Well, the syntax highlighter does not seem to work.
Scenario 1 config
----------------------------------------------
<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="false">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider"
         type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="ExternalActiveDirectoryRoleProvider"
         provider2="InternalActiveDirectoryRoleProvider"
         providerMap1="ExternalActiveDirectoryMembershipProvider"
         providerMap2="InternalActiveDirectoryMembershipProvider" />
    <add name="ExternalActiveDirectoryRoleProvider"
         type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
         connectionStringName="ExternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName" />
    <add name="InternalActiveDirectoryRoleProvider"
         type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
         connectionStringName="InternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName" />
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider"
         type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="ExternalActiveDirectoryMembershipProvider"
         provider2="InternalActiveDirectoryMembershipProvider" />
    <add name="ExternalActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ExternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName"
         enableSearchMethods="true" />
    <add name="InternalActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="InternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName"
         enableSearchMethods="true" />
  </providers>
</membership>
----------------------------------------------
Scenario 2 config
----------------------------------------------
<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="false">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider"
         type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
         provider1="ExternalActiveDirectoryRoleProvider"
         provider2="WindowsRoleProvider"
         providerMap1="ExternalActiveDirectoryMembershipProvider"
         providerMap2="WindowsMembershipProvider" />
    <add name="ExternalActiveDirectoryRoleProvider"
         type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
         connectionStringName="ExternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName" />
    <add name="WindowsRoleProvider"
         applicationName="EPiServerSample"
         type="EPiServer.Security.WindowsRoleProvider, EPiServer"/>
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider"
         type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
         provider1="ExternalActiveDirectoryMembershipProvider"
         provider2="WindowsMembershipProvider" />
    <add name="ExternalActiveDirectoryMembershipProvider"
         type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="ExternalADConnectionString"
         connectionUsername="user"
         connectionPassword="pass"
         attributeMapUsername="sAMAccountName"
         enableSearchMethods="true" />
    <add name="WindowsMembershipProvider"
         type="EPiServer.Security.WindowsMembershipProvider, EPiServer"
         deletePrefix="BUILTIN\, DOMAINNAME\"
         searchByEmail="true"/>
  </providers>
</membership>
----------------------------------------------
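Added example, not part of the original posts and not EPiServer code: a small audit of the wiring both configs above depend on. It checks that every providerN and providerMapN on a multiplexing provider names an `<add>` entry that exists, and flags any connectionPassword stored literally in the file. Reading providerMapN as the membership provider paired with role provider N is an assumption taken from the configs; the short provider names in the sample are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like Scenario 1; names are hypothetical, providerMap2 is misspelled on purpose.
SAMPLE = """<system.web>
 <roleManager enabled="true" defaultProvider="MuxRoles">
  <providers>
   <add name="MuxRoles" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer"
        provider1="ExtRoles" provider2="IntRoles" providerMap1="ExtUsers" providerMap2="IntUserz" />
   <add name="ExtRoles" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer"
        connectionUsername="user" connectionPassword="pass" />
   <add name="IntRoles" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer" />
  </providers>
 </roleManager>
 <membership defaultProvider="MuxUsers">
  <providers>
   <add name="MuxUsers" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer"
        provider1="ExtUsers" provider2="IntUsers" />
   <add name="ExtUsers" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web" />
   <add name="IntUsers" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web" />
  </providers>
 </membership>
</system.web>"""

def providers(root, section):
    """Map provider name -> attributes for <roleManager> or <membership>."""
    return {a.get("name"): a.attrib for a in root.findall(f".//{section}/providers/add")}

def audit(xml_text):
    """Return (section, provider, problem) tuples. Assumed semantics: providerMapN must
    name a membership provider, providerN a provider defined in the same section."""
    root = ET.fromstring(xml_text)
    members = providers(root, "membership")
    findings = []
    for section in ("roleManager", "membership"):
        defined = providers(root, section)
        for name, attrs in defined.items():
            if "connectionPassword" in attrs:
                findings.append((section, name, "literal connectionPassword in config"))
            if "Multiplexing" not in attrs.get("type", ""):
                continue
            for key, target in attrs.items():
                if key.startswith("providerMap") and target not in members:
                    findings.append((section, name, f"{key} -> undefined '{target}'"))
                elif key[:8] == "provider" and key[8:].isdigit() and target not in defined:
                    findings.append((section, name, f"{key} -> undefined '{target}'"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```

Wrap the `<roleManager>` and `<membership>` fragments in a single root element (in web.config they sit under `<system.web>`) before passing them to `audit`.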
Check my blog post about using more than one
http://world.episerver.com/Blogs/Anders-Hattestad/Dates/2010/12/Multiplexing-providers/
Hi Anders
I have had a look at your blog. Thanks, that is great. Have you used this to tap into the right-hand access rights menu? What we are trying to do is the following
Is this something you have experience doing? Or do you know if it can be done? It would be nice for our marketing editors to just be able to secure a page in this way.
Thanks in advance
Hi!
I'm currently working with a project where the client wants an external site with login (but without Epi Admin & Edit) and an internal site for content administration. The internal site will authenticate against an internal ActiveDirectory. The external site will be in the DMZ with its own ActiveDirectory. The client accepts the risk of authenticating external users against an AD, since this external AD is only used for a few applications in the DMZ. The external and internal sites should share the content db, and we would like to avoid mirroring. We will use EPiServer CMS 5 R2 SP2 on Windows Server 2008 x64, IIS7.
So my idea was to use the Multiplexing Role and Membership providers, with dual ActiveDirectoryXXXProviders. Alternatively, use WindowsXXXProviders for the internal site and ActiveDirectoryXXXProviders for the external site. Both AD connection strings point to an OU, to only work with a subset of groups and users. I have *almost* got this to work, but the AD groups are causing me some trouble. I'm hoping someone could help me with this.
Scenario 1 - dual AD providers
config
-------------------------------------------------
-------------------------------------------------
Problem:
Only groups from the external AD are included, none of the groups from the internal AD. If the order in web.config is switched (internal AD put first) it is the other way around. So, only groups from the first AD provider are usable. I'm not sure if this is a bug in MultiplexingRoleProvider, or something else. If you instead use one WindowsRoleProvider and one ADRoleProvider, groups from both *are* included. See scenario 2.
Scenario 2 - Windows Provider and AD Provider
Here I tried using Windows provider for the internal site and AD provider for the external site.
config
-------------------------------------------------
-------------------------------------------------
Problem:
In this scenario, all users who have attempted a login on the website are included, as well as all groups that those users belong to. This will include many groups that we don't want to include. Is there a way to filter or restrict which groups get added?
I have found this provider: EPiServer.Common.Web.Authorization.IntegrationMembershipProvider
However, that assembly belongs to EPiServer Community. Is it possible to use this provider with EPiServer CMS? Or is there another way of restricting Windows groups? Perhaps we could create our own provider, inheriting from WindowsRoleProvider, and overriding one or more methods?
Also, I'm wondering if there are any downsides or limitations of using Windows providers instead of AD providers.