LDAP and Active Directory (AD) problem


I have installed CMS5 R2 on Windows XP, and I am trying to create an intranet site using Active Directory (AD) to authenticate editors, but I am having some difficulties.

This is what I have done so far:

I have created an administrative user in the SQL database, and I am using the MultiplexingRoleProvider to perform authentication using the SqlServerRoleProvider first, and the ActiveDirectoryMembershipProvider second. I know that my LDAP connection works ok, because when I log on using the administrative user in the SQL database, all the AD groups are listed when I select "Administer Groups" in admin mode. What is more, if I select "Search user/group" in admin mode and search for the desired AD group, I can even see that it contains all the appropriate AD users.

I have also selected "Set access rights" in admin mode, selected the root node and added the desired AD group with all the rights I desire. In web.config, I have also added the "DOMAIN\mygroup" to the list of allowed roles in the location element for the admin and edit paths.

This is the problem:

When I try to log with some "DOMAIN\user", I just get "Login failed". I have also tried logging in with user@DOMAIN.no with the same result. If I try to log in with just the username (i.e. just "user" to stay consistent with my two examples above), I get nothing, not even "Login failed" (although, I can see that a postback takes place)

In IIS, I have enabled anonymous access and selected "Basic authentication" as the authentication mode.

Does anybody know what I need to do to get the authentication to work with LDAP and AD?

I thought perhaps I had to use the "Synchronize groups" button at the bottom of the "Administer groups" page in admin mode, but this button has disappeared with CMS5 R2 (it used to be there in 4.62 at least).

The PC I am trying to to this from is not part of the domain by the way, but I don't see that this should matter at all as long as the LDAP connection string works fine.

- Bjørn Gustafson

Mar 09, 2009 11:56
I recommend using a tool like Softerra LDAPBrowser to check if the given DN is giving you access to both users and groups.
Mar 09, 2009 13:07

You need to implement your own providers for this to work, I'm afraid.

For the membershipprovider you could inherit System.Web.Security.ActiveDirectoryMembershipProvider and everywhere where "username" (or similar) is used, remove the domain prefix.

For the roleprovider I took the provider that EPiServer created and ineherited that. Here you need to replace the "%" charachter in FindUsersInRole to a "*" char to make this work.

There  are some articles here on EPiServer that could help you. Hope this will get you a bit futher.


Mar 16, 2009 11:03

Mixing groups (roles) between providers will not work (as it did in EPiServer 4).

See http://labs.episerver.com/en/Blogs/Johano/Dates/2008/9/Some-ActiveDirectoryRoleProvider-issues/ for some good troubleshooting tips and example code.


Mar 16, 2009 16:42
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.