I have installed CMS5 R2 on Windows XP, and I am trying to create an intranet site using Active Directory (AD) to authenticate editors, but I am having some difficulties.
This is what I have done so far:
I have created an administrative user in the SQL database, and I am using the MultiplexingRoleProvider to perform authentication using the SqlServerRoleProvider first, and the ActiveDirectoryMembershipProvider second. I know that my LDAP connection works ok, because when I log on using the administrative user in the SQL database, all the AD groups are listed when I select "Administer Groups" in admin mode. What is more, if I select "Search user/group" in admin mode and search for the desired AD group, I can even see that it contains all the appropriate AD users.
I have also selected "Set access rights" in admin mode, selected the root node and added the desired AD group with all the rights I desire. In web.config, I have also added the "DOMAIN\mygroup" to the list of allowed roles in the location element for the admin and edit paths.
This is the problem:
When I try to log with some "DOMAIN\user", I just get "Login failed". I have also tried logging in with user@DOMAIN.no with the same result. If I try to log in with just the username (i.e. just "user" to stay consistent with my two examples above), I get nothing, not even "Login failed" (although, I can see that a postback takes place)
In IIS, I have enabled anonymous access and selected "Basic authentication" as the authentication mode.
Does anybody know what I need to do to get the authentication to work with LDAP and AD?
I thought perhaps I had to use the "Synchronize groups" button at the bottom of the "Administer groups" page in admin mode, but this button has disappeared with CMS5 R2 (it used to be there in 4.62 at least).
The PC I am trying to to this from is not part of the domain by the way, but I don't see that this should matter at all as long as the LDAP connection string works fine.
- Bjørn Gustafson
You need to implement your own providers for this to work, I'm afraid.
For the membershipprovider you could inherit System.Web.Security.ActiveDirectoryMembershipProvider and everywhere where "username" (or similar) is used, remove the domain prefix.
For the roleprovider I took the provider that EPiServer created and ineherited that. Here you need to replace the "%" charachter in FindUsersInRole to a "*" char to make this work.
There are some articles here on EPiServer that could help you. Hope this will get you a bit futher.
Mixing groups (roles) between providers will not work (as it did in EPiServer 4).
See http://labs.episerver.com/en/Blogs/Johano/Dates/2008/9/Some-ActiveDirectoryRoleProvider-issues/ for some good troubleshooting tips and example code.