Configure Windows authentication (with AD, Windows and Sql logins)


Hello,

I have had quite a few problems getting the authentication to work properly in EPiServer 5. The goal is to have EPiServer configured so that it mainly authenticates against a local AD server. But we also want the Sql and Windows role providers active, as the customer wants to be able to log in with local accounts (sql) and the local administrator (windows).

So to the question. How is this done in IIS and in web.config? I have tried to read the tech docs and forums on this topic but can't get it running as I want.

Some sample snippet from web.config would help a lot I think.

Right now, IIS is set to Integrated Authentication and <authentication mode="Windows" /> in web.config.

AD connection is setup properly as I have mapped the AD groups accordingly in edit mode. This was done with auth mode Forms in web.config, as when I switch to Windows auth mode, I get access denied exceptions.

If I don't add the attributeMapUsername="sAMAccountName" attribute, I get other errors saying that the user does not exist.

Any help is appreciated. 

#25347
Oct 22, 2008 9:24

Set authentication mode to forms, and configure the MultiplexingRoleProvider and MultiplexingMembershipProvider. The attributes provider1, provider2 etc. give the order in which they should be used. I guess you first want to authenticate with Windows, then AD and last SqlServer. In the IIS security tab, "Enable anonymous access" is enough.

Sample from CMS 5 R2 where the ActiveDirectory providers are builtin:

<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
    <providers>
        <clear />
        <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="WindowsRoleProvider" provider2="ActiveDirectoryRoleProvider" provider3="SqlServerRoleProvider" providerMap1="WindowsMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" providerMap3="SqlServerMembershipProvider" />
        <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="ActiveDirectoryRoleProvider"
             type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
             connectionStringName="ActiveDirectoryProviderConnection"
             connectionUsername="DOMAIN\ADServiceAccount"
             connectionPassword="password"
             attributeMapUsername="sAMAccountName" />
    </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
    <providers>
        <clear />
        <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="WindowsMembershipProvider" provider2="ActiveDirectoryMembershipProvider" provider3="SqlServerMembershipProvider" />
        <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
        <add name="ActiveDirectoryMembershipProvider"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="ActiveDirectoryProviderConnection"
             connectionUsername="DOMAIN\ADServiceAccount"
             connectionPassword="password"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
    </providers>
</membership>

http://world.episerver.com/en/Articles/Items/Membership-and-Roles-in-EPiServer-CMS-5/

I have used the Multiplexing providers but I haven't used the ActiveDirectory providers, so I don't know how those should be configured.

Hope this helps

/Hans

#25349
Oct 22, 2008 10:52

Hello Hans, 

Thank you very much for your answer. I have managed to set it up and got it working under Forms auth as you say, but to enable automatic login you must have it set to Windows auth (and Integrated auth in IIS), AFAIK.

If someone could post a working setup with integrated auth in IIS and the AD, Windows and Sql role providers (in that order) in web.config that can autologin, I would be very happy.

In EPiServer 4 this was very much possible, but in 5, now with the ASP.NET auth mechanism, I can't get it to work :/

#25379
Oct 23, 2008 8:45

As I see it this is not possible. If you have authentication mode Windows, the membership providers will never call "MembershipProvider.ValidateUser" because Windows controls the authentication. You can use the WindowsRoleProvider with authentication mode Windows.

The SqlMembershipProvider requires forms authentication. I don't know about the ActiveDirectoryMembershipProvider.

But maybe someone else can explain it better.

/Hans

#25381
Edited, Oct 23, 2008 9:56
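The following is an added configuration check, not code from the thread or from EPiServer. It lints a web.config along the lines Hans describes: every providerN / providerMapN on a Multiplexing provider must name an existing provider (compared exactly, so a casing slip is reported), a plain-text connectionPassword is flagged, and a forms-only SqlMembershipProvider combined with authentication mode Windows is flagged, since ValidateUser is never called in that mode. SAMPLE_CONFIG is a constructed fragment for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment (not the thread's): one casing slip, Windows auth mode.
SAMPLE_CONFIG = """<configuration><system.web>
  <authentication mode="Windows" />
  <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider"><providers>
    <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="WindowsRoleProvider" provider2="SqlServerRoleProvider"
         providerMap1="WindowsMembershipProvider" providerMap2="SqlServermembershipProvider" />
    <add name="WindowsRoleProvider" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
    <add name="SqlServerRoleProvider" type="System.Web.Security.SqlRoleProvider, System.Web" />
  </providers></roleManager>
  <membership defaultProvider="MultiplexingMembershipProvider"><providers>
    <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="WindowsMembershipProvider" provider2="SqlServerMembershipProvider" />
    <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" />
    <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web"
         connectionPassword="password" />
  </providers></membership>
</system.web></configuration>"""

def _providers(root, section):
    """Map provider name -> <add> element for the named section (roleManager / membership)."""
    return {a.get("name"): a for a in next(root.iter(section)).iter("add")}

def check_provider_chain(xml_text):
    """Return a list of findings for the multiplexing chain, embedded secrets and auth mode."""
    root = ET.fromstring(xml_text)
    roles, members = _providers(root, "roleManager"), _providers(root, "membership")
    findings = []
    for pool in (roles, members):
        for add in pool.values():
            for attr, ref in ((k, v) for k, v in add.attrib.items() if k.startswith("provider")):
                # providerN points into the same section, providerMapN into membership.
                target = members if attr.startswith("providerMap") else pool
                if ref in target:
                    continue
                near = " (case mismatch)" if ref.lower() in {n.lower() for n in target} else ""
                findings.append(f"{add.get('name')}.{attr}={ref!r} not found{near}")
            if add.get("connectionPassword"):
                findings.append(f"{add.get('name')}: connectionPassword stored in plain text")
    # Under Windows authentication MembershipProvider.ValidateUser is never called,
    # so a forms-only provider such as SqlMembershipProvider can never log anyone in.
    mode = next(root.iter("authentication")).get("mode")
    forms_only = [n for n, a in members.items() if "SqlMembershipProvider" in a.get("type", "")]
    if mode == "Windows" and forms_only:
        findings.append(f"authentication mode=Windows: {forms_only} cannot validate users")
    return findings
```

Run check_provider_chain() over the real web.config text to get the same three kinds of findings for a deployment.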