Content Approval - Specifying user from AD

Vote:
 

In a solution using ActiveDirectoryMembershipProvider, I'm not able to find any users when setting one or several reviewers when setting up a new Contant Approval Sequence.

Groups is found and can be set but not specific users.

Is this a bug?

The docs specifies: Before CMS UI 10.10, a reviewer in an approval definition is the name of a user. In release 10.10, we have introduced a role reviewer, where a reviewer can be either the name of a user or a role.

I am using CMS 11.10.6 and CMS.UI.11.14.0

Please advise.

#263998
Sep 28, 2021 9:20
Vote:
 

Do you have the package EPiServer.CMS.UI.AspNetIdentity installed in your solution? If so can you remove it and try again.

#263999
Sep 28, 2021 9:42
Jonas Boman - Sep 28, 2021 9:45
No that package is not installed.
Would installning it break anything in the current setup, you think?
Scott Reed - Sep 28, 2021 10:26
It shouldn't be installed if you're not using it but if you did have it installed that could explain why. I wrote about something similar

https://world.optimizely.com/blogs/scott-reed/dates/2018/11/working-around-iqueryablenotificationusers-when-using-external-claims-based-cms-users/

And in the comments someone said that support had told them to make sure the package was removed. But essentially as was as I'm aware you want to make sure that whatever implementation IQueryableNotificationUsers is using is correct for Active Directory. I was hoping if you had this package installed that the fallback after removing it would default to the correct one.

I believe the default is to use DefaultSynchronizedUsersRepository but I'm not sure if the Active Directory membership provider syncs users in the DB like the others, I would probably assume not.
Jonas Boman - Sep 29, 2021 13:44
Thanks for your input. I have ensured that package is not installed.
Scott Reed - Sep 29, 2021 14:33
Have you checked in the code what IQueryableNotificationUsers implementation it's using? You could inject it and see what the method returns as this is used in the areas for user search. If there's not an implementation of this for ADMP it's only one method so you should be able to create one easily.
Jonas Boman - Sep 29, 2021 15:19
I cannot find any implementation of IQueryableNotificationUsers in the solution.
And not able to test it against the working AD since its behind a firewall.

One other thing I notice was what i Cms/Admin Search Users only users within SqlServerMembershipProvider is listed, but no from SqlServerMembershipProvider.
Ergo same results as in Content Approval. Groups are, however listed. I guess that is expected.

In app-settings I have a query for Roles.


Is there a equilent setting for users?
Scott Reed - Sep 29, 2021 16:20
Yes as mentioned any user search will use the IQueryableNotificationUsers interface, that's usually both the admin area and the content approvals in my experience. I wouldn't have expected IQueryableNotificationUsers you to have an instance of it in your solution it will be using an implementation in the Optimizely DLLs which as mentioned I think will be DefaultSynchronizedUsersRepository.

The DefaultSynchronizedUsersRepository syncs users from the claims information (email, name and surname) when a user logs in, so that user will also only be available in the search once that user has logged in via the authentication system. The IQueryableNotificationUsers.FindAsync looks in the claims database. I don't think off the top of my head using the ActiveDirectoryMembershipProvider will expose as claims but I could be wrong, although as mentioned only users who have logged in normally will come through so make sure when checking you're aware of that and to only check for users who have logged in.

Usually what happens for example when you install the asp.net identity package is there's a version of the IQueryableNotificationUsers that overrides the default one and supports querying for users based on the underlying provider. This is why I had asked you to check if you had the package installed. As your using the Microsoft ActiveDirectoryMembershipProvider if the claims way of loading isn't going to work for this provider you'll need one that supports it. I did search in the nuget package library but couldn't find anything.

So at worst you'll have to create a class that implements IQueryableNotificationUsers.FindAsync against the ActiveDirectoryMembershipProvider search methods
Scott Reed - Sep 29, 2021 16:21
Also not sure what "In app-settings I have a query for Roles." is. What app setting is this?
Jonas Boman - Oct 13, 2021 7:43
Sorry, I wrote it in previous post, but it was omitted

The key is "ActiveDirectoryRoleProvider.GetAllRolesQuery" and its value is search filter, I guess.

In my debugging, I have come across that its throwing the error "An invalid dn syntax has been specified", so there is a comma character in a group's distingguishedName and in the flow, that comma is being escaped twice.

Now I have ActiveDirectoryRoleProvider extracted and implemented some own methods.

hoping soon this is resolved. Thanks for your answers
Vote:
 

Any other takers? :)

#264106
Sep 29, 2021 13:43
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.