Hi Magnus,

This is a confusing issue, but we'll try to straighten it out here for you

Q: What database should contain the user I want to give rights to administer the community? EPiServer? Community? Both?

A: The user should be in the community database, always. The SidProvider kicks in to give community users access to EPiServer 4.62 functionality.

Q: As far as I can understand the user somehow has to be associated with a group that I give the administer rights in Community. Do I need to create duplicate groups in EPiServer too?

A: If a community user is a member of the Administrators group in the community database, EPiServer will be informed of that when he/she tries to log in, and it will be synched to EPiServer 4.62 if it's not already there. This makes it possible to have let's say a "Community" group in the community db, and then assign that group access to certain pages in EPiServer 4.62, linking that to logged in community users.

Q: Ideally the user administrating the community can also publish pages in EPiServer (I have seen the sid == -1 exception). Possibly even browse the community as a member, however that is not a priority.

A: The community user cannot publish pages in EPiServer, since its SID is not available in tblSID. This is solved in CMS 5 where the use of Membership and Role providers have entirely abstracted the references to users. Though, an EPiServer 4.62 user can get access to the Netstar tab and community functions, and this is where the "duplicate users scenario" come in.

The Netstar-tab will check access by looking at who's logged in, by username and if it's available in the community database (with the correct access level) the community functions appear. If an EPiServer 4.62 user would log in, and the same username exist in the community db, you will have a match. The problem is, how do I log in with the right user if they exist in both databases, and both databases are part of the authentication process? Well, you need different passwords, and the "correct" password being the one in EPiServer, the one you log in with.

Do this for the administrator that should work with both page publishing and community administration, but leave the community members solely in the community db so you don't clog the EPiServer db with thousands of users. Community is built to handle great amounts of user.

That's it, please ask if something is unclear .

Best regards,

Mattias Nordberg

System Architect, EPiServer Community.

I think I understand now, thank you!

However, I encountered a new problem. I am trying to create a user that can administer Community and publish in EPiServer. I created the user in EPiServer and then in Community, with different passwords ("correct" one in EPiServer). At first it worked nicely, but a few hours later I can't log in with the user. I thought I had forgotten the password and entered admin mode to set a new password, but I can't because I get an error message saying that the user already exists. It's the same error I got when I tried to add a user to the community database first and then to EPiServer second. Do I always have to create the user in community first, then in EPiServer and then I can never change such things as the password, or is there a way around it?

Edit: I investigated this, and the behaviour is as follows:

0. IISreset to start from known state.
1. Add user in EPiServer, with "right" password and group membership that gives correct access (admin groups used in test)
2. Test login to episerver edit mode: OK.
3. Add user in Community, with "wrong" password and no group membership.
4. Test login to episerver edit mode: OK. Test publish article: OK. Test view community my page: OK. Test edit my page presentation: OK. Test login/logout several times: OK.
5. Edit user in EPiServer (add/remove groups) OR edit user in Community OR IISreset Test login to episerver edit mode: FAIL. Never recovers.

Variant:
4a. Edit user in EPiServer (add/remove groups): OK. Repeat: OK.
4b. Test login to episerver edit mode: FAIL.
4c. Edit user in EPiServer: FAIL ("The user/group could not be saved The user name <user name> already exists.")
4d. IISreset, test login to episerver edit mode: FAIL.
4e. IISreset, Edit user in EPiServer: OK. Repeat: OK.
4f. Test login to episerver admin mode: FAIL.
4g. Edit user in EPiServer: FAIL.

So it seems that what ever I do it will stop working when IIS is restarted, if not before. Any clue what to do?