When I switched from CMS to AD authentication and authorization I lost the ability to edit and create in my local CMS. Is there a way to add an active directory virtual role?
You can create virtual roles, but I don't know if that suits your needs. Here are some examples http://virtualroles.codeplex.com/.
Otherwise you have to create the groups in your AD or configure a multiplexing provider. Here is a good article about security in EPiServer http://blog.fredrikhaglund.se/blog/2010/03/08/episerver-security-and-access-control-12/
So to see the AD group that I'm logged in under, I have to create a group of groups that includes all the AD groups including the one I'm in?
Hmm, I misread your question. Thought you were not able to edit groups.
In web.config you'll find some <location path=""> elements, where path points to your CMS location. In these elements you'll find the authorization element. There you can configure which group(s) should have access to the CMS.
In EPiServerFramework.config you also have to configure the virtual roles "CmsEditors" and "CmsAdmins" with correct group(s).
Thank you for your response and excuse my ignorance as I am brand new to the EPiServer CMS. You are correct. I can't edit or create pages in the CMS nor can I see the AD group I'm logged in with when I search for the group. So to achieve admin access in the CMS, do I modify the following as such?
<add roles="WebAdmins, Administrators, ADGROUP" mode="Any" name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework" />
Yes you do :)
But you also have to change the groups in web.config, in two places.
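As an added illustration (not posted by anyone in this thread), here are the two places the answer refers to: the <location> authorization blocks in web.config and the MappedRole entries in EPiServerFramework.config, both carrying the same AD group. The location paths "EPiServer" and "EPiServer/CMS/admin" are assumed defaults, ADGROUP is the thread's own placeholder, and the CmsEditors mapping to WebEditors is assumed.

```xml
<!-- web.config: one <location> per protected UI path (paths assumed) -->
<location path="EPiServer">
  <system.web>
    <authorization>
      <!-- editors and admins may enter edit mode; everyone else is denied -->
      <allow roles="WebEditors, WebAdmins, Administrators, ADGROUP" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
<location path="EPiServer/CMS/admin">
  <system.web>
    <authorization>
      <!-- admin mode is narrower: only admin groups, and the AD admin group -->
      <allow roles="WebAdmins, Administrators, ADGROUP" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- EPiServerFramework.config: map the AD group onto the CMS virtual roles -->
<episerver.framework>
  <virtualRoles>
    <providers>
      <!-- mode="Any": membership in any one listed group grants the virtual role,
           so list only the groups that should really hold admin rights -->
      <add name="CmsAdmins" type="EPiServer.Security.MappedRole, EPiServer.Framework"
           roles="WebAdmins, Administrators, ADGROUP" mode="Any" />
      <!-- assumed: a separate, less privileged AD group for editors -->
      <add name="CmsEditors" type="EPiServer.Security.MappedRole, EPiServer.Framework"
           roles="WebEditors, ADGROUP" mode="Any" />
    </providers>
  </virtualRoles>
</episerver.framework>
```

Both files must name the same group: the web.config block decides who may reach the URL, the virtual role decides what they can do once inside.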
Oh thank you. Yes I have found those and changed them as well.
Do I need to do extra configuration for the users in AD to show in the Search Users/Group section under the Admin Mode tab?
No, but groups are only searchable once someone in that group has logged in. Groups are "cached" that way.
Are you using WindowsRoleProvider and WindowsMembershipProvider or ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider?
ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider are searchable through LDAP, but the other two are only cached up when users are logging in.
I'm using ActiveDirectoryRoleProvider and ActiveDirectoryMembershipProvider with the correct LDAP connection string but the users and groups do not show up in the search.
Have you set enableSearchMethods to true on the ActiveDirectoryRoleProvider in web.config?
Yes that is set to true. I should also note that I had to create a custom AD provider class because the default provider kept giving exceptions.
Well I extended the ActiveDirectoryMembershipProvider class because the exception wouldn't go away.
Found this article about search in AD providers http://bergdaniel.se/using-the-active-directory-membership-provider-with-episerver.
Oooh good find. Thank you.
Do you know if the CMS caches the search results from AD?
No, it doesn't. I guess you can confirm it by using Reflector and looking at the code in the provider. EPiServer has nothing to do with it, it's just an ASP.NET provider.
Okay thank you for all your help.