Blog posts by Jukka Hyvärinen2016-01-08T01:00:00.0000000Zhttps://world.optimizely.com/blogs/jukka-hyvarinen/Optimizely WorldThings to be aware of while integrating Active Directory with Episerver<h2 id="the-problem">The problem</h2>
<p>Recently I was tasked with enabling our customer to log in to Episerver (version 8) using their Windows Active Directory credentials.
During the implementation I encountered multiple issues that aren’t mentioned in the <a href="/link/c1e47f8e7f2043699e8778b6dd6aad6f.aspx">official documentation</a>.
In the end, I ended up rewriting large parts of both <a href="https://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider">ActiveDirectoryMembershipProvider</a> (built-in to .NET API)
and <a href="/link/55fe410f4f65482cab72fb59d47c7561.aspx?documentId=cms/8/49807A1D">ActiveDirectoryRoleProvider</a> (provided by Episerver).</p>
<p>The official documentation already does good job at explaining the general steps needed for the integration so I won’t repeat those here.
Instead, I’ll focus on the issues I encountered and how those could be solved.
Some of these issues have been reported elsewhere by others already, but the solutions are spread around different blogs,
so hopefully collecting those into one post will be useful to someone else in the same situation.</p>
<h2 id="firewall-ports">Firewall ports</h2>
<p>The official documentation says that ports 389 and 445 both need to be opened, but it’s not explained why.
Port 389 is the main port for LDAP communication so that one is to be expected, but 445 is the port for SMB file transfer,
usually only needed in LAN environments, and opening it could possibly be a security issue, so IT departments are generally very reluctant about opening that port.</p>
<p>However, as expected, for one reason or another, that port really needs to be open in firewall.
We first tried with just the port 389, but this led to an error message “Workstation service is not started”.
Opening port 445 in the firewall fixed that.
Just make sure that it’s limited to allowing traffic only from certain IPs.
The reason is still a bit uncertain, but I saw suggestions <a href="http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/Port445andtrustcreation.html">that it has something to do with establishing trust between the computers</a>.</p>
<h2 id="searching-users">Searching users</h2>
<p>We noticed that searching users by name or email doesn’t work at all. This is apparently a common issue.</p>
<p>After some debugging it turned out that Episerver surrounds the keyword with SQL wildcards ‘%’, which obviously doesn’t work.
In LDAP you need to use ‘*’ instead. The fix is to override the query methods in ActiveDirectoryMembershipProvider,
replacing the ‘%’ in the query with ‘*’.</p>
<div class="highlighter-rouge"><pre class="highlight"><code>public override MembershipUserCollection FindUsersByName(
string usernameToMatch,
int pageIndex,
int pageSize,
out int totalRecords)
{
return base.FindUsersByName(usernameToMatch.Replace("%", "*"), pageIndex, pageSize, out totalRecords);
}
</code></pre>
</div>
<h2 id="limits-for-the-number-of-groups">Limits for the number of groups</h2>
<p>LDAP (at least the Active Directory implementation) has a limit of 1000 entries per query.
We hit that limit with groups, which led to Episerver not listing all groups in the AD, because ActiveDirectoryRoleProvider tries to load all groups
and do the searching/pagination client side.
I solved this by tweaking the LDAP query so that only specific groups are loaded, which also made it a lot faster since a smaller number of entries is returned.
Loading the full list of groups was painfully slow, even though the result is cached after the first query.</p>
<h2 id="caching-problems-with-multiple-active-directories">Caching problems with multiple active directories</h2>
<p>To improve performance, the AD role provider in Episerver caches results of AD queries, in a class called <a href="/link/55fe410f4f65482cab72fb59d47c7561.aspx?documentId=cms/8/EEDB98B2">AdsiDataFactory</a>.</p>
<p>Looking in decompiler, the cache key looks like this:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>string cacheKey = "EPiServer:DirectoryServiceFindAll:" + filter + scope.ToString();
</code></pre>
</div>
<p>Where <em>scope</em> is an enum value. It uses the query itself as the cache key, which works fine if you have just one AD.
We had two ADs, which means two providers. Since the same queries are issued to both ADs, the results get cached only for the first one.</p>
<p>My solution was to override GetAllRoles in ActiveDirectoryRoleProvider.</p>
<div class="highlighter-rouge"><pre class="highlight"><code>public override string[] GetAllRoles()
{
// For example (sAMAccountName=externals)(sAMAccountName=others)
var groupsToGet = string.Join("", (ConfigurationManager.AppSettings["AD.GroupsToGet"] ?? string.Empty)
.Split(new [] { "," }, StringSplitOptions.RemoveEmptyEntries)
.Select(g => string.Format("({0}={1})", roleNameAttribute, g)));
// AdsiDataFactory (DirectoryDataFactory) caches by query key.
// The extraCacheKey={1} part is needed to add provider name as part of the query to support multiple providers.
var query = string.Format("(&(objectClass=group)(|{0}(extraCacheKey={1})))", groupsToGet, Name);
// The rest is copied from the base class
}
</code></pre>
</div>
<p>Where <em>groupsToGet</em> is a list of AD group names to be loaded. We’re generating a custom LDAP query that filters by group names, and also appends the
provider name to the LDAP query so that it gets cached <strong>per provider</strong>.
This appended part doesn’t match to anything (it’s always false), but since it’s an OR operation, the comparison is effectively ignored.</p>
<h2 id="group-names-with-special-characters">Group names with special characters</h2>
<p>The last problem I encountered was about commas in AD group names, for example a group called “Cats, dogs and sheep” would not be identified.</p>
<p>I pinpointed the problem to how the names are encoded. In ActiveDirectoryRoleProvider there’s this code:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>private void GetRolesForUserRecursive(DirectoryData entry, List<string> roles, HashSet<string> visitedDirectoryEntry)
{
string[] propertyValue1;
if (!entry.TryGetValue("memberOf", out propertyValue1))
return;
foreach (string distinguishedName in propertyValue1)
{
DirectoryData entry1 = this.DirectoryDataFactory.GetEntry(distinguishedName);
/* removed unnecessary code */
}
}
</code></pre>
</div>
<p>The problem is that <em>DirectoryDataFactory.GetEntry</em> encodes the distinguishedName parameter, but the distinguished name (DN)
returned by <em>entry.TryGetValue</em> is already encoded, so it gets encoded twice! This means the DN of the “Cats, Dogs and Sheep” group becomes
<em>CN=Cats\\, dogs and sheep,CN=Users,DC=dev,DC=ad</em> (notice the double backslash before the comma).</p>
<p>You need to override this method as well and somehow make it not double encode the DNs.</p>
<h2 id="alternatives">Alternatives</h2>
<p>Others told me they have implemented the integration using Active Directory Federation Services (ADFS) with better luck, so I’d look into that if possible.
In our case the customer wasn’t ready for ADFS quite yet, so we had to do the integration with LDAP.
It’s also possible to integrate with the AD using <a href="/link/55fe410f4f65482cab72fb59d47c7561.aspx?documentId=cms/8/C3725E6D">WindowsMembershipProvider</a>,
if your webserver is a member of the AD, which wasn’t true in our case. I heard this is even more simple, but I have no first hand experience.</p>
2016-01-08T01:00:00.0000000ZBlog post