LDAP for authentication

I'm having difficulties implementing LDAP user authentication on my EPiServer installation. Under "Administer Groups" in ADMIN-mode I can import group information from the LDAP server, but when I change the AuthenticationMode to "Windows" in Web.Config, users in the imported LDAP group cannot access the website. I've followed the white paper "Using LDAP for User Authentication", but no success. When LDAP users try to access the web, they get a (Windows) login pop-up, but after 3 attempts they receive an HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials. Any suggestions on how to resolve this problem? -Lars
Nov 28, 2005 10:00
Is "Act as part of the operating system" set for the ASPNET user? /HAXEN
Nov 28, 2005 10:17
I think I've come one step closer to the solution. I'm now able to log in, but it seems my LDAP users do not have enough privileges. They are automatically redirected to the login page, even though the user has just logged in. By using "userInformation.aspx" I've managed to retrieve this information:

Your authenticationtype is: EPiSec
The current Sid type is: LdapUser
You are logged on as "domain-name\user" and you are a member of the following groups: Everyone

This LDAP user should have been a member of a group called "DomainUsers-Users-domain-name-com" (imported from the LDAP server), which has sufficient privileges in my EPiServer installation. The user is also listed in the "Search Users/Groups" under "Access right" in Admin-mode. -Lars
Nov 28, 2005 14:20
Try another group, and see if that group is listed. The Domain Users group is special in AD, and I'm not sure that will be handled by EPiServer. In AD, all users have a Primary Group (usually Domain Users), which is not part of the "memberOf" LDAP attribute, which is the one EPiServer uses to determine group membership. /Steve
Nov 28, 2005 17:50
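The behaviour Steve describes can be reproduced offline. The following is an added example, not code from the thread or from EPiServer: it compares the groups visible through memberOf alone with the set obtained by also resolving primaryGroupID against the user's objectSid. The directory entry, domain SID values, DNs and the helper build_sid are constructed for illustration.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid value into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])  # little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group's SID is the user's domain SID plus primaryGroupID as RID."""
    return user_sid.rsplit("-", 1)[0] + "-%d" % primary_group_id

def effective_groups(entry: dict, groups_by_sid: dict) -> dict:
    """Return membership as seen via memberOf only, and with the
    primary group resolved and added."""
    member_of = list(entry.get("memberOf", []))
    user_sid = parse_sid(entry["objectSid"])
    pg_sid = primary_group_sid(user_sid, int(entry["primaryGroupID"]))
    pg_dn = groups_by_sid.get(pg_sid)
    effective = member_of + ([pg_dn] if pg_dn and pg_dn not in member_of else [])
    return {"memberOf_only": member_of, "primary_group": pg_dn, "effective": effective}

# --- Constructed sample data (not taken from a real directory) ---
DOMAIN = (1111111111, 2222222222, 3333333333)

def build_sid(rid: int) -> bytes:
    """Hypothetical helper: build a binary S-1-5-21-<DOMAIN>-<rid> SID."""
    return bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, *DOMAIN, rid)

USER_ENTRY = {
    "memberOf": ["CN=WebEditors,OU=Groups,DC=example,DC=com"],  # explicit group
    "primaryGroupID": "513",                                    # RID of Domain Users
    "objectSid": build_sid(1105),
}
GROUPS_BY_SID = {
    parse_sid(build_sid(513)): "CN=Domain Users,CN=Users,DC=example,DC=com",
}
RESULT = effective_groups(USER_ENTRY, GROUPS_BY_SID)

if __name__ == "__main__":
    print(RESULT)
```

Access rights granted only to the primary group are invisible to any check that reads memberOf alone, which is why assigning rights to a custom group resolves the redirect loop.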
I was setting up LDAP authentication for a client last week and had exactly the same problem. The solution to my problem was that I had set the EPsLdapRootContext value to too narrow a scope. When I changed this to a wider scope (to the root of AD) it all worked. I also recommend using custom groups, as the automatic groups such as Domain Users will not work. Cheers, Jeremy.
Nov 28, 2005 20:38
Problem solved! I changed between different groups and after some trial-and-error I found the one I was looking for. Now it seems to be working... (I was originally using the "Domain Users"-group) -Lars
Nov 29, 2005 9:12
This thread is locked and should be used for reference only.