Hi,

Have you tried to login without the domain name specified? Instead of DOMAIN\Username, just try Username.

There has alway been problem with understanding AD and how to sync user. I were in a project, CMS6 and Community with a team from Circuit. They synced all users with a schedule job and then we used ordinary community members to do the rest. This worked perfect and as far as i know the customer do not have any problem. The idé was that workin agains an AD is not very funny so intead we can program and use all users as community members instead.

I think they have that schedule job or something in the old medstor package. http://world.episerver.com/Articles/Items/Relate-Intranet-Demo-Site/

Hi Johan,

I have tried logging in both with and without the DOMAIN prefix. If I use the DOMAIN prefix I receive the "Invalid password error message". If I dont use the DOMAIN prefix we receive no error message whatsoever, it just doesnt log the user in.

I may have to raise it with EPiServer support as it seems to be working very unexpected, and quite unlike anything I've seen before.

Thanks

Al

Hi Eric,

Thanks for your response.

Im not sure this is quite the same approach however, we're not currently synchronosing between AD and EPi, we are exposing AD as a method of logging in and accessing EPiServer.

As I undertand it:

• The Windows membership provider can expose/validate against AD accounts, if the server that EPiServer is running on is a member of the local domain.
• If the Server that EPiServer is running on is not a member of the local domain, or of course you need to authenticate against a different domain the AD/LDAP Membership Provider can be used (there are possibly other reasons for using the AD provider over the Windows provider too).

However, currently the only types of Windows accounts that we can get to work are Local Admin accounts, which makes no sense whatsoever.

Any thoughts anyone?

Thnaks

Al

Hi all,

I've only just noticed that some of my configuration got stripped out when I posted the question. Membership/Role providers are configured as so:

    <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider"  />
        <!--<add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="ActiveDirectoryRoleProvider" provider3="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" providerMap3="WindowsMembershipProvider"  />-->
        <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="EPiServerCommonRoleProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryRoleProvider" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" connectionProtection="None" attributeMapUsername="sAMAccountName" />
      </providers>
    </roleManager>
    <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
        <!--<add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="ActiveDirectoryMembershipProvider" provider3="WindowsMembershipProvider" />-->
        <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
        <add name="EPiServerCommonMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

And access tyo Edit mode is granted via:

<location path="EPiServer">
<system.web>
<httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
<pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
<controls>
<add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
</controls>
</pages>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<authorization>
<allow roles="WebEditors, WebAdmins, Administrators, CommunityAdmins, CommunityModerators, MailAdmins, MailEditors, DOTCENTRIC\AD_EPiServer_Editors, DOTCENTRIC\AD_EPiServer_Admins, AD_EPiServer_Editors, AD_EPiServer_Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>

Apologies!!!

Al

Hi, I'm using AD and the difference to your setup is that we don't have the domain name  preceeding the role. So instead of DOTCENTRIC\AD_EPiServer_Editors just have AD_EPiServer_Editors as the role (like you have it doubled).

I don't understand when you start talking about AD authentication but you are not having your AD role and membership providers in multiplexing definition but instead the windowsproviders.

Also I think the documentation says that the user has to be logged on the server at least once so that windows authentication would work.

Is your LDAP connection string correctly set up? Meaning you are quering the correct container? (it will find stuff that is below but not higher, so this cuold be one mistale in the LDAP connection string)

Out on a limb here, but it seems in CMS 7 the membership hashAlgorithmType is set specifically to HMACSHA512 by default:

<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">

Whereas in earlier CMS versions the "hashAlgorithmType" attribute was not set, meaning it defaulted to SHA1. A colleague of mine had trouble authenticating with another membership provider because the passwords there were hashed with SHA1. It worked when he removed the hashAlgorithmType attribute. Could this be your issue too?