Active Directory: Problems with Enterprise Edition

Hi. We are experiencing some problems getting this to work. The site is set up with Forms authentication, and we want the editors and webadmins to log in with their AD accounts. So we have set up the following settings in web.config:

We have also created two groups in AD to represent the "gateway" into /edit and /admin, imported these into EPiServer, put them in the location section in web.config, and also given them sufficient rights inside EPiServer. The AD users are now able to log in, but they do not get access to admin or edit. They don't even get the DOPE menu on the pages.

All the users have been cached into EPiServer, and they have all been categorized as Windows NT Accounts. Is this correct? The web server is joined to the domain being used, and I have a feeling that the Windows user has been cached into EPiServer instead of the AD user, if that makes sense... Anyway, hope someone can help us.

Frank :)
Nov 02, 2005 21:38
This reply is very late, but I have just recently come across this problem myself. I hope my answer might still help others with a similar problem.

For AD (Active Directory) authentication to work with groups in the AD, it is important that the AD "Domain Functional Level" is set to "Windows 2000 native" or "2003 mode" (and not the NT4-compatible "mixed mode"). If the AD is left in mixed mode, then logins will work, but the groups the user belongs to cannot be properly read by EPiServer. Only machine-local groups like Administrators and Users will work, but AD groups will fail.

You can upgrade the mode (it cannot be reversed, though, so make sure you do not have any old NT4 servers or other units that require mixed mode) in the "Active Directory Users and Computers" tool by right-clicking the tree name and selecting "Raise Domain Functional Level" in Win2003, or something similar (a button called "Change Domain Mode" instead of a menu option) if you use W2k Server.

All group types work fine, i.e., domain local, global and universal groups are all interpreted by the AD. Any group you wish to use must be specified by name in the group administration dialogue inside EPiServer. How to do this is described in the technote "Security in EPiServer.pdf". In short, you just add a group with a name in the format "DOMAIN\Groupname".

The change in the AD can take a very long time to activate in EPiServer because login information is being cached by the EPiServer system. To ensure a quick response, log out, log in again and then run "iisreset" on the web server. There should be a better, less interruptive way to do this, but I have not found out how yet. Without this procedure you might have to wait for 30 minutes for the AD information to be updated.

You do not have to, and in fact you should not, specify any LDAP parameters at all! Just leave all of these blank, since they are only needed for LDAP authentication, not for pure AD authentication.

Hope this helps!

Best regards,
Mats B.
Jan 05, 2007 18:53
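An added diagnostic script (not from this thread, EPiServer, or Microsoft) that checks the three points Mats raises before touching EPiServer: the domain functional level, the "DOMAIN\Groupname" form and existence of the gateway groups, and whether a given user is actually a member of one of them. It assumes the RSAT ActiveDirectory PowerShell module is installed on the machine it runs on and that the running account can read the domain; the group and user names are constructed placeholders.

```powershell
# Added example, not code from the thread or from EPiServer.
# Assumes: RSAT ActiveDirectory module is available and the caller can read AD.
Import-Module ActiveDirectory

# Constructed placeholders for the two "gateway" groups and a test editor account.
$gatewayGroups = @('EXAMPLE\EPiServerEditors', 'EXAMPLE\EPiServerAdmins')
$testUser      = 'EXAMPLE\frank'

# 1. Domain functional level: in NT4-compatible mixed mode logins succeed but
#    AD group membership cannot be read, which matches the symptom in the thread.
$domain = Get-ADDomain
Write-Host ("Domain {0} functional level: {1}" -f $domain.NetBIOSName, $domain.DomainMode)
if ("$($domain.DomainMode)" -eq 'Windows2000MixedDomain') {
    Write-Warning 'Domain is in mixed mode: AD groups will not resolve for EPiServer.'
}

# 2. Every gateway group must be named DOMAIN\Groupname and must exist in AD.
foreach ($g in $gatewayGroups) {
    if ($g -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Warning "'$g' is not in DOMAIN\Groupname form"
        continue
    }
    $sam = $g.Split('\')[1]
    $adGroup = Get-ADGroup -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if ($null -eq $adGroup) {
        Write-Warning "Group '$g' was not found in AD"
    } else {
        # Domain local, global and universal scopes are all acceptable per the thread.
        Write-Host ("Group '{0}' found (scope: {1})" -f $g, $adGroup.GroupScope)
    }
}

# 3. Membership check: if this list is empty the user can log in but will still
#    be locked out of /edit and /admin, regardless of EPiServer rights.
$userSam  = $testUser.Split('\')[1]
$memberOf = Get-ADPrincipalGroupMembership -Identity $userSam |
            Select-Object -ExpandProperty SamAccountName
$matched  = $gatewayGroups | Where-Object { $memberOf -contains $_.Split('\')[1] }
if ($matched) {
    Write-Host ("{0} is a member of: {1}" -f $testUser, ($matched -join ', '))
} else {
    Write-Warning "$testUser is not a member of any gateway group"
}
```

Remember that EPiServer caches the login information, so after fixing anything the script reports you still need the log out / log in / iisreset cycle described above before the change becomes visible.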
Hi. Thanks, Mats. We do not have this problem any longer, but this is good information. Keep up the good work! Frank :)
Jan 07, 2007 19:54