LDAP and Active Directory (AD) problem


I have installed CMS5 R2 on Windows XP, and I am trying to create an intranet site using Active Directory (AD) to authenticate editors, but I am having some difficulties.

This is what I have done so far:

I have created an administrative user in the SQL database, and I am using the MultiplexingRoleProvider to perform authentication using the SqlServerRoleProvider first, and the ActiveDirectoryMembershipProvider second. I know that my LDAP connection works ok, because when I log on using the administrative user in the SQL database, all the AD groups are listed when I select "Administer Groups" in admin mode. What is more, if I select "Search user/group" in admin mode and search for the desired AD group, I can even see that it contains all the appropriate AD users.

I have also selected "Set access rights" in admin mode, selected the root node and added the desired AD group with all the rights I desire. In web.config, I have also added the "DOMAIN\mygroup" to the list of allowed roles in the location element for the admin and edit paths.

This is the problem:

When I try to log in with some "DOMAIN\user", I just get "Login failed". I have also tried logging in with user@DOMAIN.no with the same result. If I try to log in with just the username (i.e. just "user", to stay consistent with my two examples above), I get nothing, not even "Login failed" (although I can see that a postback takes place).

In IIS, I have enabled anonymous access and selected "Basic authentication" as the authentication mode.

Does anybody know what I need to do to get the authentication to work with LDAP and AD?

I thought perhaps I had to use the "Synchronize groups" button at the bottom of the "Administer groups" page in admin mode, but this button has disappeared with CMS5 R2 (it used to be there in 4.62 at least).

The PC I am trying to do this from is not part of the domain, by the way, but I don't see that this should matter at all as long as the LDAP connection string works fine.

- Bjørn Gustafson

#28449 Mar 09, 2009 11:56
  • René Voigt
    Member since: 2005
    I recommend using a tool like Softerra LDAPBrowser to check if the given DN is giving you access to both users and groups.
    #28451 Mar 09, 2009 13:07
  • Mikael Nordberg
    Member since: 2007

    You need to implement your own providers for this to work, I'm afraid.

    For the membership provider you could inherit System.Web.Security.ActiveDirectoryMembershipProvider and, everywhere "username" (or similar) is used, remove the domain prefix.

    For the role provider I took the provider that EPiServer created and inherited that. Here you need to replace the "%" character in FindUsersInRole with a "*" char to make this work.

    There are some articles here on EPiServer that could help you. Hope this will get you a bit further.

    #28583 Mar 16, 2009 11:03
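The two customisations described in the reply above, written out as an added example. This is not code from the thread or from EPiServer: the class and method names are hypothetical, it assumes the membership provider is configured with the default sAMAccountName username mapping (so only the "DOMAIN\" prefix is removed, not a "@domain" UPN suffix), and because the EPiServer role provider's internals are not shown in the thread, the "%" to "*" translation is given as a standalone helper that a FindUsersInRole override would call when building its LDAP search filter. The helper also escapes the characters that are special in an LDAP filter (RFC 4515), so a pattern containing "(", ")" or "\" is matched literally instead of changing the meaning of the filter.

```csharp
using System;
using System.Text;
using System.Web.Security;

// Hypothetical membership provider: strips "DOMAIN\" from the name the login form
// submits before handing it to the built-in AD provider, which expects a bare
// sAMAccountName when attributeMapUsername is left at its default.
public class DomainStrippingAdMembershipProvider : ActiveDirectoryMembershipProvider
{
    // "DOMAIN\user" -> "user"; a name without a backslash is returned unchanged.
    public static string StripDomainPrefix(string username)
    {
        if (string.IsNullOrEmpty(username))
            return username;
        int backslash = username.IndexOf('\\');
        return backslash >= 0 ? username.Substring(backslash + 1) : username;
    }

    public override bool ValidateUser(string username, string password)
    {
        return base.ValidateUser(StripDomainPrefix(username), password);
    }

    public override MembershipUser GetUser(string username, bool userIsOnline)
    {
        return base.GetUser(StripDomainPrefix(username), userIsOnline);
    }
}

// Hypothetical helper for a role provider's FindUsersInRole(roleName, usernameToMatch).
// ASP.NET callers pass usernameToMatch as a SQL LIKE pattern ("bj%"), but an LDAP
// filter uses "*" as its wildcard, so "%" is translated and everything else that
// is special in an LDAP filter is escaped to be matched literally.
public static class LdapFilterPattern
{
    public static string FromSqlLike(string usernameToMatch)
    {
        if (usernameToMatch == null)
            return "*";
        var sb = new StringBuilder(usernameToMatch.Length + 8);
        foreach (char c in usernameToMatch)
        {
            switch (c)
            {
                case '%':  sb.Append('*');     break; // SQL wildcard -> LDAP wildcard
                case '*':  sb.Append("\\2a");  break; // literal asterisk
                case '(':  sb.Append("\\28");  break;
                case ')':  sb.Append("\\29");  break;
                case '\\': sb.Append("\\5c");  break;
                case '\0': sb.Append("\\00");  break;
                default:   sb.Append(c);       break;
            }
        }
        return sb.ToString();
    }

    // Builds the user-search filter a FindUsersInRole override would run, e.g.
    // FromSqlLike("bj%") -> "(&(objectClass=user)(sAMAccountName=bj*))".
    public static string UserFilter(string usernameToMatch)
    {
        return "(&(objectClass=user)(sAMAccountName=" + FromSqlLike(usernameToMatch) + "))";
    }
}
```

Register the membership provider in web.config in place of ActiveDirectoryMembershipProvider, keeping the same connectionStringName and connection settings; the role provider change only matters for the user search in admin mode, so test it with the "Search user/group" page using a pattern such as "bj%".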
  • Steve Celius
    Member since: 2001

    Mixing groups (roles) between providers will not work (as it did in EPiServer 4).

    See http://labs.episerver.com/en/Blogs/Johano/Dates/2008/9/Some-ActiveDirectoryRoleProvider-issues/ for some good troubleshooting tips and example code.

    /Steve

    #28628 Mar 16, 2009 16:42