The usual way to accomplish what you want is to have a separate Edit/Admin-site parallell to the web site (two EPiServer installation pointing to the same database). The edit/admin-site can then have another authentication mode than the public website (some also use another port number to make it a little more difficult for hackers). Regards Johan Olofsson

I've created an EPiServer site with two different types of authentication + EPiServer authentication, without using more than one site. An ASP.NET site can only have one authentication and one loginURL. An unauthenticated user (trying to access a protected page) will always be redirected to the page specified in loginURL (for example MainLogin.aspx). In MainLogin.aspx you have to find out if the user wants log in to edit/admin, or is trying to access a page on your site. If trying to access a page on your site, redirect to your custom login page. Since I had two different types of authentication, I also had to find out what section of the site the user was trying to access, and redirect the user to one of the two custom login pages.

Cool. But could you mix Windows with Forms authentication within the same site? /johan

I didn't try that but I dont see that it should be a problem. I created two custom EPiServer authentication providers and added these to the authentication provider chain (as specified in http://www.episerver.com/downloads/Documents/TechNotes/EPiServer%204.61/All%20Technical%20Notes/Configurable%20Authentication%20Provider%20Chain.pdf). I removed the windows authentication provider from the chain since we don't need it, but I guess that if it was still there it would be possible to log in with a "windows login". When creating this solution I also solved an issue with the EPiServer authentication provider chain solution: If two different kind of users (using different kinds of authentication) are having the same username, you will get a problem. For example, use a default installation of EPiServer (4.61 in my case) and add a user in the admin tool with the same username as a "windows user" on the same machine/domain. The user will function fine in EPiServer, but after a while the windows account gets locked because EPiServer also tries to authenticate the user in the active directory. I had to solve this so that a username just needed to be unique for that type of user. But the solution wasn't very pretty... :-)

But the problem was (as far as I've understood it), that Asp.Net wont let you specify a different "authentication mode" for separate locations within the site. Say for example that you want "/edit" and "/admin" authenticated with (so users can be authenticated through NTLM challenge/response and wont have to see a login page at all) and the rest of the site be using (for extranet users) If that's the scenario, I dont think there is a way but setting up two parallell sites towards the same database, one edit/admin-site with and the other with . Regards, Johan Olofsson

No, you're probably right. If you don't want to have a login form at all you can't use this approach.