LDAP for authentication

I'm having difficulties implementing LDAP user authentication on my EPiServer installation. Under "Administer Groups" in ADMIN-mode I can import group information from the LDAP server, but when I change the AuthenticationMode to "Windows" in Web.Config, users in the imported LDAP-group cannot access the website. I've followed the white-paper "Using LDAP for User Authentication", but with no success. When LDAP-users try to access the web, they get a (windows)login pop-up, but after 3 attempts they receive an HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Any suggestions on how to resolve this problem? -Lars
#16893
Mar 25, 2008 19:25
Is "Act as part of the operating system" set for the ASPNET user? /HAXEN
#17052
Mar 25, 2008 19:31
I think I've come one step closer to the solution. I'm now able to log in, but it seems my LDAP-users do not have enough privileges. They are automatically redirected to the login page, even though the user has just logged in. By using "userInformation.aspx" I've managed to retrieve this information:

Your authenticationtype is: EPiSec
The current Sid type is: LdapUser
You are logged on as "domain-name\user" and you are a member of the following groups: Everyone

This LDAP-user should have been a member of a group called "DomainUsers-Users-domain-name-com" (imported from the LDAP-server), which has sufficient privileges in my EPiServer installation. The user is also listed in the "Search Users/Groups" under "Access right" in Admin-mode. -Lars
#17053
Mar 25, 2008 19:31
Try another group, and see if that group is listed. The Domain Users group is special in AD, and I'm not sure that will be handled by EPiServer. In AD, all users have a Primary Group (usually Domain Users), which is not part of the "memberOf" LDAP attribute, which is the one EPiServer uses to determine group membership. /Steve
#17054
Mar 25, 2008 19:31
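The point in the reply above, shown as an added example that is not part of any post in this thread and is not EPiServer's code: a membership check that reads only memberOf misses the primary group, which has to be derived from the user's objectSid and primaryGroupID. The SID, DNs, group names and function names are constructed for illustration, and the dictionaries stand in for LDAP searches.

```python
import struct

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid as AD returns it over LDAP into S-1-... form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])     # 32-bit each, little-endian
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    return "%s-%d" % (user_sid.rsplit("-", 1)[0], primary_group_id)

def memberof_groups(user: dict, groups_by_dn: dict) -> set:
    """What a memberOf-only lookup sees."""
    return {groups_by_dn[dn] for dn in user.get("memberOf", []) if dn in groups_by_dn}

def effective_groups(user: dict, groups_by_dn: dict, groups_by_sid: dict) -> set:
    """memberOf groups plus the primary group, which memberOf never lists."""
    names = memberof_groups(user, groups_by_dn)
    pg = primary_group_sid(sid_to_str(user["objectSid"]), user["primaryGroupID"])
    if pg in groups_by_sid:
        names.add(groups_by_sid[pg])
    return names

# Constructed sample data (not from a real directory).
DOMAIN_SUBS = (21, 1111111111, 2222222222, 3333333333)
USER = {
    "objectSid": bytes([1, 5]) + (5).to_bytes(6, "big")
                 + struct.pack("<5I", *DOMAIN_SUBS, 1104),   # user RID 1104
    "primaryGroupID": 513,   # well-known RID of Domain Users
    "memberOf": ["CN=WebEditors,OU=Groups,DC=example,DC=com"],
}
GROUPS_BY_DN = {
    "CN=WebEditors,OU=Groups,DC=example,DC=com": "WebEditors",
    "CN=Domain Users,CN=Users,DC=example,DC=com": "Domain Users",
}
GROUPS_BY_SID = {
    "S-1-5-21-1111111111-2222222222-3333333333-513": "Domain Users",
}

if __name__ == "__main__":
    print("memberOf only:", sorted(memberof_groups(USER, GROUPS_BY_DN)))
    print("with primary :", sorted(effective_groups(USER, GROUPS_BY_DN, GROUPS_BY_SID)))
```

Against a live directory, the dictionary lookup by SID would be replaced by a search for the group object whose objectSid matches the derived value.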
I was setting up LDAP authentication for a client last week and had exactly the same problem. The solution to my problem was that I had set the EPsLdapRootContext value to too narrow a scope. When I changed this to a wider scope (to the root of AD) it all worked. I also recommend using custom groups, as the automatic groups such as Domain Users will not work. Cheers, Jeremy.
#17055
Mar 25, 2008 19:31
Problem solved! I changed between different groups and after some trial-and-error I found the one I was looking for. Now it seems to be working... (I was originally using the "Domain Users"-group) -Lars
#17056
Mar 25, 2008 19:31