
Active Directory Virtual Role


When I switched from CMS to AD authentication and authorization I lost the ability to edit and create in my local CMS. Is there a way to add an active directory virtual role?

Aug 20, 2012 21:19

You can create virtual roles, but I don't know if that suits your needs. Here are some examples

Otherwise you have to create the groups in your AD or configure a multiplexing provider. Here is a good article about security in EPiServer

Aug 21, 2012 2:08

So to see the AD group that I'm logged in under, I have to create a group of groups that includes all the AD groups including the one I'm in?

Aug 21, 2012 15:10

Hmm, I misread your question. Thought you were not able to edit groups.

In web.config you'll find some <location path=""> elements, where path points to your cms location. In these elements you'll find the authorization element. There you can configure which group(s) should have access to the cms.

In EPiServerFramework.config you also have to configure the virtual roles "CmsEditors" and "CmsAdmins" with correct group(s).

Aug 21, 2012 15:17

Thank you for your response and excuse my ignorance as I am brand new to the EPiSERVER CMS. You are correct. I can't edit or create pages in the CMS nor can I see the AD group I'm logged in when I search for the group. So to achieve admin access in the CMS, do I modify the following as such

<add roles="WebAdmins, Administrators, ADGROUP" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" />

Aug 21, 2012 15:38

Yes you do :)

But you also have to change the groups in web.config, in two places.

Aug 21, 2012 15:43
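
A consistency check for the two configuration steps discussed above, as an added example (not code from any poster or from EPiServer): it lists the `<location>` paths in web.config whose `<allow roles>` still exclude a group that was added to a MappedRole virtual role. The sample XML, the location paths and the container elements around `<add>` are constructed assumptions; only the `<add ... MappedRole>` line follows the one quoted in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed samples: paths, group names and container layout are assumptions.
WEB_CONFIG = """<configuration>
  <location path="cms/UI">
    <system.web><authorization>
      <allow roles="WebEditors, WebAdmins, Administrators" /><deny users="*" />
    </authorization></system.web>
  </location>
  <location path="cms/UI/Admin">
    <system.web><authorization>
      <allow roles="WebAdmins, Administrators, ADGROUP" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

FRAMEWORK_CONFIG = """<episerver.framework><virtualRoles><providers>
  <add roles="WebAdmins, Administrators, ADGROUP" mode="Any" name="CmsAdmins"
       type="EPiServer.Security.MappedRole, EPiServer.Framework" />
</providers></virtualRoles></episerver.framework>"""

def split_roles(value):
    return {r.strip() for r in (value or "").split(",") if r.strip()}

def location_roles(web_xml):
    """Map each <location path> to the roles its <allow> elements grant."""
    out = {}
    for loc in ET.fromstring(web_xml).iter("location"):
        roles = set()
        for allow in loc.iter("allow"):
            roles |= split_roles(allow.get("roles"))
        out[loc.get("path", "")] = roles
    return out

def mapped_roles(framework_xml):
    """Map each MappedRole virtual role name to the groups it contains."""
    return {a.get("name"): split_roles(a.get("roles"))
            for a in ET.fromstring(framework_xml).iter("add")
            if a.get("type", "").startswith("EPiServer.Security.MappedRole")}

def locations_missing(group, web_xml, framework_xml):
    """Location paths that allow the group neither directly nor via a virtual role."""
    vroles = mapped_roles(framework_xml)
    def allowed(roles):
        return group in roles or any(group in vroles.get(r, set()) for r in roles)
    return sorted(p for p, roles in location_roles(web_xml).items() if not allowed(roles))

if __name__ == "__main__":
    print(locations_missing("ADGROUP", WEB_CONFIG, FRAMEWORK_CONFIG))
```

A location that remains in the output still denies the group, so the list also shows exactly which paths a new AD group has been granted and which it has not.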

Oh thank you. Yes I have found those and changed them as well.

Aug 21, 2012 15:45

Do I need to do extra configuration for the users in AD to show in the Search Users/Group section under the Admin Mode tab?

Edited, Aug 21, 2012 16:41

No, but groups are only searchable once someone in that group has logged in. Groups are "cached" that way.

Edited, Aug 21, 2012 16:59

Are you using WindowsRoleProvider and WindowsMembershipProvider or ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider?

ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider are searchable through LDAP, but the other two are only cached up when users are logging in.

Aug 21, 2012 17:03

I'm using ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider with the correct LDAP connection string but the users and groups do not show up in the search.

Aug 21, 2012 17:10

Have you set enableSearchMethods to true on the ActiveDirectoryRoleProvider in web.config?

Aug 21, 2012 17:12

Yes that is set to true. I should also note that I had to create a custom AD provider class because the default provider kept giving exceptions.

Edited, Aug 21, 2012 17:13

Well I extended the ActiveDirectoryMembershipProvider class because the exception wouldn't go away.

Aug 21, 2012 17:54

Hi again,

Found this article about search in AD providers

Aug 22, 2012 17:31

Oooh good find. Thank you.

Aug 22, 2012 17:47

Do you know if the CMS caches the search results from AD?

Aug 22, 2012 17:55

No, it doesn't. I guess you can confirm it by using Reflector and looking at the code in the provider. EPiServer has nothing to do with it, it's just an ASP.NET provider.

Aug 22, 2012 17:58

Okay thank you for all your help.

Aug 22, 2012 18:19
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.