Hi,
Have you tried to login without the domain name specified? Instead of DOMAIN\Username, just try Username.
There has always been a problem with understanding AD and how to sync users. I was in a project, CMS6 and Community, with a team from Circuit. They synced all users with a scheduled job and then we used ordinary community members to do the rest. This worked perfectly and as far as I know the customer does not have any problems. The idea was that working against an AD is not very fun, so instead we can program and use all users as community members.
I think they have that scheduled job or something in the old medstor package. http://world.episerver.com/Articles/Items/Relate-Intranet-Demo-Site/
Hi Johan,
I have tried logging in both with and without the DOMAIN prefix. If I use the DOMAIN prefix I receive the "Invalid password" error message. If I don't use the DOMAIN prefix we receive no error message whatsoever, it just doesn't log the user in.
I may have to raise it with EPiServer support as it seems to be working very unexpectedly, and quite unlike anything I've seen before.
Thanks
Al
Hi Eric,
Thanks for your response.
I'm not sure this is quite the same approach however; we're not currently synchronising between AD and EPi, we are exposing AD as a method of logging in and accessing EPiServer.
As I understand it:
However, currently the only types of Windows accounts that we can get to work are Local Admin accounts, which makes no sense whatsoever.
Any thoughts anyone?
Thanks
Al
Hi all,
I've only just noticed that some of my configuration got stripped out when I posted the question. Membership/Role providers are configured like so:
<roleManager enabled="true" defaultProvider="MultiplexingRoleProvider" cacheRolesInCookie="true">
  <providers>
    <clear />
    <add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="WindowsMembershipProvider" />
    <!--<add name="MultiplexingRoleProvider" type="EPiServer.Security.MultiplexingRoleProvider, EPiServer" provider1="SqlServerRoleProvider" provider2="ActiveDirectoryRoleProvider" provider3="WindowsRoleProvider" providerMap1="SqlServerMembershipProvider" providerMap2="ActiveDirectoryMembershipProvider" providerMap3="WindowsMembershipProvider" />-->
    <add name="WindowsRoleProvider" applicationName="EPiServerSample" type="EPiServer.Security.WindowsRoleProvider, EPiServer" />
    <add name="SqlServerRoleProvider" connectionStringName="EPiServerDB" applicationName="EPiServerSample" type="System.Web.Security.SqlRoleProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />
    <add name="EPiServerCommonRoleProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.RoleProvider, EPiServer.Common.Web.Authorization" />
    <add name="ActiveDirectoryRoleProvider" type="EPiServer.Security.ActiveDirectoryRoleProvider, EPiServer" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" connectionProtection="None" attributeMapUsername="sAMAccountName" />
  </providers>
</roleManager>
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
  <providers>
    <clear />
    <add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="WindowsMembershipProvider" />
    <!--<add name="MultiplexingMembershipProvider" type="EPiServer.Security.MultiplexingMembershipProvider, EPiServer" provider1="SqlServerMembershipProvider" provider2="ActiveDirectoryMembershipProvider" provider3="WindowsMembershipProvider" />-->
    <add name="WindowsMembershipProvider" type="EPiServer.Security.WindowsMembershipProvider, EPiServer" deletePrefix="BUILTIN\" searchByEmail="true" />
    <add name="SqlServerMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="EPiServerDB" requiresQuestionAndAnswer="false" applicationName="EPiServerSample" requiresUniqueEmail="true" passwordFormat="Hashed" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" />
    <add name="EPiServerCommonMembershipProvider" applicationName="EPiServerCommonApplication" type="EPiServer.Common.Web.Authorization.MembershipProvider, EPiServer.Common.Web.Authorization" />
    <add name="ActiveDirectoryMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="ActiveDirectoryProviderConnection" connectionUsername="DOMAIN\LDAPUser" connectionPassword="Password123" enableSearchMethods="true" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>
And access to Edit mode is granted via:
<location path="EPiServer">
  <system.web>
    <httpRuntime maxRequestLength="1000000" requestValidationMode="2.0" />
    <pages enableEventValidation="true" enableViewState="true" enableSessionState="true" enableViewStateMac="true">
      <controls>
        <add tagPrefix="EPiServerUI" namespace="EPiServer.UI.WebControls" assembly="EPiServer.UI" />
        <add tagPrefix="EPiServerScript" namespace="EPiServer.ClientScript.WebControls" assembly="EPiServer" />
        <add tagPrefix="EPiServerScript" namespace="EPiServer.UI.ClientScript.WebControls" assembly="EPiServer.UI" />
      </controls>
    </pages>
    <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
    <authorization>
      <allow roles="WebEditors, WebAdmins, Administrators, CommunityAdmins, CommunityModerators, MailAdmins, MailEditors, DOTCENTRIC\AD_EPiServer_Editors, DOTCENTRIC\AD_EPiServer_Admins, AD_EPiServer_Editors, AD_EPiServer_Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
Apologies!!!
Al
Hi, I'm using AD and the difference to your setup is that we don't have the domain name preceding the role. So instead of DOTCENTRIC\AD_EPiServer_Editors just have AD_EPiServer_Editors as the role (like you have it doubled).
I don't understand when you start talking about AD authentication but you are not having your AD role and membership providers in the multiplexing definition but instead the Windows providers.
Also I think the documentation says that the user has to be logged on to the server at least once so that Windows authentication would work.
Is your LDAP connection string correctly set up? Meaning you are querying the correct container? (It will find stuff that is below but not higher, so this could be one mistake in the LDAP connection string.)
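The reply above turns on which string the role provider hands back for an AD group: with or without the domain prefix. ASP.NET's URL authorization evaluates the `<allow>`/`<deny>` elements in document order and the first matching rule wins, so a role string that is not listed in exactly one of the spellings falls through to `<deny users="*" />`. The following is an added example, not code from this thread or from EPiServer: a small Python model of that first-match evaluation, run over a constructed copy of the thread's `<authorization>` block. The principals and their role strings are constructed; the case-insensitive role comparison models `IPrincipal.IsInRole`, and the "no rule matched" fallback models the default machine-level `<allow users="*" />`.

```python
"""Model of how ASP.NET evaluates a <location>/<authorization> block (added example)."""
import xml.etree.ElementTree as ET

# Constructed copy of the edit-mode rules from the thread, reduced to a few roles.
AUTHZ_XML = r"""
<authorization>
  <allow roles="WebEditors, WebAdmins, Administrators, DOTCENTRIC\AD_EPiServer_Editors, DOTCENTRIC\AD_EPiServer_Admins, AD_EPiServer_Editors, AD_EPiServer_Admins" />
  <deny users="*" />
</authorization>
"""


def _split(value):
    """Split a comma-separated attribute value into trimmed, non-empty tokens."""
    return [tok.strip() for tok in value.split(",") if tok.strip()]


def parse_rules(xml_text):
    """Return the rules in document order as (verdict, users, roles) tuples."""
    root = ET.fromstring(xml_text)
    rules = []
    for element in root:
        if element.tag in ("allow", "deny"):
            rules.append((element.tag,
                          _split(element.get("users", "")),
                          _split(element.get("roles", ""))))
    return rules


def matches(rule, user, user_roles, authenticated):
    """A rule matches when any of its user or role tokens applies to the principal.

    '*' is every user and '?' is the anonymous user. Role membership is compared
    case-insensitively, which is how IPrincipal.IsInRole behaves for Windows and
    role-provider principals (assumption stated in the lead-in).
    """
    _, users, roles = rule
    lowered = {r.lower() for r in user_roles}
    for token in users:
        if token == "*":
            return True
        if token == "?" and not authenticated:
            return True
        if token.lower() == user.lower():
            return True
    return any(r.lower() in lowered for r in roles)


def is_allowed(rules, user, user_roles, authenticated=True):
    """First matching rule wins. With no match ASP.NET falls back to the inherited
    rules, which in the default machine configuration allow everyone."""
    for rule in rules:
        if matches(rule, user, user_roles, authenticated):
            return rule[0] == "allow"
    return True


def demo():
    """Constructed principals: the same AD group under two different role spellings,
    a member of an unlisted group, and an anonymous request."""
    rules = parse_rules(AUTHZ_XML)
    return {
        "prefixed": is_allowed(rules, r"DOTCENTRIC\alice",
                               [r"DOTCENTRIC\AD_EPiServer_Editors", r"DOTCENTRIC\Domain Users"]),
        "bare": is_allowed(rules, "alice", ["ad_episerver_editors"]),
        "other_group": is_allowed(rules, r"DOTCENTRIC\bob", [r"DOTCENTRIC\Domain Users"]),
        "anonymous": is_allowed(rules, "", [], authenticated=False),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

The practical check this suggests: log or inspect the exact role strings the configured role provider returns for a test user (`Roles.GetRolesForUser` in an ASP.NET page, for instance) and compare them character for character with the `<allow roles="...">` list, rather than guessing whether the domain prefix is present.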
Out on a limb here, but it seems in CMS 7 the membership hashAlgorithmType is set specifically to HMACSHA512 by default:
<membership defaultProvider="MultiplexingMembershipProvider" userIsOnlineTimeWindow="10" hashAlgorithmType="HMACSHA512">
Whereas in earlier CMS versions the "hashAlgorithmType" attribute was not set, meaning it defaulted to SHA1. A colleague of mine had trouble authenticating with another membership provider because the passwords there were hashed with SHA1. It worked when he removed the hashAlgorithmType attribute. Could this be your issue too?
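To make the suggestion above concrete, here is an added example (Python, not code from this thread or from EPiServer) that re-implements the `Hashed` password encoding of the ASP.NET `SqlMembershipProvider` as the editor understands it: the password is encoded as UTF-16LE, the stored salt is base64, a plain algorithm such as SHA1 hashes `salt + password`, and an HMAC algorithm such as HMACSHA512 uses the salt, truncated or repeated to the algorithm's default key length, as the HMAC key over the password alone. The key-filling rule and the default key sizes are assumptions about the .NET implementation. The demo stores a hash created under SHA1 and then validates it under HMACSHA512, which is the mismatch the post describes: the stored value never matches, so the provider reports an invalid password even though the password is right. The salt and password are constructed values.

```python
"""SqlMembershipProvider 'Hashed' encoding, SHA1 vs HMACSHA512 (added example)."""
import base64
import hashlib
import hmac

# Assumed default key sizes (bytes) of the .NET keyed hash classes.
HMAC_KEY_SIZES = {"HMACSHA1": 64, "HMACSHA256": 64, "HMACSHA512": 128}


def _fill_key(salt, key_len):
    """Assumed .NET behaviour: truncate the salt to the key length, or repeat it
    until the key buffer is full."""
    repeats = key_len // len(salt) + 1
    return (salt * repeats)[:key_len]


def encode_password(password, salt_b64, algorithm):
    """Return the base64 hash the provider would store for this password/salt."""
    salt = base64.b64decode(salt_b64)
    pw_bytes = password.encode("utf-16-le")  # Encoding.Unicode in .NET
    name = algorithm.upper()
    if name.startswith("HMAC"):
        key = _fill_key(salt, HMAC_KEY_SIZES[name])
        digestmod = getattr(hashlib, name[4:].lower())  # "sha512"
        mac = hmac.new(key, pw_bytes, digestmod).digest()
        return base64.b64encode(mac).decode("ascii")
    digest = hashlib.new(name.lower(), salt + pw_bytes).digest()
    return base64.b64encode(digest).decode("ascii")


def check_password(password, salt_b64, stored_hash, configured_algorithm):
    """Validate the way the provider does: re-encode under the *currently configured*
    algorithm and compare with what is stored."""
    candidate = encode_password(password, salt_b64, configured_algorithm)
    return hmac.compare_digest(candidate, stored_hash)


def demo():
    """Hash created under the old SHA1 default, checked under both settings."""
    salt_b64 = base64.b64encode(bytes(range(16))).decode("ascii")  # constructed salt
    stored = encode_password("Secret123", salt_b64, "SHA1")        # written by old config
    return {
        "sha1_config": check_password("Secret123", salt_b64, stored, "SHA1"),
        "hmacsha512_config": check_password("Secret123", salt_b64, stored, "HMACSHA512"),
    }


if __name__ == "__main__":
    for setting, ok in demo().items():
        print(f"{setting}: {'valid' if ok else 'invalid password'}")
```

Because the stored hash carries no algorithm identifier, `hashAlgorithmType` must match the algorithm the rows were written with; changing it without re-hashing the passwords turns every login against that provider into an "invalid password" failure, which is worth ruling out before suspecting the AD or Windows providers.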
Hello,
We're running a CMS7/Community site. We are using a combination of the SQL/Windows and Common Membership Providers. We need to allow Active Directory users to login too. Our configuration is as follows (NOTE: I have commented out the AD provider for the meanwhile)
<location path="EPiServer/CMS/admin">
  <system.web>
    <authorization>
      <allow roles="WebAdmins, Administrators, DOMAIN\AD_EPiServer_Admins, AD_EPiServer_Admins" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
We are experiencing the following issues:
I should note that Local Windows accounts who are members of the Administrators account can login without any problems.
Am I missing something here?
Thanks in advance
Al