiServer (4.61 in my case) and add a user in the admin tool with the same username as a "windows user" on the same machine/domain. The user will function fine in EPiServer, but after a while the windows account gets locked because EPiServer also tries to authenticate the user in the active directory. I had to solve this so that a username just needed to be unique for that type of user. But the solution wasn't very pretty... :-)
#15271
Mar 25, 2008 18:46
Vote:
 
But the problem was (as far as I've understood it), that Asp.Net wont let you specify a different "authentication mode" for separate locations within the site. Say for example that you want "/edit" and "/admin" authenticated with (so users can be authenticated through NTLM challenge/response and wont have to see a login page at all) and the rest of the site be using (for extranet users) If that's the scenario, I dont think there is a way but setting up two parallell sites towards the same database, one edit/admin-site with and the other with . Regards, Johan Olofsson
#15272
Mar 25, 2008 18:46
Vote:
 
No, you're probably right. If you don't want to have a login form at all you can't use this approach.
#15273
Mar 25, 2008 18:46
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.