Login with Active Directory account


Hello,

We're running a CMS7/Community site. We are using a combination of the SQL/Windows and Common Membership Providers. We need to allow Active Directory users to log in too. Our configuration is as follows (NOTE: I have commented out the AD provider for the meanwhile):

<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider"  />
        <!--<add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="ActiveDirectoryRoleProvider" provider3="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" providerMap3="WindowsMembershipProvider"  />-->
        <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="EPiServerCommonRoleProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryRoleProvider" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="MYDOMAIN\LDAPUser" connectionPassword="Password1!" connectionProtection="None" attributeMapUsername="sAMAccountName" />
      </providers>
    </roleManager>
    <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
        <!--<add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="ActiveDirectoryMembershipProvider" provider3="WindowsMembershipProvider" />-->
        <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
        <add name="EPiServerCommonMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="MYDOMAIN\LDAPUser" connectionPassword="Password1!" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

Then we have configured access to Edit and View Mode with the config:

<location path="EPiServer">
    <system.web>
      <httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
      <pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
        <controls>
          <add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
          <add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer" />
          <add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
        </controls>
      </pages>
      <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
      <authorization>
        <allow roles="WebEditors, WebAdmins, Administrators, CommunityAdmins, CommunityModerators, MailAdmins, MailEditors, DOMAIN\AD_EPiServer_Editors, DOMAIN\AD_EPiServer_Admins, AD_EPiServer_Editors, AD_EPiServer_Admins" />
        <deny users="*" />
      </authorization>
    </system.web>
</location>
    
And

<location path="EPiServer/CMS/admin">
<system.web>
<authorization>
<allow roles="WebAdmins, Administrators, DOMAIN\AD_EPiServer_Admins, AD_EPiServer_Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>

We are experiencing the following issues:

  1. If we enable the Active Directory provider, we can see the AD accounts from within Admin>Search Users/Groups; however, a user cannot log in using either their Username or DOMAIN\Username. There is no login failed message, but EPiServer just redirects back to the login page.
  2. If we disable the Active Directory provider, once a user attempts to log in with a Domain account (the server we are running on is a member of the domain), the same happens. We can see their account has been created in EPiServer, specifically within the tblWindowsUsers table, but they cannot log in. There is no error message, but they are just redirected back to the login page.

I should note that local Windows accounts that are members of the Administrators account can log in without any problems.

Am I missing something here?

Thanks in advance

Al

 

#75757
Oct 04, 2013 19:12

Hi,


Have you tried to log in without the domain name specified? Instead of DOMAIN\Username, just try Username.

#75759
Oct 04, 2013 19:59

There has always been a problem with understanding AD and how to sync users. I was in a project, CMS6 and Community, with a team from Circuit. They synced all users with a scheduled job and then we used ordinary community members to do the rest. This worked perfectly and as far as I know the customer does not have any problems. The idea was that working against an AD is not very fun, so instead we can program and use all users as community members.

I think they have that scheduled job or something in the old medstor package. http://world.episerver.com/Articles/Items/Relate-Intranet-Demo-Site/

#75760
Oct 05, 2013 10:26

Hi Johan,

I have tried logging in both with and without the DOMAIN prefix. If I use the DOMAIN prefix I receive the "Invalid password" error message. If I don't use the DOMAIN prefix we receive no error message whatsoever; it just doesn't log the user in.

I may have to raise it with EPiServer support as it seems to be working very unexpectedly, and quite unlike anything I've seen before.

Thanks

Al

#75761
Oct 05, 2013 14:57

Hi Eric,

Thanks for your response.

I'm not sure this is quite the same approach, however; we're not currently synchronising between AD and EPi, we are exposing AD as a method of logging in and accessing EPiServer.

As I understand it:

  • The Windows membership provider can expose/validate against AD accounts, if the server that EPiServer is running on is a member of the local domain.
  • If the Server that EPiServer is running on is not a member of the local domain, or of course you need to authenticate against a different domain the AD/LDAP Membership Provider can be used (there are possibly other reasons for using the AD provider over the Windows provider too).

However, currently the only types of Windows accounts that we can get to work are Local Admin accounts, which makes no sense whatsoever.

Any thoughts anyone?

Thanks

Al

#75762
Oct 05, 2013 15:06

Hi all,

 

I've only just noticed that some of my configuration got stripped out when I posted the question. Membership/Role providers are configured as follows:

    <roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
      <providers>
        <clear />
        <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider"  />
        <!--<add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="ActiveDirectoryRoleProvider" provider3="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" providerMap3="WindowsMembershipProvider"  />-->
        <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
        <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
        <add name="EPiServerCommonRoleProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryRoleProvider" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" connectionProtection="None" attributeMapUsername="sAMAccountName" />
      </providers>
    </roleManager>
    <membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
      <providers>
        <clear />
        <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
        <!--<add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="ActiveDirectoryMembershipProvider" provider3="WindowsMembershipProvider" />-->
        <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
        <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
        <add name="EPiServerCommonMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization" />
        <add name="ActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

And access to Edit mode is granted via:

<location path="EPiServer">
<system.web>
<httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
<pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
<controls>
<add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer" />
<add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
</controls>
</pages>
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
<authorization>
<allow roles="WebEditors, WebAdmins, Administrators, CommunityAdmins, CommunityModerators, MailAdmins, MailEditors, DOTCENTRIC\AD_EPiServer_Editors, DOTCENTRIC\AD_EPiServer_Admins, AD_EPiServer_Editors, AD_EPiServer_Admins" />
<deny users="*" />
</authorization>
</system.web>
</location>

Apologies!!!

Al

#75763
Edited, Oct 05, 2013 15:27

Hi, I'm using AD and the difference to your setup is that we don't have the domain name preceding the role. So instead of DOTCENTRIC\AD_EPiServer_Editors just have AD_EPiServer_Editors as the role (like you have it doubled).

I don't understand why, when you start talking about AD authentication, you don't have your AD role and membership providers in the multiplexing definition but instead the Windows providers.

Also I think the documentation says that the user has to be logged on to the server at least once so that Windows authentication would work.

Is your LDAP connection string correctly set up? Meaning, are you querying the correct container? (It will find things that are below but not higher, so this could be one mistake in the LDAP connection string.)

#75823
Oct 07, 2013 21:41

Out on a limb here, but it seems in CMS 7 the membership hashAlgorithmType is set specifically to HMACSHA512 by default:

<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">

Whereas in earlier CMS versions the "hashAlgorithmType" attribute was not set, meaning it defaulted to SHA1. A colleague of mine had trouble authenticating with another membership provider because the passwords there were hashed with SHA1. It worked when he removed the hashAlgorithmType attribute. Could this be your issue too?

#75997
Oct 15, 2013 10:49
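The hash mismatch described in the post above, as an added example that is not part of this thread and not EPiServer's or Microsoft's code. It models how SqlMembershipProvider stores a passwordFormat="Hashed" password: the password as UTF-16LE bytes, a base64 salt, and either a plain hash over salt+password (SHA1) or a keyed HMAC whose key is built from the salt. The HMAC key lengths, the rule for stretching the 16-byte salt into the key, the function names and the account/password values are all assumptions and constructed sample data, so do not rely on it for byte-exact compatibility with a given .NET version; what it shows is that a row hashed under SHA1 silently fails to validate once hashAlgorithmType is HMACSHA512 (ValidateUser returns false with no reason), and it gives a defender's check for which algorithm a stored hash actually uses, given one account whose password you know.

```python
import base64
import hashlib
import hmac
import os

# Key size .NET gives a keyed hash created without an explicit key.
# Assumption: the hash's block size (128 bytes for SHA-512, 64 for SHA-1/256).
HMAC_KEY_LENGTHS = {"HMACSHA512": 128, "HMACSHA384": 128,
                    "HMACSHA256": 64, "HMACSHA1": 64}


def keyed_hash_key(salt: bytes, key_len: int) -> bytes:
    """Turn the membership salt into an HMAC key. Assumption, modelled on the
    provider's EncodePassword: a longer salt is truncated, a shorter one is
    repeated until the key length is filled."""
    if len(salt) >= key_len:
        return salt[:key_len]
    repeats = -(-key_len // len(salt))          # ceiling division
    return (salt * repeats)[:key_len]


def encode_password(password: str, salt_b64: str, hash_algorithm_type: str) -> str:
    """Return the base64 value that would be stored for passwordFormat="Hashed"
    under the given hashAlgorithmType (e.g. "SHA1" or "HMACSHA512")."""
    pw_bytes = password.encode("utf-16-le")     # .NET Encoding.Unicode
    salt = base64.b64decode(salt_b64)
    name = hash_algorithm_type.upper()
    if name.startswith("HMAC"):
        key = keyed_hash_key(salt, HMAC_KEY_LENGTHS[name])
        digest = hmac.new(key, pw_bytes, name[4:].lower()).digest()   # "sha512"
    else:
        digest = hashlib.new(name.lower(), salt + pw_bytes).digest()  # salt first
    return base64.b64encode(digest).decode("ascii")


def validate_user(stored_hash_b64: str, salt_b64: str, password: str,
                  configured_algorithm: str) -> bool:
    """What ValidateUser effectively does: re-hash the supplied password with
    the *configured* algorithm and compare. Only True/False comes back, never
    why, which is exactly the silent redirect-to-login symptom."""
    candidate = encode_password(password, salt_b64, configured_algorithm)
    return hmac.compare_digest(candidate, stored_hash_b64)


def detect_algorithm(stored_hash_b64: str, salt_b64: str, known_password: str,
                     candidates=("SHA1", "SHA256", "SHA512",
                                 "HMACSHA1", "HMACSHA256", "HMACSHA512")):
    """Diagnostic: given one account whose password is known (a test account),
    report which hashAlgorithmType reproduces the stored value, or None."""
    for algo in candidates:
        if validate_user(stored_hash_b64, salt_b64, known_password, algo):
            return algo
    return None


def new_salt_b64() -> str:
    """16 random bytes, base64, like the provider's PasswordSalt column."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


if __name__ == "__main__":
    # Constructed sample data: an account created under a legacy SHA1 config.
    salt = new_salt_b64()
    stored = encode_password("Sample-Pass-1", salt, "SHA1")
    print("validate with SHA1      :", validate_user(stored, salt, "Sample-Pass-1", "SHA1"))
    print("validate with HMACSHA512:", validate_user(stored, salt, "Sample-Pass-1", "HMACSHA512"))
    print("stored hash was made with:", detect_algorithm(stored, salt, "Sample-Pass-1"))
```

Run against a copy of one membership row (Password and PasswordSalt columns) for an account whose password you control; if detect_algorithm reports SHA1 while web.config says HMACSHA512, the two configurations disagree and every login for that provider will fail without an error message.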