| Product version: | EPiServer CMS 5 R2 SP1 |
|---|---|
| Document version: | 1.0 |
| Document last saved: | |
This technical note describes how to use the Authorization Manager (frequently referred to as AzMan) together with EPiServer CMS.
This tech note uses the Active Directory authorization store type as an example, but if you only want plain Active Directory authentication and roles, we recommend using the ActiveDirectory Membership and Role providers instead. Authorization Manager is the preferred option only if you have complex business rules for your authorization handling, since it has a much higher overhead, both in terms of configuration and performance.
From a .NET viewpoint you will simply use the AuthorizationStoreRoleProvider which is fairly easy to set up. The complex part is AzMan itself and the underlying infrastructure. You should carefully evaluate your authorization needs and only use AzMan if you need the advanced features and administration support that AzMan provides.
Note: One feature of AzMan is the possibility to dynamically evaluate role memberships based on scripts. This feature can be implemented in EPiServer CMS by using virtual roles. See the separate tech note on this subject.
There is plenty of information concerning AzMan and using the XML file authorization store, so we will not cover that configuration, but instead focus on using ActiveDirectory as the authorization store.
For more information on AzMan, see
» http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/athmanwp.mspx - General information.
» http://msdn2.microsoft.com/en-us/library/Aa480244.aspx - Comprehensive white paper for developers.
» http://blogs.msdn.com/azman/ - AzMan blogs.
If running on Windows XP, install the Windows Server 2003 Administration Pack, which contains AzMan, from
Note: If your Active Directory domain is running in Windows 2000 mixed mode you will receive the following message.
To proceed you need to go to Windows 2003 functionality level.
In order to make AzMan do anything useful you need to define one or more roles and then assign the roles.
You need to define the groups / users that have access to AzMan in order for external systems such as EPiServer to be able to connect to AzMan and use its authorization features. This is configured by right-clicking the EPiServer authorization store and selecting Properties.
Select the Security tab and select the Reader user role from the drop down:
If you are running on Windows Server 2003, add the IIS_WPG group to the Readers role; if running under Windows XP, add the ASPNET account to the Readers role instead.
There are many capabilities in AzMan that we have not discussed, such as defining roles from sub-roles and tasks, determining role membership by LDAP queries, determining role membership with scripts, etc. These are AzMan-specific features and do not affect the EPiServer connection.
First you need to configure EPiServer to use a suitable membership provider. With the ActiveDirectory scenario that we are discussing, the ActiveDirectoryMembershipProvider should be used.
To configure it, add the following to the <membership><providers> section of web.config:
<add name="ActiveDirectoryMembershipProvider"
type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="ActiveDirectoryMembershipProviderConnection"
connectionUsername="Some AD account with read access to AD"
connectionPassword="Password for AD account"
enableSearchMethods="true" />
Modify the connectionUsername and connectionPassword and insert values for a user account with appropriate privileges (read access to the directory is sufficient; do not use an account with more rights than the provider needs). See the documentation for the class ActiveDirectoryMembershipProvider for details on security issues.
You should also add a connection string to the <connectionStrings> section that defines how the membership provider will connect to Active Directory. An example:
<add name="ActiveDirectoryMembershipProviderConnection"
connectionString="LDAP://domain.mycompany.local" />
Once again, see the documentation for the class ActiveDirectoryMembershipProvider for details on the connection string and configuration parameters.
Now we are ready to add the AuthorizationStoreRoleProvider which is the actual connection to AzMan. Add the following to the <roleManager><providers> section:
<add name="AuthorizationStoreRoleProvider"
type="System.Web.Security.AuthorizationStoreRoleProvider, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
connectionStringName="AuthorizationServices"
applicationName="EPiServer Application"
cacheRefreshInterval="1"
scopeName="" />
Note: The applicationName should match the name entered when creating the application in AzMan (see above).
You should also add a connection string to the <connectionStrings> section. An example:
<add name="AuthorizationServices"
connectionString="msldap://servername/CN=EPiServer,CN=Program Data,
DC=domain,DC=mycompany,DC=local" />
See the developer documentation for the AuthorizationStoreRoleProvider class for details on the connection string and provider parameters.
You should now be ready to test your application in an ActiveDirectory environment.