CMS and LDAP not working, using Multiplexing role provider

We are trying to upgrade from 4.61 to CMS and the code and database work fine. But we have tried to set up LDAP without success. We use the same AD for our CMS solution as for our 4.61 solution, but the CMS fails.

The problem seems to be: if I try logging in to edit mode I get no error like "Login failed", but I get the login page again with form fields empty. It is like I have been authenticated via MultiplexingMembershipProvider (set up with the same username and password as the MultiplexingRoleProvider) but checking the roles from the AD is failing? If I try logging in with wrong password I get "Login failed".

We have tried the technote "Configuring EPiServer CMS 5 to Use Active Directory Membership Provider for setting up LDAP for CMS" but we must have missed something? http://www.episerver.com/en/EPiServer_Knowledge_Center/Documentation/TechNotes/EPiServer-CMS-5-SP1/Configuring-EPiServer-CMS-5-to-Use-Active-Directory-Membership-Provider/

The CMS is installed on the same web server as the 4.61 version so they are in the same environment. And we use what is called MultiPlexRoleProvider.

Anyone out there with the solution or knows where to look for the error?

Regards
Mats
#17023
Feb 14, 2008 13:55
You have set the Multiplex provider to be the default provider, so if you have registered a username in episerver with the same username as your ad account, episerver will try to authenticate you by using the episerver user. Since you do not get a "log in failed" message, that means you are authenticated correctly.

I'm guessing there's something wrong with your access rights. If you are using episerver (SqlServerMembershipProvider) users, you need to create the WebAdmins and WebEditors groups manually to get access to admin/edit mode. If you are using your ad user, you need to make sure that your ad group has access to edit/admin mode. Check your web.config file and make sure that the ad group is listed in the line. Eg:

-- Lars Øyvind Bodahl www.epinova.no
#17178
Feb 21, 2008 7:19

I can see Lars' example got lost so I'll try adding an example of how to permit a new group to access the editmode pages:

<authorization>
  <allow roles="WebEditors, WebAdmins, Administrators, DOMAIN\YOUR_GROUP_NAME" />
  <deny users="*" />
</authorization>

 -Kjetil

#22827
Edited, Aug 18, 2008 14:52

Hi!

Now the Multiplexing provider works fine. I can log in via my AD account to Episerver CMS.

But I get another error when managing groups and users in Episerver, i.e. trying to insert new users via SQL Server provider.

In the multiplexing provider, I have specified that the first choice of Role provider and Membership provider should be SQL Server (ASP.NET tables) and the second choice is Active Directory provider.

And I can log in now, and I can create groups via SqlServerRoleProvider. So far so good. But when trying to add a new user, I get an error immediately when trying to reach that page.

[ArgumentException: The parameter 'username' must not be empty.
Parameter name: username]
   System.Web.Util.SecUtility.CheckParameter(String& param, Boolean checkForNull, Boolean checkIfEmpty, Boolean checkForCommas, Int32 maxSize, String paramName) +830853
   System.Web.Security.ActiveDirectoryMembershipProvider.CheckUserName(String& username, Int32 maxSize, String paramName) +29
   System.Web.Security.ActiveDirectoryMembershipProvider.GetUser(String username, Boolean userIsOnline) +86
   EPiServer.Security.MultiplexingMembershipProvider.FindMembershipUser(String username) +81
   EPiServer.Security.MultiplexingMembershipProvider.get_CurrentMembershipUser() +74
   EPiServer.Security.MultiplexingMembershipProvider.get_CurrentProvider() +70
   EPiServer.Security.MultiplexingRoleProvider.get_CurrentProvider() +60
   EPiServer.Security.VirtualRoles.GetAllRolesForUser(String username) +67
   EPiServer.UI.Edit.UserMembership.PopulateRoleFields() +71
   EPiServer.UI.Edit.UserMembership.OnLoad(EventArgs e) +901
   System.Web.UI.Control.LoadRecursive() +47
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Control.LoadRecursive() +131
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1436

#23170
Aug 29, 2008 14:07

Insert of a new user is ok IF I in web.config change the default provider to SqlServerMembershipProvider, while I am logged in to my Episerver site.

If I then try the link "Create user" I get the input fields for adding a new user and I can add the user.

But when I log out, I cannot log in again with my AD account (because I do not use the multiplexing provider) so the story begins again...

Something is wrong with having multiplexingprovider that uses both sql server and ad? Or have I missed something?

 

#23171
Edited, Aug 29, 2008 15:40

Both of these issues are known issues with EPiServer:

#9151: CreatePrincipal("nonExistingUser") throws ProviderException with AD provider

#11957: Can't create SQL-user when using multiplexing provider with SQL and AD

Both are marked as fixed in our tracking system, but they're untested. They will probably be included in the R2 release coming later this year.

 

#23215
Sep 01, 2008 8:38

Those of you who are using the Active Directory Membership Provider, are you able to search for a user by user name or e-mail address? We're having difficulties with it (we have about 2000+ users in the AD).

#23257
Sep 01, 2008 20:39

Hello Ted,

I think there is a limitation in DirectorySearcher to 1000 users. Maybe this is causing the problems for you?

 

#23271
Sep 02, 2008 9:43

Hi Petter! I thought the 1000 users limit was a default which applies when you don't specify a limit explicitly? I can still retrieve a list of all 2000+ users, I just can't search for a specific username or e-mail address through the EPiServer admin interface.

#23466
Sep 06, 2008 16:50

Hello!

I'm having the same problem as Ted. Can't search for AD-users by name or email when using Active Directory Membership Provider.

Did you solve this one?

#26418
Dec 04, 2008 15:57

The ActiveDirectoryMembershipProvider (built by Microsoft btw) does use *paged searches*, so it can handle result sets spanning more than 1000 entries (which is a max limit implied by the AD-_server_. You can define a limit _less_ than 1000, but any limit > 1000 will still get you only 1000 in each search result).

/johan

 

#26421
Dec 04, 2008 16:21
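
The paged search described in the post above, applied to the username-or-e-mail lookup asked about earlier in the thread, as an added C# example (not code from the thread, from EPiServer or from Microsoft's provider). The class and method names, the page size of 500 and the LDAP path passed on the command line are assumptions; the search term is escaped before it goes into the filter so that typed characters such as * ( ) \ cannot change the filter's structure.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices; // reference System.DirectoryServices.dll
using System.Text;

static class AdUserSearch // hypothetical helper, not part of any provider
{
    // Escape a user-supplied value for use inside an LDAP filter (RFC 4515).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Prefix match on logon name or e-mail address, restricted to user objects.
    public static string BuildFilter(string term)
    {
        string t = EscapeFilterValue(term);
        return "(&(objectCategory=person)(objectClass=user)"
             + "(|(sAMAccountName=" + t + "*)(mail=" + t + "*)))";
    }

    public static List<string> Search(string ldapPath, string term)
    {
        var names = new List<string>();
        using (var root = new DirectoryEntry(ldapPath))
        using (var searcher = new DirectorySearcher(root, BuildFilter(term)))
        {
            // Non-zero PageSize turns on paged search: results arrive in pages
            // below the server's per-result maximum, and FindAll() walks them all.
            searcher.PageSize = 500;
            searcher.PropertiesToLoad.Add("sAMAccountName");
            using (SearchResultCollection results = searcher.FindAll())
                foreach (SearchResult r in results)
                    names.Add((string)r.Properties["sAMAccountName"][0]);
        }
        return names;
    }

    static void Main(string[] args)
    {
        Console.WriteLine(BuildFilter("smith*)(x")); // constructed input
        if (args.Length == 2) // args: LDAP path (assumption), search term
            foreach (string n in Search(args[0], args[1])) Console.WriteLine(n);
    }
}
```

Run without arguments it only prints the escaped filter; with an LDAP path and a term it queries the directory under the credentials of the calling process.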
Rikard and Ted, I have a (somewhat complicated) solution here: http://world.episerver.com/Forum/Pages/Thread.aspx?id=26441&epslanguage=en
#26485
Dec 08, 2008 15:19
This thread is locked and should be used for reference only.